Documente Academic
Documente Profesional
Documente Cultură
Overview
What is Azure Active Directory?
Choose edition
About Azure identity management
Preview the Azure portal experience
Get started
Get an Azure AD tenant
Sign up for Azure AD Premium
Associate Azure subscriptions
Manage AD licensing
Get Azure for your organization
FAQs
SaaS app tutorials
How to
Manage users
Add users
Add users from other directories
Delete users
Manage user profiles
Reset a password
Manage user work information
Share accounts
Manage groups and members
Manage groups
Manage group members
Manage group owners
Manage group membership
View all groups
Enable dedicated groups
Add group access to SaaS apps
Manage group settings
Create advanced rules
Set up self-service groups
Troubleshoot
View access and usage reports
Azure AD reporting
Known networks
Reporting guide
Understand reports
Manage passwords
Update your own password
Understand password management
Understand policies and restrictions
Reset passwords
Set expiration policies
Enable Password Management
Manage devices
Register your device
Register a Windows 10 device
Conditional access
Azure AD Join
Certificate-based Authentication
Manage apps
Overview
Getting started
Cloud App Discovery
Give remote access to your apps
Understand SSO for apps
Integrate SaaS apps
Manage enterprise apps
Develop
Manage access to apps
Use SCIM provision users
Document library
Manage your directory
Custom domain names
Customize the sign-in page
Administer your directory
Multiple directories
O365 directories
Self-service signup
Enterprise State Roaming
Integrate partners with Azure AD B2B
Integrate on-premises identities using Azure AD Connect
Delegate access to resources
Administrator roles
Administrative units
Resource access in Azure
Role-Based Access Control
Configure token lifetimes
Secure your identities
Azure AD Identity Protection
Privileged Identity Management
Deploy on Azure VMs
Windows Server Active Directory on Azure VMs
Replica domain controller in an Azure virtual network
New forest on an Azure virtual network
Deploy a hybrid identity solution
Determine requirements
Plan for data security
Plan your identity lifecycle
Next steps
Tools comparison
Deploy AD FS in Azure
High availability
Change signature hash algorithm
Troubleshoot
Reference
PowerShell cmdlets
Java API Reference
.NET API
Service limits and restrictions
Related
Multi-Factor Authentication
Azure AD Connect
Azure AD Connect Health
Azure AD for developers
Azure AD Privileged Identity Management
Resources
Pricing
MSDN forum
Stack Overflow
Videos
Service updates
Azure feedback forum
What is Azure Active Directory?
1/17/2017 5 min to read Edit on GitHub
Azure Active Directory (Azure AD) is Microsofts multi-tenant cloud based directory and identity management
service.
For IT Admins, Azure AD provides an affordable, easy to use solution to give employees and business partners
single sign-on (SSO) access to thousands of cloud SaaS Applications like Office365, Salesforce.com, DropBox, and
Concur.
For application developers, Azure AD lets you focus on building your application by making it fast and simple to
integrate with a world class identity management solution used by millions of organizations around the world.
Azure AD also includes a full suite of identity management capabilities including multi-factor authentication,
device registration, self-service password management, self-service group management, privileged account
management, role based access control, application usage monitoring, rich auditing and security monitoring and
alerting. These capabilities can help secure cloud based applications, streamline IT processes, cut costs and help
ensure that corporate compliance goals are met.
Additionally, with just four clicks, Azure AD can be integrated with an existing Windows Server Active Directory,
giving organizations the ability to leverage their existing on-premises identity investments to manage access to
cloud based SaaS applications.
If you are an Office365, Azure or Dynamics CRM Online customer, you might not realize that you are already
using Azure AD. Every Office365, Azure and Dynamics CRM tenant is actually already an Azure AD tenant.
Whenever you want you can start using that tenant to manage access to thousands of other cloud applications
Azure AD integrates with!
On-premises AD DS
Open-ID Connect , SAML , WS-Fed
On-premises AD DS
Username + password , Smartcard
All Microsoft Online business services rely on Azure Active Directory (Azure AD) for sign-in and other identity
needs. If you subscribe to any of Microsoft Online business services (for example, Office 365 or Microsoft Azure),
you get Azure AD with access to all of the Free features, described below.
Azure Active Directory is a comprehensive, highly available identity and access management cloud solution that
combines core directory services, advanced identity governance, and application access management. Azure
Active Directory also offers a rich, standards-based platform that enables developers to deliver access control to
their applications, based on centralized policy and rules. With the Azure Active Directory Free edition, you can
manage users and groups, synchronize with on-premises directories, get single sign-on across Azure, Office 365,
and thousands of popular SaaS applications like Salesforce, Workday, Concur, DocuSign, Google Apps, Box,
ServiceNow, Dropbox, and more. To learn more about Azure Active Directory, read What is Azure AD?
To enhance your Azure Active Directory, you can add paid capabilities using the Azure Active Directory Basic,
Premium P1, and Premium P2 editions. Azure Active Directory paid editions are built on top of your existing free
directory, providing enterprise class capabilities spanning self-service, enhanced monitoring, security reporting,
Multi-Factor Authentication (MFA), and secure access for your mobile workforce.
Office 365 subscriptions include additional Azure Active Directory features described in the comparison table
below.
NOTE
For the pricing options of these editions, see Azure Active Directory Pricing. Azure Active Directory Premium P1, Premium
P2, and Azure Active Directory Basic are not currently supported in China. Please contact us at the Azure Active Directory
Forum for more information.
Azure Active Directory Basic - Designed for task workers with cloud-first needs, this edition provides cloud
centric application access and self-service identity management solutions. With the Basic edition of Azure
Active Directory, you get productivity enhancing and cost reducing features like group-based access
management, self-service password reset for cloud applications, and Azure Active Directory Application Proxy
(to publish on-premises web applications using Azure Active Directory), all backed by an enterprise-level SLA
of 99.9 percent uptime.
Azure Active Directory Premium P1 - Designed to empower organizations with more demanding identity
and access management needs, Azure Active Directory Premium edition adds feature-rich enterprise-level
identity management capabilities and enables hybrid users to seamlessly access on-premises and cloud
capabilities. This edition includes everything you need for information worker and identity administrators in
hybrid environments across application access, self-service identity and access management (IAM), identity
protection and security in the cloud. It supports advanced administration and delegation resources like
dynamic groups and self-service group management. It includes Microsoft Identity Manager (an on-premises
identity and access management suite) and provides cloud write-back capabilities enabling solutions like self-
service password reset for your on-premises users.
Azure Active Directory Premium P2 - Designed with advanced protection for all your users and
administrators, this new offering includes all the capabilities in Azure AD Premium P1 as well as our new
Identity Protection and Privileged Identity Management. Azure Active Directory Identity Protection leverages
billions of signals to provide risk-based conditional access to your applications and critical company data. We
also help you manage and protect privileged accounts with Azure Active Directory Privileged Identity
Management so you can discover, restrict and monitor administrators and their access to resources and
provide just-in-time access when needed.
To sign up and start using Active Directory Premium today, see Getting started with Azure Active Directory
Premium.
NOTE
A number of Azure Active Directory capabilities are available through "pay as you go" editions:
Active Directory B2C is the identity and access management solution for your consumer-facing applications. For more
details, see Azure Active Directory B2C
Azure Multi-Factor Authentication can be used through per user or per authentication providers. For more details, see
What is Azure Multi-Factor Authentication?
Common Features
Directory Objects
User/Group Management (add/update/delete)/ User-based provisioning, Device registration
Single Sign-On (SSO)
Self-Service Password Change for cloud users
Connect (Sync engine that extends on-premises directories to Azure Active Directory)
Security / Usage Reports
Basic Features
Group-based access management / provisioning
Self-Service Password Reset for cloud users
Company Branding (Logon Pages/Access Panel customization)
Application Proxy
SLA 99.9%
Premium P1 Features
Self-Service Group and app Management/Self-Service application additions/Dynamic Groups
Self-Service Password Reset/Change/Unlock with on-premises write-back
Multi-Factor Authentication (Cloud and On-premises (MFA Server))
MIM CAL + MIM Server
Cloud App Discovery
Connect Health
Automatic password rollover for group accounts
Premium P2 Features
Identity Protection
Privileged Identity Management
Azure Active Directory Join Windows 10 only related features
Join a device to Azure AD, Desktop SSO, Microsoft Passport for Azure AD, Administrator Bitlocker recovery
MDM auto-enrollment, Self-Service Bitlocker recovery, Additional local administrators to Windows 10 devices
via Azure AD Join
Common Features
Directory Objects
Type: Common Features
The default usage quota is 150,000 objects. An object is an entry in the directory service, represented by its
unique distinguished name. An example of an object is a user entry used for authentication purposes. If you need
to exceed this default quota, please contact support. The 500K object limit does not apply for Office 365,
Microsoft Intune or any other Microsoft paid online service that relies on Azure Active Directory for directory
services.
Availability:
Up to 500,000 objects No object limit No object limit No object limit for Office
365 user accounts
More details:
Administer your Azure AD directory
Azure Active Directory Device Registration overview
Single Sign-On (SSO)
Type: Common Features
Availability:
10 apps per user (1) 10 apps per user (1) No Limit (2) 10 apps per user (1)
1. With Azure AD Free and Azure AD Basic, end-users are entitled to get single sign-on access for up to 10
applications.
2. Self-service integration of any application supporting SAML, SCIM, or forms-based authentication by using
templates provided in the application gallery menu. For more details, see Configuring single sign-on to
applications that are not in the Azure Active Directory application gallery.
More details:
Managing Applications with Azure Active Directory (AD)
Self-Service Password Change for cloud users
Type: Common Features
Availability:
More details:
How to update your own password
Connect (Sync engine that extends on-premises directories to Azure Active Directory )
Type: Common Features
Availability:
More details:
Integrating your on-premises identities with Azure Active Directory
Security/Usage Reports
Type: Common Features
Availability:
More details:
View your access and usage reports
More details:
Using a group to manage access to SaaS applications
Self-Service Password Reset for cloud users
Type: Basic Features
Availability:
More details:
Azure AD Password Reset for Users and Admins
Company Branding (Logon Pages/Access Panel customization )
Type: Basic Features
Availability:
More details:
Add company branding to your Sign In and Access Panel pages
Application Proxy
Type: Basic Features
Availability:
More details:
How to provide secure remote access to on-premises applications
SLA 99.9%
Type: Basic Features
Availability:
More details:
Service Level Agreements
Premium Features
Self-Service Group and app Management/Self-Service application additions/Dynamic Groups
Type: Premium Features
Availability:
More details:
What is Azure Multi-Factor Authentication?
MIM CAL + MIM Server
Microsoft Identity Manager Server software rights are granted with Windows Server licenses (any edition).
Because Microsoft Identity Manager runs on the Windows Server operating system, as long as the server is
running a valid, licensed copy of Windows Server, then Microsoft Identity Manager can be installed and used on
that server. No other separate license is required for Microsoft Identity Manager Server.
Type: Premium Features
Availability:
More details:
Finding unmanaged cloud applications with Cloud App Discovery
Azure AD Connect Health
Type: Premium Features
Availability:
More details:
Monitor your on-premises identity infrastructure and synchronization services in the cloud
Automatic password rollover for group accounts
Type: Premium Features
Availability:
Identity Protection
Type: Premium Features
FREE EDITION BASIC EDITION PREMIUM P2 EDITION OFFICE 365 APPS ONLY
FREE EDITION BASIC EDITION PREMIUM P2 EDITION OFFICE 365 APPS ONLY
MDM auto-enrollment, Self-Service Bitlocker recovery, Additional local administrators to Windows 10 devices via Azure AD Join
Type: Azure Active Directory Join Windows 10 only related features
Availability:
PREMIUM (P1 AND P2)
FREE EDITION BASIC EDITION EDITIONS OFFICE 365 APPS ONLY
More details:
Enterprise State Roaming
What's next
Getting started with Azure Active Directory Premium
Add company branding to your Sign In and Access Panel pages
View your access and usage reports
The fundamentals of Azure identity management
1/17/2017 13 min to read Edit on GitHub
Managing identity is just as important in the public cloud as it is on premises. To help with this, Azure supports
several different cloud identity technologies. They include these:
You can run Windows Server Active Directory (commonly called just AD) in the cloud using virtual machines
created with Azure Virtual machines. This approach makes sense when you're using Azure to extend your on-
premises datacenter into the cloud.
You can use Azure Active Directory to give your users single sign-on to Software as a Service (SaaS)
applications. Microsoft's Office 365 uses this technology, for example, and applications running on Azure or
other cloud platforms can also use it.
Applications running in the cloud or on-premises can use Azure Active Directory Access Control to let users log
in using identities from Facebook, Google, Microsoft, and other identity providers.
This article describes all three of these options.
Table of Contents
Running Windows Server Active Directory in virtual machines
Using Azure Active Directory
Using Azure Active Directory Access Control
Figure 1: Windows Server Active Directory can run in Azure virtual machines connected to an organization's on-
premises datacenter using Azure Virtual Network.
In the example shown here, Windows Server AD is running in VMs created using Azure Virtual Machines, the
platform's IaaS technology. These VMs and a few others are grouped into a virtual network connected to an on-
premises datacenter using Azure Virtual Network. The virtual network carves out a group of cloud virtual machines
that interact with the on-premises network via a virtual private network (VPN) connection. Doing this lets these
Azure virtual machines look like just another subnet to the on-premises datacenter. As the figure shows, two of
those VMs are running Windows Server AD domain controllers. The other virtual machines in the virtual network
might be running applications, such as SharePoint, or being used in some other way, such as for development and
testing. The on-premises datacenter is also running two Windows Server AD domain controllers.
There are several options for connecting the domain controllers in the cloud with those running on premises:
Make all of them part of a single Active Directory domain.
Create separate AD domains on-premises and in the cloud that are part of the same forest.
Create separate AD forests in the cloud and on-premises, then connect the forests using cross-forest trusts or
Windows Server Active Directory Federation Services (AD FS), which can also run in virtual machines on Azure.
Whatever choice is made, an administrator should make sure that authentication requests from on-premises users
go to cloud domain controllers only when necessary, since the link to the cloud is likely to be slower than on-
premises networks. Another factor to consider in connecting cloud and on-premises domain controllers is the
traffic generated by replication. Domain controllers in the cloud are typically in their own AD site, which allows an
administrator to schedule how often replication is done. Azure charges for traffic sent out of an Azure datacenter,
although not for bytes sent in, which might affect the administrator's replication choices. It's also worth pointing
out that while Azure does provide its own Domain Name System (DNS) support, this service is missing features
required by Active Directory (such as support for Dynamic DNS and SRV records). Because of this, running
Windows Server AD on Azure requires setting up your own DNS servers in the cloud.
Running Windows Server AD in Azure VMs can make sense in several different situations. Here are some examples:
If you're using Azure Virtual Machines as an extension of your own datacenter, you might run applications in
the cloud that need local domain controllers to handle things such as Windows Integrated Authentication
requests or LDAP queries. SharePoint, for example, interacts frequently with Active Directory, and so while it's
possible to run a SharePoint farm on Azure using an on-premises directory, setting up domain controllers in the
cloud will significantly improve performance. (It's important to realize that this isn't necessarily required,
however; plenty of applications can run successfully in the cloud using only on-premises domain controllers.)
Suppose a faraway branch office lacks the resources to run its own domain controllers. Today, its users must
authenticate to domain controllers on the other side of the world - logins are slow. Running Active Directory on
Azure in a closer Microsoft datacenter can speed this up without requiring more servers in the branch office.
An organization that uses Azure for disaster recovery might maintain a small set of active VMs in the cloud,
including a domain controller. It can then be prepared to expand this site as needed to take over for failures
elsewhere.
There are also other possibilities. For example, you're not required to connect Windows Server AD in the cloud to
an on-premises datacenter. If you wanted to run a SharePoint farm that served a particular set of users, for
instance, all of whom would log in solely with cloud-based identities, you might create a standalone forest on
Azure. How you use this technology depends on what your goals are. (For more detailed guidance on using
Windows Server AD with Azure, see here.)
Figure 2: Azure Active Directory gives an organization's users single sign-on to SaaS applications, including Office
365.
As the figure shows, Azure AD is a multi-tenant service. This means that it can simultaneously support many
different organizations, storing directory information about users at each of them. In this example, a user at
organization A is trying to access a SaaS application. This application might be part of Office 365, such as
SharePoint Online, or it might be something else - non-Microsoft applications can also use this technology.
Because Azure AD supports the SAML 2.0 protocol, all that's required from an application is the ability to interact
using this industry standard. (In fact, applications that use Azure AD can run in any datacenter, not just an Azure
datacenter.)
The process begins when the user accesses a SaaS application (step 1). To use this application, the user must
present a token issued by Azure AD.
This token contains information that identifies the user, and it's digitally signed by Azure AD. To get the token, the
user authenticates himself to Azure AD by providing a username and password (step 2). Azure AD then returns the
token he needs (step 3).
This token is then sent to the SaaS application (step 4), which validates the token's signature and uses its contents
(step 5). Typically, the application will use the identity information the token contains to decide what information
the user is allowed to access and perhaps in other ways.
If the application needs more information about the user than what's contained in the token, it can request this
directly from Azure AD using the Azure AD Graph API (step 6). In the initial version of Azure AD, the directory
schema is quite simple: It contains just users and groups and relationships among them. Applications can use this
information to learn about connections between users. For example, suppose an application needs to know who
this user's manager is to decide whether he's allowed access to some chunk of data. It can learn this by querying
Azure AD through the Graph API.
The Graph API uses an ordinary RESTful protocol, which makes it straightforward to use from most clients,
including mobile devices. The API also supports the extensions defined by OData, adding things such as a query
language to let clients access data in more useful ways. (For more on OData, see Introducing OData.) Because the
Graph API can be used to learn about relationships between users, it lets applications understand the social graph
that's embedded in the Azure AD schema for a particular organization (which is why it's called the Graph API). And
to authenticate itself to Azure AD for Graph API requests, an application uses OAuth 2.0.
If an organization doesn't use Windows Server Active Directory - it has no on-premises servers or domains - and
relies solely on cloud applications that use Azure AD, using just this cloud directory would give the firm's users
single sign-on to all of them. Yet while this scenario gets more common every day, most organizations still use on-
premises domains created with Windows Server Active Directory. Azure AD has a useful role to play here as well,
as Figure 3 shows.
Figure 3: An
organization can federate Windows Server Active Directory with Azure Active Directory to give its users single
sign-on to SaaS applications.
In this scenario, a user at organization B wishes to access a SaaS application. Before she does this, the
organization's directory administrators must establish a federation relationship with Azure AD using AD FS, as the
figure shows. Those admins must also configure data synchronization between the organization's on-premises
Windows Server AD and Azure AD. This automatically copies user and group information from the on-premises
directory to Azure AD. Notice what this allows: In effect, the organization is extending its on-premises directory into
the cloud. Combining Windows Server AD and Azure AD in this way gives the organization a directory service that
can be managed as a single entity, while still having a footprint both on-premises and in the cloud.
To use Azure AD, the user first logs in to her on-premises Active Directory domain as usual (step 1). When she tries
to access the SaaS application (step 2), the federation process results in Azure AD issuing her a token for this
application (step 3). (For more on how federation works, see Claims-Based Identity for Windows: Technologies and
Scenarios.) As before, this token contains information that identifies the user, and it's digitally signed by Azure AD.
This token is then sent to the SaaS application (step 4), which validates the token's signature and uses its contents
(step 5). And is in the previous scenario, the SaaS application can use the Graph API to learn more about this user if
necessary (step 6).
Today, Azure AD isn't a complete replacement for on-premises Windows Server AD. As already mentioned, the
cloud directory has a much simpler schema, and it's also missing things such as group policy, the ability to store
information about machines, and support for LDAP. (In fact, a Windows machine can't be configured to let users
log in to it using nothing but Azure AD - this isn't a supported scenario.) Instead, the initial goals of Azure AD
include letting enterprise users access applications in the cloud without maintaining a separate login and freeing
on-premises directory administrators from manually synchronizing their on-premises directory with every SaaS
application their organization uses. Over time, however, expect this cloud directory service to address a wider
range of scenarios.
Figure 4: Azure Active Directory Access Control makes it easier for applications to accept identity tokens issued by
different identity providers.
The process begins when a user attempts to access the application from a browser. The application redirects her to
an IdP of her choice (and that the application also trusts). She authenticates herself to this IdP, such as by entering a
username and password (step 1), and the IdP returns a token containing information about her (step 2).
As the figure shows, Access Control supports a range of different cloud-based IdPs, including accounts created by
Google, Yahoo, Facebook, Microsoft (formerly known as Windows Live ID), and any OpenID provider. It also
supports identities created using Azure Active Directory and, through federation with AD FS, Windows Server
Active Directory. The goal is to cover the most commonly used identities today, whether they're issued by IdPs in
the cloud or on-premises.
Once the user's browser has an IdP token from her chosen IdP, it sends this token to Access Control (step 3). Access
Control validates the token, making sure that it really was issued by this IdP, then creates a new token according to
the rules that have been defined for this application. Like Azure Active Directory, Access Control is a multi-tenant
service, but the tenants are applications rather than customer organizations. Each application can get its own
namespace, as the figure shows, and can define various rules about authorization and more.
These rules let each application's administrator define how tokens from various IdPs should be transformed into an
Access Control token. For example, if different IdPs use different types for representing usernames, Access Control
rules can transform all of these into a common username type. Access Control then sends this new token back to
the browser (step 4), which submits it to the application (step 5). Once it has the Access Control token, the
application verifies that this token really was issued by Access Control, then uses the information it contains (step
6).
While this process might seem a little complicated, it actually makes life significantly simpler for the creator of the
application. Rather than handle diverse tokens containing different information, the application can accept
identities issued by multiple identity providers while still receiving only a single token with familiar information.
Also, rather than require each application to be configured to trust various IdPs, these trust relationships are
instead maintained by Access Control - an application need only trust it.
It's worth pointing out that nothing about Access Control is tied to Windows - it could just as well be used by a
Linux application that accepted only Google and Facebook identities. And even though Access Control is part of the
Azure Active Directory family, you can think of it as an entirely distinct service from what was described in the
previous section. While both technologies work with identity, they address quite different problems (although
Microsoft has said that it expects to integrate the two at some point).
Working with identity is important in nearly every application. The goal of Access Control is to make it easier for
developers to create applications that accept identities from diverse identity providers. By putting this service in the
cloud, Microsoft has made it available to any application running on any platform.
The Azure Active Directory (Azure AD) management experience is in preview in the Azure portal. You can try it
out by signing in to the Azure portal as a global administrator of your directory. Then, select Azure Active
Directory in the services list if it is visible, or select More services to view the list of all services. You do not need
an Azure subscription to use the Azure AD management experience in the Azure portal.
NOTE
Azure Active Directory Premium and Basic editions are available for customers in China using the worldwide instance of
Azure Active Directory. Azure Active Directory Premium and Basic editions are not currently supported in the Microsoft
Azure service operated by 21Vianet in China. For more information, contact us at the Azure Active Directory Forum.
When you are done, the following dialog shows up as confirmation for the activation of the license plan for your
tenant.
Step 3: Activate your Azure Active Directory access
If you have used Microsoft Azure before, you can proceed to Step 4.
When the licenses are provisioned to your directory, a Welcome email is sent to you. The email confirms that
you can start managing your Azure Active Directory Premium or Enterprise Mobility Suite licenses and features.
If you make an attempt to activate your access to Azure Active Directory prior to receiving the Welcome email,
you get the following error message.
If you Please try again in a few minutes once you have received the email.
New administrators in your subscription can also activate their access to the Azure classic portal through this link.
To activate your Azure Active Directory access, perform the following steps:
1. In your Welcome email, click Sign In.
2. When you have signed in successfully, you need to complete a second factor authentication in form of a
mobile verification:
The activation can take a few minutes. Once your access is active, the brown bar disappears and you are able to
click Portal.
In this case, your Azure access is limited to Azure Active Directory.
You may already have had access to Azure from prior usage; in addition, you can upgrade your Access Azure
Active Directory to full Azure access by activating additional Azure subscriptions. In these cases, the Azure classic
portal has more capabilities.
4. In the dialog box, select the users you want to assign licenses to, and then click the check mark icon to save
the changes.
License restrictions
Some license plans are subsets or supersets of other license plans. Typically, a user cannot be assigned a license
plan that has already been assigned to them. If it is your intention to assign a license plan that is a superset, you
need to first remove the subset license plan.
License requirements
When you assign a license to a user, you can specify a primary usage location in the properties of their account. If
a usage location is not specified, the tenants location is automatically assigned to the user.
The availability of services and features for a Microsoft cloud service varies by country or region. A service, such
as Voice over Internet Protocol (VoIP), may be available in one country or region, and not available in another.
Features within a service can be restricted for legal reasons in certain countries or regions. To see if a service or
feature is available with or without restrictions, look for your country or region on license restrictions site of a
service.
What's next
Add company branding to your Sign In and Access Panel pages
View your access and usage reports
How Azure subscriptions are associated with Azure
Active Directory
1/17/2017 9 min to read Edit on GitHub
This article covers information about signing in to Microsoft Azure and related issues, such as the relationship
between an Azure subscription and Azure Active Directory (Azure AD).
The consumer identity system run by Microsoft The business identity system run by Microsoft
Authentication to services that are consumer-oriented, such Authentication to services that are business-oriented, such as
as Hotmail and MSN Office 365
Consumers create their own Microsoft accounts, such when Companies and organizations create and manage their own
they sign up for email work or school accounts
Identities are created and stored in the Microsoft account Identities are created by using Azure or another service such
system as Office 365, and they are stored in an Azure AD instance
assigned to the organization
Although Azure originally allowed access only by Microsoft account users, it now allows access by users from both
systems. This was done by having all the Azure properties trust Azure AD for authentication, having Azure AD
authenticate organizational users, and by creating a federation relationship where Azure AD trusts the Microsoft
account consumer identity system to authenticate consumer users. As a result, Azure AD is able to authenticate
guest Microsoft accounts as well as native Azure AD accounts.
For example, here a user with a Microsoft account signs in to the Azure classic portal.
NOTE
To sign in to the Azure classic portal, msmith@hotmail.com must have a subscription to Azure. The account must be either a
Service administrator or a co-administrator of the subscription.
Because this Hotmail address is a consumer account, the sign in is authenticated by the Microsoft account
consumer identity system. The Azure AD identity system trusts the authentication done by the Microsoft account
system and will issue a token to access Azure services.
How an Azure subscription is related to Azure AD
Every Azure subscription has a trust relationship with an Azure AD instance. This means that it trusts that directory
to authenticate users, services, and devices. Multiple subscriptions can trust the same directory, but a subscription
trusts only one directory. You can see which directory is trusted by your subscription under the Settings tab. You
can edit the subscription settings to change which directory it trusts.
This trust relationship that a subscription has with a directory is unlike the relationship that a subscription has with
all other resources in Azure (websites, databases, and so on), which are more like child resources of a subscription.
If a subscription expires, then access to those other resources associated with the subscription also stops. But the
directory remains in Azure, and you can associate another subscription with that directory and continue to manage
the directory users.
Similarly, the Azure AD extension you see in your subscription doesnt work like the other extensions in the Azure
classic portal. Other extensions in the Azure classic portal are scoped to the Azure subscription. What you see in
the Azure AD extension does not vary based on subscription it shows only directories based on the signed-in
user.
All users have a single home directory which authenticates them, but they can also be guests in other directories.
In the Azure AD extension, you will see every directory your user account is a member of. Any directory that your
account is not a member of will not appear. A directory can issue tokens for work or school accounts in Azure AD
or for Microsoft account users (because Azure AD is federated with the Microsoft account system).
This diagram shows a subscription for Michael Smith after he signed up by using a work account for Contoso.
Signing in when you used your work email for your Microsoft account
If at some point of time in the past you created a consumer Microsoft account using your work email as a user
identifier, you may see a page asking you to select from either the Microsoft Azure Account system or the
Microsoft Account system.
You have user accounts with the same name, one in Azure AD and the other in the consumer Microsoft account
system. You should pick the account that is associated with the Azure subscription you want to use. If you get an
error saying a subscription does not exist for this user, you likely just chose the wrong option. Sign out and try
again. For more information about errors that can prevent sign in, see Troubleshooting "We were unable to find
any subscriptions associated with your account" errors.
NOTE
These steps can only be completed while a user is signed in with a Microsoft account. If the user is signed in with a work or
school account, the option Use existing directory is not available because a work or school account can be authenticated
only by its home directory (that is, the directory where the work or school account is stored, and which is owned by the
work or school).
Next Steps
To learn more about how to change administrators for an Azure subscription, see How to add or change Azure
administrator roles
To learn more about how resource access is controlled in Microsoft Azure, see Understanding resource access
in Azure
For more information on how to assign roles in Azure AD, see Assigning administrator roles in Azure Active
Directory
Sign up for Azure as an organization
What is Microsoft Azure Active Directory licensing?
1/17/2017 10 min to read Edit on GitHub
Description
Azure Active Directory (Azure AD) is Microsoft's Identity as a Service (IDaaS) solution and platform. Azure AD is
offered in a number of functional and technical versions ranging from Azure AD Free, which is available with any
Microsoft service such as Office 365, Dynamics, Microsoft Intune and Azure (Azure AD does not generate any
consumption charges in this mode), to Azure AD paid versions such as Enterprise Mobility Suite (EMS), Azure AD
Premium and Basic, as well as Azure Multi-Factor Authentication (MFA). Like many of Microsoft online services,
most Azure AD paid versions are delivered through per-user entitlements as they are in Office 365, Microsoft
Intune, and Azure AD. In these cases, the service purchase is represented with one or more subscriptions, and each
subscription includes a pre-purchase number of licenses in your tenant. Per-user entitlements are achieved
through license assignment, creating a link between the user and the product, enabling the service components for
the user, and consuming one of the prepaid licenses.
Try Azure AD premium now.
NOTE
Azure AD administration portal is a part of the Azure classic portal. While using Azure AD does not require any Azure
purchases, accessing this portal requires an active Azure subscription or an Azure trial subscription.
For a broad overview of Azure AD service capabilities, see What is Azure AD. Learn more about Azure AD service
levels
NOTE
Azure pay as you go subscriptions are different: while also represented in your directory, these subscriptions enable creation
of Azure resources and map them to your payment method. In this case there are NO license counts associated with the
subscription. Users' association with the subscription, the users' access to managing subscription resources, is achieved by
granting them permissions to operate on Azure resources mapped to the subscription.
IMPORTANT
Azure AD Premium and Basic, as well as Enterprise Mobility Suite subscriptions, are confined to their provisioned
directory/tenant. Subscriptions cannot be split between directories or used to entitle users in other directories. Moving a
subscription between directories is possible but requires submitting a support ticket or cancellation and re-purchase in the
case of direct purchases.
When purchasing Azure AD or Enterprise Mobility Suite through Volume Licensing subscription activation will happen
automatically when the agreement includes other Microsoft Online services, e.g. Office 365.
Paid Azure AD features span the breadth of the directory. Examples include:
Group-based assignment to applications, which is enabled under the specific application you are managing.
Advanced and self-service group management capabilities are available under the directory configuration or
within the specific group.
Premium security reports are on the Reporting tab
Cloud application discovery shows up in the Azure portal under Identity.
Assigning licenses
While obtaining a subscription is all you need to configure paid capabilities, using your Azure AD paid features
requires distributing licenses to the right individuals. In general, any user who should have access to or who is
managed through an Azure AD paid feature must be assigned a license. A license assignment is a mapping
between a user and a purchased service, such as Azure AD Premium, Basic, or Enterprise Mobility Suite.
Managing which users in your directory should have a license is simple. It can be accomplished by assigning to a
group to create assignment rules through the Azure AD administration portal or by assigning licenses directly to
the right individuals through a portal, PowerShell, or APIs. When assigning licenses to a group, all group members
will be assigned a license. If users are added or removed from the group they will be assigned or removed the
appropriate license. Group assignment can utilize any group management available to you and is consistent with
group-based assignment to applications. Using this approach, you can set up rules such that all users in your
directory are automatically assigned, ensure that everyone with the appropriate job title has a license or even
delegate the decision to other managers in the organization.
With group-based license assignment, any user missing a usage location will inherit the directory location during
assignment. This location can be changed by the administrator at any time. In cases where the automated
assignment failed due to error, the user information under that license type will reflect that state.
NOTE
Azure AD supports external users, which are user accounts in an instance of Azure AD that were created using either a
Microsoft Account (MSA) or an Azure AD identity from another directory. While we are busy extending this capability into all
of Microsoft's organizational services, right now these accounts are not supported in some of the services' experiences; for
example, the Office 365 administration portal does not currently support these users. As a result, external users with
Microsoft accounts will not be able to access the Office 365 administration portal at all, while external users from other Azure
AD directories will be ignored. In the latter case, only the users local account, the Azure AD or Office 365 directory where the
user was originally created, would be accessible through these experiences.
As indicated, Azure AD has different paid versions. These versions have some minor differences in their purchase
availability:
Enterprise X X X X X
Mobility Suite
Azure AD X X X X X
Premium
Azure AD X X X X
Basic
Once in the assignment dialog for the selected plan, you can select users and adding them to the Assign column
on the right. You can page through the user list or search for specific individuals using the looking glass on the top
right of the user grid. To assign groups, select "Groups" from the Show menu and then click the check button on
the right to refresh the assignments that are displayed.
You can now search or page through groups and add them to the Assign column in the same way. You can use
these to assign a combination of users and groups in a single operation. To complete the assignment process, click
the check button in the bottom right corner of the page.
When a group is assigned, its members inherit the licenses within 30 minutes, but usually within 1-2 minutes.
Assignment errors can occur during Azure AD license assignment, but are relatively rare. Potential assignment
errors are limited to:
Assignment conflict - when a user was previously assigned a license that is incompatible with the current
license. In this case, assigning the new license will require removing the previous one.
Exceeded available licenses - when the number of users in assigned groups exceed available licenses, the users'
assignment status will reflect a failure to assign due to missing licenses.
View assigned licenses
A summary view of assigned licenses including available, assigned, and next subscription lifecycle event are
displayed on the Licenses tab.
A detailed list of assigned users and groups, including assignment status and path (direct or inherited from one or
more groups) is available when navigating into a license plan.
Removing licenses is just as easy as assigning them. If the user is directly assigned or for an assigned group, you
can remove the license by selecting the license type, selecting Remove, adding the user or group to the remove
list, and confirming the action. Alternatively, you can open a license type, select the specific user or group, and tap
Remove on the command bar. To end a users inheritance of a license from a group, simply remove the user from
the group.
Extending trials
Trial extensions for customers are available as self-service through the Office 365 portal. A customer admin can
navigate to the Office portal (access depends on permissions for the Office portal) and select your Azure AD
Premium trial. Click the Extend trial link and follow the instructions. You will need to enter a credit card, but it will
not be charged.
Customers can also request a trial extension by submitting a support request. A customer admin can navigate to
the Office 365 portal support page (access depends on permissions for the Office support page). On this page
select Subscriptions and Trials under Features and Trial questions under Symptom. Finally, enter information
on the circumstances
Next steps
Now you might be ready to configure and use some Azure AD Premium features.
Self-service password reset
Self-service group management
Azure AD Connect heath
Group assignment to applications
Azure Multi-Factor Authentication
Direct purchase of Azure AD Premium licenses
Sign up for Azure as an organization
1/17/2017 1 min to read Edit on GitHub
Until recently, you could only sign up for a new Microsoft Azure subscription using your Microsoft account
(Windows Live ID). Azure now supports using either of the following two account methods to sign up:
Microsoft accounts (created by you for personal use) - Provide access to all consumer-oriented Microsoft
products and cloud services, such as Outlook (Hotmail), Messenger, OneDrive, MSN, Xbox LIVE, or Office 365.
Signing up for an Outlook.com mailbox automatically creates a Microsoft account. After a Microsoft account is
created, it can be used to access consumer-related Microsoft cloud services or Azure. Learn more
Work or school accounts (issued by an admin for business/academic use) - Provide access to all small,
medium, and enterprise business-level Microsoft cloud services, such as Azure, Microsoft Intune, or Office
365. When you sign up to one of these services as an organization, a cloud-based directory is automatically
provisioned in Azure Active Directory to represent your organization. Learn more
After this directory has been created, an admin can then create users and assign licenses to them based on
which cloud service subscriptions they need access to, such as Azure.
Want to sign up for Azure as an organization? Sign up now
Additional Resources
Microsoft Azure blog
What is Azure AD?
Use your on-premises identity infrastructure in the cloud
Azure Active Directory FAQ
1/20/2017 7 min to read Edit on GitHub
Azure Active Directory is a comprehensive Identity as a Service (IDaaS) solution that spans all aspects of identity,
access management, and security.
For more details, see What is Azure Active Directory?.
Q: Whats the relationship between Azure AD, Office 365, and Azure?
A: Azure Active Directory provides you with common identity and access capabilities to all Microsoft online
services. Whether you are using Office 365, Microsoft Azure, Intune or others, you are already using an Azure AD to
enable sign-on and access management for all of these services.
In fact, all the users you have enabled for Microsoft Online services are defined as user accounts in one or more
Azure AD instances. You can enable these accounts for free Azure AD capabilities such as cloud application access.
Additionally, Azure AD paid services (e.g.: Azure AD basic, Premium, EMS, etc.) complement other Online services
such as Office 365 and Microsoft Azure with comprehensive enterprise scale management and security solutions.
Q: Why can I sign-in to the Azure portal but not the classic portal? A: The new Azure portal does not require
a valid subscription whereas the classic portal does require you to have a valid subscription. If you do not have a
subscription, you will not be able to sign-in to the classic portal.
Q: What are the differences between Subscription Administrator and Directory Administrator?**
A: By default, you are assigned the Subscription Administrator role when you sign up for Azure. A subscription
Administrator can use either a Microsoft account or a work or school account from the directory that the Azure
subscription is associated with. This role is authorized to manage services in the Azure portal. If others need to sign
in and access services using the same subscription, you can add them as co-administrators. This role has the same
access privileges as the Service Administrator, but cant change the association of subscriptions to Azure
directories. For additional information on Subscription Administrators see here. and here
Azure AD has a different set of administrative roles to manage the directory and identity-related features. These
administrators will have access to various features in the Azure portal or Azure classic portal and, depending on
their role, will be able to create or edit users, assign administrative roles to others, reset user passwords, manage
user licenses, and manage domains, among other things. For additional information on Azure AD Directory
Administrators and their roles see here.
Getting started with Hybrid Azure AD
Q: How can I connect my on-premises directory to Azure AD?
A: You can connect your on-premises directory to Azure AD using Azure AD Connect.
For more details, see Integrating your on-premises identities with Azure Active Directory.
Q: Does Azure Active Directory provide a self-service portal for users in my organization?
A: Yes, Azure Active Directory provides you with the Azure AD Access Panel for user self-service and application
access. IF you are an Office 365 customer, you can find many of the same capabilities in the Office 365 portal.
For more information, see the Introduction to the Access Panel.
Password management
Q: Can I use Azure AD password write-back without password sync? (AKA, I would like to use Azure AD
SSPR with password write-back but I dont want my passwords stored in the cloud?)
A: You do not need to synchronize your AD passwords to Azure AD in order to enable write-back. In a federated
environment, Azure AD SSO relies on the on-premises directory to authenticate the user. This scenario does not
require the on-premises password to be tracked in Azure AD.
Q: Can I use password write-back with passwords that are managed by an administrator?
A: Yes, if you have password write-back enabled, the password operations performed by an administrator are
written back to your on-premises environment.
For more answers to password related questions, see Password Management Frequently Asked Questions.
Q: What can I do if I cannot remember my existing Office 365/Azure AD password while trying to change
my password?
A: For this type of situation there are a couple of options. If your organization has enabled self-service password
reset then you can try this. This may or may not work depending on how self-serive password reset has been
configured. For more information see How does the password reset portal work.
For Office 365 users, your administrator can reset the password using the steps outlined here.
For Azure AD accounts, administrators can reset passwords using one of the following:
Reset accounts in the Azure portal
Reset accounts in the classic portal
Using PowerShell
Application access
Q: Where can I find a list of applications that are pre-integrated with Azure AD and their capabilities?
A: Azure AD has over 2600 pre-integrated applications from Microsoft, application service providers, or partners.
All pre-integrated applications support SSO. SSO enables you to use your organizational credentials to access your
apps. Some of the applications also support automated provisioning and de-provisioning
For a complete list of the pre-integrated applications, see the Active Directory Marketplace.
Q: What are the different ways Azure Active Directory enables authentication and single sign-on to
applications?
A: Azure Active Directory supports many standardized protocols for authentication and authorization such as SAML
2.0, OpenID Connect, OAuth 2.0, and WS-Federation. Azure AD also supports password vaulting and automated
sign-in capabilities for apps that only support forms-based authentication.
For more information, see:
Authentication Scenarios for Azure AD
Active Directory Authentication Protocols
How does single sign-on with Azure Active Directory work?
To help you integrate all of your cloud (SaaS) applications with Azure Active Directory, we have developed a
collection of tutorials that show you each of the necessary configuration steps.
For the comprehensive list of SaaS apps that have been pre-integrated into Azure AD, please see the Active
Directory Marketplace.
List of Tutorials
LOGO APP NAME
&frankly
@Task
10,000ft Plans
15Five
23 Video
360 Online
Abintegro
Adaptive Suite
LOGO APP NAME
Adobe EchoSign
ADP eTime
ADP GlobalView
Aha!
AirWatch
Allocadia
Anaplan
AnswerHub
AppBlade
AppDynamics
Aravo
LOGO APP NAME
ArcGIS
Ariba
Asana
Asset Bank
Atlassian Cloud
Atomic Learning
Autotask
Bamboo HR
BeeLine
Benefitsolver
BenSelect
BetterWorks
BGS Online
LOGO APP NAME
Bime
Blackboard Learn
BlueJeans
Bonus.ly
Boomi
Box
Brightspace by Desire2Learn
Bynder
CA PPM
Canvas LMS
Capriza
LOGO APP NAME
Central Desktop
Certify
Cezanne HR Software
Cherwell
Chromeriver
Cimpl
Cisco Spark
Cisco Webex
Citrix GoToMeeting
Citrix ShareFile
Clarizen
Clever
LOGO APP NAME
ClickTime
CloudPassage
Concur
Condeco
Cornerstone OnDemand
Coupa
CS Stars
Degreed
Deputy
Directions on Microsoft
DocuSign
Domo
LOGO APP NAME
Druva
e-Builder
eDigitalResearch
Egnyte
EmpCenter
Envoy
eTouches
EverBridge
Evidence.com
Expensify
LOGO APP NAME
Fieldglass
FileCloud
Flatter Files
FM:Systems
Freshdesk
FreshGrade
FreshService
Front
Fuse
GaggleAMP
Gigya
Google Apps
Greenhouse
LOGO APP NAME
HackerOne
Halogen Software
Halosys
Heroku
Hightail
HireVue
Hosted Graphite
HPE SaaS
HR2day by Merces
Huddle
ICIMS
LOGO APP NAME
IdeaScale
Igloo Software
Image Relay
Innotas
InsideView
Insperity ExpensAble
Intacct
Intralinks
ITRP
Jitbit Helpdesk
Jive
Jobscience
JobScore
LOGO APP NAME
Jostle
Keylight
Kindling
Kintone
Kiteworks
KnowBe4
Kontiki
Kronos
Kudos
Learning at Work
Learningpool
LearnUpon
Lesson.ly
LOGO APP NAME
Lifesize Cloud
Litmos
LogicMonitor
Lucidchart
Lynda.com
Marketo
MCM
M-Files
Mindflash
Mixpanel
MOVEit Transfer
LOGO APP NAME
Moxtra
Mozy Enterprise
Namely
NetDocuments
Netsuite
New Relic
Nexonia
Nomadesk
Novatus
O. C. Tanner - AppreciateHub
OfficeSpace Software
Onit
OpsGenie
LOGO APP NAME
Optimizely
Origami
Overdrive Books
Pacific Timesheet
Pagerduty
Panopto
Panorama9
Pantheon
People
PerformanceCentre
Picturepark
Pluralsight
PolicyStat
LOGO APP NAME
PostBeyond
Predictix Ordering
Printix
Projectplace
Promapp
Proofpoint on Demand
Qualtrics
QuickHelp
Rally Software
LOGO APP NAME
Recognize
RedVector
Replicon
Reward Gateway
RightAnswers
RightScale
RunMyProcess
Salesforce Sandbox
Salesforce
Samanage
SanSan
SAP NetWeaver
SCC LifeCycle
Sciforma
ScreenSteps
SD Elements
SECURE DELIVER
ServiceNow
ShiftPlanning
Showpad
SimpleNexus
LOGO APP NAME
Skilljar
Skydesk Email
Slack
Small Improvements
SmarterU
Soonr Workplace
Spring CM
Sprinklr
StatusPage
SuccessFactors
SugarCRM
SumoLogic
LOGO APP NAME
Syncplicity
Synergi
Tableau Online
Tableau Server
TalentLMS
TargetProcess
TeamSeer
Thirdlight
Thoughtworks Mingle
ThousandEyes
Tidemark
LOGO APP NAME
TimeOffManager
Tinfoil Security
TiViTz
TOPdesk - Public
TOPdesk - Secure
Trakopolis
Trakstar
Trello
UltiPro
UserEcho
UserVoice
Veracode
LOGO APP NAME
Voyance
vxMaintain
Weekdone
Wikispaces
Work.com
Workday
Workplace by Facebook
Workrite
xMatters OnDemand
Yardi eLearning
LOGO APP NAME
YouEarnedIt
Zendesk
Zoho Mail
Zoom
Zscaler Beta
Zscaler One
Zscaler Two
Zscaler ZSCloud
Zscaler
Related Articles
Article Index for Application Management in Azure Active Directory
List of Tutorials on How to Integrate SaaS Apps
Add new users to Azure Active Directory preview
1/17/2017 1 min to read Edit on GitHub
This article explains how to add new users in your organization in the Azure Active Direstory (Azure AD) preview.
What's in the preview?
1. Sign in to the Azure portal with an account that's a global admin for the directory.
2. Select More services, enter Users and groups in the text box, and then select Enter.
3. On the Users and groups blade, select All users, and then select Add.
4. Enter details for the user, such as Name and User name. The domain name portion of the user name must
either be the initial default domain name "foo.onmicrosoft.com" domain name, or a verified, non-federated
domain name such as "contoso.com."
5. Copy or otherwise note the generated user password so that you can provide it to the user after this process is
complete.
6. Optionally, you can open and fill out the information in the Profile blade, the Groups blade, or the Directory
role blade for the user. For more information about user and administrator roles, see Assigning administrator
roles in Azure AD.
7. On the User blade, select Create.
8. Securely distribute the generated password to the new user so that the user can sign in.
What's next
Add an external user
Reset a user's password in the new Azure portal
Change a user's work information
Manage user profiles
Delete a user in your Azure AD
Assign a user to a role in your Azure AD
Add new users or users with Microsoft accounts to
Azure Active Directory
1/17/2017 3 min to read Edit on GitHub
Add users to populate your directory. This article explains how to add new users in your organization, and how to
add users who have Microsoft accounts. For more information about adding users from other directories in Azure
Active Directory or adding users from partner companies, see Add users from other directories or partner
companies in Azure Active Directory. Added users don't have administrator permissions by default, but you can
assign roles to them at any time.
Add a user
1. Sign in to the Azure classic portal with an account that's a global admin for the directory.
2. Select Active Directory, and then select the name of your organization directory.
3. Select the Users tab, and then, in the command bar, select Add User.
4. On the Tell us about this user page, under Type of user, select either:
New user in your organization adds a new user account in your directory.
User with an existing Microsoft account adds an existing Microsoft consumer account to your
directory (for example, an Outlook account)
5. Depending on Type of user, enter a user name (for new user) or an email address (for a user with a Microsoft
account).
6. On the user Profile page, provide a first and last name, a user-friendly name, and a user role from the Roles
list. For more information about user and administrator roles, see Assigning administrator roles in Azure AD.
Specify whether to Enable Multi-Factor Authentication for the user.
7. On the Get temporary password page, select Create.
IMPORTANT
If your organization uses more than one domain, you should know about the following issues when you add a user account:
TO add user accounts with the same user principal name (UPN) across domains, first add, for example,
geoffgrisso@contoso.onmicrosoft.com, followed by geoffgrisso@contoso.com.
Don't add geoffgrisso@contoso.com before you add geoffgrisso@contoso.onmicrosoft.com. This order is important, and
can be cumbersome to undo.
Then you can edit the options to control access for guest users.
What's next
Add users from other directories or partner companies in Azure Active Directory
Administering Azure AD
Manage passwords in Azure AD
Manage groups in Azure AD
Add users from other directories or partner
companies in Azure Active Directory preview
1/17/2017 1 min to read Edit on GitHub
This article explains how to add users either from other directories in Azure Active Directory (Azure AD) preview or
from partner companies. What's in the preview? For information about adding new users in your organization, and
adding users who have Microsoft accounts, see Add new users to Azure Active Directory. Added users don't have
administrator permissions by default, but you can assign roles to them at any time.
Add a user
1. Sign in to the Azure portal with an account that's a global admin for the directory.
2. Select More services, enter Users and groups in the text box, and then select Enter.
3. On the Users and groups blade, select Users, and then select Add.
4. On the User blade, provide a display name in Name and the user's sign-in name in User name.
5. Copy or otherwise note the generated user password so that you can provide it to the user after this process is
complete.
6. Optionally, select Profile to add the users first and last name, a job title, and a department name.
Select Organizational role to assign the user to a role from the Roles list. For more information
about user and administrator roles, see Assigning administrator roles in Azure AD.
7. Select Create.
8. Securely distribute the generated password to the new user so that the user can sign in.
IMPORTANT
If your organization uses more than one domain, you should know about the following issues when you add a user account:
TO add user accounts with the same user principal name (UPN) across domains, first add, for example,
geoffgrisso@contoso.onmicrosoft.com, followed by geoffgrisso@contoso.com.
Don't add geoffgrisso@contoso.com before you add geoffgrisso@contoso.onmicrosoft.com. This order is important, and
can be cumbersome to undo.
If you change information for a user whose identity is synchronized with your on-premises Active Directory
service, you can't change the user information in the Azure classic portal. To change the user information, use your
on-premises Active Directory management tools.
What's next
Add a user
Reset a user's password in the new Azure portal
Assign a user to a role in your Azure AD
Change a user's work information
Manage user profiles
Delete a user in your Azure AD
Add users from other directories or partner
companies in Azure Active Directory
1/17/2017 4 min to read Edit on GitHub
This article explains how to add users from other directories in Azure Active Directory or add users from partner
companies. For information about adding new users in your organization, and adding users who have Microsoft
accounts, see Add new users to Azure Active Directory. Added users don't have administrator permissions by
default, but you can assign roles to them at any time.
Add a user
1. Sign in to the Azure classic portal with an account that's a global admin for the directory.
2. Select Active Directory, and then open your directory.
3. Select the Users tab, and then, in the command bar, select Add User.
4. On the Tell us about this user page, under Type of user, select either:
User in another Azure AD directory adds a user account to your directory that's sourced from
another Azure AD directory. You can select a user in another directory only if you're also a member of
that directory.
Users in partner companies - to invite and authorize partner company users to your directory (See
Azure Active Directory B2B collaboration). You'll need to upload a CSV file specifying email addresses.
5. On the user Profile page, provide a first and last name, a user-friendly name, and a user role from the Roles
list. For more information about user and administrator roles, see Assigning administrator roles in Azure AD.
Specify whether to Enable Multi-Factor Authentication for the user.
6. On the Get temporary password page, select Create.
IMPORTANT
If your organization uses more than one domain, you should know about the following issues when you add a user account:
TO add user accounts with the same user principal name (UPN) across domains, first add, for example,
geoffgrisso@contoso.onmicrosoft.com, followed by geoffgrisso@contoso.com.
Don't add geoffgrisso@contoso.com before you add geoffgrisso@contoso.onmicrosoft.com. This order is important, and
can be cumbersome to undo.
If you change information for a user whose identity is synchronized with your on-premises Active Directory
service, you can't change the user information in the Azure classic portal. To change the user information, use your
on-premises Active Directory management tools.
NOTE
You can still disable the external user in the directory, which blocks access to your directory.
If a user is deleted in their home directory or they cancel their Microsoft account, the external user still exists in
your directory. However, the user in your directory can't access resources because they can't authenticate with a
home directory or Microsoft account.
Services that currently support access by Azure AD external users
Azure classic portal: allows an external user who's an administrator of multiple directories to manage each of
those directories.
SharePoint Online: if external sharing is enabled, allows an external user to access SharePoint Online
authorized resources.
Dynamics CRM: if the user is licensed via PowerShell, allows an external user to access authorized resources in
Dynamics CRM.
Dynamics AX: if the user is licensed via PowerShell, allows an external user to access authorized resources in
Dynamics AX. The limitations for Azure AD external users apply to external users in Dynamics AX as well.
Known limitations of Azure AD external users
External users who are admins can't add users from partner companies to directories (B2B collaboration)
outside their home directory
External users can't consent to multi-tenant applications in directories outside of their home directory
PowerBI doesn't currently support access by external users
Office Portal doesn't support licensing external users
With respect to Azure AD PowerShell, external users are logged into their home directory and cannot manage
directories in which they are external users
What's next
Add new users to Azure Active Directory
Administering Azure AD
Manage passwords in Azure AD
Manage groups in Azure AD
Delete a user from a directory in Azure Active
Directory preview
1/17/2017 1 min to read Edit on GitHub
This article explains how to delete a user from a directory in Azure Active Directory (Azure AD) preview. What's in
the preview? For information about adding new users to your organization, see Add new users to Azure Active
Directory preview.
To delete a user
1. Sign in to the Azure portal with an account that's a global admin for the directory.
2. Select More services, enter Users and groups in the text box, and then select Enter.
Next steps
Add new users to Azure Active Directory preview
Reset the password for a user in Azure Active Directory preview
Assign a user to administrator roles in Azure Active Directory preview
Add or change profile information for a user in Azure Active Directory preview
Delete a user from a directory in Azure Active Directory preview
Add or change profile information for a user in
Azure Active Directory preview
1/17/2017 1 min to read Edit on GitHub
This article explains how to add user profile information, such as a profile picture or phone and email
authentication information, in Azure Active Directory (Azure AD) preview. What's in the preview? For information
about adding new users in your organization, see Add new users to Azure Active Directory.
Next steps
Add new users to Azure Active Directory preview
Reset the password for a user in Azure Active Directory preview
Assign a user to administrator roles in Azure Active Directory preview
Add or change profile information for a user in Azure Active Directory preview
Delete a user from a directory in Azure Active Directory preview
Reset the password for a user in Azure Active
Directory preview
1/17/2017 1 min to read Edit on GitHub
What's next
Add a user
Assign a user to a role in your Azure AD
Change a user's work information
Manage user profiles
Delete a user in your Azure AD
Add or change work information for a user in Azure
Active Directory preview
1/17/2017 1 min to read Edit on GitHub
This article explains how to add or change work information such as phone numbers or department names for a
user in Azure Active Directory (Azure AD) preview. What's in the preview? For information about adding new
users in your organization, see Add new users to Azure Active Directory.
Next steps
Add new users to Azure Active Directory preview
Reset the password for a user in Azure Active Directory preview
Assign a user to administrator roles in Azure Active Directory preview
Add or change profile information for a user in Azure Active Directory preview
Delete a user from a directory in Azure Active Directory preview
Sharing accounts with Azure AD
1/17/2017 3 min to read Edit on GitHub
Overview
Sometimes organizations need to use a single username and password for multiple people. This typically happens
in two cases:
When accessing applications that require a unique login and password for each user, whether on-premises apps
or consumer cloud services ( e.g. corporate social media accounts).
When creating multi-user environments. You may have a single, local account that has elevated privileges and
can be used to do core setup, administration, and recovery activities (e.g. the local "global administrator"
account for Office 365 or the root account in Salesforce).
Traditionally, these accounts would be shared by distributing the credentials (username/password) to the right
individuals or storing them in a shared location where multiple trusted agents can access them.
The traditional sharing model has several drawbacks:
Enabling access to new applications requires you to distribute credentials to everyone that needs access.
Each shared application may require its own unique set of shared credentials, requiring users to remember
multiple sets of credentials. When users have to remember many credentials, the risk increases that they will
resort to risky practices. (e.g. writing down passwords).
You can't tell who has access to an application.
You can't tell who has accessed an application.
When you need to remove access to an application, you have to update the credentials and re-distribute them
to everyone that needs access to that application.
Sharing an account
To use Azure AD to share an account you will need to:
Add an application app gallery or custom application
Configure the application for password Single Sign-On (SSO)
Use group based assignment and select the option to enter a shared credential
Optional: in some applications, such as Facebook, Twitter, or LinkedIn, you can enable the option for Azure AD
automated password roll-over
You can also make your shared account more secure with Multi-Factor Authentication (MFA) (learn more about
securing applications with Azure AD) and you can delegate the ability to manage who has access to the application
using Azure AD Self-service Group Management.
Related articles
Article Index for Application Management in Azure Active Directory
Protecting apps with conditional access
Self-service group management/SSAA
Managing access to resources with Azure Active
Directory groups
1/17/2017 4 min to read Edit on GitHub
Azure Active Directory (Azure AD) is a comprehensive identity and access management solution that provides a
robust set of capabilities to manage access to on-premises and cloud applications and resources including
Microsoft online services like Office 365 and a world of non-Microsoft SaaS applications. This article provides an
overview, but if you want to start using Azure AD groups right now, follow the instructions in Managing security
groups in Azure AD. If you want to see how you can use PowerShell to manage groups in Azure Active directory
you can read more in Azure Active Directory preview cmdlets for group management.
NOTE
To use Azure Active Directory, you need an Azure account. If you don't have an account, you can sign up for a free Azure
account.
Within Azure AD, one of the major features is the ability to manage access to resources. These resources can be
part of the directory, as in the case of permissions to manage objects through roles in the directory, or resources
that are external to the directory, such as SaaS applications, Azure services, and SharePoint sites or on premise
resources. There are four ways a user can be assigned access rights to a resource:
1. Direct assignment
Users can be assigned directly to a resource by the owner of that resource.
2. Group membership
A group can be assigned to a resource by the resource owner, and by doing so, granting the members of
that group access to the resource. Membership of the group can then be managed by the owner of the
group. Effectively, the resource owner delegates the permission to assign users to their resource to the
owner of the group.
3. Rule-based
The resource owner can use a rule to express which users should be assigned access to a resource. The
outcome of the rule depends on the attributes used in that rule and their values for specific users, and by
doing so, the resource owner effectively delegates the right to manage access to their resource to the
authoritative source for the attributes that are used in the rule. The resource owner still manages the rule
itself and determines which attributes and values provide access to their resource.
4. External authority
The access to a resource is derived from an external source; for example, a group that is synchronized
from an authoritative source such as an on-premises directory or a SaaS app such as WorkDay. The
resource owner assigns the group to provide access to the resource, and the external source manages the
members of the group.
Watch a video that explains access management
You can watch a short video that explains more about this:
Azure AD: Introduction to dynamic membership for groups
This article explains how to create and populate a new group in the Azure Active Directory (Azure AD) preview.
What's in the preview? Use a group to perform management tasks such as assigning licenses or permissions to a
number of users or devices at once.
5. On the Group blade, add a name and description for the group.
6. To select members to add to the group, select Assigned in the Membership type box, and then select
Members. For more information about how to manage the membership of a group dynamically, see Using
attributes to create advanced rules for group membership.
7. On the Members blade, select one or more users or devices to add to the group and select the Select button at
the bottom of the blade to add them to the group. The User box filters the display based on matching your
entry to any part of a user or device name. No wildcard characters are accepted in that box.
8. When you finish adding members to the group, select Create on the Group blade.
Additional information
These articles provide additional information on Azure Active Directory.
See existing groups
Manage settings of a group
Manage members of a group
Manage memberships of a group
Manage dynamic rules for users in a group
Managing groups in Azure Active Directory
1/17/2017 4 min to read Edit on GitHub
One of the features of Azure Active Directory (Azure AD) user management is the ability to create groups of users.
You use a group to perform management tasks such as assigning licenses or permissions to a number of users at
once. You can also use groups to assign access permission to
Resources such as objects in the directory
Resources external to the directory such as SaaS applications, Azure services, SharePoint sites, or on-premises
resources
In addition, a resource owner can also assign access to a resource to an Azure AD group owned by someone else.
This assignment grants the members of that group access to the resource. Then, the owner of the group manages
membership in the group. Effectively, the resource owner delegates to the owner of the group the permission to
assign users to their resource.
NOTE
You can set up a rule for dynamic membership on security groups or Office 365 groups. Nested group memberships aren't
currently supported for group-based assignment to applications.
Dynamic memberships for groups require an Azure AD Premium license to be assigned to
The administrator who manages the rule on a group
All members of the group
Additional information
These articles provide additional information on Azure Active Directory.
Managing access to resources with Azure Active Directory groups
Azure Active Directory cmdlets for configuring group settings
Article Index for Application Management in Azure Active Directory
What is Azure Active Directory?
Integrating your on-premises identities with Azure Active Directory
Azure Active Directory preview cmdlets for group
management
1/17/2017 5 min to read Edit on GitHub
The following document will provide you with examples of how to use PowerShell to manage your groups in
Azure Active Directory (Azure AD). It also provides information on how to get set up with the Azure AD PowerShell
preview module. First, you must download the Azure AD PowerShell module.
To verify that the preview module was installed, use the following command:
Now you can start using the cmdlets in the module. For a full description of the cmdlets in the AzureAD Preview
module, please refer to the online reference documentation.
PS C:\Windows\system32> Connect-AzureAD
The cmdlet will prompt you for the credentials you want to use to access your directory. In this example, we are
using karen@drumkit.onmicrosoft.com to access the demonstration directory. The cmdlet will return a
confirmation to show the session was connected successfully to your directory:
Now you can start using the AzureAD preview cmdlets to manage groups in your directory.
Retrieving groups
To retrieve existing groups from your directory you can use the Get-AzureADGroups cmdlet. To retrieve all groups
in the directory, use the cmdlet without parameters:
PS C:\Windows\system32> get-azureadgroup
The cmdlet will now return the group whose objectID matches the value of the parameter you entered:
DeletionTimeStamp :
ObjectId : e29bae11-4ac0-450c-bc37-6dae8f3da61b
ObjectType : Group
Description :
DirSyncEnabled :
DisplayName : Pacific NW Support
LastDirSyncTime :
Mail :
MailEnabled : False
MailNickName : 9bb4139b-60a1-434a-8c0d-7c1f8eee2df9
OnPremisesSecurityIdentifier :
ProvisioningErrors : {}
ProxyAddresses : {}
SecurityEnabled : True
You can search for a specific group using the -filter parameter. This parameter takes an ODATA filter clause and
returns all groups that match the filter, as in the following example:
DeletionTimeStamp :
ObjectId : 31f1ff6c-d48c-4f8a-b2e1-abca7fd399df
ObjectType : Group
Description : Intune Administrators
DirSyncEnabled :
DisplayName : Intune Administrators
LastDirSyncTime :
Mail :
MailEnabled : False
MailNickName : 4dd067a0-6515-4f23-968a-cc2ffc2eff5c
OnPremisesSecurityIdentifier :
ProvisioningErrors : {}
ProxyAddresses : {}
SecurityEnabled : True
Note that the AzureAD PowerShell cmdlets implement the OData query standard, more information can be found
here.
Creating groups
To create a new group in your directory, use the New-AzureADGroup cmdlet. This cmdlet creates a new security
group called Marketing":
DeletionTimeStamp :
ObjectId : 31f1ff6c-d48c-4f8a-b2e1-abca7fd399df
ObjectType : Group
Description : Intune Administrators
DirSyncEnabled :
DisplayName : Intune Administrators
LastDirSyncTime :
Mail :
MailEnabled : False
MailNickName : 4dd067a0-6515-4f23-968a-cc2ffc2eff5c
OnPremisesSecurityIdentifier :
ProvisioningErrors : {}
ProxyAddresses : {}
SecurityEnabled : True
Next, were changing the Description property to the new value Intune Device Administrators:
Now if we find the group again, we see the Description property is updated to reflect the new value:
DeletionTimeStamp :
ObjectId : 31f1ff6c-d48c-4f8a-b2e1-abca7fd399df
ObjectType : Group
Description : Intune Device Administrators
DirSyncEnabled :
DisplayName : Intune Administrators
LastDirSyncTime :
Mail :
MailEnabled : False
MailNickName : 4dd067a0-6515-4f23-968a-cc2ffc2eff5c
OnPremisesSecurityIdentifier :
ProvisioningErrors : {}
ProxyAddresses : {}
SecurityEnabled : True
Deleting groups
To delete groups from your directory, use the Remove-AzureADGroup cmdlet as follows:
The -ObjectId parameter is the ObjectID of the group to which we want to add a member, and the -RefObjectId is
the ObjectID of the user we want to add as a member to the group.
To get the existing members of a group, use the Get-AzureADGroupMember cmdlet, as in this example:
To remove the member we previously added to the group, use the Remove-AzureADGroupMember cmdlet, as is
shown here:
To verify the group membership(s) of a user, use the Select-AzureADGroupIdsUserIsMemberOf cmdlet. This
cmdlet takes as its parameters the ObjectId of the user for which to check the group memberships, and a list of
groups for which to check the memberships. The list of groups must be provided in the form of a complex variable
of type Microsoft.Open.AzureAD.Model.GroupIdsForMembershipCheck, so we first must create a variable with
that type:
Next, we provide values for the groupIds to check in the attribute GroupIds of this complex variable:
Now, if we want to check the group memberships of a user with ObjectID 72cd4bbd-2594-40a2-935c-
016f3cfeeeea against the groups in $g, we should use:
OdataMetadata
Value
-------------
-----
https://graph.windows.net/85b5ff1e-0402-400c-9e3c-0f9e965325d1/$metadata#Collection(Edm.String)
{31f1ff6c-d48c-4f8a-b2e1-abca7fd399df}
The value returned is a list of groups of which this user is a member. You can also apply this method to check
Contacts, Groups or Service Principals membership for a given list of groups, using Select-
AzureADGroupIdsContactIsMemberOf, Select-AzureADGroupIdsGroupIsMemberOf or Select-
AzureADGroupIdsServicePrincipalIsMemberOf
Managing owners of groups
To add owners to a group, use the Add-AzureADGroupOwner cmdlet:
The -ObjectId parameter is the ObjectID of the group to which we want to add an owner, and the -RefObjectId is
the ObjectID of the user we want to add as an owner of the group.
To retrieve the owners of a group, use the Get-AzureADGroupOwner:
The cmdlet will return the list of owners for the specified group:
Next steps
You can find more Azure Active Directory PowerShell documentation at Azure Active Directory Cmdlets.
Managing access to resources with Azure Active Directory groups
Integrating your on-premises identities with Azure Active Directory
Manage the members for a group in Azure Active
Directory preview
1/17/2017 1 min to read Edit on GitHub
This article explains how to manage the members for a group in Azure Active Directory (Azure AD) preview. What's
in the preview?
6. To add members to the group, on the Group - Members blade, select Add Members.
7. On the Members blade, select one or more users or devices to add to the group and select the Select button at
the bottom of the blade to add them to the group. The User box filters the display based on matching your
entry to any part of a user or device name. No wildcard characters are accepted in that box.
8. To remove members from the group, on the Group - Members blade, select a member.
9. On the membername blade, select the Remove command, and confirm your choice at the prompt.
10. When you finish changing members for the group, select Save.
Additional information
These articles provide additional information on Azure Active Directory.
See existing groups
Create a new group and adding members
Manage settings of a group
Manage memberships of a group
Manage dynamic rules for users in a group
Managing owners for a group
1/17/2017 1 min to read Edit on GitHub
Once a resource owner has assigned access to a resource to an Azure AD group, the membership of the group is
managed by the group owner. The resource owner effectively delegates the permission to assign users to the
resource to the owner of the group.
Additional information
These articles provide additional information on Azure Active Directory.
Managing access to resources with Azure Active Directory groups
Azure Active Directory cmdlets for configuring group settings
Article Index for Application Management in Azure Active Directory
What is Azure Active Directory?
Integrating your on-premises identities with Azure Active Directory
Manage the groups your group is a member of in
Azure Active Directory preview
1/17/2017 1 min to read Edit on GitHub
Groups can contain other groups in Azure Active Directory preview. What's in the preview? Here's how to manage
those memberships.
6. To add your group as a member of another group, on the Group - Group memberships blade, select the Add
command.
7. Select a group from the Select Group blade, and then select the Select button at the bottom of the blade.
You can add your group to only one group at a time. The User box filters the display based on matching
your entry to any part of a user or device name. No wildcard characters are accepted in that box.
8. To remove your group as a member of another group, on the Group - Group memberships blade, select a
group.
9. On the groupname blade, select the Remove command, and confirm your choice at the prompt.
10. When you finish changing group memberships for your group, select Save.
Additional information
These articles provide additional information on Azure Active Directory.
See existing groups
Create a new group and adding members
Manage settings of a group
Manage members of a group
Manage dynamic rules for users in a group
View all existing groups in Azure Active Directory
preview
1/17/2017 1 min to read Edit on GitHub
This article explains how to view all groups in Azure Active Directory (Azure AD) preview. What's in the preview?
One of the features of Azure Active Directory (Azure AD) user management is the ability to create groups that you
can populate with your users. You use a group to perform management tasks such as assigning licenses or
permissions to a number of users at once.
Additional information
These articles provide additional information on Azure Active Directory.
See existing groups
Create a new group and adding members
Manage settings of a group
Manage members of a group
Manage memberships of a group
Manage dynamic rules for users in a group
Dedicated groups in Azure Active Directory
1/17/2017 1 min to read Edit on GitHub
In Azure Active Directory (Azure AD), the dedicated groups feature automatically creates and populates
membership for Azure AD predefined groups. Members of dedicated groups cannot be added or removed using
the Azure classic portal, Windows PowerShell cmdlets, or programmatically.
NOTE
Dedicated groups require that an Azure AD Premium license is assigned to
the administrator who manages the rule on a group
all users who are selected by the rule to be a member of the group
For a group that excludes all Guests, use a rule such as the following:
To learn about how to create advanced rules (rules that can contain multiple comparisons) for dynamic group
membership, see Using attributes to create advanced rules.
These articles provide additional information on Azure Active Directory.
Managing access to resources with Azure Active Directory groups
Article Index for Application Management in Azure Active Directory
What is Azure Active Directory?
Integrating your on-premises identities with Azure Active Directory
Using a group to manage access to SaaS applications
1/17/2017 2 min to read Edit on GitHub
Using Azure Active Directory (Azure AD) with an Azure AD Premium or Azure AD Basic license, you can use groups
to assign access to a SaaS application that's integrated with Azure AD. For example, if you want to assign access
for the marketing department to use five different SaaS applications, you can create a group that contains the
users in the marketing department, and then assign that group to these five SaaS applications that are needed by
the marketing department. This way you can save time by managing the membership of the marketing
department in one place. Users then are assigned to the application when they are added as members of the
marketing group, and have their assignments removed from the application when they are removed from the
marketing group.
This capability can be used with hundreds of applications that you can add from within the Azure AD Application
Gallery.
To assign access for a group to a SaaS application
1. In the Azure classic portal, select Active Directory on the navigation bar on the left hand side.
2. Select the Directory tab, and then open the directory in which you want to assign access for a group to a SaaS
application.
3. Select the Applications tab. Select an application that you added from the Application Gallery, and then click
the Users and Groups tab.
4. On the Users and Groups tab, in the Starting with field, enter the name of the group to which you want to
assign access, and then select the check mark in the upper right. You only need to type the first part of a
group's name.
5. Select the group, then then select the Assign Access button. Select Yes when you see the confirmation
message. Nested group memberships are not supported for group-based assignment to applications at this
time.
6. You can also see which users are assigned to the application, either directly or by membership in a group. To
do this, change the Show dropdown from 'Groups' to 'All Users'. The list shows users in the directory and
whether or not each user is assigned to the application. The list also shows whether the assigned users are
assigned to the application directly (assignment type shown as 'Direct'), or by virtue of group membership
(assignment type shown as 'Inherited.')
NOTE
You can see the Users and Groups tab only after you have enabled Azure AD Premium or Azure AD Basic.
Related Articles
These articles provide additional information on Azure Active Directory.
Managing access to resources with Azure Active Directory groups
Article Index for Application Management in Azure Active Directory
Azure Active Directory cmdlets for configuring group settings
What is Azure Active Directory?
Integrating your on-premises identities with Azure Active Directory
Manage the settings for a group in Azure Active
Directory preview
1/17/2017 1 min to read Edit on GitHub
This article explains how to change the settings for a group in Azure Active Directory (Azure AD) preview. What's in
the preview?
6. When you finish changing properties for the group, select Save.
Additional information
These articles provide additional information on Azure Active Directory.
See existing groups
Create a new group and adding members
Manage members of a group
Manage memberships of a group
Manage dynamic rules for users in a group
Azure Active Directory cmdlets for configuring group
settings
1/17/2017 3 min to read Edit on GitHub
The following settings for unified groups can be configured in your directory:
1. Classifications: the comma-separated list of classifications that users can set on a group. Examples would be
Classified, Secret, and Top Secret.
2. Usage Guidelines URL: a URL that points users to the terms of use for using Unified Groups, as defined by your
organization. This URL will show up in the user interface where users use groups.
3. Group creation enabled: whether none, some or all users are allowed to create Unified Groups. When set to on,
all users can create groups. When set to off, no users can create groups. When off, you can also specify a
security group whose users who are still allowed to create groups.
These settings are configured using a Settings and SettingsTemplate objects. Initially, you will not see any Settings
objects in your directory. This means your directory is configured with the default settings. To change the default
settings, you will create a new settings object using a settings template. Settings templates are defined by
Microsoft.
You can download the module containing the cmdlets used for these operations from the Microsoft Connect site.
2. To add a usage guideline URL, first you need to get the SettingsTemplate object that defines the usage
guideline URL value; that is, the Group.Unified template:
$template = Get-MsolSettingTemplate TemplateId 62375ab9-6b52-47ed-826b-58e47e0e304b
Next steps
You can find more Azure Active Directory PowerShell documentation at Azure Active Directory Cmdlets.
Additional instruction from Microsoft program manager Rob de Jong is available at Rob's Groups Blog.
Managing access to resources with Azure Active Directory groups
Integrating your on-premises identities with Azure Active Directory
Using attributes to create advanced rules for group
membership in Azure Active Directory preview
1/17/2017 6 min to read Edit on GitHub
The Azure portal provides you with the ability to create advanced rules to enable more complex attribute-based
dynamic memberships for Azure Active Directory (Azure AD) preview groups. What's in the preview? This article
details the rule attributes and syntax to create these advanced rules.
5. On the Group blade, enter a name and description for the new group. Select a Membership type of either
Dynamic User or Dynamic Device, depending on whether you want to create a rule for users or devices,
and then select Add dynamic query. For the attributes used for device rules, see Using attributes to create
rules for device objects.
6. On the Dynamic membership rules blade, enter your rule into the Add dynamic membership advanced
rule box, press Enter, and then select Create at the bottom of the blade.
7. Select Create on the Group blade to create the group.
NOTE
String and regex operations are case insensitive. You can also perform Null checks, using $null as a constant, for example,
user.department -eq $null. Strings containing quotes " should be escaped using 'character, for example, user.department -
eq `"Sales".
OPERATOR SYNTAX
Equals -eq
Contains -contains
Match -match
Error: Attribute not supported. (user.invalidProperty -eq "Value") (user.department -eq "value")
Property should match one from the
supported properties list.
Error: Operator is not supported on (user.accountEnabled -contains true) (user.accountEnabled -eq true)
attribute. Property is of type boolean. Use the
supported operators (-eq or -ne) on
boolean type from the above list.
Error: Query compilation error. (user.department -eq "Sales") -and (user.department -eq "Sales") -and
(user.department -eq "Marketing") (user.department -eq "Marketing")
(user.userPrincipalName -match Logical operator should match one
"*@domain.ext") from the supported properties list
above.(user.userPrincipalName -match
".*@domain.ext")or(user.userPrincipalNa
me -match "@domain.ext$")Error in
regular expression.
Error: Binary expression is not in right (user.department eq Sales) (user.accountEnabled -eq true) -and
format. (user.department -eq "Sales") (user.userPrincipalName -contains
(user.department-eq"Sales") "alias@domain")<br/>Query has
multiple errors. Parenthesis not in right
place.
Error: Unknown error occurred during (user.accountEnabled -eq "True" AND (user.accountEnabled -eq true) -and
setting up dynamic memberships. user.userPrincipalName -contains (user.userPrincipalName -contains
"alias@domain") "alias@domain")<br/>Query has
multiple errors. Parenthesis not in right
place.
Supported properties
The following are all the user properties that you can use in your advanced rule:
Properties of type boolean
Allowed operators
-eq
-ne
mailNickName Any string value (mail alias of the user) (user.mailNickName -eq "value")
Additional information
These articles provide additional information on groups in Azure Active Directory.
See existing groups
Create a new group and adding members
Manage settings of a group
Manage memberships of a group
Manage dynamic rules for users in a group
Using attributes to create advanced rules
1/17/2017 7 min to read Edit on GitHub
The Azure classic portal provides you with the ability to create advanced rules to enable more complex attribute-
based dynamic memberships for Azure Active Directory (Azure AD) groups.
When any attributes of a user change, the system evaluates all dynamic group rules in a directory to see if the
attribute change of the user would trigger any group adds or removes. If a user satisfies a rule on a group, they are
added as a member to that group. If they no longer satisfy the rule of a group they are a member of, they are
removed as a members from that group.
NOTE
You can set up a rule for dynamic membership on security groups or Office 365 groups. Nested group memberships aren't
currently supported for group-based assignment to applications.
Dynamic memberships for groups require an Azure AD Premium license to be assigned to
The administrator who manages the rule on a group
All members of the group
NOTE
String and regex operations are case insensitive. Strings containing quotes " should be escaped using 'character, for example,
user.department -eq `"Sales". Only use quotes for string type values, and only use English quotes.
OPERATOR SYNTAX
Equals -eq
Contains -contains
Match -match
Operator precedence
All Operators are listed below per precedence from lower to higher, operator in same line are in equal precedence
-any -all -or -and -not -eq -ne -startsWith -notStartsWith -contains -notContains -match notMatch
All operators can be used with or without hyphen prefix.
Note that parenthesis are not always needed, you only need to add parenthesis when precedence does not meet
your requirements For example:
user.department eq "Marketing" and user.country eq "US"
is equivalent to:
(user.department eq "Marketing") and (user.country eq "US")
Error: Attribute not supported. (user.invalidProperty -eq "Value") (user.department -eq "value")
Property should match one from the
supported properties list.
Error: Operator is not supported on (user.accountEnabled -contains true) (user.accountEnabled -eq true)
attribute. Property is of type boolean. Use the
supported operators (-eq or -ne) on
boolean type from the above list.
Error: Query compilation error. (user.department -eq "Sales") -and (user.department -eq "Sales") -and
(user.department -eq "Marketing") (user.department -eq "Marketing")
(user.userPrincipalName -match Logical operator should match one
"*@domain.ext") from the supported properties list
above.(user.userPrincipalName -match
".*@domain.ext")or(user.userPrincipalNa
me -match "@domain.ext$")Error in
regular expression.
Error: Binary expression is not in right (user.department eq Sales) (user.accountEnabled -eq true) -and
format. (user.department -eq "Sales") (user.userPrincipalName -contains
(user.department-eq"Sales") "alias@domain")<br/>Query has
multiple errors. Parenthesis not in right
place.
Error: Unknown error occurred during (user.accountEnabled -eq "True" AND (user.accountEnabled -eq true) -and
setting up dynamic memberships. user.userPrincipalName -contains (user.userPrincipalName -contains
"alias@domain") "alias@domain")<br/>Query has
multiple errors. Parenthesis not in right
place.
Supported properties
The following are all the user properties that you can use in your advanced rule:
Properties of type boolean
Allowed operators
-eq
-ne
mail Any string value or $null (SMTP address (user.mail -eq "value")
of the user)
mailNickName Any string value (mail alias of the user) (user.mailNickName -eq "value")
NOTE
These device rules cannot be created using the "simple rule" dropdown in the Azure classic portal.
Additional information
These articles provide additional information on Azure Active Directory.
Troubleshooting dynamic memberships for groups
Managing access to resources with Azure Active Directory groups
Azure Active Directory cmdlets for configuring group settings
Article Index for Application Management in Azure Active Directory
Integrating your on-premises identities with Azure Active Directory
Setting up Azure Active Directory for self-service
group management
1/17/2017 3 min to read Edit on GitHub
Self-service group management enables users to create and manage security groups or Office 365 groups in
Azure Active Directory (Azure AD). Users can also request security group or Office 365 group memberships, and
then the owner of the group can approve or deny membership. In this way, day-to-day control of group
membership can be delegated to people who understand the business context for that membership. Self-service
group management features are available only for security groups and Office 365 groups, but not for mail-
enabled security groups or distribution lists.
Self-service group management currently comprises two essential scenarios: delegated group management and
self-service group management.
Delegated group management An example is an administrator who is managing access to a SaaS
application that the company is using. Managing these access rights is becoming cumbersome, so this
administrator asks the business owner to create a new group. The administrator assigns access for the
application to the new group, and adds to the group all people already accessing to the application. The
business owner then can add more users, and those users are automatically provisioned to the application.
The business owner doesn't need to wait for the administrator to manage access for users. If the administrator
grants the same permission to a manager in a different business group, then that person can also manage
access for their own users. Neither the business owner nor the manager can view or manage each others
users. The administrator can still see all users who have access to the application and block access rights if
needed.
Self-service group management An example of this scenario is two users who both have SharePoint Online
sites that they set up independently. They want to give each others teams access to their sites. To accomplish
this, they can create one group in Azure AD, and in SharePoint Online each of them selects that group to
provide access to their sites. When someone wants access, they request it from the Access Panel, and after
approval they get access to both SharePoint Online sites automatically. Later, one of them decides that all
people accessing the site should also get access to a particular SaaS application. The administrator of the SaaS
application can add access rights for the application to the SharePoint Online site. From then on, any requests
that get approved gives access to the two SharePoint Online sites and also to this SaaS application.
Additional information
These articles provide additional information on Azure Active Directory.
Managing access to resources with Azure Active Directory groups
Azure Active Directory cmdlets for configuring group settings
Article Index for Application Management in Azure Active Directory
What is Azure Active Directory?
Integrating your on-premises identities with Azure Active Directory
Troubleshooting dynamic memberships for groups
1/17/2017 1 min to read Edit on GitHub
NOTE
Some advanced anomaly and resource usage reports are only available when you enable Azure Active Directory
Premium. Advanced reports help you improve access security, respond to potential threats and get access to analytics
on device access and application usage.
Azure Active Directory Premium and Basic editions are available for customers in China using the worldwide instance of
Azure Active Directory. Azure Active Directory Premium and Basic editions are not currently supported in the Microsoft
Azure service operated by 21Vianet in China. For more information, contact us at the Azure Active Directory Forum.
Reports
REPORT DESCRIPTION
Sign ins from unknown sources May indicate an attempt to sign in without being traced.
Sign ins after multiple failures May indicate a successful brute force attack.
Sign ins from multiple geographies May indicate that multiple users are signing in with the same
account.
Sign ins from IP addresses with suspicious activity May indicate a successful sign in after a sustained intrusion
attempt.
Sign ins from possibly infected devices May indicate an attempt to sign in from possibly infected
devices.
Irregular sign in activity May indicate events anomalous to users sign in patterns.
REPORT DESCRIPTION
Users with anomalous sign in activity Indicates users whose accounts may have been
compromised.
Activity logs
Password reset activity Provides a detailed view of password resets that occur in
your organization.
Password reset registration activity Provides a detailed view of password reset registrations that
occur in your organization.
Self service groups activity Provides an activity log to all group self service activity in
your directory
Integrated applications
Rights management
Most active RMS users Lists top 1000 active users who accessed RMS-protected files
RMS device usage Lists devices used for accessing RMS-protected files
Report editions
REPORT FREE BASIC PREMIUM
Anomalous activity
reports
Activity logs
Audit report
Integrated applications
Application usage
Account provisioning
activity
Rights managment
Activity logs
Audit report
DESCRIPTION REPORT LOCATION
Shows a record of all audited events within the last 24 hours, Directory > Reports tab
last 7 days, or last 30 days.
For more information, see Azure Active Directory Audit
Report Events
Shows all password reset attempts that have occurred in Directory > Reports tab
your organization.
Shows all password reset registrations that have occurred in Directory > Reports tab
your organization
Shows all activity for the self-service managed groups in your Directory > Users > User > Devices tab
directory.
Use this report when you want to see usage for all the SaaS Directory > Reports tab
applications in your directory. This report is based on the
number of times users have clicked on the application in the
Access Panel.
This report includes sign ins to all applications that your directory has access to, including pre-integrated
Microsoft applications.
Pre-integrated Microsoft applications include Office 365, Sharepoint, the Azure Management Portal, and others.
Application usage: detailed
DESCRIPTION REPORT LOCATION
Use this report when you want to see how much a specific Directory > Reports tab
SaaS application is being used. This report is based on the
number of times users have clicked on the application in the
Access Panel.
Application dashboard
DESCRIPTION REPORT LOCATION
This report indicates cumulative sign ins to the application by Directory > Application > Dashboard tab
users in your organization, over a selected time interval. The
chart on the dashboard page will help you identify trends for
all usage of that application.
Error reports
Account provisioning errors
DESCRIPTION REPORT LOCATION
Use this to monitor errors that occur during the Directory > Reports tab
synchronization of accounts from SaaS applications to Azure
Active Directory.
User-specific reports
Devices
DESCRIPTION REPORT LOCATION
Use this report when you want to see the IP address and Directory > Users > User > Devices tab
geographical location of devices that a specific user has used
to access Azure Active Directory.
Activity
DESCRIPTION REPORT LOCATION
Shows the sign in activity for a user. The report includes Directory > Users > User > Activity tab
information like the application signed into, device used, IP
address, and location. We do not collect the history for users
that sign in with a Microsoft account.
Sign ins to a custom business app that has been added to No (Coming soon)
the directory
Sign ins to an Azure AD Application Proxy app that has been No (Coming soon)
added to the directory
Note: To reduce the amount of noise in this report, sign ins by the Microsoft Online Services Sign-In Assistant
are not shown.
NOTE
If this is the first time you have used the reporting feature of Azure Active Directory, you will see a message to Opt
In. If you agree, click the check mark icon to continue.
3. Click the drop-down menu next to Interval, and then select one of the following time ranges that should
be used when generating this report:
Last 24 hours
Last 7 days
Last 30 days
4. Click the check mark icon to run the report.
Up to 1000 events will be shown in the Azure classic portal.
5. If applicable, click Download to download the report to a compressed file in comma-separated values (CSV)
format for offline viewing or archiving purposes.
Up to 75,000 events will be included in the downloaded file.
For more data, check out the Azure AD Reporting API.
Ignore an event
If you are viewing any anomaly reports, you may notice that you can ignore various events that show up in
related reports. To ignore an event, simply highlight the event in the report and then click Ignore. The Ignore
button will permanently remove the highlighted event from the report and can only be used by licensed global
admins.
What's next
Getting started with Azure Active Directory Premium
Add company branding to your Sign In and Access Panel pages
Getting started with Azure Active Directory
Reporting
1/17/2017 3 min to read Edit on GitHub
What it is
Azure Active Directory (Azure AD) includes security, activity, and audit reports for your directory. Here's a list of the
reports included:
Security reports
Sign-ins from unknown sources
Sign-ins after multiple failures
Sign-ins from multiple geographies
Sign-ins from IP addresses with suspicious activity
Irregular sign-in activity
Sign-ins from possibly infected devices
Users with anomalous sign-in activity
Activity reports
Application usage: summary
Application usage: detailed
Application dashboard
Account provisioning errors
Individual user devices
Individual user Activity
Groups activity report
Password Reset Registration Activity Report
Password reset activity
Audit reports
Directory audit report
TIP
For more documentation on Azure AD Reporting, check out View your access and usage reports.
How it works
Reporting pipeline
The reporting pipeline consists of three main steps. Every time a user signs in, or an authentication is made, the
following happens:
First, the user is authenticated (successfully or unsuccessfully), and the result is stored in the Azure Active
Directory service databases.
At regular intervals, all recent sign ins are processed. At this point, our security and anomalous activity
algorithms are searching all recent sign ins for suspicious activity.
After processing, the reports are written, cached, and served in the Azure classic portal.
Report generation times
Due to the large volume of authentications and sign ins processed by the Azure AD platform, the most recent sign-
ins processed are, on average, one hour old. In rare cases, it may take up to 8 hours to process the most recent
sign-ins.
You can find the most recent processed sign-in by examining the help text at the top of each report.
TIP
For more documentation on Azure AD Reporting, check out View your access and usage reports.
Getting started
Sign into the Azure classic portal
First, you'll need to sign into the Azure classic portal as a global or compliance administrator. You must also be an
Azure subscription service administrator or co-administrator, or be using the "Access to Azure AD" Azure
subscription.
Navigate to Reports
To view Reports, navigate to the Reports tab at the top of your directory.
If this is your first time viewing the reports, you'll need to agree to a dialog box before you can view the reports.
This is to ensure that it's acceptable for admins in your organization to view this data, which may be considered
private information in some countries.
TIP
For more documentation on Azure AD Reporting, check out View your access and usage reports.
Next steps
Customize alerts for anomalous sign in activity
Navigate to the "Configure" tab of your directory.
Scroll to the "Notifications" section.
Enable or disable the "Email Notifications of Anomalous sign-ins" section.
TIP
For more documentation on Azure AD Reporting, check out View your access and usage reports.
Learn more
Audit events
Learn about what events are audited in the directory in Azure Active Directory Reporting Audit Events.
API Integration
See Getting started with the Reporting API and the API reference documentation.
Get in touch
Email aadreportinghelp@microsoft.com for feedback, help, or any questions you might have.
TIP
For more documentation on Azure AD Reporting, check out View your access and usage reports.
Known networks
1/18/2017 1 min to read Edit on GitHub
You can use Azure Active Directory's access and usage reports to gain visibility into the integrity and security of
your organizations directory. With this information, a directory admin can better determine where possible
security risks may lie so that they can adequately plan to mitigate those risks.
It is possible that the Sign ins from multiple geographies and Sign ins from IP addresses with suspicious activity
reports incorrectly flag IP addresses that are actually owned by your organization.
This can, for example, happen when:
A user in your Boston office has signed in remotely to your data center in San Francisco triggers the Sign ins
from multiple geographies report
A user of your organization tries to sign-on several times with an incorrect password triggers the Sign ins from
IP addresses with suspicious activity report
To prevent these cases from generating misleading security reports, you should add known IP address ranges to
the list of your organization's public IP address.
To add your organizations public IP address ranges, perform the following steps:
1. Sign-on to the Azure management portal.
2. In the left pane, click Active Directory.
Sign-in activities
User sign-in activities
With the information provided by the user sign-in report, you find answers to questions such as:
What is the sign-in pattern of a user?
How many users have users signed in over a week?
Whats the status of these sign-ins?
Your entry point to this data is the user sign-in graph in the Overview section under Users and groups.
The user sign-in graph shows weekly aggregations of sign ins for all users in a given time period. The default for
the time period is 30 days.
When you click on a day in the sign-in graph, you get a detailed list of the sign-in activities.
Each row in the sign-in activities list gives you the detailed information about the selected sign-in such as:
Who has signed in?
What was the related UPN?
What application was the target of the sign-in?
What is the IP address of the sign-in?
What was the status of the sign-in?
Usage of managed applications
With an application-centric view of your sign-in data, you can answer questions such as:
Who is using my applications?
What are the top 3 applications in your organization?
I have recently rolled out an application. How is it doing?
Your entry point to this data is the top 3 applications in your organization within the last 30 days report in the
Overview section under Enterprise applications.
The app usage graph weekly aggregations of sign ins for your top 3 applications in a given time period. The default
for the time period is 30 days.
If you want to, you can set the focus on a specific application.
When you click on a day in the app usage graph, you get a detailed list of the sign-in activities.
The Sign-ins option gives you a complete overview of all sign-in events to your applications.
By using the column chooser, you can select the data fields you want to display.
Filtering sign-ins
You can filter sign-ins to limit the amount of displayed data using the following fields:
Date and time
User's user principal name
Application name
Client name
Sign-in status
Another method to filter the entries of the sign-in activities is to search for specific entries. The search method
enables you to scope your sign-ins around specific users, groups or applications.
Audit logs
The auditing logs in Azure Active Directory provide records of system activities for compliance.
There are three main categories for auditing related activities in the Azure portal:
Users and groups
Applications
Directory
For a complete list of audit report activities, see the list of audit report events.
Your entry point to all auditing data is Audit logs in the Activity section of Azure Active Directory.
An audit log has a list view that shows the actors (who), the activities (what) and the targets.
By clicking an item in the list view, you can get more details about it.
Users and groups audit logs
With user and group-based audit reports, you can get answers to questions such as:
What types of updates have been applied the users?
How many users were changed?
How many passwords were changed?
What has an administrator done in a directory?
What are the groups that have been added?
Are there groups with membership changes?
Have the owners of group been changed?
What licenses have been assigned to a group or a user?
If you just want to review auditing data that is related to users and groups, you can find a filtered view under Audit
logs in the Activity section of Users and Groups.
Application audit logs
With application-based audit reports, you can get answers to questions such as:
What are the applications that have been added or updated?
What are the applications that have been removed?
Has a service principle for an application changed?
Have the names of applications been changed?
Who gave consent to an application?
If you just want to review auditing data that is related to applications, you can find a filtered view under Audit logs
in the Activity section of Enterprise applications.
Filtering audit logs
You can filter sign-ins to limit the amount of displayed data using the following fields:
Date and time
Actor's user principal name
Activity type
Activity
The content of the Activity Type list, is tied to your entry point to this blade.
If your entry point is Azure Active Directory, this list contains all possible activity types:
Application
Group
User
Device
Directory
Policy
Other
The listed activities are scoped by activity type. For example, if you have Group selected as Activity Type, the
Activity list only contains group related activities.
Another method to filter the entries of a audit log is to search for specific entries.
Next steps
See the Azure Active Directory Reporting Guide.
Getting started with the Azure Active Directory
reporting API
1/17/2017 1 min to read Edit on GitHub
Learning map
1. Prepare - Before you can test your API samples, you need to complete the prerequisites to access the Azure
AD reporting API.
2. Explore - Get a first impression of the reporting APIs:
Using the samples for the audit API
Using the samples for the sign-in activity report API
3. Customize - Create your own solution:
Using the audit API reference
Using the sign-in activity report API reference
Next Steps
If you are curious to see all of the available Azure AD Graph API endpoints by navigating to
https://graph.windows.net/tenant-name/reports/$metadata?api-version=beta.
Azure Active Directory audit API reference
1/17/2017 3 min to read Edit on GitHub
This topic is part of a collection of topics about the Azure Active Directory reporting API.
Azure AD reporting provides you with an API that enables you to access audit data using code or related tools. The
scope of this topic is to provide you with reference information about the audit API.
See:
Audit logs for more conceptual information
Getting started with the Azure Active Directory Reporting API for more information about the reporting API.
For questions, issues or feedback, please contact AAD Reporting Help.
Prerequisites
In order to access this report through the Reporting API, you must have:
An Azure Active Directory Free or better edition
Completed the prerequisites to access the Azure AD reporting API.
API Endpoint
You can access this API using the following URI:
https://graph.windows.net/contoso.com/activities/audit?api-version=beta
There is no limit on the number of records returned by the Azure AD audit API (using OData pagination). For
retention limits on reporting data, check out Reporting Retention Policies.
This call returns the data in batches. Each batch has a maximum of 1000 records.
To get the next batch of records, use the Next link. Get the skiptoken information from the first set of returned
records. The skip token will be at the end of the result set.
https://graph.windows.net/contoso.com/activities/audit?api-version=beta&%24skiptoken=-1339686058
Supported filters
You can narrow down the number of records that are returned by an API call in form of a filter.
For sign-in API related data, the following filters are supported:
$top=<number of records to be returned> - to limit the number of returned records. This is an expensive
operation. You should not use this filter if you want to return thousands of objects.
$filter=<your filter statement> - to specify, on the basis of supported filter fields, the type of records you
care about
activityDate
Supported operators: eq, ge, le, gt, lt
Example:
Notes:
datetime should be in UTC format
activityType
Supported operators: eq
Example:
$filter=activityType eq 'User'
Notes:
case-sensitive
activity
Supported operators: eq, contains, startsWith
Example:
Notes:
case-sensitive
actor/name
Supported operators: eq, contains, startsWith
Example:
Notes:
case-insensitive
actor/objectId
Supported operators: eq
Example:
$filter=actor/objectId eq 'e8096343-86a2-4384-b43a-ebfdb17600ba'
target/name
Supported operators: eq, contains, startsWith
Example:
Notes:
Case-insensitive
target/upn
Supported operators: eq, startsWith
Example:
$filter=targets/any(t:
startswith(t/Microsoft.ActiveDirectory.DataService.PublicApi.Model.Reporting.AuditLog.TargetResourceUserEntity/
userPrincipalName,'abc'))
Notes:
Case-insensitive
You need to add the full namespace when querying
Microsoft.ActiveDirectory.DataService.PublicApi.Model.Reporting.AuditLog.TargetResourceUserEntity
target/objectId
Supported operators: eq
Example:
actor/upn
Supported operators: eq, startsWith
Example:
$filter=startswith(actor/Microsoft.ActiveDirectory.DataService.PublicApi.Model.Reporting.AuditLog.ActorUserEnti
ty/userPrincipalName,'abc')
Notes:
Case-insensitive
You need to add the full namespace when querying
Microsoft.ActiveDirectory.DataService.PublicApi.Model.Reporting.AuditLog.ActorUserEntity
Next Steps
Do you want to see examples for filtered system activities? Check out the Azure Active Directory audit API
samples.
Do you want to know more about the Azure AD reporting API? See Getting started with the Azure Active
Directory Reporting API.
Azure Active Directory reporting audit API samples
1/17/2017 3 min to read Edit on GitHub
This topic is part of a collection of topics about the Azure Active Directory reporting API.
Azure AD reporting provides you with an API that enables you to access audit data using code or related tools. The
scope of this topic is to provide you with sample code for the audit API.
See:
Audit logs for more conceptual information
Getting started with the Azure Active Directory Reporting API for more information about the reporting API.
For questions, issues or feedback, please contact AAD Reporting Help.
Prerequisites
Before you can use the samples in this topic, you need to complete the prerequisites to access the Azure AD
reporting API.
Known issue
App Auth will not work if your tenant is in the EU region. Please use User Auth for accessing the Audit API as a
workaround until we fix the issue.
PowerShell script
# This script will require registration of a Web Application in Azure Active Directory (see
https://azure.microsoft.com/documentation/articles/active-directory-reporting-api-getting-started/)
# Constants
$ClientID = "your-client-application-id-here" # Insert your application's Client ID, a Globally
Unique ID (registered by Global Admin)
$ClientSecret = "your-client-application-secret-here" # Insert your application's Client Key/Secret string
$loginURL = "https://login.microsoftonline.com" # AAD Instance; for example
https://login.microsoftonline.com
$tenantdomain = "your-tenant-domain.onmicrosoft.com" # AAD Tenant; for example, contoso.onmicrosoft.com
$resource = "https://graph.windows.net" # Azure AD Graph API resource URI
$7daysago = "{0:s}" -f (get-date).AddDays(-7) + "Z" # Use 'AddMinutes(-5)' to decrement minutes, for
example
Write-Output "Searching for events starting $7daysago"
# Create HTTP header, get an OAuth2 access token based on client id, secret and tenant domain
$body =
@{grant_type="client_credentials";resource=$resource;client_id=$ClientID;client_secret=$ClientSecret}
$oauth = Invoke-RestMethod -Method Post -Uri $loginURL/$tenantdomain/oauth2/token?api-version=1.0 -Body
$body
# Parse audit report items, save output to file(s): auditX.json, where X = 0 thru n for number of nextLink
pages
if ($oauth.access_token -ne $null) {
$i=0
$headerParams = @{'Authorization'="$($oauth.token_type) $($oauth.access_token)"}
$url = 'https://graph.windows.net/' + $tenantdomain + 'activities/audit?api-
version=beta&`$filter=activityDate gt ' + $7daysago
Bash script
#!/bin/bash
URL="https://graph.windows.net/$TENANT_DOMAIN/activities/audit?api-
version=beta&$filter=activityDate%20gt%20$YESTERDAY"
Python script
# Author: Michael McLaughlin (michmcla@microsoft.com)
# Date: January 20, 2016
# This requires the Python Requests module: http://docs.python-requests.org
import requests
import datetime
import sys
client_id = 'your-application-client-id-here'
client_secret = 'your-application-client-secret-here'
login_url = 'https://login.windows.net/'
tenant_domain = 'your-directory-name-here.onmicrosoft.com'
access_token = token_response.json().get('access_token')
token_type = token_response.json().get('token_type')
if response.status_code is 200:
print response.content
else:
print 'ERROR: API request failed'
Next steps
Would you like to customize the samples in this topic? Check out the Azure Active Directory audit API reference.
If you want to see a complete overview of using the Azure Active Directory reporting API, see Getting started
with the Azure Active Directory reporting API.
If you would like to find out more about Azure Active Directory reporting, see the Azure Active Directory
Reporting Guide.
Prerequisites to access the Azure AD reporting API
1/17/2017 3 min to read Edit on GitHub
The Azure AD reporting APIs provide you with programmatic access to the data through a set of REST-based APIs.
You can call these APIs from a variety of programming languages and tools.
The reporting API uses OAuth to authorize access to the web APIs.
To prepare your access to the reporting API, you must:
1. Create an application in your Azure AD tenant
2. Grant the application appropriate permissions to access the Azure AD data
3. Gather configuration settings from your directory
For questions, issues or feedback, please contact AAD Reporting Help.
IMPORTANT
Applications running under credentials with "admin" privileges like this can be very powerful, so please be sure to keep the
application's ID/secret credentials secure.
1. In the Azure classic portal, on the left navigation pane, click Active Directory.
5. On the What do you want to do? dialog, click Add an application my organization is developing.
6. On the Tell us about your application dialog, perform the following steps:
6. In the Permissions to other applications section, for the Azure Active Directory resource, click the
Application Permissions drop-down list, and then select Read directory data.
Next Steps
Would you like to access the data from the Azure AD reporting API in a programmatic manner? Check out
Getting started with the Azure Active Directory Reporting API.
If you would like to find out more about Azure Active Directory reporting, see the Azure Active Directory
Reporting Guide.
Azure Active Directory sign-in activity report API
reference
1/17/2017 3 min to read Edit on GitHub
This topic is part of a collection of topics about the Azure Active Directory reporting API.
Azure AD reporting provides you with an API that enables you to access sign-in activity report data using code or
related tools. The scope of this topic is to provide you with reference information about the sign-in activity report
API.
See:
Sign-in activities for more conceptual information
Getting started with the Azure Active Directory Reporting API for more information about the reporting API.
For questions, issues or feedback, please contact AAD Reporting Help.
Prerequisites
To access this report through the reporting API, you must have:
An Azure Active Directory Premium P1 or P2 edition
Completed the prerequisites to access the Azure AD reporting API.
API Endpoint
You can access this API using the following base URI:
https://graph.windows.net/contoso.com/activities/signinEvents?api-version=beta
Due to the volume of data, this API has a limit of one million returned records.
This call returns the data in batches. Each batch has a maximum of 1000 records.
To get the next batch of records, use the Next link. Get the skiptoken information from the first set of returned
records. The skip token will be at the end of the result set.
https://graph.windows.net/$tenantdomain/activities/signinEvents?api-version=beta&%24skiptoken=-1339686058
Supported filters
You can narrow down the number of records that are returned by an API call in form of a filter.
For sign-in API related data, the following filters are supported:
$top=<number of records to be returned> - to limit the number of returned records. This is an expensive
operation. You should not use this filter if you want to return thousands of objects.
$filter=<your filter statement> - to specify, on the basis of supported filter fields, the type of records you
care about
NOTE
When using Graph Explorer, you the need to use the correct case for each letter is your filter fields.
To narrow down the scope of the returned data, you can build combinations of the supported filters and filter fields.
For example, the following statement returns the top 10 records between July 1st 2016 and July 6th 2016:
https://graph.windows.net/contoso.com/activities/signinEvents?api-
version=beta&$top=10&$filter=signinDateTime+ge+2016-07-01T17:05:21Z+and+signinDateTime+le+2016-07-07T00:00:00Z
signinDateTime
Supported operators: eq, ge, le, gt, lt
Example:
Using a specific date
$filter=signinDateTime+eq+2016-04-25T23:59:00Z
$filter=signinDateTime+ge+2016-07-01T17:05:21Z+and+signinDateTime+le+2016-07-07T17:05:21Z
Notes:
The datetime parameter should be in the UTC format
userId
Supported operators: eq
Example:
$filter=userId+eq+00000000-0000-0000-0000-000000000000
Notes:
The value of userId is a string value
userPrincipalName
Supported operators: eq
Example:
$filter=userPrincipalName+eq+'audrey.oliver@wingtiptoysonline.com'
Notes:
The value of userPrincipalName is a string value
appId
Supported operators: eq
Example:
$filter=appId+eq+00000000-0000-0000-0000-000000000000
Notes:
The value of appId is a string value
appDisplayName
Supported operators: eq
Example:
$filter=appDisplayName+eq+'Azure+Portal'
Notes:
The value of appDisplayName is a string value
loginStatus
Supported operators: eq
Example:
$filter=loginStatus+eq+'1'
Notes:
There are two options for the loginStatus: 0 - success, 1 - failure
Next steps
Do you want to see examples for filtered sign-in activities? Check out the Azure Active Directory sign-in activity
report API samples.
Do you want to know more about the Azure AD reporting API? See Getting started with the Azure Active
Directory Reporting API.
Azure Active Directory sign-in activity report API
samples
1/17/2017 2 min to read Edit on GitHub
This topic is part of a collection of topics about the Azure Active Directory reporting API.
Azure AD reporting provides you with an API that enables you to access sign-in activity data using code or related
tools.
The scope of this topic is to provide you with sample code for the sign-in activity API.
See:
Audit logs for more conceptual information
Getting started with the Azure Active Directory Reporting API for more information about the reporting API.
For questions, issues or feedback, please contact AAD Reporting Help.
Prerequisites
Before you can use the samples in this topic, you need to complete the prerequisites to access the Azure AD
reporting API.
PowerShell script
# This script will require the Web Application and permissions setup in Azure Active Directory
$ClientID = "<clientId>" # Should be a ~35 character string insert your info here
$ClientSecret = "<clientSecret>" # Should be a ~44 character string insert your info here
$loginURL = "https://login.windows.net/"
$tenantdomain = "<tenantDomain>"
$ daterange # For example, contoso.onmicrosoft.com
Write-Output $7daysago
# Get an Oauth 2 access token based on client id, secret and tenant domain
$body =
@{grant_type="client_credentials";resource=$resource;client_id=$ClientID;client_secret=$ClientSecret}
$url = "https://graph.windows.net/$tenantdomain/activities/signinEvents?api-
version=beta&`$filter=signinDateTime ge $7daysago"
$i=0
Do{
Write-Output "Fetching data using Uri: $url"
$myReport = (Invoke-WebRequest -UseBasicParsing -Headers $headerParams -Uri $url)
Write-Output "Save the output to a file SigninActivities$i.json"
Write-Output "---------------------------------------------"
$myReport.Content | Out-File -FilePath SigninActivities$i.json -Force
$url = ($myReport.Content | ConvertFrom-Json).'@odata.nextLink'
$i = $i+1
} while($url -ne $null)
} else {
Next Steps
Would you like to customize the samples in this topic? Check out the Azure Active Directory sign-in activity API
reference.
If you want to see a complete overview of using the Azure Active Directory reporting API, see Getting started
with the Azure Active Directory reporting API.
If you would like to find out more about Azure Active Directory reporting, see the Azure Active Directory
Reporting Guide.
Azure Active Directory audit report events
1/17/2017 15 min to read Edit on GitHub
User events
Set license properties Set the license properties for a user in the directory.
Reset user password Reset the password for a user in the directory.
Change user password Changed the password for a user in the directory.
Change user license Changed the license assigned to a user in the directory. To see
what licenses were updated, look at the Update user
properties below
Update user Updated a user in the directory. See below for attributes that
can be updated.
Set force change user password Set the property that forces a user to change their password
on login.
Group events
Application events
Role events
Remove role member from Role Removed a user from a directory role.
B2B events
Batch invites processed. A file containing invitations to partner users has been
processed.
Invite external user. An external user has been invited to the directory.
Redeem external user invite. An external user has redeemed their invitation to the
directory.
EVENTS EVENT DESCRIPTION
Add external user to group. An external user has been assigned membership to a group in
the directory.
Assign external user to application. An external user has been assigned direct access to an
application.
Viral tenant creation. A new tenant has been created in Azure AD by the invitation
redemption.
Viral user creation. A user has been created in an existing tenant in Azure AD by
the invitation redemption.
Directory events
Set domain authentication Changed the default domain setting for the company.
Set Company contact information Set company-level contact preferences. This includes email
addresses for marketing, as well as technical notifications
about Microsoft Online Services.
Set federation settings on domain Updated the federation settings for a domain.
Verify email verified domain Verified a domain on the directory using email verification.
Set DirSyncEnabled flag on company Set the property that enables a directory for Azure AD Sync.
Set Password Policy Set length and character constraints for user passwords.
Set Company Information Updated the company-level information. See the Get-
MsolCompanyInformation PowerShell cmdlet for more details.
Date and Time The date and time that the audit event occurred
Target The user or service principal that the action was performed on
ATTRIBUTE DESCRIPTION
AssignedPlan Service plans resulting from the licenses assigned to the user.
PreferredDataLocation The preferred location for the user's, group's, contact's, public
folder's, or device's data.
MailNickname Moniker for an address book object, typically the portion of its
email name preceding the "@" symbol.
CloudDeviceOSType Type of the device based on the OS e.g. Windows RT, iOS.
When set by a cloud service (such as Intune), this attribute
becomes authoritative in the directory for DeviceOSType.
DeviceOSType Type of the device based on the OS e.g. Windows RT, iOS.
Written by the Registration Service and intended to be
updated by the MDM management service or STS light
management service.
AppLogoUrl The url for the application logo image stored in a CDN.
PublicClient True if the client cannot keep secret (i.e. non-confidential client
in OAuth2.0)
BelongsToFirstLoginObjectSet If true, indicates that this object belongs to the set of objects
required to enable login of the first admin of a new tenant.
MailNickname Moniker for an address book object, typically the portion of its
email name preceding the "@" symbol.
DirSyncFeatures Bit flag to keep track of set of enabled and disabled dirsync
features for the tenant.
ATTRIBUTE DESCRIPTION
IsMnc A Boolean flag set to "true" iff the company is enabled for the
multinational company feature.
TenantType The type of a tenant. If this value is not specified, the tenant is
a Company. Otherwise, possible values are: MicrosoftSupport
(0), SyndicatePartner (1), BreadthPartner (2)
BreadthPartnerDelegatedAdmin (3)
ResellerPartnerDelegatedAdmin (4)
ValueAddedResellerPartnerDelegatedAdmin (5).
Initial Indicates whether the domain is the initial domain for the
company, as allocated by OCP. The initial domain is a unique
sub-domain of a Microsoft Online domain;
e.g.contoso3.microsoftonline.com.
Audit records are a required control for many compliance regulations. For customers using the Azure Active
Directory Audit Report to meet their compliance regulations, it is recommended that the customer submit a copy
of this help topic with the copy of the customer's exported audit report to help explain the report details. If the
auditor would like to understand the compliance regulations that Azure currently meets, direct the auditor to the
Compliance page of the Microsoft Azure Trust Center.
Azure Active Directory report retention policies
1/17/2017 1 min to read Edit on GitHub
Free The first time you open the Azure Active Directory blade or
use the reporting APIs
Security Signals
Security Reports
Application Reports
RMS Reports
What's next
Curious about what security, audit, and activity reports are available? Check out Azure AD Security, Audit, and
Activity Reports
Getting started with Azure Active Directory Premium
Add company branding to your Sign In and Access Panel pages
Irregular sign-in activity
1/17/2017 1 min to read Edit on GitHub
Irregular sign-ins are those that have been identified by our machine learning algorithms, on the basis of an
"impossible travel" condition combined with an anomalous sign in location and device. This may indicate that a
hacker has successfully signed in using this account. We will send an email notification to the global admins if we
encounter 10 or more anomalous sign-in events within a span of 30 days or less. Please be sure to include aad-
alerts-noreply@mail.windowsazure.com in your safe senders list.
Sign-ins after multiple failures
1/17/2017 1 min to read Edit on GitHub
This report indicates users who have successfully signed in after multiple consecutive failed sign in attempts.
Possible causes include:
User had forgotten their password
User is the victim of a successful password guessing brute force attack
Results from this report will show you the number of consecutive failed sign-in attempts made prior to the
successful sign-in and a timestamp associated with the first successful sign-in.
Report Settings: You can configure the minimum number of consecutive failed sign in attempts that must occur
before it can be displayed in the report. When you make changes to this setting it is important to note that these
changes will not be applied to any existing failed sign ins that currently show up in your existing report. However,
they will be applied to all future sign-ins. Changes to this report can only be made by licensed admins.
Sign ins from IP addresses with suspicious activity
1/17/2017 1 min to read Edit on GitHub
This report shows sign-ins from IP addresses where suspicious activity has been detected. Suspicious activity in
this case is defined to be an unusually high ratio of failed sign-ins to successful sign-ins, which may indicate that
an IP address is being used for malicious purposes.
Sign-ins from multiple geographies
1/17/2017 1 min to read Edit on GitHub
This report includes successful sign-ins from a user where two sign-ins appeared to originate from different
regions and the time between the sign-ins makes it impossible for the user to have traveled between those
regions. Possible causes include:
User is sharing their password with other users
User is using a remote desktop to launch a web browser for sign-in
A hacker has signed in to the account of a user from a different country
User is using a VPN or proxy
User is signed in from multiple devices at the same time, such as a desktop and a mobile phone, and the IP
address of the mobile phone is unusual.
Results from this report will show you the successful sign-in events, together with the time between the sign-ins,
the regions where the sign-ins appeared to originate from, and the estimated travel time between those regions.
The travel time shown is only an estimate and may be different from the actual travel time between the locations.
Sign ins from possibly infected devices
1/17/2017 1 min to read Edit on GitHub
This report attempts to identify your users' devices that that have become infected and are now part of a botnet.
We correlate IP addresses of users' sign-ins against IP addresses that we know to be in contact with botnet servers.
Recommendation: This report flags IP addresses, not user devices. We recommend that you contact the user and
scan all the user's devices to be certain. It is also possible that a user's personal device is infected, or that someone
other than the user, who was using the same IP address as the user, has an infected device.
For more information about how to address malware infections, see the Malware Protection Center.
Sign ins from unknown sources
1/17/2017 1 min to read Edit on GitHub
This report indicates users who have successfully signed in to your directory while assigned a client IP address that
has been recognized by Microsoft as an anonymous proxy IP address (for example, a Tor IP address). These proxies
are often used by users that want to hide their computers IP address, and may be used for malicious intent.
Results from this report will show the number of times a user successfully signed in to your directory from that
address and the proxys IP address.
Users with anomalous sign in activity
1/17/2017 1 min to read Edit on GitHub
This is an aggregate report that combines suspicious sign-ins from the following reports:
Sign ins from unknown sources
Sign-ins after multiple failures
Sign-ins from multiple geographies
Sign-ins from IP addresses with suspicious activity
Sign-ins from possibly infected devices
Irregular sign-in activity
Manage passwords in Azure Active Directory
1/17/2017 1 min to read Edit on GitHub
If you are an administrator, you can reset a users password in Azure Active Directory (Azure AD) in the Azure
classic portal. Click the name of your directory and on the Users page, click the name of the user and at the bottom
of the portal click Reset Password.
This rest of this topic covers the full set of password management capabilities that Azure AD supports, including:
Self-service password change allows end users or administrators to change their expired or non-expired
passwords without calling an administrator or helpdesk for support.
Self-service password reset allows end users or administrators to reset their passwords automatically
without calling an administrator or helpdesk for support. Self-service password reset requires Azure AD
Premium or Basic. For more information, see Azure Active Directory editions.
Administrator-initiated password reset allows an administrator to reset an end users or another
administrators password from within the Azure classic portal.
Password management activity reports give administrators insights into password reset and registration
activity occurring in their organization.
Password writeback allows management of on-premises passwords from the cloud so all of the above
scenarios can be performed by, or on the behalf of, federated or password synchronized users. Password
writeback requires Azure AD Premium. For more information, see Getting started with Azure Active Directory
Premium.
NOTE
Azure AD Premium is available for Chinese customers using the world wide instance of Azure AD. Azure AD Premium is not
currently supported in the Microsoft Azure service operated by 21Vianet in China. For more information, contact us at the
Azure Active Directory Forum.
Use the following links to jump to the documentation you are most interested in:
Overview: password management in Azure AD
Self-service password reset in Azure AD: how to enable, configure, and test self-service password reset
Self-service password reset in Azure AD: how to customize password reset to meet your needs
Self-service password reset in Azure AD: deployment and management best practices
Password management reports in Azure AD: how to view password management activity in your tenant
Password writeback: how to configure Azure AD to manage on-premises passwords
Troubleshooting Azure AD password management
FAQ for Azure AD password management
What's next
Administering Azure AD
Create or edit users in Azure AD
Manage groups in Azure AD
How to update your own password
1/17/2017 9 min to read Edit on GitHub
If you are unsure how to manage your work or school account password, you've come to the right place! Read
below to learn how to perform common steps, like changing a password, resetting a password, or registering for
password reset.
Dont lose access to your account!
How to change your password from Office 365
How to change your password from the access panel
How to reset your password
How to unlock your account
Common problems and their solutions
4. Select your country code from the dropdown and enter your full phone number + area code.
5. Select one of the text me or call me options. In this case, I'll select text me, which will send a 6 digit
code to my phone. Wait for the code to arrive on your phone.
6. Once the code arrives, enter it into the input box, and then click "verify."
7. When you see thanks, that's it! Now you can use what you registered for to reset your password at any
time by going to https://passwordreset.microsoftonline.com.
IMPORTANT
If your admin lets you register for more than one option, we highly recommend you also register a back-up
option in case you lose your phone or access to your email.
IMPORTANT
This feature is only available to you if your admin has turned it on. If it's not turned on, you'll see a message indicating
your account is not enabled for this feature. You can use the "contact your administrator" link in this case to get in touch
with your admin to unlock your account.
If your admin has enabled you for this feature, you'll first need to sign up before you can use it. You can do that here:
http://aka.ms/ssprsetup.
1. On the any work or school account sign-in page, click on one of the "can't access your account?" or
"forgot your password?" links, or navigate to https://passwordreset.microsoftonline.com directly.
2. On the "who are you?" page, enter your work or school account ID and prove you aren't a robot by
passing the CAPTCHA challenge.
5. We'll use the "text my mobile phone" option as an example. If you are using a phone based option, you'll
need to verify your phone number before we'll send a text. Enter your full phone number and then click
Next to verify it's correct and send a text.
6. When you receive the text, make sure you use the verification code in the message body, not the number
the code was sent from. It might take a few minutes to get the text, so grab a coffee!
7. Now, enter the code you just received on your phone into the input box on the page.
8. Your admin may require a second verification step, in which case repeat step 4 with a different option
selected.
9. On the "choose a new password" screen, select a new password and confirm your choice, then click
Finish.
10. Once you see the success page, you are good to go! You can now sign in with your new password.
Run into a problem resetting your password? Read about common problems and their solutions.
IMPORTANT
This feature is only available to you if your admin has turned it on. If it's not turned on, you'll see a message indicating
your account is not enabled for this feature. You can use the "contact your administrator" link in this case to get in touch
with your admin to unlock your account.
If your admin has enabled you for this feature, you'll first need to sign up before you can use it. You can do that here:
http://aka.ms/ssprsetup.
1. On the any work or school account sign in page, click on one of the "can't access your account?" or
"forgot your password?" links, or navigate to https://passwordreset.microsoftonline.com directly.
2. On the "who are you?" page, enter your work or school account ID and prove you aren't a robot by
passing the CAPTCHA challenge.
5. We'll use the "text my mobile phone" option as an example. If you are using a phone based option, you'll
need to verify your phone number before we'll send a text. Enter your full phone number and then click
Next to verify it's correct and send a text.
6. When you receive the text, make sure you use the verification code in the message body, not the number
the code was sent from. It might take a few minutes to get the text, so grab a coffee!
7. Now, enter the code you just received on your phone into the input box on the page.
8. Your admin may require a second verification step, in which case you must repeat step 4 with a different
option selected.
9. Once you see the success page, you are good to go! Your on-premises account has been unlocked and
you can now sign in once more.
IMPORTANT
Make sure you update all your devices to your newest password, as often times a rogue app with an old password
(like your phone email client) can be the culprit behind why your account got locked out in the first place.
Run into a problem unlocking your account? Read about common problems and their solutions.
I get a "your account is not Your account is not enabled for You are seeing this message
enabled for password reset" error password reset because your administrator has
after entering my user ID not enabled password reset for
We're sorry, but your your organization from the Can't
administrator has not set up your access your account link, or
account for use with this service. hasn't licensed you to use the
feature.
If you'd like, we can contact an
administrator in your organization To reset your password, click the
to reset your password for you. contact an administrator link to
send an email to your company's
admin, and let him or her know
you want to reset your password
from Office 365 so he or she can
enable this feature for you.
I get a "we could not verify your We could not verify your account You are seeing this message
account" error after entering my because you are enabled for
user ID If you'd like, we can contact an password reset, but you have not
administrator in your organization registered to use the service. To
to reset your password for you. register for password reset, go to
http://aka.ms/ssprsetup after you
have regained access to your
account.
IMPORTANT
Are you here because you're having problems signing in? If so, here's how you can change and reset your own
password.
Password Management in Azure Active Directory is comprised of several logical components that are described
below. Click on each link to learn more about that component.
Password Management Configuration Portal Administrators can control different facets of how
passwords are managed in their tenants by navigating to their directorys Configure tab in the Azure
Management Portal.
User Registration Portal Users can self-register for password reset through this web portal.
User Password Reset Portal Users can reset their own passwords using a number of different challenges in
accordance with the administrator-controlled password reset policy
User Password Change Portal Users can change their own passwords at any time by entering their old
password and selecting a new password using this web portal
Password Management Reports Administrators can view and analyze password reset and registration
activity in their tenant by navigating to the Activity Reports section of their directorys Reports tab in the
Azure Management Portal
Password Writeback Component of Azure AD Connect Administrators can optionally enable the
Password Writeback feature when installing Azure AD Connect to enable management of federated or
password synchronized user passwords from the cloud.
To learn more about how users can reset their own passwords, see Getting Started: Azure AD Password
Management.
User Password Change Portal
If users want to change their own passwords, they can do so by using the password change portal at any time.
Users can access the password change portal via the Access Panel profile page, or clicking the change password
link from within Office 365 applications. In the case when their passwords expire, users will also be asked to
change them automatically when signing in.
In both of these cases, if Password Writeback has been enabled and the user is either federated or password
syncd, these changed passwords are written back to your on-premises Active Directory. Heres what the
password change portal looks like:
To learn more about how users can change their own on-premises Active Directory passwords, see Getting
Started: Azure AD Password Management.
For more information, see Get Insights: Azure AD Password Management Reports.
This article describes the password policies and complexity requirements associated with user accounts stored in
your Azure AD directory.
IMPORTANT
Are you here because you're having problems signing in? If so, here's how you can change and reset your own
password.
Characters allowed AZ
a-z
09
.-_!#^~
Characters not allowed Any '@' character that is not separating the user name
from the domain.</li> <li>Cannot contain a period
character '.' immediately preceding the '@' symbol
PROPERTY REQUIREMENTS
Characters allowed AZ
a-z
09
@#$%^&*-_!+=[]{}|\:,.?/`~();
PROPERTY REQUIREMENTS
Next Steps
Are you here because you're having problems signing in? If so, here's how you can change and reset your
own password.
Manage your passwords from anywhere
How Password Management works
Getting started with Password Mangement
Customize Password Management
Password Management Best Practices
How to get Operational Insights with Password Management Reports
Password Management FAQ
Troubleshoot Password Management
Learn More
Reset the password for a user in Azure Active
Directory preview
1/17/2017 1 min to read Edit on GitHub
What's next
Add a user
Assign a user to a role in your Azure AD
Change a user's work information
Manage user profiles
Delete a user in your Azure AD
Reset the password for a user
1/17/2017 1 min to read Edit on GitHub
Whether you're responding to a user requesting a password reset after a lockout, or just attending to routine
security maintenance, sometimes you need to reset a user's password. Azure Active Directory (Azure AD) makes
this easy.
1. Open your directory.
2. Select the Users tab, and then select the display name of the user you want to change.
3. In the command bar, select Reset Password.
4. In the reset password dialog, click reset.
5. Select the check mark to finish resetting the password.
What's next
Add new users to Azure Active Directory
Administering Azure AD
Manage passwords in Azure AD
Manage groups in Azure AD
Set password expiration policies in Azure Active
Directory
1/17/2017 2 min to read Edit on GitHub
IMPORTANT
Are you here because you're having problems signing in? If so, here's how you can change and reset your own
password.
As a global administrator for a Microsoft cloud service, you can use the Microsoft Azure Active Directory Module
for Windows PowerShell to set up user passwords not to expire. You can also use Windows PowerShell cmdlets to
remove the never-expires configuration, or to see which user passwords are set up not to expire. This article
provides help for cloud services, such as Microsoft Intune and Office 365, which rely on Microsoft Azure Active
Directory for identity and directory services.
NOTE
Only passwords for user accounts that are not synchronized through directory synchronization can be configured not to
expire. For more information about directory synchronization, see the list of topics in Directory synchronization roadmap.
Next steps
Are you here because you're having problems signing in? If so, here's how you can change and reset your
own password.
Getting started with Password Management
1/17/2017 19 min to read Edit on GitHub
IMPORTANT
Are you here because you're having problems signing in? If so, here's how you can change and reset your own
password.
Enabling your users to manage their own cloud Azure Active Directory or on-premises Active Directory
passwords takes just a few simple steps. After ensuring that you've met a few simple prerequisites, you'll have
password change and reset enabled for your entire organization before you know it. This article will walk you
through the following concepts:
How to enable users to reset their cloud Azure Active Directory passwords
Self-service password reset prerequisites
Step 1: Configure password reset policy
Step 2: Add contact data for your test user
Step 3: Reset your password as a user
How to enable users to reset or change their on-premises Active Directory passwords
Password Writeback prerequisites
Step 1: Download the latest version of Azure AD Connect
Step 2: Enable Password Writeback in Azure AD Connect through the UI or PowerShell and verify
Step 3: Configure your firewall
Step 4: Set up the appropriate permissions
Step 5: Reset your AD password as a user and verify
Create at least one administrator account and one user account in your AAD directory.
Assign an AAD Premium, Basic, or O365 paid license to the administrator and user account that you created.
Step 1: Configure password reset policy
To configure user password reset policy, complete the following steps:
1. Open a browser of your choice and go to the Azure classic portal.
2. In the Azure classic portal, find the Active Directory extension on the navigation bar on the left hand
side.
3. Under the Directory tab, click the directory in which you want to configure the user password reset
policy, for example, Wingtip Toys.
NOTE
This policy applies only to end users in your organization, not administrators. For security reasons,
Microsoft controls the password reset policy for administrators. If you do not see this section, make sure that you
have signed up for the Azure Active Directory Premium or Basic and assigned a license to the administrator
account that is configuring this feature.
6. To configure the user password reset policy, slide the users enabled for password reset toggle to the
yes setting. This reveals several more controls which enable you to configure how this feature works in
your directory. Feel free to customize password reset as you see fit. If youd like to learn more about
what each of the password reset policy controls does, please see Customize: Azure AD Password
Management.
7. After configuring user password reset policy as desired for your tenant, click the Save button at the
bottom of the screen.
NOTE
A two challenge user password reset policy is recommended so that you can see how the functionality works in
the most complex case.
Step 2: Add contact data for your test user
You have several options on how to specify data for users in your organization to be used for password reset.
Edit users in the Azure classic portal or the Office 365 Admin Portal
Use AAD Connect to synchronize user properties into Azure AD from an on-premises Active Directory
domain
Use Windows PowerShell to edit user properties
Allow users to register their own data by guiding them to the registration portal at http://aka.ms/ssprsetup
Require users to register for password reset when they sign in to the Access Panel at
http://myapps.microsoft.com by setting the Require users to register when signing in to the access
panel SSPR configuration option to Yes.
If you want to learn more about what data is used by password reset, as well as any formatting requirements
for this data, please see What data is used by password reset?.
To add user contact data via the User Registration Portal
1. In order to use the password reset registration portal, you must provide the users in your organization
with a link to this page (http://aka.ms/ssprsetup) or turn on the option to require users to register
automatically. Once they click this link, they are asked to sign in with their organizational account. After
doing so, they see the following page:
2. Here, users can provide and verify their mobile phone, alternate email address, or security questions.
This is what verifying a mobile phone looks like.
3. After a user specifies this information, the page will update to indicate that the information is valid (it has
been obfuscated below). By clicking the finish or cancel buttons, the user will be brought to the Access
Panel.
4. Once a user verifies both of these pieces of information, his or her profile will be updated with the data
he or she provided. In this example, the Office Phone number has been specified manually, so the user
can also use that as a contact method for resetting his or her password.
3. Since the user has specified an office phone, mobile phone, and alternate email in this case, you see
that he or she has been given all of those as options to pass the first challenge.
4. In this case, choose to call the office phone first. Note that when selecting a phone-based method,
users will be asked to verify their phone number before they can reset their passwords. This is to
prevent malicious individuals from spamming phone numbers of users in your organization.
5. Once the user confirms their phone number, clicking call wall cause a spinner to appear and his or her
phone to ring. A message will play once he or she picks up your phone indicating that the user should
press # to verify his or her account. Pressing this key will automatically verify that the user possesses
the first challenge and advance the UI to the second verification step.
6. Once youve passed the first challenge, the UI is automatically updated to remove it from the list of
choices the user has. In this case, because you used your Office Phonefirst, only Mobile Phone and
Alternate Email remain as valid options to use as the challenge for the second verification step. Click on
the Email my alternate email option. After you have done that, pressing email will email the alternate
email on file.
7. Here is a sample of an email that users will see notice the tenant branding:
8. Once the email arrives, the page will update, and youll be able to enter the verification found in the
email in the input box shown below. After a proper code is entered, the next button lights up, and you
are able to pass through the second verification step.
9. Once youve met the requirements of the organizational policy, you are allowed to choose a new
password. The password is validated based it meets AAD strong password requirements (see Password
policy in Azure AD), and a strength validator appears to indicate to the user whether the password
entered meets that policy.
10. Once you provide matching passwords that meet the organizational policy, your password is reset and
you can log in with your new password immediately.
NOTE
Make sure that the administrator account that you use to enable Password Writeback is a cloud administrator
account (created in Azure AD), not a federated account (created in on-premises AD and synchronized into Azure
AD).
You have a single or multi-forest AD on-premises deployment running Windows Server 2008, Windows
Server 2008 R2, Windows Server 2012, or Windows Server 2012 R2 with the latest service packs
installed.
NOTE
If you are running an older version of Windows Server 2008 or 2008 R2, you can still use this feature, but will
need to download and install KB 2386717 before being able to enforce your local AD password policy in the
cloud.
You have the Azure AD Connect tool installed and you have prepared your AD environment for
synchronization to the cloud. For more information, see Use your on-premises identity infrastructure in
the cloud.
NOTE
Before you test password writeback, make sure that you first complete a full import and a full sync from both AD
and Azure AD in Azure AD Connect.
If you are using Azure AD Sync or Azure AD Connect TCP 443 outbound (and in some cases TCP 9350-
9354) need to be open. See Step 3: Configure your firewall for more information. Using DirSync for this
scenario is no longer supported. If you are still using DirSync, please upgrade to the latest version of
Azure AD Connect before deploying password writeback.
NOTE
We highly recommend anyone using the Azure AD Sync or DirSync tools upgrades to the latest version of Azure
AD Connect to ensure the best possible experience and new features as they are released.
NOTE
If this is your first time installing the Azure AD Connect tool, it is recommended that you follow a few best practices to
prepare your environment for directory synchronization. Before you install the Azure AD Connect tool, you must activate
directory synchronization in either the Office 365 Admin Portal or the Azure classic portal. For more information, see
Managing Azure AD Connect.
NOTE
You can disable Password Writeback at any time by either re-running this wizard and deselecting the feature, or by
setting the Write Passwords Back to On-Premises Directory setting to No in the User Password Reset Policy
section of your directorys Configure tab in the Azure classic portal. For more information about customizing your
password reset experience, check out Customize: Azure AD Password Management.
NOTE
If prompted for a credential, make sure that the administrator account that you specify for AzureADCredential is a cloud
administrator account (created in Azure AD), not a federated account (created in on-premises AD and synchronized
into Azure AD.
NOTE
You can disable Password Writeback through PowerShell by repeating the same instructions above but passing $false
in step or by setting the Write Passwords Back to On-Premises Directory setting to No in the User Password Reset
Policy section of your directorys Configure tab in the Azure classic portal.
NOTE
If you have configured Password Writeback by following the instructions above and do not see any errors in the Azure
AD Connect event log, but you're getting connectivity errors when testing, then it may be the case that a networking
appliance in your environment is blocking HTTPS connections to IP addresses. For example, while a connection to
https://.servicebus.windows.net* is allowed, a connection to a specific IP address within that range may be blocked. To
resolve this, you'll need to either configure your networking environment to allow all outbound HTTPS connections over
port 443 to any URL or IP address (Option 1 above), or work with your networking team to explicitly allow HTTPS
connections to specific IP addresses (Option 2 above).
NOTE
If you are on a version of Azure AD Connect prior to 1.0.8667.0, Microsoft highly recommends you upgrade to the latest
version of Azure AD Connect, which includes a number of writeback networking enhancements to make configuration
easier.
Once the network appliances have been configured, reboot the machine running Azure AD Connect tool.
Step 4: Set up the appropriate Active Directory permissions
For every forest that contains users whose passwords will be reset, if X is the account that was specified for that
forest in the configuration wizard (during initial configuration), then X must be given the Reset Password,
Change Password, Write Permissions on lockoutTime , and Write Permissions on pwdLastSet , extended
rights on the root object of each domain in that forest. The right should be marked as inherited by all user
objects.
If you are not sure what account the above refers to, open the Azure Active Directory Connect configuration UI
and click on the Review Your Solution option. The account you need to add permission to is underlined in red
in the screenshot below.
Make sure you set this permission for each domain in each forest in your system, otherwise password
writeback will not work properly.
Setting these permissions will allow the MA service account for each forest to manage passwords on behalf of
user accounts within that forest. If you neglect to assign these permissions, then, even though writeback will
appear to be configured correctly, users will encounter errors when attempting to manage their on-premises
passwords from the cloud. Here are the detailed steps on how you can do this using the Active Directory
Users and Computers management snap-in:
NOTE
It could take up to an hour for these permissions to replicate to all objects in your directory.
7. Select the account you want to give permissions to (this is the same account that was specified while setting
up sync for that forest).
8. In the drop down on the top, select Descendent User objects.
9. In the Permission Entry dialog box that shows up, check the box for Reset Password, Change
Password, Write Permissions on lockoutTime , and Write Permissions on pwdLastSet .
10. Then click Apply/Ok through all the open dialog boxes.
Step 5: Reset your AD password as a user
Now that Password Writeback has been enabled, you can test that it works by resetting the password of a user
whose account has been synchronized into your cloud tenant.
To verify Password Writeback is working properly
1. Navigate to https://passwordreset.microsoftonline.com or go to any organizational ID login screen and
click the Cant access your account? link.
2. You should now see a new page which asks for a user ID for which you want to reset a password. Enter your
test user ID and proceed through the password reset flow.
3. After you reset your password, you will see a screen that looks similar to this. It means you have
successfully reset your password in your on-premises and/or cloud directories.
4. To verify the operation was successful or diagnose any errors, go to your Directory Sync computer,
open Event Viewer, navigate to the application event log, and look for event 31002 -
PasswordResetSuccess from the source PasswordResetService for your test user.
Links to password reset documentation
Below are links to all of the Azure AD Password Reset documentation pages:
Are you here because you're having problems signing in? If so, here's how you can change and reset
your own password.
How it works - learn about the six different components of the service and what each does
Customize - learn how to customize the look & feel and behavior of the service to your organization's
needs
Best practices - learn how to quickly deploy and effectively manage passwords in your organization
Get insights - learn about our integrated reporting capabilities
FAQ - get answers to frequently asked questions
Troubleshooting - learn how to quickly troubleshoot problems with the service
Learn more - go deep into the technical details of how the service works
Deploying Password Management and training users
to use it
1/17/2017 8 min to read Edit on GitHub
IMPORTANT
Are you here because you're having problems signing in? If so, here's how you can change and reset your own
password.
After enabling password reset, the next step you need to take is to get users using the service in your
organization. To do this, you'll need to make sure your users are configured to use the service properly and also
that your users have the training they need to be successful in managing their own passwords. This article will
explain to you the following concepts:
How to get your users configured for Password Management
What makes an account configured for password reset
Ways you can to populate authentication data yourself
The best ways to roll out password reset to your organization
Email-based rollout + sample email communications
Create your own custom password management portal for your users
How to use enforced registration to force users to register at sign in
How to upload authentication data for user accounts
Sample user and support training materials (coming soon!)
What is the best way to roll out password reset for users?
The following are the general rollout steps for password reset:
1. Enable password reset in your directory by going to the Configure tab in the Azure Management Portal and
selecting Yes for the Users Enabled for Password Reset option.
2. Assign the appropriate licenses to each user to whom youd like to offer password reset in the by going to the
Licenses tab in the Azure Management Portal.
3. Optionally restrict password reset to a group of users to roll out the feature slowly over time by setting the
Restrict Access to Password Reset toggle to Yes and selecting a security group to enable for password reset
(note these users must all have licenses assigned to them).
4. Instruct your users to use password reset by either sending them an email instructing them to register,
enabling enforced registration on the access panel, or by uploading the appropriate authentication data for
those users yourself via DirSync, PowerShell, or the Azure Management Portal. More details on this are
provided below.
5. Over time, review users registering by navigating to the Reports tab and viewing the Password Reset
Registration Activity report.
6. Once a good number of users have registered, watch them use password reset by navigating to the Reports
tab and viewing the Password Reset Activity report.
There are several ways to inform your users that they can register for and use password reset in your
organization. They are detailed below.
Email-based rollout
Perhaps the simplest approach to inform your users about to register for or use password reset is by sending
them an email instructing them to do so. Below is a template you can use to do this. Feel free to replace the
colors / logos with those of your own choosing to customize it to fit your needs.
You can download the email template here.
Creating your own password portal
One strategy that works well for larger customers deploying password management capabilities is to create a
single "password portal" that your users can use to manage all things related to their passwords in a single place.
Many of our largest customers choose to create a root DNS entry, like https://passwords.contoso.com with links
to the Azure AD password reset portal, password reset registration portal, and password change pages. This way,
in any email communications or fliers you send out, you can include a single, memorable, URL that users can go
to when they have a second to get started with the service.
To get going here, we've created a simple page that uses the latest responsive UI design paradigms, and will
work on all browsers and mobile devices.
You can download the website template here. We recommend customizing the logo and colors to the need of
your organization.
Using enforced registration
If you want your users to register for password reset themselves, you can also force them to register when they
sign in to the access panel at http://myapps.microsoft.com. You can enable this option from your directorys
Configure tab by enabling the Require Users to Register when Signing in to the Access Panel option.
You can also optionally define whether or not they will be asked to re-register after a configurable period of time
by modifying the Number of days before users must confirm their contact data option to be a non-zero
value. See Customizing User Password Management Behavior for more information.
After you enable this option, when users sign in to the access panel, they will see a popup that informs them that
their administrator has required them to verify their contact information. They can use it to reset their password
if they ever lose access to their account.
Clicking Verify Now brings them to the password reset registration portal at http://aka.ms/ssprsetup and
requires them to register. Registration via this method can be dismissed by clicking the cancel button or closing
the window, but users are reminded every time they sign in if they do not register.
See What data is used by password reset to see how each of these properties can be used.
See How to access password reset data for your users from PowerShell to see how you can read and set this data
with PowerShell.
IMPORTANT
Are you here because you want to reset your Azure or O365 password? If so, please skip to this section.
Self-service has long been a key goal for IT departments across the world as a cost-reduction and labor-saving
measure. Indeed, the market is flooded with products that let you manage your on-premises groups, passwords, or
user profiles from the cloud or on-premises. Azure AD sets itself apart from these offerings by providing some of
the easiest to use and most powerful self-service capabilities available today.
Azure AD Password Management is a set of capabilities that allow your users to manage any password from
any device, at any time, from any location, while remaining in compliance with the security policies you define.
TOPIC
How do I enable password reset for cloud users? Enable users to reset their cloud Azure Active Directory
passwords
How do I enable password reset and change for on-premises Enable users to reset or change their on-premises Active
users? Directory passwords
How do I scope password reset to a specific set of users? Restrict password reset to specific users
TOPIC
How do I test cloud password reset? Reset your Azure AD password as a user
How do I test on-premises password reset? Reset your on-premises AD password as a user
How do I disable password reset at a later time? Setting: users enabled for password reset
How do I change what authentication methods are Setting: authentication methods available to users
supported?
How do I change number of authentication methods Setting: number of authentication methods required
required?
How do I set up pre-canned localized security questions? Setting: knowledge-based security questions
How can I change how many security questions are required? Setting: number of security questions for registration or reset
How can I customize how a user gets in touch with an admin? Setting: customize the "contact your administrator" link
How can I allow users to unlock AD accounts without Setting: enable users to unlock their AD accounts without
resetting a password? resetting a password
How can I enable password reset notifications for users? Setting: notify users when their passwords have been reset
How can I enable password reset notifications for admins? Setting: notify other admins when an admin reset their own
password
How can I customize password reset look and feel? Setting: company name, branding, and logo
How do I know if an account is configured for password reset? What makes an account configured for password reset?
How do I get my users configured for password reset? Ways to populate password reset authentication data for your
users
How do I manually upload data for my users? Uploading password reset data yourself
How do I use PowerShell to read or set data for my users? How to access password reset data for your users
How can I synchronize password reset data from on- What data is used by password reset
premises?
TOPIC
How can I use an email campaign to get my users to register Email-based rollout of password reset
for and use password reset?
How can I force my users to register when signing in? Enforced registration-based rollout of password reset
How can I force my users to re-confirm their registered Setting: number of days before users must re-confirm their
periodically? authentication data
What are best practices around communicating password Creating your own password portal for your users to use
reset to end users?
Where can I see how users are using password reset in my View password reset activity
organization?
Where can I see how many users are registering, and what View password reset registration activity
they are registering for?
How can I get password reset reports from an API? Creating an azure ad application to access the reporting API
What kind of password reset reporting information is available Password reset and registration events available in the
through an API? reporting API
How do I reset a user's password from the O365 Reset a user's password in Office 365
management portal?
How do I reset a user's password using PowerShell? Reset a user's password with Set-MsolUserPassword
How do I set organization password expiration policy from Set password expiration policy
Office 365?
How do I set a specific user's passwords to never expire with Set individual user's password to never expire using
PowerShell? PowerShell
How do I find out whether a user's password is set to never Check individual user's password expiration status using
expire using PowerShell PowerShell
Troubleshoot a problem
TOPIC
What information should I provide to support if I need help? Information to include when you need help
How can I fix a problem with password reset Troubleshoot the password reset portal
How can I fix a problem with password writeback Troubleshoot password writeback
How can I fix a problem with password writeback connectivity Troubleshoot password writeback connectivity
How can I fix a problem with password reset configuration Troubleshoot password reset configuration in the azure
management portal
How can I fix a problem with password reset reports Troubleshoot password management reports in the azure
management portal
How can I fix a problem with password reset registration Troubleshoot the password reset registration portal
Password writeback event log error codes Password writeback event log error codes
Read a FAQ
TOPIC
I want to read a FAQ about password reset registration Password reset registration FAQ
I want to read a FAQ about password reset reports Password management reports FAQ
I want to learn about how password writeback works How does password writeback work?
I want to learn about what scenarios are supported by Scenarios supported for password writeback
password writeback
I want to learn about how password writeback is secured Password writeback security model
I want to learn about how the password reset portal works How does the password reset portal work?
I want to learn about what data is used by password reset What data is used by password reset?
Recent service updates
Enforce Password Reset Registration at Sign-In to Office 365 Apps - November 2015
Now, after enabling the enforced registration feature, your users will be required to register from anywhere
they sign in with a work or school account. This dramatically increases the speed at which many organizations
can onboard to password reset. With this new feature we've seen large organizations onboarding in as little as
2 weeks!
Support for Unlocking Active Directory Accounts without Resetting a Password - November 2015
Unlock only (without reset) is a huge helpdesk driver these days. In fact, many organizations spend up to 70%
of their password reset budget unlocking accounts! To meet this demand, now with Azure AD Password reset,
you can enable a feature to let your users unlock AD accounts separately from password reset. Check out how
to turn it on here: Setting: enable users to unlock their AD accounts without resetting a password.
Usability updates to Registration Page - October 2015
Now, when a user has data already registered, he or she can just click "looks good" to update the data without
needing to re-send the email or phone call.
Improved Reliability of Password Writeback - September 2015
As of the September release of Azure AD Connect, the password writeback agent will now more aggressively
retry connections and additional, more robust, failover capabilities.
API for Retrieving Password Reset Reporting Data - August 2015
Now, the data behind the password reset reports can be retrieved directly from the Azure AD Reports and
Events API.
Support for Azure AD Password Reset During Cloud Domain Join - August 2015
Now, any cloud user can reset his or her password right from the Windows 10 sign in screen during the cloud
domain join onboarding experience. Note, this is not yet exposed on the Windows 10 sign in screen.
Enforce Password Reset Registration at Sign-In to Azure and Federated Apps - July 2015
In addition to enforcing registration when signing into myapps.microsoft.com, we now support enforcing
registration during sign ins to the Azure Management Portal and any of your federated single-sign on
applications
Security Question Localization Support - May 2015
Now, you have the option to select pre-defined security questions which are localized in the full O365 language
set when configuring Security Questions for password reset.
Account Unlock Support during Password Reset - June 2015
If you're using password writeback and you reset your password when your account is locked, we'll
automatically unlock your Active Directory account!
Branded SSPR Registration - April 2015
The password reset registration page is now branded with your company logo!
Security Questions - March 2015
We released security questions to GA!
Account Unlock - March 2015
Now users can unlock their accounts when password reset occurs
Coming soon
Below are some of the cool features we're working on right now!
Support for Reminding Users to Update their Registered Data During Sign-in - Work in progress
Today, we support reminding users to update their registered data when accessing myapps.microsoft.com, but
we're working on the ability to do so for all sign ins.
IMPORTANT
Are you here because you're having problems signing in? If so, here's how you can change and reset your own
password.
In order to give your users the best possible experience, we recommend that you explore and play with all of the
Password Management configuration options available to you. In fact, you can start exploring this right away by
going to the configuration tab of the Active Directory extension in the Azure classic portal. This topic walks
you through all of the different Password Management customizations you can make as an administrator from
within Configure tab of your directory within the Azure classic portal, including:
TOPIC
How do I enable or disable password reset? Setting: users enabled for password reset
How do I scope password reset to a specific set of users? Restrict password reset to specific users
How do I change what authentication methods are Setting: authentication methods available to users
supported?
How do I change number of authentication methods Setting: number of authentication methods required
required?
How do I set up pre-canned localized security questions? Setting: knowledge-based security questions
How can I change how many security questions are Setting: number of security questions for registration or reset
required?
How can I force my users to register when signing in? Enforced registration-based rollout of password reset
How can I force my users to re-confirm their registered Setting: number of days before users must re-confirm their
periodically? authentication data
How can I customize how a user gets in touch with an Setting: customize the "contact your administrator" link
admin?
How can I allow users to unlock AD accounts without Setting: enable users to unlock their AD accounts without
resetting a password? resetting a password
How can I enable password reset notifications for users? Setting: notify users when their passwords have been reset
How can I enable password reset notifications for admins? Setting: notify other admins when an admin reset their own
password
TOPIC
How can I customize password reset look and feel? Setting: company name, branding, and logo
NOTE
The administrator account you are using must have an AAD Premium license assigned in order to see these policy
controls.
These policy controls only apply to end users resetting their passwords, not administrators. Administrators have a
default policy of alternate email and/or mobile phone that is specified for them by Microsoft which cannot be
changed.
Policy Control Description Affects?
Users enabled for password reset Determines if password reset is Registration portal:
enabled for users in this directory.
If set to no, no users can
register their own challenge
data.
Group that can perform password Determines what group of end Note:
reset users is allowed to use password
reset. If no group is specified and you
click Save, an empty group
(Only visible if restrict access to called
password reset is set to yes). SSPRSecurityGroupUsers will
be created for you.
Registration portal:
This setting does not affect
users' access to the password
reset registration portal. If
Users enabled for password
reset is set to yes, all end users
in your directory can register
for password reset at
http://aka.ms/ssprsetup.
Password reset portal:
If restrict access to password
reset is set to yes, then only
end users in this group will be
able to reset their passwords.
Registration portal:
Affects which authentication
methods are displayed when
users are registering. If you do
not enable a given
authentication method, users
will not be able to self-register
for that authentication method.
Registration portal:
Determines the minimum
number of questions a user
must answer before the user is
considered fully registered for
password reset.
Number of questions required to Determines the minimum number Note:
reset of questions a user must answer
when resetting a password. Can be set to 3 5 questions
required to reset.
(Only visible if the Security
Questions checkbox is enabled). Number of questions required
to reset must be less than or
equal to the number of
questions required to register.
Registration portal:
Determines which questions a
user is able to provide answers
for when registering for
password reset.
Registration portal:
Determines which questions a
user is able to provide answers
for when registering for
password reset.
Number of days before users must When require users to register is Note:
confirm their contact data turned on, this setting determines
the period of time which can Values between 0-730 days are
elapse before a user must re- accepted, with 0 days meaning
confirm their data. that users will never be asked
to re-confirm their contact
(Only visible if require users to data.
register when signing in to the
access panel is set to yes).
Registration portal:
This setting does not affect the
behavior of the registration
portal itself, rather, it
determines whether or not the
registration portal is shown to
users when their contact data
needs to be reconfirmed.
Customize the contact your Controls whether or not the Note:
administrator link? contact your administrator link
(shown to the left) that appears on If you enable this setting, you
the password reset portal when an must choose a custom URL or
error occurs or a user waits too email address by filling out the
long on an operation points to a custom email address or url
custom URL or email address. field immediately below this
setting.
(Only visible if users enabled for
password reset is set to yes).
Password reset portal:
If set to no, users clicking the
highlighted link will dispatch an
email to the primary email
address of all tenant
administrators requesting that
his or her password be reset.
This email is dispatched by
following the logic below:
Configured
everything is working as
expected
Registration portal:
If writeback is deployed and
configured and this switch is set
to no, then writeback will be
disabled, and federated and
password hash syncd users will
not be able to register for
password reset their passwords.
Example:
If this option was enabled when
admin A resets his password,
and there are 3 other admins in
the tenant, B, C, and D, then
admins B, C, and D would
receive an email indicating
admin A reset his password.
Notify users and admins when Determines whether or not end Password reset portal:
their own password has been reset users or admins who reset their
own passwords will receive an If set to no, then no
email notification that their notifications will be sent.
password has been reset.
If set to yes, then whenever a
user or admin resets his own
password, he or she will receive
a notification indicating his or
her password has been reset.
IMPORTANT
Are you here because you're having problems signing in? If so, here's how you can change and reset your own
password.
This section describes how you can use Azure Active Directorys Password Management reports to view how
users are using password reset and change in your organization.
Password Management reports overview
How to view Password Management reports
View password reset registration activity in your organization
View password reset activity in your organization
User abandoned after starting the office voice call verification Abandoned
option
User entered too many invalid SMS verification codes and is Blocked
blocked for 24 hours
User tried mobile phone voice verification too many times Blocked
and is blocked for 24 hours
User tried office phone voice verification too many times and Blocked
is blocked for 24 hours
User tried to answer security questions too many times and Blocked
is blocked for 24 hours
User tried to verify a phone number too many times and is Blocked
blocked for 24 hours
User contacted an admin after trying the email verification Contacted admin
option
User contacted an admin after trying the mobile SMS Contacted admin
verification option
User contacted an admin after trying the mobile voice call Contacted admin
verification option
User contacted an admin after trying the office voice call Contacted admin
verification option
User contacted an admin after trying the security question Contacted admin
verification option
Password reset is not enabled for this user. Enable password Failed
reset under the configure tab to resolve this
User does not have a license. You can add a license to the Failed
user to resolve this
Password reset has been disabled entirely for this tenant. See Failed
here to resolve this.
IMPORTANT
Are you here because you're having problems signing in? If so, here's how you can change and reset your own
password.
If you have already deployed Password Management, or are just looking to learn more about the technical nitty
gritty of how it works before deploying, this section will give you a good overview of the technical concepts
behind the service. We'll cover the following:
Password writeback overview
How pasword writeback works
Scenarios supported for password writeback
Password writeback security model
Password writeback bandwidth usage
How does the password reset portal work?
What data is used by password reset?
How to access password reset data for your users
When a federated or password hash syncd user comes to reset or change his or her password in the cloud, the
following occurs:
1. We check to see what type of password the user has. If we see the password is managed on premises, then we
ensure the writeback service is up and running. If it is, we let the user proceed, if it is not, we tell the user that
their password cannot be reset here.
2. Next, the user passes the appropriate authentication gates and reaches the reset password screen.
3. The user selects a new password and confirms it.
4. Upon clicking submit, we encrypt the plaintext password with a symmetric key that was created during the
writeback setup process.
5. After encrypting the password, we include it in a payload that gets sent over an HTTPS channel to your tenant
specific service bus relay (that we also set up for you during the writeback setup process). This relay is
protected by a randomly generated password that only your on-premises installation knows.
6. Once the message reaches service bus, the password reset endpoint automatically wakes up and sees that it
has a reset request pending.
7. The service then looks for the user in question by using the cloud anchor attribute. For this lookup to succeed,
the user object must exist in the AD connector space, it must be linked to the corresponding MV object, and it
must be linked to the corresponding AAD connector object. Finally, in order for sync to find this user account,
the link from AD connector object to MV must have the sync rule Microsoft.InfromADUserAccountEnabled.xxx
on the link. This is needed because when the call comes in from the cloud, the sync engine uses the
cloudAnchor attribute to look up the AAD connector space object, then follows the link back to the MV object,
and then follows the link back to the AD object. Because there could be multiple AD objects (multi-forest) for
the same user, the sync engine relies on the Microsoft.InfromADUserAccountEnabled.xxx link to pick the correct
one.
8. Once the user account is found, we attempt to reset the password directly in the appropriate AD forest.
9. If the password set operation is successful, we tell the user their password has been modified and that they
can go on their merry way.
10. If the password set operation fails, we return the error to the user and let them try again. The operation might
fail because the service was down, because the password they selected did not meet organization policies,
because we could not find the user in the local AD, or any number of reasons. We have a specific message for
many of these cases and tell the user what they can do to resolve the issue.
Scenarios supported for password writeback
The table below describes which scenarios are supported for which versions of our sync capabilities. In general, it
is highly recommended that you install the latest version of Azure AD Connect if you want to use password
writeback.
NOTE
Office Phone does not appear in the registration portal because users are currently not able to edit this property in the
directory.
Connect-MsolService
Set-MsolUser -UserPrincipalName user@domain.com -AlternateEmailAddresses @("email@domain.com")
Mobile Phone
Connect-MsolService
Set-MsolUser -UserPrincipalName user@domain.com -MobilePhone "+1 1234567890"
O ffi c e P h o n e
Connect-MsolService
Set-MsolUser -UserPrincipalName user@domain.com -PhoneNumber "+1 1234567890"
Connect-MsolService
Get-MsolUser -UserPrincipalName user@domain.com | select AlternateEmailAddresses
Mobile Phone
Connect-MsolService
Get-MsolUser -UserPrincipalName user@domain.com | select MobilePhone
O ffi c e P h o n e
Connect-MsolService
Get-MsolUser -UserPrincipalName user@domain.com | select PhoneNumber
A u t h en t i c at i o n Ph o n e
Connect-MsolService
Get-MsolUser -UserPrincipalName user@domain.com | select -Expand StrongAuthenticationUserDetails | select
PhoneNumber
A u t h e n t i c a t i o n Em a i l
Connect-MsolService
Get-MsolUser -UserPrincipalName user@domain.com | select -Expand StrongAuthenticationUserDetails | select
Email
IMPORTANT
Are you here because you're having problems signing in? If so, here's how you can change and reset your own
password.
The following are some frequently asked questions for all things related to password management.
If you find yourself with a question that you don't know the answer to, or are looking for help with a particular
problem you are facing, you can read on below to see if we've covered it already. If we haven't already, don't
worry! Feel free to ask any question you have that's not covered here on the Azure AD Forums and we'll get
back to you as soon as we can.
This FAQ is split into the following sections:
Questions about Password Reset Registration
Questions about Password Reset
Questions about Password Management Reports
Questions about Password Writeback
A: Yes, as long as password reset is enabled and they are licensed, they can go to the Password Reset
Registration portal at http://aka.ms/ssprsetup to register their authentication information to be used
with password reset. Users can also register by going to the access panel at
http://myapps.microsoft.com, clicking the profile tab, and clicking the Register for Password Reset
option. Learn more about how to get your users configured for password reset by reading How to get
users configured for password reset.
A: Yes, you can do so with DirSync or PowerShell, or through the Azure Management Portal or Office
Admin portal. Learn more about this feature on the blog post Improved Privacy for Azure AD MFA
and Password Reset Phone Numbers and by reading Learn how data is used by password reset.
Q: Can my users register data in such a way that other users cannot see this data?
A: Yes, when users register data using the Password Reset Registration Portal it gets saved into
private authentication fields that are only visible by Global Administrators and the user himself. Learn
more about this feature on the blog post Improved Privacy for Azure AD MFA and Password Reset
Phone Numbers and by reading Learn how data is used by password reset.
Q: Do my users have to be registered before they can use password reset?
A: No, if you define enough authentication information on their behalf, users will not have to register.
Password reset will work just fine as long as you have properly formatted data stored in the
appropriate fields in the directory. Learn more about by reading Learn how data is used by password
reset.
Q: How does the registration portal know which options to show my users?
A: The password reset registration portal only shows the options that you have enabled for your
users under the User Password Reset Policy section of your directorys Configure tab. This means that
if you do not enable, say, security questions, then users will not be able to register for that option.
A: A user is considered registered when he or she has at least N pieces of authentication info defined,
where N is the Number of Authentication Methods Required that you have set in the Azure
Management Portal. To learn more, see Customizing User Password Reset Policy.
Password reset
Q: How long should I wait to receive an email, SMS, or phone call from password reset?
A: Email, SMS messages, and phone calls should arrive in under 1 minute, with the normal case being
5-20 seconds. If you do not receive the notification in this timeframe, check your junk folder, that the
number / email being contacted is the one you expect, and that the authentication data in the
directory is correctly formatted. To learn more about formatting phone numbers and email addresses
for use with password reset see Learn how data is used by password reset.
A: The password reset UI, SMS messages, and voice calls are localized in the same 40 languages that
are supported in Office 365. Those are: Arabic, Bulgarian, Chinese Simplified, Chinese Traditional,
Croatian, Czech, Danish, Dutch, English, Estonian, Finnish, French, German, Greek, Hebrew, Hindi,
Hungarian, Indonesian, Italian, Japanese, Kazakh, Korean, Latvian, Lithuanian, Malay (Malaysia),
Norwegian (Bokml), Polish, Portuguese (Brazil), Portuguese (Portugal), Romanian, Russian, Serbian
(Latin), Slovak, Slovenian, Spanish, Swedish, Thai, Turkish, Ukrainian, and Vietnamese.
Q: What parts of the password reset experience get branded when I set organizational branding
in my directorys configure tab?
A: The password reset portal will show your organizational logo and will also allow you to configure
the Contact your administrator link to point to a custom email or URL. Any email that gets sent by
password reset will include your organizations logo, colors (in this case red), name in the body of the
email, and customized from name. See an example with all the branded elements below. To learn
more, read Customizing Password Reset Look and Feel.
Q: How can I educate my users about where to go to reset their passwords?
A: You can send your users to https://passwordreset.microsoftonline.com directly, or you can instruct
them to click on the Cant access your account link found on any School or Work ID sign in screen.
You can feel free to publish these links (or create URL redirects to them) in any place that is easily
accessible to your users.
Q: Do you support unlocking local active directory accounts when users reset their passwords?
A: Yes, when a user resets his or her password and Password Writeback has been deployed with all
versions of Azure AD Connect, or versions of Azure AD Sync 1.0.0485.0222 or later, then that users
account will be automatically unlocked when that user resets his or her password.
Q: How can I integrate password reset directly into my users desktop sign-in experience?
A: This is not possible today. However, if you absolutely need this capability and are an Azure AD
Premium customer, you can install Microsoft Identity Manager at no additional cost and deploy the
on-premises password reset solution found therein to solve this requirement.
Q: How many questions can we configure for the Security Questions authentication option?
A: You can configure up to 20 custom security questions in the Azure Management Portal.
Q: May a user register more than one of the same security question?
A: No, once a user registers a particular question, he or she may not register for that question a
second time.
Q: Is it possible to set a minimum limit of security questions for registration and reset?
A: Yes, one limit can be set for registration and another for reset. 3-5 security questions may be
required for registration and 3-5 may be required for reset.
Q: If a user has registered more than the maximum number of questions required to reset, how
are security questions selected during reset?
A: N security questions are selected at random out of the total number of questions a user has
registered for, where N is the minimum number of questions required for password reset. For
example, if a user has 5 security questions registered, but only 3 are required to reset, 3 of those 5 will
be selected randomly and presented to the user at the time of reset. If the user gets the answers to the
questions wrong, the selection process re-occurs to prevent question hammering.
Q: Do you prevent users from attempting password reset many times in a short time period?
A: Yes, there are several security features built into password reset. Users may only try 5 password
reset attempts within an hour before being locked out for 24 hours. Users may only try to validate a
phone number 5 times within an hour before being locked out for 24 hours. Users may only try a
single authentication method 5 times within an hour before being locked out for 24 hours.
Q: For how long are the email and SMS one-time passcode valid?
A: The session lifetime for password reset is 105 minutes. This means that from the beginning of the
password reset operation, the user has 105 minutes to reset his or her password. The email and SMS
one-time passcode are invalid after this time period expires.
A: Data should appear on the password management reports within 5-10 minutes. It some instances
it may take up to an hour to appear.
A: You can filter the password management reports by clicking the small magnifying glass to the
extreme right of the column labels, towards the top of the report (see screenshot). If you want to do
richer filtering, you can download the report to excel and create a pivot table.
Q: What is the maximum number of events are stored in the password management reports?
A: Up to 1,000 password reset or password reset registration events are stored in the password
management reports. We are working to expand this number to include more events.
A: The password management reports show operations occurring within the last 30 days. We are
currently investigating how to make this a longer time period. For now, if you need to archive this
data, you can download the reports periodically and save them in a separate location.
Q: Is there a maximum number of rows that can appear on the password management reports?
A: Yes, a maximum of 1,000 rows may appear on either of the Password Management reports,
whether they are being shown in the UI or being downloaded. We are currently investigating how to
increase this limit.
A: Yes, please see the following documentation to learn how you can access the password reset
reporting data stream. Learn how to access password reset reporting events programmatically.
Password Writeback
Q: How does Password Writeback work behind the scenes?
A: See How Password Writeback works for a detailed explanation of what happens when you enable
Password Writeback, as well as how data flows through the system back into your on-premises
environment. See Password Writeback security model in How Password Writeback works to learn
how we ensure Password Writeback is a highly secure service.
Q: How long does Password Writeback take to work? Is there a synchronization delay like with
password hash sync?
A: Password Writeback works for Federated and Password Hash Syncd users.
A: Yes, Password Writeback enforces password age, history, complexity, filters and any other
restriction you may put in place on passwords in your local domain.
A: Yes, Password Writeback is extremely secure. To read more about the 4 layers of security
implemented by the Password Writeback service, check out the Password Writeback security model in
How Password Writeback works.
IMPORTANT
Are you here because you're having problems signing in? If so, here's how you can change and reset your own
password.
If you are having issues with Password Management, we're here to help. Most problems you may run into can be
solved with a few simple troubleshooting steps which you can read about below to troubleshoot your
deployment:
Information to include when you need help
Problems with Password Management configuration in the Azure Management Portal
Problems with Password Managment reports in the Azure Management Portal
Problems with the Password Reset Registration Portal
Problems with the Password Reset Portal
Problems with Password Writeback
Password Writeback event log error codes
Problems with Password Writeback connectivity
If you've tried the troubleshooting steps below and are still running into problems, you can post a question on
the Azure AD Forums or contact support and we'll take a look at your problem as soon as we can.
I dont see the User Password The User Password Reset Policy This can occur if you do not have
Reset Policy section under the section is not visible on the an AAD Premium or AAD Basic
Configure tab in the Azure Configure tab in the Azure license assigned to the admin
management portal Management Portal. performing this operation.
To rectify this, assign an AAD
Premium or AAD Basic license to
the admin account in question by
navigating to the Licenses tab and
try again.
I dont see any of the configuration The User Password Reset Policy The rest of the UI will appear when
options under the User Password section is visible, but the only flag you switch the Users Enabled for
Reset Policy section that are that appears under it is the Users Password Reset flag to Yes.
described in the documentation. Enabled for Password Reset flag.
I dont see a particular For example, I do not see the Many elements of UI are hidden
configuration option. Number of days before a user until they are needed. Try enabling
must confirm their contact data all the options on the page if you
option when I scroll through the want to see.
User Password Reset Policy
section (or other examples of the See Password Management
same issue). behavior for more info about all of
the controls that are available to
you.
I dont see the Write Back The Write Back Passwords to This option is only visible if you
Passwords to On-Premises On-Premises option is not visible have downloaded Azure AD
configuration option under the Configure tab in the Connect and configured Password
Azure Management Portal Writeback. When you have done
this, that option appears and
allows you to enable or disable
writeback from the cloud.
See Enable Password Writeback in
Azure AD Connect for more
information on how to do this.
I dont see any password The Password reset activity and This can occur if you do not have
management reports Password reset registration an AAD Premium or AAD Basic
activity reports are not visible license assigned to the admin
under the Activity Log reports in performing this operation.
the Reports tab.
To rectify this, assign an AAD
Premium or AAD Basic license to
the admin account in question by
navigating to the Licenses tab and
try again.
User registrations show multiple When a user registers alternate Currently, when a user registers,
times email, mobile phone, and security we cannot assume that they will
questions, they each show up as register everything present on the
separate lines instead of a single registration page. As a result, we
line. currently log each individual piece
of data that is registered as a
separate event.
If you want to aggregate this data,
you can download the report and
open the data as a pivot table in
excel to have more flexibility.
Directory is not enabled for Your administrator has not Switch the Users Enabled for
password reset enabled you to use this feature. Password Reset flag to Yes and
hit Save in the Azure
Management Portal directory
configuration tab. You must have
an Azure AD Premium or Basic
License assigned to the admin
performing this operation.
User does not have an AAD Your administrator has not Assign an Azure AD Premium or
Premium or AAD Basic license enabled you to use this feature. Azure AD Basic license to the user
assigned under the Licenses tab in the
Azure Management Portal. You
must have an Azure AD Premium
or Basic License assigned to the
admin performing this operation.
Error processing request User sees an error that states: This can be caused by many issues,
but generally this error is caused
Error processing request by either a service outage or
When attempting to reset a configuration issue that cannot be
password. resolved.
If you see this error and it is
impacting your business, please
contact support and we will assist
you ASAP. See Information to
include when you need help to see
what you should provide to the
support engineer to aid in a
speedy resolution.
Directory is not enabled for Your account is not enabled for Switch the Users Enabled for
password reset password reset Password Reset flag to Yes and
hit Save in the Azure
We're sorry, but your Management Portal directory
administrator has not set up your configuration tab. You must have
account for use with this service. an Azure AD Premium or Basic
If you'd like, we can contact an License assigned to the admin
administrator in your organization performing this operation.
to reset your password for you.
User does not have an AAD While we cannot reset non-admin Assign an Azure AD Premium or
Premium or AAD Basic license account passwords automatically, Azure AD Basic license to the user
assigned we can contact your organization's under the Licenses tab in the
admin to do it for you. Azure Management Portal. You
must have an Azure AD Premium
or Basic License assigned to the
admin performing this operation.
Directory is enabled for password Your account is not enabled for Ensure that user has properly
reset, but user has missing or mal- password reset formed contact data on file in the
formed authentication information directory before proceeding. See
We're sorry, but your What data is used by password
administrator has not set up your reset for information on how to
account for use with this service. configure authentication
If you'd like, we can contact an information in the directory so that
administrator in your organization users do not see this error.
to reset your password for you.
Directory is enabled for password Your account is not enabled for Ensure that user has at least two
reset, but a user only has one password reset properly configured contact
piece of contact data on file when methods (e.g., both Mobile Phone
policy is set to require two We're sorry, but your and Office Phone) before
verification steps administrator has not set up your proceeding. See What data is used
account for use with this service. by password reset for information
If you'd like, we can contact an on how to configure
administrator in your organization authentication information in the
to reset your password for you. directory so that users do not see
this error.
Directory is enabled for password Oops! We encountered an This could be the result of a
reset, and user is properly unexpected error while contacting temporary service error or
configured, but user is unable to you. misconfigured contact data that
be contacted we could not properly detect. If the
user waits 10 seconds, a try again
and contact your administrator
link appears. Clicking try again will
re-dispatch the call, whereas
clicking contact your
administrator will send a form
email to user, password, or global
admins (in that precedence order)
requesting a password reset to be
performed for that user account.
User never receives the password User clicks text me or call me This could be the result of a mal-
reset SMS or phone call and then never receives anything. formed phone number in the
directory. Make sure the phone
number is in the format +ccc
xxxyyyzzzzXeeee. To learn more
about formatting phone numbers
for use with password reset see
What data is used by password
reset.
If you require an extension to be
routed to the user in question,
note that password reset does not
support extensions, even if you
specify one in the directory (they
are stripped before the call is
dispatched). Try using a number
without an extension, or
integrating the extension into the
phone number in your PBX.
User never receives password reset User clicks email me and then The most common cause for this
email never receives anything. issue is that the message is
rejected by a spam filter. Check
your spam, junk, or deleted items
folder for the email.
Also ensure that you are checking
the right email for the message
lots of people have very similar
email addresses and end up
checking the wrong inbox for the
message. If neither of these
options work, its also possible that
the email address in the directory
is malformed, check to make sure
the email address is the right one
and try again. To learn more about
formatting email addresses for use
with password reset see What data
is used by password reset.
I have set a password reset policy, Admin accounts resetting their The options configured under the
but when an admin account uses passwords see the same options User Password Reset Policy
password reset, that policy is not enabled for password reset, email section of the Configure tab only
applied and mobile phone, no matter what apply to end users in your
policy is set under the User organization.
Password Reset Policy section of
the Configure tab. Microsoft manages and controls
the Admin password reset policy in
order to ensure the highest level of
security
User prevented from attempting User sees an error stating: We implement an automatic
password reset too many times in throttling mechanism to block
a day Please use another option. users from attempting to reset
You've tried to verify your account their passwords too many times in
too many times in the last 1 a short period of time. This occurs
hour(s). For security reasons, you'll when:
have to wait 24 hour(s) before you 1. User attempts to validate a
can try again. phone number 5 times in one
If you'd like, we can contact an hour.
administrator in your organization 2. User attempts to use the
to reset your password for you. security questions gate 5 times
in one hour.
3. User attempts to reset a
password for the same user
account 5 times in one hour.
To fix this, instruct the user to wait
24 hours after the last attempt,
and the user will then be able to
reset his or her password.
User sees an error when validating When attempting to verify a This error occurs when the phone
his or her phone number phone to use as an authentication number entered does not match
method, the user sees an error the phone number on file.
stating:
Make sure the user is entering the
Incorrect phone number specified. complete phone number, including
area and country code, when
attempting to use a phone-based
method for password reset.
Error processing request User sees an error that states: This can be caused by many issues,
but generally this error is caused
Error processing request by either a service outage or
When attempting to reset a configuration issue that cannot be
password. resolved.
If you see this error and it is
impacting your business, please
contact support and we will assist
you ASAP. See Information to
include when you need help to see
what you should provide to the
support engineer to aid in a
speedy resolution.
When a user attempts to reset a This can occur if you had upgraded Find the Active Directory account
password or unlock an account from older versions of Azure AD for Azure AD Connect and reset
with password writeback enabled, Connect or DirSync. Upgrading to the password to contain no more
the operation fails. In addition, you older versions of Azure AD than 127 characters. Then open
see an event in the Azure AD Connect set a 254 character Synchronization Service from
Connect event log containing: password for the Azure AD the Start menu. Navigate to
Synchronization Engine returned Management Agent account Connectors and find the Active
an error hr=800700CE, (newer versions will set a 127 Directory Connector. Select it
message=The filename or character length password). Such and click Properties. Navigate to
extension is too long after the long passwords work for AD the page Credentials and enter
unlock operation occurs. Connector Import and Export the new password. Select OK to
operations but they are not close the page.
supported by the Unlock
operation.
Error configuring writeback during At the last step of the Azure AD This error occurs in the following
Azure AD Connect installation. Connect installation process, you two cases:
see an error indicating that
Password Writeback could not be You have specified an incorrect
configured. password for the global
administrator account specified
The Azure AD Connect Application at the beginning of the Azure
event log contains error 32009 AD Connect installation
with text Error getting auth process.
token.
You have attempted to use a
federated user for the global
administrator account specified
at the beginning of the Azure
AD Connect installation
process.
To fix this error, please ensure that
you are not using a federated
account for the global
administrator you specified at the
beginning of the Azure AD
Connect installation process, and
that the password specified is
correct.
Error configuring writeback during The Azure AD Connect machine The root cause of this error is that
Azure AD Connect installation. event log contains error 32002 the password reset service running
thrown by the in your on-premises environment
PasswordResetService. is not able to connect to the
service bus endpoint in the cloud.
The error reads: Error Connecting This error is normally normally
to ServiceBus, The token provider caused by a firewall rule blocking
was unable to provide a security an outbound connection to a
token particular port or web address.
Make sure your firewall allows
outbound connections for the
following:
All traffic over TCP 443 (HTTPS)
Outbound connections to
Once you have updated these
rules, reboot the Azure AD
Connect machine and Password
Writeback should start working
again.
Password Writeback endpoint on- After working for some time, In some rare cases, the Password
prem not reachable federated or password hash Writeback service may fail to re-
synced users cannot reset their start when Azure AD Connect has
passwords. re-started. In these cases, first,
check whether Password Writeback
appears to be enabled on-prem.
This can be done using the Azure
AD Connect wizard or powershell
(See HowTos section above).If the
feature appears to be enabled, try
enabling or disabling the feature
again either through the UI or
PowerShell. See Step 2: Enable
Password Writeback on your
Directory Sync computer &
configure firewall rules in How to
enable/disable Password Writeback
for more information on how to do
this.
If this doesnt work, try completely
uninstalling and re-installing Azure
AD Connect.
Permissions errors Federated or password hash syncd If you see these errors in your
users who attempt to reset their event log, confirm that the AD MA
passwords see an error after account (that was specified in the
submitting the password indicating wizard at the time of configuration)
there was a service problem. has the necessary permissions for
Password Writeback.
In addition to this, during
password reset operations, you NOTE that once this permission is
may see an error regarding given it can take up to 1 hour for
management agent was denied the permissions to trickle down via
access in your on premises event sdprop background task on the
logs. DC.
For password reset to work, the
permission needs to be stamped
on the security descriptor of the
user object whose password is
being reset. Until this permission
shows up on the user object,
password reset will continue to fail
with access denied.
Error when configuring Password Unable to Locate MA error in There is a known bug in the
Writeback from the Azure AD Wizard while enabling/disabling released version of Azure AD
Connect configuration wizard Password Writeback Connect which manifests in the
following situation:
1. You configure Azure AD
Connect for tenant abc.com
(Verified domain) using creds .
This results in AAD connector
with name abc.com AAD
being created.
2. You then then change the AAD
creds for the connector (using
old sync UI) to (note its the
same tenant but different
domain name).
3. Now you try to enable/disable
Password Writeback. The wizard
will construct the name of the
connector using the creds, as
abc.onmicrosoft.com AAD
and pass to the Password
Writeback cmdlet. This will fail
because there is no connector
created with this name.
This has been fixed in our latest
builds. If you have an older build,
the one workaround is to use the
powershell cmdlet to
enable/disable the feature. See
Step 2: Enable Password
Writeback on your Directory Sync
computer & configure firewall
rules in How to enable/disable
Password Writeback for more
information on how to do this.
Unable to reset password for users Federated or password hash syncd Privileged users in Active Directory
in special groups such as Domain users who are part of protected are protected using
Admins / Enterprise Admins etc. groups and attempt to reset their AdminSDHolder. See
passwords see an error after http://technet.microsoft.com/maga
submitting the password indicating zine/2009.09.sdadminholder.aspx
there was a service problem. for more details.
This means the security descriptors
on these objects are periodically
checked to match the one specified
in AdminSDHolder and are reset if
they are different. The additional
permissions that are needed for
Password Writeback therefore do
not trickle to such users. This can
result in Password Writeback not
working for such users.As a result,
we do not support managing
passwords for users within these
groups because it breaks the AD
security model.
Reset operations fails with Object Federated or password hash syncd This error usually indicates that the
could not be found users who attempt to reset their sync engine is unable to find either
passwords see an error after the user object in the AAD
submitting the password indicating connector space or the linked MV
there was a service problem. or AD connector space object.
In addition to this, during To troubleshoot this, make sure
password reset operations, you that the user is indeed synced
may see an error in your event from on-prem to AAD via the
logs from the Azure AD Connect current instance of Azure AD
service indicating an Object could Connect and inspect the state of
not be found error. the objects in the connector spaces
and MV. Confirm that the AD CS
object is connector to the MV
object via the
Microsoft.InfromADUserAccountE
nabled.xxx rule.
Reset operations fails with Multiple Federated or password hash syncd This indicates that the sync engine
matches found eror users who attempt to reset their detected that the MV object is
passwords see an error after connected to more than one AD
submitting the password indicating CS objects via the
there was a service problem. Microsoft.InfromADUserAccountE
nabled.xxx. This means that the
In addition to this, during user has an enabled account in
password reset operations, you more than one forest.
may see an error in your event
logs from the Azure AD Connect Currently this scenario is not
service indicating a Multiple supported for Password Writeback.
maches found error.
Password operations fail with a Password operations fail with a This occurs if the Azure AD
configuration error. configuration error. The application Connect configuration is changed
event log contains Azure AD to add a new AD forest (or to
Connect error 6329 with text: remove and re-add an existing
0x8023061f (The operation failed forest) after the Password
because password synchronization Writeback feature has already been
is not enabled on this enabled. Password operations for
Management Agent.) users in such newly added forests
will fail. To fix the problem, disable
and re-enable the Password
Writeback feature after the forest
configuration changes have been
completed.
Writing back passwords that have When attempting to reset a This occurs when the version of
been reset by users works password on behalf of a user from the synchronization engine does
properly, but writing back the Azure Management Portal, you not support the particular
passwords changed by a user or see a message stating: The Password Writeback operation that
reset for a user by an password reset service running in was used. Versions of Azure AD
administrator fails. your on-premises environment Connect later than 1.0.0419.0911
does not support administrators support all password management
resetting user passwords. Please operations, including password
upgrade to the latest version of reset writeback, password change
Azure AD Connect to resolve this. writeback, and administrator-
initiated password reset writeback
from the Azure Management
Portal. DirSync versions later than
1.0.6862 support password reset
writeback only. To resolve this
issue, we highly recommend that
you install the latest version of
Azure AD Connect or Azure Active
Directory Connect. For more
information, see Integrating your
on-premises identities to resolve
this issue and to get the most out
of Password Writeback in your
organization.
These steps will re-establish your connection with the cloud service and resolve any interruptions you may be
experiencing. If restarting the Sync Service does not resolve your issue, we recommend that you try to disable
and re-enable the Password Writeback feature as a next step.
Disable and re -enable the Password Writeback feature
Disabling and re-enabling the Password Writeback feature can help to resolve connectivity issues.
1. As an administrator, open the Azure AD Connect configuration wizard.
2. On the Connect to Azure AD dialog, enter your Azure AD global admin credentials
3. On the Connect to AD DS dialog, enter your AD Domain Services admin credentials.
4. On the Uniquely identifying your users dialog, click the Next button.
5. On the Optional features dialog, uncheck the Password write-back checkbox.
6. Click Next through the remaining dialog pages without changing anything until you get to the Ready to
configure page.
7. Ensure that the configure page shows the Password write-back option as disabled and then click the
green Configure button to commit your changes.
8. On the Finished dialog, deselect the Synchronize now option, and then click Finish to close the wizard.
9. Re-open the Azure AD Connect configuration wizard.
10. Repeat steps 2-8, except ensure you check the Password write-back option on the Optional
features screen to re-enable the service.
These steps will re-establish your connection with our cloud service and resolve any interruptions you may be
experiencing.
If disabling and re-enabling the Password Writeback feature does not resolve your issue, we recommend that
you try to re-install Azure AD Connect as a next step.
Install the latest Azure AD Connect release
Re-installing the Azure AD Connect package will resolve any configuration issues which may be affecting your
ability to either connect to our cloud services or to manage passwords in your local AD environment. We
recommend, you perform this step only after attempting the first two steps described above.
1. Download the latest version of Azure AD Connect here.
2. Since you have already installed Azure AD Connect, you will only need to perform an in-place upgrade to
update your Azure AD Connect installation to the latest version.
3. Execute the downloaded package and follow the on-screen instructions to update your Azure AD Connect
machine. No additional manual steps are required unless you have customized the out of box sync rules, in
which case you should back these up before proceeding with upgrade and manually re-deploy them
after you are finished.
These steps will re-establish your connection with our cloud service and resolve any interruptions you may be
experiencing.
If installing the latest version of the Azure AD Connect server does not resolve your issue, we recommend that
you try disabling and re-enabling Password Writeback as a final step after installing the latest sync QFE.
If that does not resolve your issue, then we recommend that you take a look at Troubleshoot Password
Writeback and the Azure AD password Management FAQ to see if your issue may be discussed there.
Links to password reset documentation
Below are links to all of the Azure AD Password Reset documentation pages:
Are you here because you're having problems signing in? If so, here's how you can change and reset
your own password.
How it works - learn about the six different components of the service and what each does
Getting started - learn how to allow you users to reset and change their cloud or on-premises passwords
Customize - learn how to customize the look & feel and behavior of the service to your organization's needs
Best practices - learn how to quickly deploy and effectively manage passwords in your organization
Get insights - learn about our integrated reporting capabilities
FAQ - get answers to frequently asked questions
Learn more - go deep into the technical details of how the service works
Join a personal device to your organization
1/17/2017 1 min to read Edit on GitHub
Additional information
Windows 10 for the enterprise: Ways to use devices for work
Extending cloud capabilities to Windows 10 devices through Azure Active Directory Join
Authenticating identities without passwords through Microsoft Passport
Learn about usage scenarios for Azure AD Join
Connect domain-joined devices to Azure AD for Windows 10 experiences
Set up Azure AD Join
Set up a Windows 10 device with Azure AD from
Settings
1/17/2017 1 min to read Edit on GitHub
If you are already using Windows 7 or Windows 8, and your computer or device has been upgraded to Windows
10, you can join to Azure Active Directory (Azure AD) through the Settings menu.
4. Provide your sign-in credentials. This sign-in experience will include all the steps that are required to complete
authentication. If you are part of a federated tenant, your administrator will provide you with the federation
experience that's hosted by your organization.
5. If your organization has configured Azure Multi-Factor Authentication for joining to Azure AD, provide the
second factor before proceeding.
6. Click Accept on the Allow this device to be managed screen.
7. You should see the message "Your device is now joined to your organization in Azure AD".
Additional information
Learn about usage scenarios for Azure AD Join
Connect domain-joined devices to Azure AD for Windows 10 experiences
Set up Azure AD Join
Authenticating identities without passwords through Microsoft Passport
Conditional access in Azure Active Directory
1/17/2017 4 min to read Edit on GitHub
The control capabilities in Azure Active Directory (Azure AD) conditional access offer simple ways to help secure
resources in the cloud and on-premises. Conditional access policies like multi-factor authentication can help
protect against the risk of stolen and phished credentials. Other conditional access policies can help keep your
organization's data safe. For example, in addition to requiring credentials, you might have a policy that only
devices that are enrolled in a mobile device management system like Microsoft Intune can access your
organization's sensitive services.
Prerequisites
Azure AD conditional access is a feature of Azure Active Directory Premium. Each user who accesses an
application that has conditional access policies applied must have an Azure AD Premium license. You can learn
more about license requirements in Unlicensed user report.
Conditions
These are conditions that you can include in a conditional access policy:
Group membership. Control a user's access based on membership in a group.
Location. Use the location of the user to trigger multi-factor authentication, and use block controls when a
user is not on a trusted network.
Device platform. Use the device platform, such as iOS, Android, Windows Mobile, or Windows, as a
condition for applying policy.
Device-enabled. Device state, whether enabled or disabled, is validated during device policy evaluation. If
you disable a lost or stolen device in the directory, it can no longer satisfy policy requirements.
Sign-in and user risk. You can use Azure AD Identity Protection for conditional access risk policies.
Conditional access risk policies help give your organization advance protection based on risk events and
unusual sign-in activities.
Controls
These are controls that you can use to enforce a conditional access policy:
Multi-factor authentication. You can require strong authentication through multi-factor authentication.
You can use multi-factor authentication with Azure Multi-Factor Authentication or by using an on-premises
multi-factor authentication provider, combined with Active Directory Federation Services (AD FS). Using
multi-factor authentication helps protect resources from being accessed by an unauthorized user who might
have gained access to the credentials of a valid user.
Block. You can apply conditions like user location to block user access. For example, you can block access
when a user is not on a trusted network.
Compliant devices. You can set conditional access policies at the device level. You might set up a policy so
that only computers that are domain-joined, or mobile devices that are enrolled in a mobile device
management application, can access your organization's resources. For example, you can use Intune to check
device compliance, and then report it to Azure AD for enforcement when the user attempts to access an
application. For detailed guidance about how to use Intune to protect apps and data, see Protect apps and
data with Microsoft Intune. You also can use Intune to enforce data protection for lost or stolen devices. For
more information, see Help protect your data with full or selective wipe using Microsoft Intune.
Applications
You can enforce a conditional access policy at the application level. Set access levels for applications and services
in the cloud or on-premises. The policy is applied directly to the website or service. The policy is enforced for
access to the browser, and to applications that access the service.
Resources
See the following resource categories and articles to learn more about setting conditional access for your
organization.
Multi-factor authentication and location policies
Getting started with conditional access to Azure AD-connected apps based on group, location, and multi-
factor authentication policies
Applications that are supported
Device -based conditional access
Set device-based conditional access policy for access control to Azure Active Directory-connected applications
Set up automatic registration of Windows domain-joined devices with Azure Active Directory
Troubleshooting for Azure Active Directory access issues
Help protect data on lost or stolen devices by using Microsoft Intune
Protect resources based on sign-in risk
Azure AD identity protection
Next steps
Conditional access FAQs
Technical reference
Getting started with Azure Active Directory
Conditional Access
1/17/2017 4 min to read Edit on GitHub
Azure Active Directory Conditional Access for SaaS apps and Azure AD connected apps lets you configure
conditional access based on group, location, and application sensitivity.
With conditional access based on application sensitivity, you can set multi-factor authentication (MFA) access rules
per application. MFA per application provides the ability to block access for users who are not on a trusted
network. You can apply MFA rules to all users that are assigned to the application, or only for users within
specified security groups. Users may be excluded from the MFA requirement if they are accessing the application
from an IP address that is inside the organizations network.
These capabilities will be available to customers that have purchased an Azure Active Directory Premium license.
Scenario prerequisites
License for Azure Active Directory Premium
Federated or managed Azure Active Directory tenant
Federated tenants require that multi-factor authentication be enabled.
In addition to setting this flag, the federated tenant AD FS instance must be configured to perform multi-factor
authentication. Follow the instructions for deploying Azure Multi-Factor Authentication on-premises.
Related Articles
Securing access to Office 365 and other apps connected to Azure Active Directory
Article Index for Application Management in Azure Active Directory
Applications that use conditional access rules in Azure
Active Directory
1/17/2017 4 min to read Edit on GitHub
Conditional access rules are supported in Azure Active Directory (Azure AD)-connected applications, pre-integrated
federated software as a service (SaaS) applications, applications that use password single sign-on (SSO), line-of-
business applications, and applications that use Azure AD Application Proxy. For a detailed list of applications for
which you can use conditional access, see Services enabled with conditional access. Conditional access works both
with mobile and desktop applications that use modern authentication. In this article, we cover how conditional
access works in mobile and desktop apps.
You can use Azure AD sign-in pages in applications that use modern authentication. With a sign-in page, a user is
prompted for multi-factor authentication. A message is shown if the user's access is blocked. Modern
authentication is required for the device to authenticate with Azure AD, so that device-based conditional access
policies are evaluated.
It's important to know which applications can use conditional access rules, and the steps that you might need to
take to secure other application entry points.
The following applications support conditional access for Office 365 and other Azure AD-connected service
applications:
Office 365 Exchange Online Windows 8.1, Windows 7 Outlook 2016, Outlook 2013 (with
modern authentication), Skype for
Business (with modern authentication)
Office 365 SharePoint Online Windows 10 Office 2016 apps, Universal Office apps,
Office 2013 (with modern
authentication), OneDrive sync client
(see notes), Office Groups support
planned for the future, SharePoint app
support planned for the future
Office 365 SharePoint Online Windows 8.1, Windows 7 Office 2016 apps, Office 2013 (with
modern authentication), OneDrive sync
client (see notes)
Office 365 SharePoint Online Mac OS X Office 2016 apps for multi-factor
authentication and location only;
device-based policy support planned for
the future
Office 365 Yammer Windows 10, iOS, and Android Office Yammer app
Dynamics CRM Windows 10, Windows 8.1, Windows 7, Dynamics CRM app
iOS, and Android
Azure Remote App service Windows 10, Windows 8.1, Windows 7, Azure Remote app
iOS, Android, and Mac OS X
Any My Apps app service Android and iOS Any My Apps app service
Ru l e 2
Ru l e 3
@RuleName = "Allow all intranet traffic only for browser and modern authentication clients"
c1:[Type == "http://schemas.microsoft.com/ws/2012/01/insidecorporatenetwork", Value == "true"] &&
c2:[Type == "http://schemas.microsoft.com/2012/01/requestcontext/claims/x-ms-endpoint-absolute-path", Value =~
"(/adfs/ls)|(/adfs/oauth2)"]
=> issue(Type = "http://schemas.microsoft.com/authorization/claims/permit", Value = "true");
Ru l e 2
Ru l e 3
Azure Active Directory Device Registration is the foundation for device-based conditional access scenarios. When a
device is registered, Azure Active Directory Device Registration provides the device with an identity which is used
to authenticate the device when the user signs in. The authenticated device, and the attributes of the device, can
then be used to enforce conditional access policies for applications that are hosted in the cloud and on-premises.
When combined with a mobile device management(MDM) solution such as Microsoft Intune, the device attributes
in Azure Active Directory are updated with additional information about the device. This allows you to create
conditional access rules that enforce access from devices to meet your standards for security and compliance. For
more information on enrolling devices in Microsoft Intune, see Enroll devices for management in Intune.
NOTE
For latest instructions on how to set up automatic device registration see, How to setup automatic registration of Windows
domain joined devices with Azure Active Directory.
NOTE
Enrollment with Microsoft Intune or Mobile Device Management for Office 365 requires Workplace Join. If you have
configured either of these services, ALL is selected and the NONE button is disabled.
By default, two-factor authentication is not enabled for the service. However, two-factor authentication is
recommended when registering a device.
Before requiring two-factor authentication for this service, you must configure a two-factor authentication
provider in Azure Active Directory and configure your user accounts for Multi-Factor Authentication, see
Adding Multi-Factor Authentication to Azure Active Directory
If you are using AD FS with Windows Server 2012 R2, you must configure a two-factor authentication module
in AD FS, see Using Multi-Factor Authentication with Active Directory Federation Services.
Additional topics
You can register your Windows 7 and Windows 8.1 Domain Joined devices with Azure AD Device Registration. The
following topics provides more information about the prerequisites and the steps required to configure device
registration on Windows 7 and Windows 8.1 devices.
Automatic Device Registration with Azure Active Directory for Windows Domain-Joined Devices
Configure automatic device registration for Windows 7 domain joined devices
Configure automatic device registration for Windows 8.1 domain joined devices
Automatic device registration with Azure Active Directory for Windows 10 domain-joined devices
Automatic device registration with Azure Active
Directory for Windows domain-joined devices
1/17/2017 4 min to read Edit on GitHub
As an IT Administrator, you can choose to automatically and silently register your domain-joined Windows devices
with Azure Active Directory (Azure AD). This can be useful if you have configured device based conditional access
polices to Office365 applications or applications managed on-premises by AD FS. You can learn more about the
device registration scenarios by reading the Azure Active Directory Device Registration Overview.
NOTE
For latest instructions on how to set up automatic device registration see, How to setup automatic registration of Windows
domain joined devices with Azure Active Directory.
Automatic Device Registration with Azure Active Directory is available for Windows 7 and Windows 8.1 machines
that have been joined to an Active Directory domain. These are typically corporate owned machines that have been
provided to information workers.
To begin registering your domain joined Windows devices with Azure AD, follow the prerequisites below. Once
you complete the prerequisites, configure automatic device registration for your domain joined Windows devices.
c:[Type == "http://schemas.microsoft.com/claims/authnmethodsreferences"]
=> issue(claim = c);
Where is the relying party object name for your Azure Active Directory relying party trust object. This object is
typically named Microsoft Office 365 Identity Platform.
Network Connectivity
Domain joined Windows devices must have connectivity to AD FS and an Active Directory Domain Controller to
automatically register with Azure AD. This typically means the machine must be connected to the corporate
network. This can include a wired connection, a Wi-Fi connection, DirectAccess, or VPN.
Additional topics
Azure Active Directory Device Registration overview
Configure automatic device registration for Windows 7 domain joined devices
Configure automatic device registration for Windows 8.1 domain joined devices
Automatic device registration with Azure Active Directory for Windows 10 domain-joined devices
How to configure automatic registration of Windows
domain-joined devices with Azure Active Directory
1/17/2017 11 min to read Edit on GitHub
To use Azure Active Directory device-based conditional access, your computers must be registered with Azure
Active Directory (Azure AD). This article provides you with the steps for configuring the automatic registration of
Windows domain-joined devices with Azure AD in your organization.
NOTE
The Windows 10 November Update offers some of the enhanced user experiences in Azure AD, but the Windows 10
Anniversary Update fully supports device-based conditional access. For more information about conditional access, see
Azure Active Directory device-based conditional access. For more information about Windows 10 devices in the workplace
and how a user registers a Windows 10 device with Azure AD, see Windows 10 for the enterprise: Use devices for work.
For devices running Windows, you can register some earlier versions of Windows, including:
Windows 8.1
Windows 7
For devices running Windows Server, you can register the following platforms:
Windows Server 2016
Windows Server 2012 R2
Windows Server 2012
Windows Server 2008 R2
Prerequisites
The main requirement for automatic registration of domain-joined devices by using Azure AD is to have an up-to-
date version of Azure Active Directory Connect (Azure AD Connect).
Depending on how you deployed Azure AD Connect, and whether you used an express or custom installation or
an in-place upgrade, the following prerequisites might have been configured automatically:
Service connection point in on-premises Active Directory - For discovery of Azure AD tenant
information by computers that register for Azure AD.
Active Directory Federation Services (AD FS) issuance transform rules - For computer authentication
on registration (applicable to federated configurations).
If some devices in your organizations are not Windows 10 domain-joined devices, perform the following steps:
Set a policy in Azure AD to enable users to register devices
Set Integrated Windows Authentication (IWA) as a valid alternative to multi-factor authentication in AD FS
$scp.Keywords;
The $scp.Keywords output shows the Azure AD tenant information, for example:
azureADName:microsoft.com
azureADId:72f988bf-86f1-41af-91ab-2d7cd011db47
If the service connection point doesnt exist, create it by running the following PowerShell script on your Azure AD
Connect server:
$aadAdminCred = Get-Credential;
Remarks:
When you run $aadAdminCred = Get-Credential, you are required to type a user name. For the user
name, use the following format: user@example.com
When you run the Initialize-ADSyncDomainJoinedComputerSync cmdlet, replace [connector account
name] with the domain account that's used in the Active Directory connector account.
The cmdlet uses the Active Directory PowerShell module, which relies on Active Directory Web Services in a
domain controller. Active Directory Web Services is supported on domain controllers in Windows Server
2008 R2 and later. For domain controllers in Windows Server 2008 or earlier versions, use the
System.DirectoryServices API via PowerShell to create the service connection point, and then assign the
Keywords values.
Windows 10 and Windows Server 2016 domain joined computers authenticate using Windows Integrated
authentication to an active WS-Trust endpoint hosted by AD FS. Ensure that this endpoint is enabled. If you are
using the Web Authentication Proxy, also ensure that this endpoint is published through the proxy. The end-point
is adfs/services/trust/13/windowstransport.
It should be enabled in the AD FS management console under Service > Endpoints. If you dont have AD FS as
your on-premises federation server, follow the instructions of your vendor to make sure the corresponding end-
point is enabled.
NOTE
If you dont use AD FS for your on-premises federation server, follow your vendor's instructions to create the rules that
issue these claims.
<#----------------------------------------------------------------------
| Modify the Azure AD Relying Party to include the claims needed
| for DomainJoin++. The rules include:
| -ObjectGuid
| -AccountType
| -ObjectSid
+---------------------------------------------------------------------#>
$rule4 = '@RuleName = "Issue AccountType with the value User when its not a computer account"
$rule5 = '@RuleName = "Capture UPN when AccountType is User and issue the IssuerID"
<RPObjectName> is the relying party object name for your Azure AD relying party trust object. This object
usually is named Microsoft Office 365 Identity Platform.
NOTE
Windows 10 domain-joined computers running Windows 10 November Update will automatically register with Azure AD,
only if the rollout Group Policy object is set.
You can use a Group Policy object to control the rollout of automatic registration of Windows 10 and Windows
Server 2016 domain-joined computers.
To roll out automatic registration of non-Windows 10 domain-joined computers, you can deploy a Windows
Installer package to computers that you select.
NOTE
For all non-Windows 10/Windows Server 2016 computers it is recommended to use the Windows Installer package as
described below in this document.
NOTE
This Group Policy template has been renamed from earlier versions of the Group Policy Management console. If you
are using an earlier version of the console, go to Computer Configuration > Policies > Administrative
Templates > Windows Components > Workplace Join > Automatically workplace join client computers.
Next steps
Azure Active Directory conditional access
Configure automatic device registration for Windows
7 domain joined devices
1/17/2017 2 min to read Edit on GitHub
As an IT admin, you can configure your Windows 7 domain joined devices to automatically register with Azure AD.
To do so, you must deploy the device registration software package to your Windows 7 domain joined devices
using a software distribution system such as System Center Configuration Manager. Be sure to read through and
complete the prerequisites listed in Automatic Device Registration with Azure Active Directory for Windows
Domain-Joined devices.
NOTE
For latest instructions on how to set up automatic device registration see, How to setup automatic registration of Windows
domain joined devices with Azure Active Directory.
1. A user (information worker) logs on to a Windows 7 client computer using Active Directory domain credentials.
2. The Workplace Join scheduled task is executed.
3. The user is silently authenticated with AD FS using Windows Integrated Authentication.
4. The Windows 7 PC is registered to the user in Azure AD.
5. A device object and certificate is created in Azure AD. The object represents the user@device.
6. The Workplace Join certificate is stored on the machine.
NOTE
This command must be run in the context of each domain user that has signed into the machine. Event Viewer and Errors
for Windows 7 domain joined devices.
The Windows Event Log on the Windows 7 machine will display messages related to Workplace Join. You can find
messages for both successful and unsuccessful Workplace Join events. The Event Log can be found in the Event
Viewer under Applications and Services Logs> Microsoft-Workplace Join.
Additional topics
Azure Active Directory Device Registration overview
Automatic device registration with Azure Active Directory for Windows Domain-Joined Devices
Configure automatic device registration for Windows 8.1 domain joined devices
Automatic device registration with Azure Active Directory for Windows 10 domain-joined devices
Configure automatic device registration for Windows
8.1 domain joined devices
1/17/2017 3 min to read Edit on GitHub
You can use an Active Directory Group Policy to configure your Windows 8.1 domain joined devices to
automatically register with Azure AD. To configure the Group Policy, you must have at least one domain joined
Windows Server 2012 R2 or Windows 8.1 machine with the Group Policy Management feature installed. Once this
Group Policy is enabled for your domain, any domain user that logs into the machine will be automatically and
silently registered with a device object in Azure AD. There will be one device object in Azure AD for every
registered user of the physical device.Be sure to read through and complete the prerequisites from the Automatic
Device Registration with Azure Active Directory for Windows Domain-Joined Devices.
NOTE
For latest instructions on how to set up automatic device registration see, How to setup automatic registration of Windows
domain joined devices with Azure Active Directory.
Configure the Group Policy for your Windows 8.1 domain joined
devices
1. Open Server Manager and navigate to Tools > Group Policy Management.
2. From Group Policy Management, navigate to the domain node that corresponds to the domain in which you
would like to enable Automatic Workplace Join.
3. Right-click Group Policy Objects and select New. Give your Group Policy object a name, for example,
Automatic Workplace Join. Click OK.
4. Right-click on your new Group Policy object and then select Edit.
5. Navigate to Computer Configuration > Policies > Administrative Templates > Windows Components
> Workplace Join.
6. Right-click Automatically workplace join client computers and then select Edit.
7. Select the Enabled radio button and then click Apply. Click OK.
8. You may now link the Group Policy object to a location of your choice. To enable this policy for all of the
domain joined Windows 8.1 devices at your organization, link the Group Policy to the domain.
%SystemRoot%\System32\AutoWorkplace.exe leave
This command must be run in the context of each domain user that has signed into the machine.
Event Viewer & Errors for Windows 8.1 domain joined devices
The Windows Event Log on a Windows 8.1 machine displays messages related to device registration. You will find
messages for both successful and unsuccessful events.
The Event Log can be found in the Event Viewer under Applications and Services Logs > Microsoft > Windows >
Workplace Join.
Additional details
The Group Policy enables a Scheduled Task on the system that runs in the users context and is triggered on user
sign-in. The task will silently register the user and device with Azure AD after the sign-in is complete. The
Scheduled Task can be found on Windows 8.1 devices in the Task Scheduler Library under Microsoft > Windows
> Workplace Join. The task will run and register any and all Active Directory users that sign-into.
Additional topics
Azure Active Directory Device Registration overview
Automatic device registration with Azure Active Directory for Windows 10 domain-joined devices
Configure automatic device registration for Windows 7 domain joined devices
Azure Authenticator for Android
1/17/2017 6 min to read Edit on GitHub
Your IT administrator may have recommended you to use the Microsoft Azure Authenticator to sign-in to access
your work resources. This application provides these two sign-in options:
Multi-Factor Authentication allows you to secure your work or school accounts with two-step verification. You
sign-in using something you know (for example, your password) and protect the account even further with
something you have (a security key from this app). The Azure Authenticator app notifies you of a pending two-
factor verification request by displaying an alert to your mobile device. You need to simply view the request in
the app and tap verify or cancel. Alternately, you may be prompted to enter the passcode displayed in the app.
Work Account allows you to turn your Android phone or tablet into a trusted device and provide Single Sign-On
(SSO) to company applications. Your IT administrator may require you to add a work account in order to access
company resources. SSO lets you sign in once and automatically avail of signing in across all applications your
company has made available to you.
NOTE
You are allowed a single work account on your device.
NOTE
You are allowed a single work account on your device.
After you have installed the Azure Authenticator app, you can also create a work account from the Android Account
Manager.
1. From the Settings menu, navigate to Accounts and click Add Account.
2. Follow steps 2-7 in the procedure, Adding the work account through the app home screen**, to add a work
account.
How to find out which version is installed
1. You can find out which version of the Azure Authenticator app and associated service versions are installed on
your device.
2. From the pop up menu, click About.
3. The About screen displays the services of the app and the versions installed on your device.
Sending log files to report issues
1. Follow the guidance on Microsoft Support to report an incident with the Azure Authenticator app, obtain an
incident number, and send log files against the assigned incident number as follows:
2. From the pop up menu, click Logging.
3. If you have an open incident with Microsoft Support, make note of the incident number (you'll need it for a later
step). If you have not already created a support incident and would like assistance, follow the guidance at
Microsoft Support to open a new incident.
4. On the logging screen, click Send Now.
5. Select the email provider you want to use.
6. If you already have an open incident Microsoft Support, contact the Support Engineer assigned to your issue to
find out how to send the log data and have it associated with your incident. The Support Engineer will provide
you with information for the email address and subject line. If you do not already have a support incident, please
follow the guidance at Microsoft Support to open a new incident.
7. Edit the To line and Subject line with the information you have received from Microsoft Support.
8. The Azure Authenticator app attaches the log file to the email you are sending. Describe the problem you are
experiencing, update recipient list (optional), and send the email.
Deleting the work account and leaving your workplace
You can remove the work account you created at any time as follows:
To delete the work account from the Settings menu
1. From the accounts manager, select Work account.
2. On the Work Account screen, in General Settings, select Account Settings Leave your workplace
network.
3. Select Leave on the Workplace Join screen.
4. Click OK when the message Are you sure you want to leave workplace is displayed.
5. This ensures that you have deleted your work account from your workplace.
NOTE
It is recommended that you do not use the Remove Account option to delete a work account as this option might not work
in some earlier versions of Android.
Troubleshooting
If you see the Keystore Error, this could be because you dont have the lock screen set up with a PIN. To work
around this issue, uninstall the Azure Authenticator app, configure a PIN for your lock screen, and reinstall the app.
Conditional access device policies for Office 365
services
1/17/2017 3 min to read Edit on GitHub
The term, Conditional access has many conditions associated with it such as multi-factor authenticated user,
authenticated device, compliant device etc. This topic primarily focusses on device-based conditions to control
access to Office 365 services. While Information Workers (IWs) want to access Office 365 services like Exchange
and SharePoint Online at work or school from their personal devices, their IT admin wants the access to be secure.
IT admins can provision conditional access device policies to secure corporate resources, while at the same time
allowing IWs on compliant devices to access the services. Conditional access policies to Office 365 may be
configured from Microsoft Intune conditional access portal.
Azure Active Directory enforces conditional access policies to secure access to Office 365 services. A tenant admin
can create a conditional access policy that blocks a user on a non-compliant device from accessing an O365
service. The user must conform to companys device policies before access can be granted to the service.
Alternately, the admin can also create a policy that requires users to just enroll their devices to gain access to an
O365 service. Policies may be applied to all users of an organization, or limited to a few target groups and
enhanced over time to include additional target groups.
A prerequisite for enforcing device policies is for users to register their devices with Azure Active Directory Device
Registration service. You can opt to enable Multi-factor authentication (MFA) for registering devices with Azure
Active Directory Device Registration service. MFA is recommended for Azure Active Directory Device Registration
service. When MFA is enabled, users registering their devices with Azure Active Directory Device Registration
service are challenged for second factor authentication.
Deployment Considerations:
Must use Azure Active Directory Device Registration service for device registration.
When users are to be authenticated on premises, Active Directory Federation Services (AD FS) (1.0 and above) is
required. Multi-Factor Authentication for Workplace Join will fail when the identity provider is not capable of multi-
factor authentication. For example, AD FS 2.0 is not multi-factor authentication-capable. Tenant admin must ensure
that the on-premises AD FS is MFA capable and a valid MFA method is enabled, before enabling MFA on Azure
Active Directory Device Registration service. For example, AD FS on Windows Server 2012 R2 has MFA capabilities.
You must also enable an additional valid authentication (MFA) method on the AD FS server before enabling MFA
on Azure Active Directory Device Registration service. For more information on supported MFA methods in AD FS,
see Configure Additional Authentication Methods for AD FS.
Azure Active Directory (Azure AD) device-based conditional access can help you protect organization resources
from:
Access attempts from unknown or unmanaged devices.
Devices that dont meet the security policies of your organization.
For an overview of conditional access, see Azure Active Directory conditional access.
You can set device-based conditional access policies to protect these applications:
Office 365 SharePoint Online, to protect your organization's sites and documents
Office 365 Exchange Online, to protect your organization's email
Software as a service (SaaS) applications that are connected to Azure AD for authentication
On-premises applications that are published by using Azure AD Application Proxy services
To set a device-based conditional access policy, in the Azure portal, go to the specific application in the directory.
Select the application, and then click the Configure tab to set the conditional access policy.
To set a device-based conditional access policy, in the Device based access rules section, in Enable Access
Rules, select On.
A device-based conditional access policy has three components:
Apply To. The scope of users the policy applies to.
Device Rules. The conditions a device must meet before it can access the application.
Application Enforcement. The client applications (native versus browser) the policy applies to.
To exclude a user from a policy, select the Except check box. This is helpful when you need to give permissions to a
specific user to temporarily access the application. Select this option, for example, if some of your users have
devices that are not ready for conditional access. The devices might not be registered yet, or they are about to be
out of compliance.
NOTE
For information about the differences between domain-joined and Azure AD-joined devices, see Using Windows 10 devices
in your workplace.
Windows personal devices are compliant if they are marked as compliant in the directory by Intune or by a third-
party mobile device management system that integrates with Azure AD.
Non-Windows devices are compliant if they are marked as compliant in the directory by Intune.
NOTE
For more information about how to set up Azure AD for device compliance in different management systems, see Azure
Active Directory conditional access.
You can select one or multiple device platforms for a device-based access policy. This includes Android, iOS,
Windows Mobile (Windows 8.1 phones and tablets), and Windows (all other Windows devices, including all
Windows 10 devices). Policy evaluation occurs only on the selected platforms. If a device that attempts access is not
running one of the selected platforms, the device can access the application if the user has access. No device policy
is evaluated.
NOTE
For more information about browser support and other considerations for a user who is accessing a device-based, certificate
authority-protected application, see Azure Active Directory conditional access.
Next steps
Azure Active Directory conditional access
Setting up on-premises conditional access using
Azure Active Directory Device Registration
1/17/2017 12 min to read Edit on GitHub
Personally owned devices of your users can be marked known to your organization by requiring the users to work
place join their devices to the Azure Active Directory Device Registration service. Below is a step-by-step guide to
enable conditional access to on-premises applications using Active Directory Federation Service (AD FS) in
Windows Server 2012 R2.
NOTE
Office 365 license or Azure AD Premium license is required when using devices registered in Azure Active Directory Device
Registration service conditional access policies. This includes policies enforced by Active Directory Federation Services (AD FS)
to on-premises resources.
For more information on the conditional access scenarios for on-premises, see Join to Workplace from Any Device
for SSO and Seamless Second Factor Authentication Across Company Applications.
These capabilities are available to customers that purchase an Azure Active Directory Premium license.
Supported Devices
Windows 7 domain joined devices.
Windows 8.1 personal and domain joined devices.
iOS 6 and later, for Safari browser
Android 4.0 or later, Samsung GS3 or above phones, Samsung Note2 or above tablets.
Scenario Prerequisites
Subscription to Office 365 or Azure Active Directory Premium
An Azure Active Directory tenant
Windows Server Active Directory (Windows Server 2008 or above)
Updated schema in Windows Server 2012 R2
License for Azure Active Directory Premium
Windows Server 2012 R2 Federation Services, configured for SSO to Azure AD
Windows Server 2012 R2 Web Application Proxy Microsoft Azure Active Directory Connect (Azure AD Connect).
Download Azure AD Connect here.
Verified domain.
Scenario assumptions
This scenario assumes that you have a hybrid environment consisting of an Azure AD tenant and a on-premises
Active Directory. These tenants should be connected using Azure AD Connect and with a verified domain and AD
FS for SSO. The checklist below will help you configure your environment to the stage described above.
TASK REFERENCE
Enable Device Registration in your Azure Active Directory Enable Azure Active Directory Device Registration
tenant to allow devices to join the workplace. By default,
multi-factor authentication is not enabled for the service.
However, multi-factor authentication is recommended when
registering a device. Before enabling multi-factor
authentication in ADRS, ensure that AD FS is configured for a
multi-factor authentication provider.
Devices will discover your Azure Active Directory Device Configure Azure Active Directory Device Registration
Registration Service by looking for well-known DNS records. discovery.
You must configure your company DNS so that devices can
discover your Azure Active Directory Device Registration
Service.
Deploy Active Directory Domain Services domain with the Upgrade your Active Directory Domain Services Schema
Windows Server 2012 R2 schema extensions. You do not need
to upgrade any of your domain controllers to Windows Server
2012 R2. The schema upgrade is the only requirement.
Devices will discover your Azure Active Directory Device Prepare your Active Directory support devices
Registration Service by looking for well-known DNS records.
You must configure your company DNS so that devices can
discover your Azure Active Directory Device Registration
Service.
Part 3: Enable device writeback in Azure AD
TASK REFERENCE
Complete part 2 of Enabling device writeback in Azure AD Enabling device writeback in Azure AD Connect
Connect. Upon completion, return this this guide.
Part 5: Verification
The deployment is now complete. You can now try out some scenarios. Follow the links below to experiment with
the service and become familiar with the features
TASK REFERENCE
Join some devices to your workplace using Azure Active Join devices to your workplace using Azure Active Directory
Directory Device Registration. You can join iOS, Windows, and Device Registration
Android devices
You can view and enable/disable registered devices using the Azure Active Directory Device Registration Overview
Administrator Portal. In this task you will view some registered
devices using the Administrator Portal.
Verify that device objects are written back from Azure Active Verify registered devices are written-back to Active Directory
Directory to Windows Server Active Directory.
Now that users can register their devices, you can create Create an application access policy and custom access denied
application access polices in AD FS that allow only registered message
devices. In this task you will create an application access rule
and a custom access denied message
1. Log in to your domain controller with an account that has both Enterprise Admin and Schema Admin rights.
2. Copy the [media]\support\adprep directory and sub-directories to one of your Active Directory domain
controllers.
3. Where [media] is the path to the Windows Server 2012 R2 installation media.
4. From a command prompt, navigate to the adprep directory and execute: adprep.exe /forestprep. Follow the
onscreen instructions to complete the schema upgrade.
https://enterpriseregistration.windows.net/enrollmentserver/otaprofile/"yourdomainname"
Where yourdomainname is the domain name that you have configured with Azure Active Directory. For example, if
your domain name is contoso.com, the URL would be:
https://enterpriseregistration.windows.net/enrollmentserver/otaprofile/contoso.com
There are many different ways to communicate this URL to your users. One recommended way is to publish this
URL in a custom application access denied message in AD FS. This is covered in the upcoming section: Create an
application access policy and custom access denied message.
Join a Windows 8.1 device using Azure Active Directory Device Registration
1. On your Windows 8.1 device, navigate to PC Settings > Network > Workplace.
2. Enter your user name in UPN format. For example, dan@contoso.com..
3. Select Join.
4. When prompted, sign-in with your credentials. The device is now joined.
Join a Windows 7 device using Azure Active Directory Device Registration
To register Windows 7 domain joined devices you need to deploy the device registration software package. The
software package is called Workplace Join for Windows 7 and is available for download at the Microsoft Connect
website. Instructions how to use the package are available at Configure automatic device registration for Windows
7 domain joined devices.
Join an Android device using Azure Active Directory Device Registration
The Azure Authenticator for Android topic has instructions on how to install Azure authenticator app on your
Android device and add a work account. When a work account is created successfully on an Android device, that
device is workplace joined to the organization.
NOTE
This section assumes that you have already configured a Relying Party Trust for your application in AD FS.
1. Open the AD FS MMC tool and navigate to AD FS > Trust Relationships > Relying Party Trusts.
2. Locate the application for which this new access rule will apply. Right-click the application and select Edit Claim
Rules
3. Select the Issuance Authorization Rules tab and then select Add Rule
4. From the Claim rule template drop down list, select Permit or Deny Users Based on an Incoming Claim.
Select Next.
5. In the Claim Rule name: field type: Permit access from registered devices
6. From the Incoming claim type: drop down list, select Is Registered User.
7. In the Incoming claim value: field, type: true
8. Select the Permit access to users with this incoming claim radio button.
9. Select Finish and then select Apply.
10. Remove any rules that are more permissive than the rule you just created. For example, remove the default
Permit Access to all Users rule.
Your application is now configured to allow access only when the user is coming from a device that they registered
and joined to the workplace. For more advanced access polices, see Manage Risk with Multi-Factor Access Control.
Next, you will configure a custom error message for your application. The error message will let users know that
they must join their device to the workplace before they are allowed access to the application. You can create a
custom application access denied message using custom HTML and Windows PowerShell.
On your federation server, open a Windows PowerShell command window and type the following command.
Replace portions of the command with items that are specific to your system:
You must register your device before you can access this application.
If you are using an iOS device, select this link to join your device:
a href='https://enterpriseregistration.windows.net/enrollmentserver/otaprofile/yourdomain.com
Related Articles
Article Index for Application Management in Azure Active Directory
Azure Active Directory Conditional Access FAQ
1/17/2017 1 min to read Edit on GitHub
You try to access your organization's SharePoint Online intranet, and you get an "access denied" error message.
What do you do?
This article covers remediation steps that can help you resolve access issues with your organization's online
resources.
For help resolving Azure Active Directory (Azure AD) access issues, go to the section in the article that covers your
device platform:
Windows device
iOS device (Check back soon for assistance with iPhones and iPads.)
Android device (Check back soon for assistance with Android phones and tablets.)
Next steps
Azure Active Directory conditional access
Azure Active Directory Conditional Access technical
reference
1/17/2017 3 min to read Edit on GitHub
At work networks
Conditional access rules that use an At work network, rely on trusted IP address ranges that have been
configured in Azure AD, or use of the "inside corpnet" claim from AD FS. These rules include:
Require multi-factor authentication when not at work
Block access when not at work
Options for specifiying at work networks
1. Configure trusted IP address ranges in the multi-factor authentication configuration page. Conditional Access
policy will use the configured ranges on each authentication request and token issuance to evaluate rules.
2. Configure use of the inside corpnet claim, this option can be used with federated directories, using AD FS. Learn
more about the inside coronet claims.
3. Configure public IP address ranges. On the configure tab, for your directory, you can set public IP addresses.
Conditional Access will use these as at work IP addresses, this allows additional ranges to be configure, above
the 50 IP address limit that is enforced by the MFA setting page.
Related topics
Securing access to Office 365 and other apps connected to Azure Active Directory
Article Index for Application Management in Azure Active Directory
Extending cloud capabilities to Windows 10 devices
through Azure Active Directory Join
1/17/2017 6 min to read Edit on GitHub
Users can sign into Windows with work Users can sign in to Windows with work Users sign in to Windows with their
credentials (as they do today). credentials that are managed in Azure personal Microsoft account credentials
AD. This is relevant for corporate (no change).
devices in three cases: 1)The
organization doesnt have Active
Directory on premises (for example, a
small business). 2)The organization
doesnt create all user accounts in
Active Directory (for example, accounts
for students, consultants, or seasonal
workers are not created in Active
Directory). 3)The organization has
corporate devices that cant be joined
to an (on-premises) domain, like
phones or tablets running a Mobile SKU
(for example, a secondary device taken
to a factory/retail floor). Azure AD Join
supports joining of corporate devices
for both managed and federated
organizations.
Users have access to roaming settings Users can do self-service setup. They Users can easily add a work account
and the enterprise Windows Store. can go through the first-run experience thats managed in Active Directory or
These services work with work accounts (FRX) via their work account as an Azure AD.
and don't require a personal Microsoft alternative to having IT provision the
account. This requires organizations to devices, although both methods are
connect their on-premises Active supported.
Directory to Azure AD.
Users have SSO ability from the Devices are automatically registered in Users have SSO ability across apps and
desktop to work apps, websites, and the enterprise directory (Azure AD) and to websites/resources with this work
resources--including both on-premises automatically enrolled in mobile device account.
resources and cloud apps that use management. (Azure AD Premium
Azure AD for authentication. feature).
Users can add their personal Microsoft Users can do a self-service password Users have access to the enterprise
accounts to access their personal reset (SSPR) on winlogon, meaning they Windows Store so that they can acquire
pictures and files without impacting can reset a forgotten password. (Azure and use line-of-business apps on their
enterprise data. (Roaming settings AD Premium feature). personal devices.
continue to work with their work
accounts.) The Microsoft account
enables SSO and no longer drives the
roaming of settings.
Additional information
Windows 10 for the enterprise: Ways to use devices for work
Extending cloud capabilities to Windows 10 devices through Azure Active Directory Join
Authenticating identities without passwords through Microsoft Passport
Learn about usage scenarios for Azure AD Join
Connect domain-joined devices to Azure AD for Windows 10 experiences
Set up Azure AD Join
Usage scenarios and deployment considerations for
Azure AD Join
1/17/2017 3 min to read Edit on GitHub
Additional information
Windows 10 for the enterprise: Ways to use devices for work
Extending cloud capabilities to Windows 10 devices through Azure Active Directory Join
Authenticating identities without passwords through Microsoft Passport
Learn about usage scenarios for Azure AD Join
Connect domain-joined devices to Azure AD for Windows 10 experiences
Set up Azure AD Join
Setting up Azure AD Join in your organization
1/17/2017 1 min to read Edit on GitHub
Before you set up Azure Active Directory Join (Azure AD Join), you need to either sync up your on-premises
directory of users to the cloud or manually create managed accounts in Azure AD.
Detailed instructions for syncing your on-premises users to Azure AD is covered in Integrating your on-premises
identities with Azure Active Directory.
To manually create and manage users in Azure AD, refer to User management in Azure AD.
Additional information
Windows 10 for the enterprise: Ways to use devices for work
Extending cloud capabilities to Windows 10 devices through Azure Active Directory Join
Learn about usage scenarios for Azure AD Join
Connect domain-joined devices to Azure AD for Windows 10 experiences
Set up Azure AD Join
Set up a new device with Azure AD during Setup
1/17/2017 2 min to read Edit on GitHub
In Windows 10, users can join their devices to Azure Active Directory (Azure AD) in the first-run experience (FRX).
This allows organizations to distribute shrink-wrapped devices to their employees or students, or let them choose
their own devices (CYOD). If either Windows 10 Professional or Windows 10 Enterprise editions is installed on a
device, the experience defaults to the setup process for company-owned devices.
3. Select the network you want to use for connecting to the Internet.
4. Select whether you're using a personal device or a company-owned device. If it's company-owned, click This
device belongs to my organization. This starts the Azure AD Join experience. Following is a screen that you'll
see if you're using Windows 10 Professional.
NOTE
Joining an on-premises Windows Server Active Directory domain in the Windows out-of-box experience is not supported.
Therefore, if you plan to join a computer to a domain, you should select the link Set up Windows with a local account
instead. You can then join the domain from the settings on your computer as youve done before.
Additional information
Windows 10 for the enterprise: Ways to use devices for work
Extending cloud capabilities to Windows 10 devices through Azure Active Directory Join
Authenticating identities without passwords through Microsoft Passport
Learn about usage scenarios for Azure AD Join
Connect domain-joined devices to Azure AD for Windows 10 experiences
Set up Azure AD Join
Connect domain-joined devices to Azure AD for
Windows 10 experiences
1/17/2017 2 min to read Edit on GitHub
Domain join is the traditional way organizations have connected devices for work for the last 15 years and
more. It has enabled users to sign in to their devices by using their Windows Server Active Directory (Active
Directory) work or school accounts and allowed IT to fully manage these devices. Organizations typically rely on
imaging methods to provision devices to users and generally use System Center Configuration Manager
(SCCM) or Group Policy to manage them.
Domain join in Windows 10 will provide the following benefits after you connect devices to Azure Active
Directory (Azure AD):
Single sign-on (SSO) to Azure AD resources from anywhere
Access to the enterprise Windows Store by using work or school accounts (no Microsoft account required)
Enterprise-compliant roaming of user settings across devices by using work or school accounts (no
Microsoft account required)
Strong authentication and convenient sign-in for work or school accounts with Microsoft Passport and
Windows Hello
Ability to restrict access only to devices that comply with organizational device Group Policy settings
Prerequisites
Domain join continues to be useful. However, to get the Azure AD benefits of SSO, roaming of settings with
work or school accounts, and access to Windows Store with work or school accounts, you will need the
following:
Azure AD subscription
Azure AD Connect to extend the on-premises directory to Azure AD
Policy that's set to connect domain-joined devices to Azure AD
Windows 10 build (build 10551 or newer) for devices
To enable Microsoft Passport for Work and Windows Hello, you will also need the following:
Public key infrastructure (PKI) for user certificates issuance.
System Center Configuration Manager version 1509 for Technical Preview. For more information, see
Microsoft System Center Configuration Manager Technical Preview and System Center Configuration
Manager Team Blog. This is required to deploy user certificates based on Microsoft Passport keys.
As an alternative to the PKI deployment requirement, you can do the following:
Have a few domain controllers with Windows Server 2016 Active Directory Domain Services.
To enable conditional access, you can create Group Policy settings that allow access to domain-joined devices
with no additional deployments. To manage access control based on compliance of the device, you will need the
following:
System Center Configuration Manager version 1509 for Technical Preview for Passport scenarios
Deployment instructions
To deploy, follow the steps listed in How to configure automatic registration of Windows domain-joined devices
with Azure Active Directory
Additional information
Windows 10 for the enterprise: Ways to use devices for work
Extending cloud capabilities to Windows 10 devices through Azure Active Directory Join
Learn about usage scenarios for Azure AD Join
Connect domain-joined devices to Azure AD for Windows 10 experiences
Set up Azure AD Join
Authenticating identities without passwords through
Microsoft Passport
1/17/2017 3 min to read Edit on GitHub
The current methods of authentication with passwords alone are not sufficient to keep users safe. Users reuse and
forget passwords. Passwords are breachable, phishable, prone to cracks, and guessable. They also get difficult to
remember and prone to attacks like pass the hash.
Additional information
Windows 10 for the enterprise: Ways to use devices for work
Extending cloud capabilities to Windows 10 devices through Azure Active Directory Join
Learn about usage scenarios for Azure AD Join
Connect domain-joined devices to Azure AD for Windows 10 experiences
Set up Azure AD Join
Enable Microsoft Windows Hello for Business in your
organization
1/17/2017 3 min to read Edit on GitHub
After connecting Windows 10 domain-joined devices with Azure Active Directory, do the following to enable
Microsoft Windows Hello for Business in your organization:
1. Deploy System Center Configuration Manager
2. Configure policy settings
3. Configure the certificate profile
2. In the toolbar on the top, click Create Windows Hello for business Profile.
Next steps
Windows 10 for the enterprise: Ways to use devices for work
Extending cloud capabilities to Windows 10 devices through Azure Active Directory Join
Authenticating identities without passwords through Microsoft Passport
Learn about usage scenarios for Azure AD Join
Connect domain-joined devices to Azure AD for Windows 10 experiences
Set up Azure AD Join
Windows 10 for the enterprise: Ways to use devices
for work
1/17/2017 1 min to read Edit on GitHub
Windows 10 gives you the ability to leverage Azure Active Directory (Azure AD). You can connect Windows 10
devices to Azure AD so that users can sign in to Windows by using Azure AD accounts or by adding their Azure
IDs to gain access to business apps and resources.
TOPICS
Additional information
Windows 10 for the enterprise: Ways to use devices for work
Extending cloud capabilities to Windows 10 devices through Azure Active Directory Join
Learn about usage scenarios for Azure AD Join
Connect domain-joined devices to Azure AD for Windows 10 experiences
Set up Azure AD Join
Get started with certificate based authentication on
Android
1/17/2017 6 min to read Edit on GitHub
This topic shows you how to configure and utilize certificate based authentication (CBA) on an Android device for
users of tenants in Office 365 Enterprise, Business, and Education plans.
CBA enables you to be authenticated by Azure Active Directory with a client certificate on an Android or iOS device
when connecting your Exchange online account to:
Office mobile applications such as Microsoft Outlook and Microsoft Word
Exchange ActiveSync (EAS) clients
Configuring this feature eliminates the need to enter a username and password combination into certain mail and
Microsoft Office applications on your mobile device.
OneNote
OneDrive
Outlook
Yammer
Getting started
To get started, you need to configure the certificate authorities in Azure Active Directory. For each certificate
authority, upload the following:
The public portion of the certificate, in .cer format
The Internet facing URLs where the Certificate Revocation Lists (CRLs) reside
Below is the schema for a certificate authority:
class TrustedCAsForPasswordlessAuth
{
CertificateAuthorityInformation[] certificateAuthorities;
}
class CertificateAuthorityInformation
{
CertAuthorityType authorityType;
X509Certificate trustedCertificate;
string crlDistributionPoint;
string deltaCrlDistributionPoint;
string trustedIssuer;
string trustedIssuerSKI;
}
enum CertAuthorityType
{
RootAuthority = 0,
IntermediateAuthority = 1
}
To upload the information, you can use the Azure AD module through Windows PowerShell.
Below are examples for adding, removing or modifying a certificate authority.
Configuring your Azure AD tenant for certificate based authentication
1. Start Windows PowerShell with administrator privileges.
2. Install the Azure AD module. You need to install Version 2.0.0.33 or higher.
Connect-AzureAD
Get-AzureADTrustedCertificateAuthority
Get-AzureADTrustedCertificateAuthority
$c[0].AuthorityType=1
Revocation
To revoke a client certificate, Azure Active Directory fetches the certificate revocation list (CRL) from the URLs
uploaded as part of certificate authority information and caches it. The last publish timestamp (Effective Date
property) in the CRL is used to ensure the CRL is still valid. The CRL is periodically referenced to revoke access to
certificates that are a part of the list.
If a more instant revocation is required (for example, if a user loses a device), the authorization token of the user
can be invalidated. To invalidate the authorization token, set the StsRefreshTokenValidFrom field for this
particular user using Windows PowerShell. You must update the StsRefreshTokenValidFrom field for each user
you want to revoke access for.
To ensure that the revocation persists, you must set the Effective Date of the CRL to a date after the value set by
StsRefreshTokenValidFrom and ensure the certificate in question is in the CRL.
The following steps outline the process for updating and invalidating the authorization token by setting the
StsRefreshTokenValidFrom field.
1. Connect with admin credentials to the MSOL service:
$msolcred = get-credential
connect-msolservice -credential $msolcred
This topic shows you how to configure and utilize certificate based authentication (CBA) on an iOS device for users
of tenants in Office 365 Enterprise, Business, and Education plans.
CBA enables you to be authenticated by Azure Active Directory with a client certificate on an Android or iOS device
when connecting your Exchange online account to:
Office mobile applications such as Microsoft Outlook and Microsoft Word
Exchange ActiveSync (EAS) clients
Configuring this feature eliminates the need to enter a username and password combination into certain mail and
Microsoft Office applications on your mobile device.
OneNote
OneDrive
Outlook
Yammer
Getting started
To get started, you need to configure the certificate authorities in Azure Active Directory. For each certificate
authority, upload the following:
The public portion of the certificate, in .cer format
The Internet facing URLs where the Certificate Revocation Lists (CRLs) reside
Below is the schema for a certificate authority:
class TrustedCAsForPasswordlessAuth
{
CertificateAuthorityInformation[] certificateAuthorities;
}
class CertificateAuthorityInformation
{
CertAuthorityType authorityType;
X509Certificate trustedCertificate;
string crlDistributionPoint;
string deltaCrlDistributionPoint;
string trustedIssuer;
string trustedIssuerSKI;
}
enum CertAuthorityType
{
RootAuthority = 0,
IntermediateAuthority = 1
}
To upload the information, you can use the Azure AD module through Windows PowerShell.
Below are examples for adding, removing or modifying a certificate authority.
Configuring your Azure AD tenant for certificate based authentication
1. Start Windows PowerShell with administrator privileges.
2. Install the Azure AD module. You need to install Version 2.0.0.33 or higher.
Connect-AzureAD
Get-AzureADTrustedCertificateAuthority
Get-AzureADTrustedCertificateAuthority
$c[0].AuthorityType=1
Revocation
To revoke a client certificate, Azure Active Directory fetches the certificate revocation list (CRL) from the URLs
uploaded as part of certificate authority information and caches it. The last publish timestamp (Effective Date
property) in the CRL is used to ensure the CRL is still valid. The CRL is periodically referenced to revoke access to
certificates that are a part of the list.
If a more instant revocation is required (for example, if a user loses a device), the authorization token of the user
can be invalidated. To invalidate the authorization token, set the StsRefreshTokenValidFrom field for this
particular user using Windows PowerShell. You must update the StsRefreshTokenValidFrom field for each user
you want to revoke access for.
To ensure that the revocation persists, you must set the Effective Date of the CRL to a date after the value set by
StsRefreshTokenValidFrom and ensure the certificate in question is in the CRL.
The following steps outline the process for updating and invalidating the authorization token by setting the
StsRefreshTokenValidFrom field.
1. Connect with admin credentials to the MSOL service:
$msolcred = get-credential
connect-msolservice -credential $msolcred
Beyond the actual workflow or content, businesses have two basic requirements for all applications:
1. To increase productivity, applications should be easy to discover and access
2. To enable security and governance, the organization needs control and oversight on who can and actually is
accessing each application
In the world of cloud applications this can best be achieved using identity to control WHO is allowed to do WHAT.
In computing terminology:
Who is known as identity - the management of users and groups
What is known as access management the management of access to protected resources
Both components together are known as Identity and Access Management (IAM), which is defined by the Gartner
group as the security discipline that enables the right individuals to access the right resources at the right times for
the right reasons.
Okay, so whats the problem? If IAM is not managed in one place with an integrated solution:
Identity administrators have to individually create and update user accounts in all applications separately, a
redundant and time consuming activity.
Users have to memorize multiple credentials to access the applications they need to work with. As a result,
users tend to write down their passwords or use other password management solutions which introduces other
data security risks.
Redundant, time consuming activities reduce the amount of time users and administrators are working on
business activities that increase your businesss bottom line.
So, what generally prevents organizations from adopting integrated IAM solutions?
Most technical solutions are based on software platforms that need to be deployed and adapted by each
organization for their own applications.
Cloud applications are often adopted at a higher rate than IT organization can integrate with existing IAM
solutions.
Security and monitoring tooling require additional customization and integration to achieve comprehensive E2E
scenarios.
Access detection
In modern enterprises, IT departments are often not aware of all the cloud applications that are being used. In
conjunction with Cloud App Discovery, Azure AD provides you with a solution to detect these applications.
Account management
Traditionally, managing accounts in the various applications is a manual process performed by IT or support
personal in the organization. Azure AD fully automated account management across all service provider integrated
applications and those applications pre-integrated by Microsoft supporting automated user provisioning or SAML
JIT.
Access management
Using Azure AD you can manage access to applications using individual or rule driven assignments. You can also
delegate access management to the right people in the organization ensuring the best oversight and reducing the
burden on helpdesk.
On-premises applications
The built in application proxy enables you to publish your on-premises applications to your users resulting in both
consistent access experience with modern cloud application and the benefits from Azure AD monitoring, reporting,
and security capabilities.
Related capabilities
With Azure AD you can secure your applications with granular access policies and pre-integrated MFA. To learn
more about Azure MFA see Azure MFA.
Getting started
To get started integrating applications with Azure AD, take a look at the Integrating Azure Active Directory with
applications getting started guide.
See also
Article Index for Application Management in Azure Active Directory
Integrating Azure Active Directory with applications
getting started guide
1/17/2017 3 min to read Edit on GitHub
Overview
This topic is intended to give you a roadmap for integrating applications with Azure Active Directory (AD). Each of
the sections below contain a brief summary of a more detailed topic so you can identify which parts of this getting
started guide are relevant to you. Follow the links for a deeper dive on each subject.
See also
Article Index for Application Management in Azure Active Directory
Finding unmanaged cloud applications with Cloud
App Discovery
1/17/2017 1 min to read Edit on GitHub
Overview
In modern enterprises, IT departments are often not aware of all the cloud applications that members of their
organization use to do their work. It is easy to see why administrators would have concerns about unauthorized
access to corporate data, possible data leakage and other security risks. This lack of awareness can make creating
a plan for dealing with these security risks seem daunting.
Cloud App Discovery is a feature of Azure Active Directory (AD) Premium that enables you to discover cloud
applications being used by the people in your organization.
With Cloud App Discovery, you can:
Find the cloud applications being used and measure that usage by number of users, volume of traffic or
number of web requests to the application.
Identify the users that are using an application.
Export data for offline analysis.
Bring these applications under IT control and enable single sign on for user management.
How it works
1. Application usage agents are installed on user's computers.
2. The application usage information captured by the agents is sent over a secure, encrypted channel to the cloud
app discovery service.
3. The Cloud App Discovery service evaluates the data and generates reports.
To get started with Cloud App Discovery, see Getting Started With Cloud App Discovery
Related articles
Cloud App Discovery Security and Privacy Considerations
Cloud App Discovery Group Policy Deployment Guide
Cloud App Discovery System Center Deployment Guide
Cloud App Discovery Registry Settings for Proxy Servers with Custom Ports
Cloud App Discovery Agent Changelog
Cloud App Discovery Frequently Asked Questions
Article Index for Application Management in Azure Active Directory
Cloud App Discovery Registry Settings for Proxy
Services
1/17/2017 1 min to read Edit on GitHub
By default, the Cloud App Discovery agent is configured to use only the ports 80 or 443. If you are planning on
installing Cloud App Discovery in an environment with a proxy server that is using a custom port (neither 80 nor
443), you need to configure your agents to use this port. The configuration is based on a registry key.
The objective of this topic is to provide you with the steps you need to perform to set the required port on the
computers running the Cloud App Discovery agent.
To modify the port used by the computer running the Cloud App Discovery agent, perform the following
steps:
1. Start the registry editor.
80
8080
8118
8888
81
12080
6999
30606
31595
4080
443
1110
Microsoft is committed to protecting your privacy and securing your data, while delivering software and services
that help you manage the security of your organization.
We recognize that when you entrust your data to others, that trust requires rigorous security engineering
investments and expertise to back it. Microsoft adheres to strict compliance and security guidelines from secure
software development lifecycle practices to operating a service.
Securing and protecting data is a top priority at Microsoft.
This topic explains how data is collected, processed, and secured within Azure Active Directory Cloud App Discovery
Overview
Cloud App Discovery is a feature of Azure AD and is hosted in Microsoft Azure.
The Cloud App Discovery endpoint agent is used to collect application discovery data from IT managed machines.
The collected data is sent securely over an encrypted channel to the Azure AD Cloud App Discovery service.
The Cloud App Discovery data for an organization is then visible in the Azure portal.
The following sections follow the flow of information and describe how it is secured as it moves from your
organization to the Cloud App Discovery service and ultimately to the Cloud App Discovery portal.
NOTE
The HTTP information above is collected for all non-encrypted connections. For TLS connections, this information is only
captured when the Deep Inspection setting is turned on in the portal. The setting is ON by default. For more details, see
below, and Getting Started With Cloud App Discovery
In addition to the data that the agent collects about the network activity, it also collects anonymous information
about the software and hardware configuration, error reports, and information about how the agent is being used.
How the agent works
The agent installation includes two components:
A user-mode component
A kernel-mode driver component (Windows Filtering Platform driver)
When the agent is first installed it stores a machine-specific trusted certificate on the machine which it then uses to
establish a secure connection with the Cloud App Discovery service.
The agent periodically retrieves policy configuration from the Cloud App Discovery service over this secure
connection.
The policy includes information about which cloud applications to monitor and whether auto-updating should be
enabled, among other things.
As Web traffic is sent and received on the machine from Internet Explorer and Chrome, the Cloud App Discovery
agent analyzes the traffic and extracts the relevant metadata (see the Data collected by the agent section above).
Every minute, the agent uploads the collected metadata to the Cloud App Discovery service over an encrypted
channel.
The driver component intercepts the encrypted traffic and inserts itself into the encrypted stream. More details in
the Intercepting data from encrypted connections (Deep inspection) section below.
Respecting user privacy
Our goal is to provide administrators the tools to set the balance between detailed optics into application usage
and user privacy as appropriate for their organization. To that end, we provide the following knobs in the settings
page in the Portal:
Data Collection: Administrators can choose to specify which applications or application categories they want
to get discovery data on.
Deep Inspection: Administrators can chose to specify if the agent collects HTTP traffic for SSL/TLS connections
(aka 'Deep Inspection'). More on this in the next section.
Consent Options: Administrators can use the Cloud App Discovery portal to choose whether to notify users of
the data collection by the agent, and whether to require user consent before the agent starts collecting user
data.
The Cloud App Discovery endpoint agent only collects the information described in the Data collected by the
agent section above.
Intercepting data from encrypted connections (Deep inspection)
As we mentioned earlier, administrators can configure the agent to monitor data from encrypted connections
('deep inspection'). TLS (Transport Layer Security) is one of the most common protocols in use on the Internet
today. By encrypting communication with TLS, a client can establish a secure and private communication channel
with a web server; TLS provides essential protection for passing authentication credentials and prevent the
disclosure of sensitive information.
While the end-to-end secure encrypted channel provided by TLS enables important security and privacy protection,
the protocol is often abused for malicious or nefarious purposes. So much so, in fact, that TLS is often referred to as
the universal firewall-bypass protocol. The root of the problem is that most firewalls are unable to inspect TLS
communication because the application-layer data is encrypted with SSL. Knowing this, attackers frequently
leverage TLS to deliver malicious payloads to a user confident that even the most intelligent application-layer
firewalls are completely blind to TLS and must simply relay TLS communication between hosts. End users
frequently leverage TLS to bypass access controls enforced by their corporate firewalls and proxy servers, using it
to connect to public proxies and for tunneling non-TLS protocols through the firewall that might otherwise be
blocked by policy.
Deep inspection allows the Cloud App Discovery agent to act as a trusted man-in-the-middle. When a client request
is made to access an HTTPS protected resource, the Endpoint Agent driver intercepts the connection and
establishes a new connection to the destination server to retrieves its SSL certificate on behalf of the client. The
agent then verifies that the certificate can be trusted (by checking that it was not revoked, and performing other
certificate checks), and if these pass, the Endpoint Agent then copies the information from the server certificate and
creates its own server certificate -- known as an interception certificate -- using that information. The interception
certificate is signed on-the-fly by the endpoint agent with a root certificate, which is installed in the Windows
trusted certificate store. This self-signed root certificate is marked non-exportable and is ACLd to administrators. It
is intended to never leave the machine on which it was created. When the end-users client application receives the
interception certificate, it will trust it because it can successfully validate the certificate chain all the way to the root
certificate. This process is mostly transparent from an end-users point of view with a few caveats as described
below.
By enabling deep inspection, the Cloud App Discovery Endpoint Agent can decrypt and inspect TLS encrypted
communications, allowing the service to reduce noise and provide insights about the usage of the encrypted cloud
apps.
A word of caution
Before turning on deep inspection, it is strongly suggested that you communicate your intentions to your legal and
HR departments and obtain their consent. Inspecting end users private encrypted communications can be a
sensitive subject, for obvious reasons. Before a production roll-out of deep inspection, make certain that your
corporate security and acceptable use policies have been updated to indicate that encrypted communication will be
inspected. User notification and exemption of sites deemed sensitive (e.g. banking and medical sites) may also be
necessary if you configure Cloud App Discovery to monitor them. As mentioned above, administrators can use the
Cloud App Discovery portal to choose whether to notify users of the data collection by the agent, and whether to
require user consent before the agent starts collecting user data.
Known issues and drawbacks
There are a few cases where TLS interception may impact the end user experience:
Extended Validation (EV) certificates render the address bar of the web browser green to act as a visual clue that
you are visiting a trusted web site. TLS inspection cannot duplicate EV in the certificate it issues to the client, so
web sites that use EV certificates will work normally but the address bar will not display green.
Public key pinning (also known as certificate pinning) are designed to help protect users from man-in-the-
middle attacks and rogue certificate authorities. When the root certificate for a pinned site does not match one
of the known good CA's, the browser rejects the connection with an error. Since TLS interception is, in fact, a
man-in-the-middle, these connections will fail.
If users click the lock icon in the browser address bar browser to inspect the site information, they will not see a
chain ending in the certificate authority used to sign the website certificate, but instead a certificate chain ending
with the Windows trusted certificate store.
To reduce the occurrences of these issues, we keep track of cloud services and client applications known to use
extended validation or public key pinning and instruct the Endpoint Agent to avoid intercepting impacted
connections. Even in these cases, however, you will still receive reports of the use of these cloud apps and the
volume of data being transferred, but since they are not deep inspected, no details about how the apps were used
will be available.
NOTE
For more details, see Getting Started With Cloud App Discovery
Any user accessing the data in the portal, must be licensed with an Azure AD Premium license.
Additional Resources
How can I discover unsanctioned cloud apps that are used within my organization
Article Index for Application Management in Azure Active Directory
How to provide secure remote access to on-premises
applications
1/17/2017 4 min to read Edit on GitHub
NOTE
Application Proxy is a feature that is available only if you upgraded to the Premium or Basic edition of Azure Active
Directory. For more information, see Azure Active Directory editions.
Employees today want to be productive at any place, at any time, and from any device. They want to work on their
own devices, whether they be tablets, phones, or laptops. And they expect to be able to access all their
applications, both SaaS apps in the cloud and corporate apps on-premises. Providing access to on-premises
applications has traditionally involved virtual private networks (VPNs), demilitarized zones (DMZs), or on-
premises reverse proxies. Not only are these solutions complex and hard to make secure, but they are costly to
set up and manage.
There is a better way!
A modern workforce in the mobile-first, cloud-first world needs a modern remote access solution. Azure AD
Application Proxy is a feature of the Azure Active Directory Premium offering, and offers remote access as a
service. That means it's easy to deploy, use, and manage.
1. The user accesses the application through the Application Proxy and is directed to the Azure AD sign-in page
to authenticate.
2. After a successful sign-in, a token is generated and sent to the user.
3. The user sends the token to Application Proxy, which retrieves the user principal name (UPN) and security
principal name (SPN) from the token, then directs the request to the connector.
4. On behalf of the user, the connector requests a Kerberos ticket that can be used for internal (Windows)
authentication. This is known as Kerberos Constrained Delegation.
5. Active Directory retrieves the Kerberos ticket.
6. The ticket is sent to the application server and verified.
7. The response is sent through Application Proxy to the user.
Single sign-on
Azure AD Application Proxy provides single sign-on (SSO) to applications that use Integrated Windows
Authentication (IWA), or claims-aware applications. If your application uses IWA, Application Proxy impersonates
the user using Kerberos Constrained Delegation to provide SSO. If you have a claims-aware application that trusts
Azure Active Directory, SSO is achieved because the user was already authenticated by Azure AD.
What's next?
There's a lot more you can do with Application Proxy:
Publish applications using your own domain name
Enable single-sign on
Working with claims aware applications
Enable conditional access
For the latest news and updates, check out the Application Proxy blog
Enable Application Proxy in the Azure portal
1/17/2017 3 min to read Edit on GitHub
This article walks you through the steps to enable Microsoft Azure AD Application Proxy for your cloud directory
in Azure AD.
If you're unfamiliar with what Application Proxy can help you do, learn more about How to provide secure remote
access to on-premises applications.
If your firewall enforces traffic according to originating users, open these ports for traffic coming from
Windows services running as a Network Service. Also, make sure to enable port 8080 for NT
Authority\System.
If your organization uses proxy servers to connect to the internet, please take a look at the blog post Working
with existing on-premises proxy servers for details on how to configure them.
3. Select Configure from the directory page, and scroll down to Application Proxy.
4. Toggle Enable Application Proxy Services for this Directory to Enabled.
5. Select Download now. This takes you to the Azure AD Application Proxy Connector Download. Read and
accept the license terms and click Download to save the Windows Installer file (.exe) for the connector.
Next steps
You are now ready to Publish applications with Application Proxy.
If you have applications that are on separate networks or different locations, you can use connector groups to
organize the different connectors into logical units. Learn more about Working with Application Proxy connectors.
Publish applications using Azure AD Application
Proxy - Public Preview
1/17/2017 3 min to read Edit on GitHub
Azure Active Directory (AD) Application Proxy helps you support remote workers by publishing on-premises
applications to be accessed over the internet. Through the Azure portal, you can publish applications that are
running on your local network and provide secure remote access from outside your network.
This article walks you through the steps to publish an on-premises app with Application Proxy. After you complete
this article, you'll be ready to configure the application with single sign-on, personalized information, or security
requirements.
If you're new to Application Proxy, learn more about this feature with the article How to provide secure remote
access to on-premises applications.
TIP
If you publish a path, make sure that it includes all the necessary images, scripts, and style sheets for your
application. For example, if your app is at https://yourapp/app and uses images located at
https://yourapp/media, then you should publish https://yourapp/ as the path.
External URL: The address your users will go to in order to access the app from outside your
network.
Pre Authentication: How Application Proxy verifies users before giving them access to your
application.
Azure Active Directory: Application Proxy redirects users to sign in with Azure AD, which
authenticates their permissions for the directory and application. We recommend keeping this
option as the default.
Passthrough: Users don't have to authenticate against Azure Active Directory to access the
application. You can still set up authentication requirements on the backend.
Translate URL in Headers?: Choose whether to translate the URL in the headers, or keep the original.
Connector Group: Connectors process the remote access to your application, and connector groups
help you organize connectors and apps by region, network, or purpose. If you don't have any connector
groups created yet, your app is assigned to Default and you'll see a warning message asking you to
create a connector group.
8. Select Save.
3. On the Add assignment blade, select Users and groups then choose the account you want to add.
4. Select Assign.
Next steps
Download connectors and create connector groups to publish applications on separate networks and
locations.
Set up single sign-on for your newly-published app
Publish applications using Azure AD Application
Proxy
1/17/2017 4 min to read Edit on GitHub
Azure AD Application Proxy helps you support remote workers by publishing on-premises applications to be
accessed over the internet. By this point, you should already have enabled Application Proxy in the Azure classic
portal. This article walks you through the steps to publish applications that are running on your local network and
provide secure remote access from outside your network. After you complete this article, you'll be ready to
configure the application with personalized information or security requirements.
NOTE
Application Proxy is a feature that is available only if you upgraded to the Premium or Basic edition of Azure Active
Directory. For more information, see Azure Active Directory editions.
3. Click the Applications tab, and then click the Add button at the bottom of the screen
4. Select Publish an application that will be accessible from outside your network.
5. Provide the following information about your application:
Name: The user-friendly name for your application. It must be unique within your directory.
Internal URL: The address that the Application Proxy Connector uses to access the application from
inside your private network. You can provide a specific path on the backend server to publish, while
the rest of the server is unpublished. In this way, you can publish different sites on the same server,
and give each one its own name and access rules.
TIP
If you publish a path, make sure that it includes all the necessary images, scripts, and style sheets for your
application. For example, if your app is at https://yourapp/app and uses images located at
https://yourapp/media, then you should publish https://yourapp/ as the path.
Preauthentication Method: How Application Proxy verifies users before giving them access to
your application. Choose one of the options from the drop-down menu.
Azure Active Directory: Application Proxy redirects users to sign in with Azure AD, which
authenticates their permissions for the directory and application.
Passthrough: Users don't have to authenticate to access the application.
6. To finish the wizard, click the check mark at the bottom of the screen. The application is now defined in Azure
AD.
2. Search for specific groups in your directory, or show all your users. To display the search results, click the
check mark.
3. Select each user or group you want to assign to this app and click Assign. You are asked to confirm this
action.
NOTE
For Integrated Windows Authentication apps, you can assign only users and groups that are synced from your on-
premises Active Directory. Users who sign in with a Microsoft account and guests cannot be assigned for apps published
with Azure Active Directory Application Proxy. Make sure your users sign in with credentials that are part of the same
domain as the app you are publishing.
After you publish applications using Azure Active Directory Application Proxy, they appear in the Applications list
in Azure AD, and you can manage them there.
If you disable Application Proxy services after you have published applications, they are no longer accessible from
outside your private network. This does not delete the applications.
To view an application and make sure that it is accessible, double-click the name of the application. If the
Application Proxy service is disabled and the application is not available, a warning message appears at the top of
the screen.
To delete an application, select an application in the list and then click Delete.
Next steps
Publish applications using your own domain name
Enable single-sign on
Enable conditional access
Working with claims aware applications
For the latest news and updates, check out the Application Proxy blog
Publish applications on separate networks and
locations using connectors - Public Preview
1/23/2017 2 min to read Edit on GitHub
Connectors and connector groups are useful for various scenarios, including:
Sites with multiple interconnected datacenters. In this case, you want to keep as much traffic within the
datacenter as possible because cross-datacenter links are expensive and slow. You can deploy connectors in
each datacenter to serve only the applications that reside within the datacenter. This approach minimizes cross-
datacenter links and provides an entirely transparent experience to your users.
Managing applications installed on isolated networks that are not part of the main corporate network. You can
use connector groups to install dedicated connectors on isolated networks to also isolate applications to the
network.
For applications installed on IaaS for cloud access, connector groups provide a common service to secure the
access to all the apps. Connector groups don't create additional dependency on your corporate network, or
fragment the app experience. Connectors can be installed on every cloud datacenter and serve only applications
that reside in this network. You can install several connectors to achieve high availability.
Support for multi-forest environments in which specific connectors can be deployed per forest and set to serve
specific applications.
Connector groups can be used in Disaster Recovery sites to either detect failover or as backup for the main site.
Connector groups can also be used to serve multiple companies from a single tenant.
2. Under Application Proxy, click Manage Connector Groups and create a new connector group by giving the
group a name.
Step 2: Assign connectors to your groups
Once the connector groups are created, move the connectors to the appropriate group.
1. Under Application Proxy, click Manage Connectors.
2. Under Group, select the group you want for each connector. It might take the connectors up to 10 minutes to
become active in the new group.
See also
Enable Application Proxy
Enable single-sign on
Enable conditional access
Troubleshoot issues you're having with Application Proxy
For the latest news and updates, check out the Application Proxy blog
Working with custom domains in Azure AD
Application Proxy
1/17/2017 3 min to read Edit on GitHub
Using a default domain enables you to set the same URL as the internal and external URL for accessing the
application so that your users only have one URL to remember to access the app, no matter where they are
accessing from. This also lets you create a single shortcut in the Access Panel for the application. If you use the
default domain provided by Azure AD Application Proxy, theres no additional configuration you need to enable
your domain. In the event that you use a custom domain, there are a few things you need to do to make sure that
Application Proxy recognizes your domain and validates its certificates.
See also
Publish applications with Application Proxy
Enable single sign-on
Enable conditional access
Add your custom domain name to Azure AD
For the latest news and updates, check out the Application Proxy blog
Single sign-on with Application Proxy
1/17/2017 7 min to read Edit on GitHub
Single sign-on is a key element of Azure AD Application Proxy. It provides the best user experience with the
following steps:
1. A user signs in to the cloud
2. All security validations happen in the cloud (preauthentication)
3. When the request is sent to the on-prem application, the Application Proxy Connector impersonates the user.
The backend application thinks this is a regular user coming from a domain-joined device.
Azure AD Application Proxy helps you provide a single sign-on (SSO) experience for your users. Use the following
instructions to publish your apps using SSO:
SSO for on-prem IWA apps using KCD with Application Proxy
You can enable single sign-on to your applications using Integrated Windows Authentication (IWA) by giving
Application Proxy Connectors permission in Active Directory to impersonate users, and send and receive tokens
on their behalf.
Network diagram
This diagram explains the flow when a user attempts to access an on-prem application that uses IWA.
1. The user enters the URL to access the on-prem application through Application Proxy.
2. Application Proxy redirects the request to Azure AD authentication services to preauthenticate. At this point,
Azure AD applies any applicable authentication and authorization policies, such as multifactor authentication.
If the user is validated, Azure AD creates a token and sends it to the user.
3. The user passes the token to Application Proxy.
4. Application Proxy validates the token and retrieves the User Principal Name (UPN) from it, and then sends the
request, the UPN, and the Service Principal Name (SPN) to the Connector through a dually authenticated
secure channel.
5. The Connector performs Kerberos Constrained Delegation (KCD) negotiation with the on-prem AD,
impersonating the user to get a Kerberos token to the application.
6. Active Directory sends the Kerberos token for the application to the Connector.
7. The Connector sends the original request to the application server, using the Kerberos token it received from
AD.
8. The application sends the response to the Connector, which is then returned to the Application Proxy service
and finally to the user.
Prerequisites
Before you get started with SSO for Application Proxy, make sure your environment is ready with the following
settings and configurations:
Your apps, like SharePoint Web apps, are set to use Integrated Windows Authentication. For more
information, see Enable Support for Kerberos Authentication, or for SharePoint see Plan for Kerberos
authentication in SharePoint 2013.
All your apps have Service Principal Names.
The server running the Connector and the server running the app are domain joined and part of the same
domain or trusting domains. For more information on domain join, see Join a Computer to a Domain.
The server running the Connector has access to read the TokenGroupsGlobalAndUniversal for users. This is a
default setting that might have been impacted by security hardening the environment. Get more help with this
setting in KB2009157.
Active Directory configuration
The Active Directory configuration varies, depending on whether your Application Proxy Connector and the
published server are in the same domain or not.
Connector and published server in the same domain
1. In Active Directory, go to Tools > Users and Computers.
2. Select the server running the Connector.
3. Right-click and select Properties > Delegation.
4. Select Trust this computer for delegation to specified services only. Under Services to which this
account can present delegated credentials add the value for the SPN identity of the application server.
5. This enables the Application Proxy Connector to impersonate users in AD against the applications defined in
the list.
Connector and published server in different domains
1. For a list of prerequisites for working with KCD across domains, see Kerberos Constrained Delegation across
domains.
2. In Windows 2012 R2, use the principalsallowedtodelegateto property on the Connector server to enable
the Application Proxy to delegate for the Connector server, where the published server is
sharepointserviceaccount and the delegating server is connectormachineaccount .
NOTE
sharepointserviceaccount can be the SPS machine account or a service account under which the SPS app pool is
running.
IMPORTANT
If your on-premises UPN and the UPN in Azure Active Directory are not identical, you need to configure the delegated
login identity in order for preauthentication to work.
Internal Authentication Method If you use Azure AD for preauthentication, you can set an
internal authentication method to enable your users to
benefit from single sign-on (SSO) to this application.
If delegated login identity is used, the value might not be unique for all the domains or forests in your
organization. You can avoid this issue by publishing these applications twice using two different Connector
groups. Since each application has a different user audience, you can join its Connectors to a different domain.
Working with SSO when on-premises and cloud identities are not
identical
Unless otherwise configured, Application Proxy assumes that users have exactly the same identity in the cloud
and on-premises. You can configure, for each application, which identity should be used when performing single
sign-on.
This capability allows many organizations that have different on-prem and cloud identities to have SSO from the
cloud to on-prem apps without requiring the users to enter different usernames and passwords. This includes
organizations that:
Have multiple domains internally (joe@us.contoso.com, joe@eu.contoso.com) and a single domain in the
cloud (joe@contoso.com).
Have non-routable domain name internally (joe@contoso.usa) and a legal one in the cloud.
Do not use domain names internally (joe)
Use different aliases on-prem and in the cloud. E.g. joe-johns@contoso.com vs. joej@contoso.com
It also helps with applications that do not accept addresses in the form of email address, which is a very common
scenario for non-Windows backend servers.
Setting SSO for different cloud and on-prem identities
1. Configure Azure AD Connect settings so the main identity is the email address (mail). This is done as part of
the customize process, by changing the User Principal Name field in the sync settings. These settings also
determine how users log in to Office365, Windows10 devices, and other applications that use Azure AD as
their identity store.
2. In the Application Configuration settings for the application you would like to modify, select the
Delegated Login Identity to be used:
User Principal Name: joe@contoso.com
Alternate User Principal Name: joed@contoso.local
Username part of User Principal Name: joe
Username part of Alternate User Principal Name: joed
On-premises SAM account name: depending on-prem domain controller configuration
See also
Publish applications with Application Proxy
Troubleshoot issues you're having with Application Proxy
Working with claims aware applications
Enable conditional access
For the latest news and updates, check out the Application Proxy blog
Provide single sign-on with Azure AD Application
Proxy - Public Preview
1/17/2017 1 min to read Edit on GitHub
Azure Active Directory Application Proxy helps you improve productivity by publishing on-premises applications so
that remote employees can securely access them, too. In the Azure portal, you can also set up single sign-on (SSO)
to these apps. Now, your users only need to authenticate with Azure AD, and they can access your enterprise
application without having to sign in again.
In this article, we'll use the example of a password-based app to show how password vaulting provides a simple
SSO experience.
You should already have published and tested your app with Application Proxy. If not, follow the steps in Publish
applications using Azure AD Application Proxy - Public Preview then come back here.
Or, if you're new to Application Proxy, learn more about this feature with the article How to provide secure remote
access to on-premises applications.
Next steps
Read about other ways to implement Single sign-on with Application Proxy
Working with claims aware apps in Application Proxy
1/17/2017 1 min to read Edit on GitHub
Claims aware apps perform a redirection to the Security Token Service (STS), which in turn requests credentials
from the user in exchange for a token before redirecting the user to the application. To enable Application Proxy to
work with these redirects, the following steps need to be taken.
Prerequisites
Before performing this procedure, make sure that the STS the claims aware app redirects to is available outside of
your on-premises network.
ADFS configuration
1. Open ADFS Management.
2. Go to Relying Party Trusts, right click on the app you are publishing with Application Proxy, and choose
Properties.
Azure Active Directory Application Proxy is widely used to publish browser applications such as SharePoint,
Outlook Web Access and custom line of business applications. It can also be used to publish native client apps,
which differ from web apps because they get installed on a device. This is done by supporting Azure AD issued
tokens that are sent in standard Authorize HTTP headers.
The recommended method to publish such applications is to use the Azure AD Authentication Library, which takes
care of all the authentication hassle and supports many different client environments. Application Proxy fits into the
Native Application to Web API scenario. The process for accomplishing this is as follows:
See also
Publish applications using your own domain name
Enable conditional access
Working with claims aware applications
Enable single-sign on
For the latest news and updates, check out the Application Proxy blog
Working with conditional access in Azure AD
Application Proxy
1/24/2017 3 min to read Edit on GitHub
You can configure access rules to grant conditional access to applications published using Application Proxy. This
enables you to:
Require multi-factor authentication per application
Require multi-factor authentication only when users are not at work
Block users from accessing the application when they are not at work
These rules can be applied to all users and groups or only to specific users and groups. By default the rule will
apply to all users who have access to the application. However the rule can also be restricted to users that are
members of specified security groups.
Access rules are evaluated when a user accesses a federated application that uses OAuth 2.0, OpenID Connect,
SAML or WS-Federation. In addition, access rules are evaluated with OAuth 2.0 and OpenID Connect when a
refresh token is used to acquire an access token.
See also
Working with claims aware applications
Publish applications with Application Proxy
Enable single-sign on
Publish applications using your own domain name
For the latest news and updates, check out the Application Proxy blog
How to silently install the Azure AD Application Proxy
Connector
1/17/2017 2 min to read Edit on GitHub
You want to be able to send an installation script to multiple Windows servers or to Windows Servers that don't
have user interface enabled. This topic explains how to create a Windows PowerShell script that enables unattended
installation to install and register your Azure AD Application Proxy Connector.
Enabling Access
Application Proxy works by installing a slim Windows Server service called the Connector inside your network. For
the Application Proxy Connector to work it has to be registered with your Azure AD directory using a global
administrator and password. Ordinarily this is entered during Connector installation in a pop up dialog box.
Alternatively, you can use Windows PowerShell to create a credential object to enter your registration information,
or you can create your own token and use it to enter your registration information.
AADApplicationProxyConnectorInstaller.exe REGISTERCONNECTOR="false" /q
$User = "<username>"
$PlainPassword = '<password>'
$SecurePassword = $PlainPassword | ConvertTo-SecureString -AsPlainText -Force
$cred = New-Object TypeName System.Management.Automation.PSCredential ArgumentList $User,
$SecurePassword
2. Go to C:\Program Files\Microsoft AAD App Proxy Connector and run the script using the PowerShell
credentials object you created, where $cred is the name of the PowerShell credentials object you created:
using System;
using System.Diagnostics;
using Microsoft.IdentityModel.Clients.ActiveDirectory;
class Program
{
#region constants
/// <summary>
/// The AAD authentication endpoint uri
/// </summary>
static readonly Uri AadAuthenticationEndpoint = new Uri("https://login.windows.net/common/oauth2/token?
api-version=1.0");
/// <summary>
/// The application ID of the connector in AAD
/// </summary>
static readonly string ConnectorAppId = "55747057-9b5d-4bd4-b387-abf52a8bd489";
/// <summary>
/// The reply address of the connector application in AAD
/// </summary>
static readonly Uri ConnectorRedirectAddress = new Uri("urn:ietf:wg:oauth:2.0:oob");
/// <summary>
/// The AppIdUri of the registration service in AAD
/// </summary>
static readonly Uri RegistrationServiceAppIdUri = new
Uri("https://proxy.cloudwebappproxy.net/registerapp");
#endregion
token = authResult.AccessToken;
tenantID = authResult.TenantId;
}
2. Once you have the token create a SecureString using the token:
$SecureToken = $Token | ConvertTo-SecureString -AsPlainText -Force
3. Run the following Windows PowerShell command, where SecureToken is the name of the token you created
above and tenantID is your tenant's GUID:
RegisterConnector.ps1 -modulePath "C:\Program Files\Microsoft AAD App Proxy Connector\Modules\" -moduleName
"AppProxyPSModule" -Authenticationmode Token -Token $SecureToken -TenantId <tenant GUID>
See also
Enable Application Proxy for Azure Active Directory
Publish applications using your own domain name
Enable single-sign on
Troubleshoot issues you're having with Application Proxy
For the latest news and updates, check out the Application Proxy blog
Troubleshoot Application Proxy
1/17/2017 10 min to read Edit on GitHub
If errors occur in accessing a published application or in publishing applications, check the following options to
see if Microsoft Azure AD Application Proxy is working correctly:
Open the Windows Services console and verify that the Microsoft AAD Application Proxy Connector
service is enabled and running. You may also want to look at the Application Proxy service properties page, as
shown in the following image:
Open Event Viewer and look for Application Proxy connector events in Applications and Services Logs >
Microsoft > AadApplicationProxy > Connector > Admin.
If needed, more detailed logs are available by turning on analytics and debugging logs, and turning on the
Application Proxy connector session log.
General errors
ERROR DESCRIPTION RESOLUTION
This corporate app cant be accessed. You may not have assigned the user Go to the Application tab, and under
You are not authorized to access this for this application. Users and Groups, assign this user or
application. Authorization failed. Make user group to this application.
sure to assign the user with access to
this application.
This corporate app cant be accessed. Your users may get this error when Go to the subscribers Active Directory
You are not authorized to access this trying to access the app you published Licenses tab and make sure that this
application. Authorization failed. Make if they weren't explicitly assigned with a user or user group is assigned a
sure that the user has a license for Premium/Basic license by the Premium or Basic license.
Azure Active Directory Premium or subscribers administrator.
Basic.
Connector troubleshooting
If registration fails during the Connector wizard installation, there are two ways to view the reason for the failure.
Either look in the event log under Applications and Services
Logs\Microsoft\AadApplicationProxy\Connector\Admin, or run the following Windows PowerShell
command.
Get-EventLog application source Microsoft AAD Application Proxy Connector EntryType Error Newest 1
Connector registration failed: Make You closed the registration window Run the Connector wizard again and
sure you enabled Application Proxy in without performing login to Azure AD. register the Connector.
the Azure Management Portal and that
you entered your Active Directory user
name and password correctly. Error:
'One or more errors occurred.'
Connector registration failed: Make Application Proxy is disabled. Make sure you enable Application
sure you enabled Application Proxy in Proxy in the Azure classic portal before
the Azure Management Portal and that trying to register the Connector. For
you entered your Active Directory user more information on enabling
name and password correctly. Error: Application Proxy, see Enable
'AADSTS50001: Resource Application Proxy services.
https://proxy.cloudwebappproxy.net
/registerapp
is disabled.'
Connector registration failed: Make If the registration window opens and Make sure that it is possible to connect
sure you enabled Application Proxy in then immediately closes without from a browser to a public website and
the Azure Management Portal and that allowing you to log in, you will that the ports are open as specified in
you entered your Active Directory user probably get this error. This error Application Proxy prerequisites.
name and password correctly. Error: occurs when there is a networking
'One or more errors occurred.' error on your system.
ERROR DESCRIPTION RESOLUTION
Connector registration failed: Make If you sign in using your Azure AD Make sure that the necessary ports are
sure your computer is connected to username and password but then open. For more information, see
the Internet. Error: 'There was no receive this error, it may be that all Application Proxy prerequisites.
endpoint listening at ports above 8081 are blocked.
https://connector.msappproxy.net
:9090/register/RegisterConnector
that could accept the message. This is
often caused by an incorrect address or
SOAP action. See InnerException, if
present, for more details.'
Clear error is presented in the You entered the wrong username or Try again.
registration window. Cannot proceed password.
only to close the window.
Connector registration failed: Make You are trying to log in using a Make sure that the admin is part of the
sure you enabled Application Proxy in Microsoft Account and not a domain same domain name as the tenant
the Azure Management Portal and that that is part of the organization ID of domain, for example, if the Azure AD
you entered your Active Directory user the directory you are trying to access. domain is contoso.com, the admin
name and password correctly. Error: should be admin@contoso.com.
'AADSTS50059: No tenant-identifying
information found in either the request
or implied by any provided credentials
and search by service principal URI has
failed.
Failed to retrieve the current execution If the Connector installation fails, check Open the Group Policy Editor. Go to
policy for running PowerShell scripts. to make sure that PowerShell execution Computer Configuration >
policy is not disabled. Administrative Templates >
Windows Components > Windows
PowerShell and double-click Turn on
Script Execution. This can be set to
either Not Configured or Enabled. If
set to Enabled, make sure that under
Options, the Execution Policy is set to
either Allow local scripts and
remote signed scripts or to Allow all
scripts.
Connector failed to download the The Connectors client certificate, which Renew trust manually using the
configuration. is used for authentication, expired. This Register-AppProxyConnector cmdlet
may also occur if you have the in Windows PowerShell. If your
Connector installed behind a proxy. In Connector is behind a proxy, it is
this case, the Connector cannot access necessary to grant Internet access to
the Internet and will not be able to the Connector accounts network
provide applications to remote users. services and local system. This can
be accomplished either by granting
them access to the Proxy or by setting
them to bypass the proxy.
Connector registration failed: Make The alias you're trying to log in with Make sure that the admin you are
sure you are a Global Administrator of isn't an admin on this domain. Your trying to log in as has global
your Active Directory to register the Connector is always installed for the permissions to the Azure AD tenant.
Connector. Error: 'The registration directory that owns the users domain.
request was denied.'
Kerberos errors
ERROR DESCRIPTION RESOLUTION
Failed to retrieve the current execution If the Connector installation fails, check Open the Group Policy Editor. Go to
policy for running PowerShell scripts. to make sure that PowerShell execution Computer Configuration >
policy is not disabled. Administrative Templates >
Windows Components > Windows
PowerShell and double-click Turn on
Script Execution. This can be set to
either Not Configured or Enabled. If
set to Enabled, make sure that under
Options, the Execution Policy is set to
either Allow local scripts and
remote signed scripts or to Allow all
scripts.
12008 - Azure AD exceeded the This event may indicate incorrect The backend server declined the
maximum number of permitted configuration between Azure AD and Kerberos ticket created by Azure AD.
Kerberos authentication attempts to the backend application server, or a Verify that Azure AD and the backend
the backend server. problem in time and date configuration application server are configured
on both machines. correctly. Make sure that the time and
date configuration on the Azure AD
and the backend application server are
synchronized.
13016 - Azure AD cannot retrieve a There is a problem with the STS Fix the UPN claim configuration in the
Kerberos ticket on behalf of the user configuration. STS.
because there is no UPN in the edge
token or in the access cookie.
13019 - Azure AD cannot retrieve a This event may indicate incorrect The domain controller declined the
Kerberos ticket on behalf of the user configuration between Azure AD and Kerberos ticket created by Azure AD.
because of the following general API the domain controller server, or a Verify that Azure AD and the backend
error. problem in time and date configuration application server are configured
on both machines. correctly, especially the SPN
configuration. Make sure the Azure AD
is domain joined to the same domain
as the domain controller to ensure that
the domain controller establishes trust
with Azure AD. Make sure that the
time and date configuration on the
Azure AD and the domain controller
are synchronized.
13020 - Azure AD cannot retrieve a This event may indicate incorrect The domain controller declined the
Kerberos ticket on behalf of the user configuration between Azure AD and Kerberos ticket created by Azure AD.
because the backend server SPN is not the domain controller server, or a Verify that Azure AD and the backend
defined. problem in time and date configuration application server are configured
on both machines. correctly, especially the SPN
configuration. Make sure the Azure AD
is domain joined to the same domain
as the domain controller to ensure that
the domain controller establishes trust
with Azure AD. Make sure that the
time and date configuration on the
Azure AD and the domain controller
are synchronized.
ERROR DESCRIPTION RESOLUTION
13022 - Azure AD cannot authenticate This event may indicate incorrect The backend server declined the
the user because the backend server configuration between Azure AD and Kerberos ticket created by Azure AD.
responds to Kerberos authentication the backend application server, or a Verify that Azure AD and the backend
attempts with an HTTP 401 error. problem in time and date configuration application server are configured
on both machines. correctly. Make sure that the time and
date configuration on the Azure AD
and the backend application server are
synchronized.
The website cannot display the page. Your user may get this error when For IWA apps: Make sure that the SPN
trying to access the app you published configured for this application is
if the application is an IWA application. correct.
The defined SPN for this application
may be incorrect.
The website cannot display the page. Your user may get this error when The steps to mitigate accordingly:
trying to access the app you published - Make sure that the SPN configured
if the application is an OWA for this application is correct.
application. This could be caused by - Make sure the user signs in using
one of the following: their corporate account that matches
- The defined SPN for this application is the domain of the published
incorrect. application. Microsoft Account users
- The user who tried to access the and guest cannot access IWA
application is using a Microsoft account applications.
rather than the proper corporate - Make sure that this user has the
account to sign in, or the user is a proper permissions as defined for this
guest user. backend application on the on-prem
- The user who tried to access the machine.
application is not properly defined for
this application on the on-prem side.
This corporate app cant be accessed. Your users may get this error when Microsoft Account users and guests
You are not authorized to access this trying to access the app you published cannot access IWA applications. Make
application. Authorization failed. Make if they use Microsoft accounts instead sure the user signs in using their
sure to assign the user with access to of their corporate account to sign in. corporate account that matches the
this application. Guest users may also get this error. domain of the published application.
This corporate app cant be accessed Your users may get this error when Make sure that your users have the
right now. Please try again laterThe trying to access the app you published proper permissions as defined for this
connector timed out. if they are not properly defined for this backend application on the on-prem
application on the on-prem side. machine.
See also
Enable Application Proxy for Azure Active Directory
Publish applications with Application Proxy
Enable single sign-on
Enable conditional access
For the latest news and updates, check out the Application Proxy blog
What is application access and single sign-on with
Azure Active Directory?
1/17/2017 14 min to read Edit on GitHub
Single sign-on means being able to access all of the applications and resources that you need to do business, by
signing in only once using a single user account. Once signed in, you can access all of the applications you need
without being required to authenticate (e.g. type a password) a second time.
Many organizations rely upon software as a service (SaaS) applications such as Office 365, Box and Salesforce for
end user productivity. Historically, IT staff needs to individually create and update user accounts in each SaaS
application, and users have to remember a password for each SaaS application.
Azure Active Directory extends on-premises Active Directory into the cloud, enabling users to use their primary
organizational account to not only sign in to their domain-joined devices and company resources, but also all of
the web and SaaS applications needed for their job.
So not only do users not have to manage multiple sets of usernames and passwords, their applications access can
be automatically provisioned or de-provisioned based on their organization group members, and also their status
as an employees. Azure Active Directory introduces security and access governance controls that enable you to
centrally manage users' access across SaaS applications.
Azure AD enables easy integration to many of todays popular SaaS applications; it provides identity and access
management, and enables users to single sign-on to applications directly, or discover and launch them from a
portal such as Office 365 or the Azure AD access panel.
The architecture of the integration consists of the following four main building blocks:
Single sign-on enables users to access their SaaS applications based on their organizational account in Azure
AD. Single sign-on is what enables users to authenticate to an application using their single organizational
account.
User provisioning enables user provisioning and de-provisioning into target SaaS based on changes made in
Windows Server Active Directory and/or Azure AD. A provisioned account is what enables a user to be
authorized to use an application, after they have authenticated through single sign-on.
Centralized application access management in the Azure Management Portal enables single point of SaaS
application access and management, with the ability to delegate application access decision making and
approvals to anyone in the organization
Unified reporting and monitoring of user activity in Azure AD
For more information about the Office 365 application launcher, see Have your app appear in the Office 365 app
launcher.
Direct sign-on to federated apps
Most federated applications that support SAML 2.0, WS-Federation, or OpenID connect also support the ability for
users to start at the application, and then get signed in through Azure AD either by automatic redirection or by
clicking on a link to sign in. This is known as service provider -initiated sign-on, and most federated applications in
the Azure AD application gallery support this (see the documentation linked from the apps single sign-on
configuration wizard in the Azure management portal for details).
Direct sign-on links for federated, password-based, or existing apps
Azure AD also supports direct single sign-on links to individual applications that support password-based single
sign-on, existing single sign-on, and any form of federated single sign-on.
These links are specifically-crafted URLs that send a user through the Azure AD sign in process for a specific
application without requiring the user launch them from the Azure AD access panel or Office 365. These Single
Sign-On URLs can be found under the Dashboard tab of any pre-integrated application in the Active Directory
section of the Azure management portal, as shown in the screenshot below.
These links can be copied and pasted anywhere you want to provide a sign-in link to the selected application. This
could be in an email, or in any custom web-based portal that you have set up for user application access. Here's
an example of an Azure AD direct single sign-on URL for Twitter:
https://myapps.microsoft.com/signin/Twitter/230848d52c8745d4b05a60d29a40fced
Similar to organization-specific URLs for the access panel, you can further customize this URL by adding one of
the active or verified domains for your directory after the myapps.microsoft.com domain. This ensures any
organizational branding is loaded immediately on the sign-in page without the user needing to enter their user ID
first:
https://myapps.microsoft.com/contosobuild.com/signin/Twitter/230848d52c8745d4b05a60d29a40fced
When an authorized user clicks on one of these application-specific links, they first see their organizational sign-in
page (assuming they are not already signed in), and after sign-in are redirected to their app without stopping at
the access panel first. If the user is missing pre-requisites to access the application, such as the password-based
single sign browser extension, then the link will prompt the user to install the missing extension. The link URL also
remains constant if the single sign-on configuration for the application changes.
These links use the same access control mechanisms as the access panel and Office 365, and only those users or
groups who have been assigned to the application in the Azure management portal will be able to successfully
authenticate. However, any user who is unauthorized will see a message explaining that they have not been
granted access, and are given a link to load the access panel to view available applications for which they do have
access.
Related Articles
Article Index for Application Management in Azure Active Directory
List of Tutorials on How to Integrate SaaS Apps with Azure Active Directory
Finding unsanctioned cloud applications with Cloud App Discovery
Introduction to Managing Access to Apps
Comparing Capabilities for Managing External Identities in Azure AD
Preview: Managing single sign-on for enterprise apps
in the new Azure portal
1/17/2017 5 min to read Edit on GitHub
This article describes how to use the Azure portal to manage single sign-on settings for applications, particularly
ones that have been added from the Azure Active Directory (Azure AD) application gallery. The Azure AD
management experience for single sign-on is currently in public preview, and this article describes the new features
as well as a few temporary limitations that will be in place only during the preview period. What's in the preview?
Select All applications to view a list of all apps that have been configured, including apps that had been added
from the gallery. Selecting an app loads the resource blade for that app, where reports can be viewed for that app
and a variety of settings can be managed.
To manage single sign-on settings, select Single sign-on.
Single sign-on modes
The Single sign-on blade begins with a Mode menu, which allows the single sign-on mode to be configured. The
available options include:
SAML-based sign on - This option is available if the application supports full federated single sign-on with
Azure Active Directory using the SAML 2.0 protocol.
Password-based sign on - This option is available if Azure AD supports password form filling for this
application.
Linked sign on - Formerly known as "Existing single sign-on", this option allows administrators to place a link
to this application in their user's Azure AD Access Panel or Office 365 application launcher.
For more information about these modes, see How does single sign-on with Azure Active Directory work.
SAML-based sign on
The SAML-based sign on option displays a blade that is divided in four sections:
Domains and URLs
This is where all details about the application's domain and URLs are added to your Azure AD directory. All inputs
required to make single sign-on work app are displayed directly on the screen, whereas all optional inputs can be
viewed by selecting the Show advanced URL settings checkbox. The full list of supported inputs includes:
Sign On URL Where the user goes to sign-in to this application. If the application is configured to perform
service provider-initiated single sign on, then when a user navigates to this URL, the service provider does the
necessary redirection to Azure AD to authenticate and sign the user in. If this field is populated, then Azure AD
will use this URL to launch the application from Office 365 and the Azure AD Access Panel. If this field is omitted,
then Azure AD instead performs identity provider -initiated sign on when the app is launched from Office 365,
the Azure AD Access Panel, or from the Azure AD single sign-on URL.
Identifier - This URI should uniquely identify the application for which single sign on is being configured. This is
the value that Azure AD sends back to application as the Audience parameter of the SAML token, and the
application is expected to validate it. This value also appears as the Entity ID in any SAML metadata provided by
the application.
Reply URL - The reply URL is where the application expects to receive the SAML token. This is also referred to as
the Assertion Consumer Service (ACS) URL. After these have been entered, click Next to proceed to the next
screen. This screen provides information about what needs to be configured on the application side to enable it
to accept a SAML token from Azure AD.
Relay State - The relay state is an optional parameter that can help tell the application where to redirect the
user after authentication is completed. Typically the value is a valid URL at the application, however some
applications use this field differently (see the app's single sign on documentation for details). The ability to set
the relay state is a new feature that is unique to the new Azure portal.
User Attributes
This is where admins can view and edit the attributes that are sent in the SAML token that Azure AD issues to the
application each time users sign in.
For the first preview release, the only editable attribute supported is the User Identifier attribute. The value of this
attribute is the field in Azure AD that uniquely identifies each user within the application. For example, if the app
was deployed using the "Email address" as the username and unique identifier, then the value would be set to the
"user.mail" field in Azure AD.
Editing of additional attributes will be supported in a subsequent preview.
SAML Signing Certificate
This section shows the details of the certificate that Azure AD uses to sign the SAML tokens that are issued to the
application each time the user authenticates. It allows the properties of the current certificate to be inspected,
including the expiration date.
The ability to rollover the certificate and manage additional certificate options will be supported in a subsequent
preview release. Note that full management of certificates can still be performed in the Azure classic portal.
Application Configuration
The final section provides the documentation and/or controls required to configure the application itself to use
Azure Active Directory as an identity provider.
The Configure Application fly-out menu provides new concise, embedded instructions for configuring the
application. This is another new feature unique to the new Azure portal.
NOTE
For a complete example of embedded documentation, see the Salesforce.com application. Documentation for additional apps
is being continually added during the preview.
Password-based sign on
If supported for the application, selecting the password-based SSO mode and selecting Save instantly configures it
to do password-based SSO. For more information about deploying password-based SSO, see How does single
sign-on with Azure Active Directory work.
Linked sign on
If supported for the application, selecting the linked SSO mode allows you to enter the URL that you want the Azure
AD Access Panel or Office 365 to redirect to when users click on this app. For more information about linked SSO
(formerly known as "existing SSO"), see How does single sign-on with Azure Active Directory work.
Integrate Azure Active Directory single sign-on with
SaaS apps
1/17/2017 5 min to read Edit on GitHub
Organizations are using more Software as a Service (SaaS) applications for productivity because cloud technology
and tools are becoming more readily available. As the number of SaaS apps grows, it becomes challenging for the
administrators to manage accounts and access rights, and for the users to remember their different passwords.
Managing these applications individually creates extra work and is less secure.
Employees who have to keep track of many passwords tend to use less-secure methods to remember them,
either writing down passwords or using the same passwords across many accounts.
When a new employee arrives or one leaves, all their accounts must be individually provisioned or de-
provisioned.
Additionally, employees may start using SaaS apps for their work without going through IT, which means they
are creating their own accounts on systems that the IT administrators haven't approved and aren't monitoring.
A solution for all of these challenges is single sign-on (SSO). It's the simplest way to manage multiple apps and
provide users with a consistent sign-on experience. Azure Active Directory (Azure AD) provides a robust SSO
solution and has many available pre-integrated applications, with tutorials for admins to quickly set up a new app
and start provisioning users.
Authentication
For applications that support the SAML 2.0, WS-Federation, or OpenID Connect protocols, Azure Active Directory
uses signing certificates to establish trust relationships. For more information about this, see Managing certificates
for federated single sign-on.
For applications that support only HTML forms-based sign-in, Azure Active Directory uses password vaulting to
establish trust relationships. This enables the users in your organization to be automatically signed in to a SaaS
application by Azure AD using the user account information from the SaaS application. Azure AD collects and
securely stores the user account information and the related password. For more information, see Password-based
single sign-on.
Authorization
A provisioned account enables a user to be authorized to use an application after they have authenticated through
single sign-on. User provisioning can be done manually, or in some cases you can add and remove user
information from the SaaS app based on changes made in Azure Active Directory. For more information on using
existing Azure AD connectors for automated provisioning, see Automated user provisioning and de-provisioning
for SaaS applications.
Otherwise, you can manually add user information to an app, or use other provisioning solutions that are available
in the marketplace.
Access
Azure AD provides several customizable ways to deploy applications to end users in your organization. You are not
locked into any particular deployment or access solution. You can use the solution that best suits your needs.
NOTE
To set up SSO for an existing application, you need to have global administrator rights in both Azure AD and the SaaS
application.
See also
Article Index for Application Management in Azure Active Directory
Assign a user or group to an enterprise app in Azure
Active Directory preview
1/17/2017 1 min to read Edit on GitHub
It's easy to assign a user or a group to your enterprise applications in Azure Active Directory (Azure AD) preview.
What's in the preview? You must have the appropriate permissions to manage the enterprise app. In the current
preview, you must be global admin for the directory.
4. On the Enterprise applications blade, select All applications. You'll see a list of the apps you can manage.
5. On the Enterprise applications - All applications blade, select an app.
6. On the appname blade (that is, the blade with the name of the selected app in the title), select Users &
Groups.
7. On the appname - User & Group Assignment blade, select the Add command.
8. On the Add Assignment blade, select Users and groups.
9. On the Users and groups blade, select one or more users or groups from the list and then select the Select
button at the bottom of the blade.
10. On the Add Assignment blade, select Role. Then, on the Select Role blade, select a role to apply to the
selected users or groups, and then select the OK button at the bottom of the blade.
11. On the Add Assignment blade, select the Assign button at the bottom of the blade. The assigned users or
groups will have the permissions defined by the selected role for this enterprise app.
Next steps
See all of my groups
Remove a user or group assignment from an enterprise app
Disable user sign-ins for an enterprise app
Change the name or logo of an enterprise app
Change the name or logo of an enterprise app in
Azure Active Directory preview
1/17/2017 1 min to read Edit on GitHub
It's easy to change the name or logo for a custom enterprise application in Azure Active Directory (Azure AD)
preview. What's in the preview? You must have the appropriate permissions to make these changes. In the current
preview, you must be the creator of the custom app.
4. On the Enterprise applications blade, select All applications. You'll see a list of the apps you can manage.
5. On the Enterprise applications - All applications blade, select an app.
6. On the appname blade (that is, the blade with the name of the selected app in the title), select Properties.
7. On the appname - Properties blade, browse for a file to use as a new logo, or edit the app name, or both.
Next steps
See all of my groups
Assign a user or group to an enterprise app
Remove a user or group assignment from an enterprise app
Disable user sign-ins for an enterprise app
Disable user sign-ins for an enterprise app in Azure
Active Directory preview
1/18/2017 1 min to read Edit on GitHub
It's easy to disable an enterprise application so that no users may sign in to it in Azure Active Directory (Azure AD)
preview. What's in the preview? You must have the appropriate permissions to manage the enterprise app. In the
current preview, you must be global admin for the directory.
4. On the Enterprise applications blade, select All applications. You see a list of the apps you can manage.
5. On the Enterprise applications - All applications blade, select an app.
6. On the appname blade (that is, the blade with the name of the selected app in the title), select Properties.
7. On the appname - Properties blade, select No for Enabled for users to sign-in?.
8. Select the Save command.
Next steps
See all my groups
Assign a user or group to an enterprise app
Remove a user or group assignment from an enterprise app
Change the name or logo of an enterprise app
Remove a user or group assignment from an
enterprise app in Azure Active Directory preview
1/17/2017 1 min to read Edit on GitHub
It's easy to remove a user or a group from being assigned access to one of your enterprise applications in Azure
Active Directory (Azure AD) preview. What's in the preview? You must have the appropriate permissions to
manage the enterprise app. In the current preview, you must be global admin for the directory.
4. On the Enterprise applications blade, select All applications. You'll see a list of the apps you can manage.
5. On the Enterprise applications - All applications blade, select an app.
6. On the appname blade (that is, the blade with the name of the selected app in the title), select Users &
Groups.
7. On the appname - User & Group Assignment blade, select one of more users or groups and then select
the Remove command. Confirm your decision at the prompt.
Next steps
See all of my groups
Assign a user or group to an enterprise app
Disable user sign-ins for an enterprise app
Change the name or logo of an enterprise app
View all the enterprise apps that I can manage in
Azure Active Directory preview
1/17/2017 1 min to read Edit on GitHub
You can manage your enterprise applications in the Azure Active Directory (Azure AD) preview. What's in the
preview? This includes viewing the apps you can manage, assigning users or groups to an app, maintaining
properties for the app such as the application name/logo, and even disabling an application so that no users can
sign in to it.
4. On the Enterprise applications blade, select All applications. From this blade you can select apps to manage,
change the displayed columns, or filter the list to find that app you want (for example, to view only disabled
apps).
Next steps
Assign a user or group to an enterprise app
Remove a user or group assignment from an enterprise app
Disable user sign-ins for an enterprise app
Change the name or logo of an enterprise app
Preview: Managing user account provisioning for
enterprise apps in the new Azure portal
1/17/2017 5 min to read Edit on GitHub
This article describes how to use the Azure portal to manage automatic user account provisioning and de-
provisioning for applications that support it, particularly ones that have been added from the "featured" category of
the Azure Active Directory application gallery. This management experience in the new Azure portal is currently in
public preview, and this article describes the new features as well as a few temporary limitations that are in place
during the preview period. What's in the preview?
To learn more about automatic user account provisioning and how it works, see Automate User Provisioning and
Deprovisioning to SaaS Applications with Azure Active Directory.
Selecting the All applications link on the left shows a list of all apps that have been configured, including apps that
had been added from the gallery. Selecting an app loads the resource blade for that app, where reports can be
viewed for that app and a variety of settings can be managed.
User account provisioning settings can be managed by selecting Provisioning on the left.
Provisioning modes
The Provisioning blade begins with a Mode menu, which shows what provisioning modes are supported for an
enterprise application, and allows them to be configured. The available options include:
Automatic - This option appears if Azure AD supports automatic API-based provisioning and/or de-
provisioning of user accounts to this application. Selecting this mode displays an interface that guides
administrators through configuring Azure AD to connect to the application's user management API, creating
account mappings and workflows that define how user account data should flow between Azure AD and the app,
and managing the Azure AD provisioning service.
Manual - This option is shown if Azure AD does not support automatic provisioning of user accounts to this
application. This option means that user account records stored in the application must be managed using an
external process, based on the user management and provisioning capabilities provided by that application
(which can include SAML Just-In-Time provisioning).
Before you can assign users and groups to an application, you must require user assignment. To learn how to
require user assignment please see the Requiring User Assignment article.
Next Steps
Configuring access rules
Requiring user assignment
Assigning users to an application
Assigning groups to an application
Integrating applications with Azure Active Directory
Article Index for Application Management in Azure Active Directory
Azure AD and Applications: Assigning Groups to an
Application
1/17/2017 1 min to read Edit on GitHub
Before you can assign users and groups to an application, you must require user assignment. To learn how to
require user assignment, see the Requiring User Assignment article.
This article assumes that you have already created groups in the active directory you are using for this application.
Next Steps
Configuring access rules
Requiring user assignment
Assigning users to an application
Assigning groups to an application
Integrating applications with Azure Active Directory
Article Index for Application Management in Azure Active Directory
Azure AD and Applications: Requiring User
Assignment
1/17/2017 1 min to read Edit on GitHub
Next Steps
Configuring access rules
Requiring user assignment
Assigning users to an application
Assigning groups to an application
Integrating applications with Azure Active Directory
Article Index for Application Management in Azure Active Directory
Azure AD and applications: Develop line-of-business
apps
1/17/2017 2 min to read Edit on GitHub
This guide provides an overview of developing line-of-business (LoB) applications for Azure Active Directory
(AD).The intended audience is Active Directory/Office 365 global administrators.
Overview
Building applications integrated with Azure AD gives users in your organization single sign-on with Office 365.
Having the application in Azure AD gives you control over the authentication policy for the application. To learn
more about conditional access and how to protect apps with multi-factor authentication (MFA) see Configuring
access rules.
Register your application to use Azure Active Directory. Registering the application means that your developers can
use Azure AD to authenticate users and request access to user resources such as email, calendar, and documents.
Any member of your directory (not guests) can register an application, otherwise known as creating an application
object.
Registering an application allows any user to do the following:
Get an identity for their application that Azure AD recognizes
Get one or more secrets/keys that the application can use to authenticate itself to AD
Brand the application in the Azure portal with a custom name, logo, etc.
Apply Azure AD authorization features to their app, including:
Role-Based Access Control (RBAC)
Azure Active Directory as oAuth authorization server (secure an API exposed by the application)
Declare required permissions necessary for the application to function as expected, including:
- App permissions (global administrators only). For example: Role membership in another Azure AD
application or role membership relative to an Azure Resource, Resource Group, or Subscription
- Delegated permissions (any user). For example: Azure AD, Sign-in, and Read Profile
NOTE
By default, any member can register an application. To learn how to restrict permissions for registering applications to specific
members, see How applications are added to Azure AD.
Heres what you, the global administrator, need to do to help developers make their application ready for
production:
Configure access rules (access policy/MFA)
Configure the app to require user assignment and assign users
Suppress the default user consent experience
Related Articles
Enable secure remote access to on-premises applications with Azure AD Application Proxy
Azure Conditional Access Preview for SaaS Apps
Managing access to apps with Azure AD
Article Index for Application Management in Azure Active Directory
Managing access to apps
1/17/2017 4 min to read Edit on GitHub
Ongoing access management, usage evaluation, and reporting continue to be a challenge after an app is
integrated into your organization's identity system. In many cases, IT Administrators or helpdesk have to take an
ongoing active role in managing access to your apps. Sometimes, assignment is performed by a general or
divisional IT team. Often, the assignment decision is intended to be delegated to the business decision maker,
requiring their approval before IT makes the assignment. Other organizations invest in integration with an existing
automated identity and access management system, like Role-Based Access Control (RBAC) or Attribute-Based
Access Control (ABAC). Both the integration and rule development tend to be specialized and expensive.
Monitoring or reporting on either management approach is its own separate, costly, and complex investment.
Enabling self-service capabilities for end users is a common scenario for enterprise IT. Lots of users, lots of
applications, and the person who is best-informed to make access grant decisions may not be the directory
administrator. Often the best person to decide who can access an application is a team lead or other delegated
administrator. But at the end of the day, its the user who uses the app, and the user knows what they need to be
able to do their job.
Self-service application access is a feature of Azure Active Directory Premium that allow directory administrators to:
Enable users to request access to applications using a Get more applications tile in the Azure AD access panel
Set which applications users can request access to
Set whether or not an approval is required for users to be able to self-assign access to an application
Set who should approve the requests and manage access for each application
Today this capability is supported for all pre-integrated and custom apps that support federated or password-based
single sign-on in the Azure Active Directory application gallery, including apps like Salesforce, Dropbox, Google
Apps, and more. This article describes how to:
Configure self-service application access for end users, including configuring an optional approval workflow
Delegate access management for specific applications to the most appropriate people in your organization, and
enable them to use the Azure AD access panel to approve access requests, directly assign access to selected
users, or (optionally) set credentials for application access when password-based single sign-on is configured
Approve Requests
The Approve Requests tile allows approvers to see any pending approvals specific to that app, and redirects to the
Approvals tab where the requests can be confirmed or denied. Note that the approver also receives automated
emails whenever a request is created that instructs them what to do.
Add Users
The Add Users tile allows approvers to directly grant selected users access to the application. Upon clicking this tile,
the approver sees a dialog allows them to view and search for users in their directory. Adding a user results in the
application being shown in those users Azure AD access panels or Office 365. If any manual user provisioning
process is required at the app before the user will be able to sign in, then the approver should perform this process
before assigning access.
Manage Users
The Manage Users tile allows approvers to directly update or remove which users have access to the application.
Configure Password SSO Credentials (if applicable )
The Configure tile is only shown if the application was configured by the IT administrator to use password-based
single sign on, and the administrator granted the approver the ability to set password SSO credentials as described
previously. When selected, the Approver is presented with several options for how the credentials will be
propagated to assigned users:
Users sign in with their own passwords In this mode, the assigned users know what their usernames and
passwords are for the application, and will be prompted to enter them upon their first sign-in to the application.
This corresponds to the password SSO case where the users manage credentials.
Users are automatically signed in using separate accounts that I manage In this mode, the assigned
users not be required to enter or know their app-specific credentials when signing into the application. Instead,
the approver sets the credentials for each user after assigning access using the Add User tile. When the user
clicks on the application in their access panel or Office 365, they will be automatically signed in using the
credentials set by the approver. This corresponds to the password SSO case where the administrators manage
credentials.
Users are automatically signed in using a single account that I manage - This is a special case, and is
appropriate to use when all assigned users need to be granted access using a single shared account. The most
common use case for this is social media applications, where an organization has a single company account
and multiple users need to make updates to that account. This also corresponds to the password SSO case
where the administrators manage credentials. However, after selecting this option, the approver will be
prompted to enter the username and password for the single shared account. Once completed, all assigned
users will be signed in using this account when clicking on the application in their Azure AD access panels or
Office 365.
Additional Resources
Article Index for Application Management in Azure Active Directory
Managing Certificates for Federated Single Sign-On
in Azure Active Directory
1/17/2017 2 min to read Edit on GitHub
This article covers common questions related to the certificates that Azure Active Directory creates in order to
establish federated single sign-on (SSO) to your SaaS applications.
This article is only relevant to apps that are configured to use Azure AD Single Sign-On, as shown in the example
below:
5. Next, click on Download certificate. To learn how to upload the certificate to your particular SaaS app,
click View configuration instructions.
6. The certificate won't be enabled until you select the confirmation checkbox at the bottom of the dialog and then
press submit.
2. On the first page of the dialog, Azure AD Single Sign-On should already be selected, so click Next.
3. On the second page, select the checkbox for Configure the certificate used for federated single sign-
on. Then click Next.
4. On the next page, select Generate a new certificate, and select how long you'd like the new certificate to
be valid for. Then click Next.
5. Click on Download certificate. To successfully renew your certificate, you must perform the following two
steps:
Upload the new certificate to the SaaS app's single sign-on configuration screen. To learn how to do this
for your particular SaaS app, click View configuration instructions.
In Azure AD, Select the confirmation checkbox at the bottom of the dialog to enable the new
certificate, and then click Next to submit.
IMPORTANT
Single sign-on to the app will be disabled the moment either one of these two steps is completed, but it will
be enabled again once the second step is completed. Therefore, to minimize downtime, please prepare to
accomplish both steps within a short amount of time from each other.
Related Articles
Article Index for Application Management in Azure Active Directory
Application access and single sign-on with Azure Active Directory
Troubleshooting SAML-Based Single Sign-On
Using SCIM to enable automatic provisioning of users
and groups from Azure Active Directory to
applications
1/17/2017 21 min to read Edit on GitHub
Overview
Azure Active Directory can automatically provision users and groups to any application or identity store that is
fronted by a Web service with the interface defined in the SCIM 2.0 protocol specification. Azure Active Directory
can send requests to create, modify and delete assigned users and groups to this Web service, which can then
translate those requests into operations upon the target identity store.
Figure: Provisioning from Azure Active Directory to an identity store via a Web service
This capability can be used in conjunction with the bring your own app capability in Azure AD to enable single
sign-on and automatic user provisioning for applications that provide or are fronted by a SCIM web service.
There are two use cases for SCIM in Azure Active Directory:
Provisioning users and groups to applications that support SCIM - Applications that support SCIM 2.0
and use OAuth bearer tokens for authentication will work with Azure AD of the box.
Build your own provisioning solution for applications that support other API-based provisioning - For
non-SCIM applications, you can create a SCIM endpoint to translate between Azure ADs SCIM endpoint and
whatever API the application supports for user provisioning. To aid in the development of a SCIM endpoint, we
provide CLI libraries along with code samples that show you how to do provide a SCIM endpoint and translate
SCIM messages.
1. In the resulting screen, select the second Configure account provisioning button.
2. In the Provisioning Endpoint URL field, enter the URL of the application's SCIM endpoint.
3. If the SCIM endpoint requires an OAuth bearer token from an issuer other than Azure AD, then copy the
required OAuth bearer token into the Authentication Token (optional) field. Is this field is left blank, then
Azure AD will include an OAuth bearer token issued from Azure AD with each request. Apps that use Azure AD
as an idenity provider can validate this Azure AD -issued token.
4. Click Next, and click on the Start Test button to have Azure Active Directory attempt to connect to the SCIM
endpoint. If the attempts fail, diagnostic information will be displayed.
5. If the attempts to connect to the application succeed, then click Next on the remaining screens, and click
Complete to exit the dialog.
6. In the resulting screen, select the third Assign Accounts button. In the resulting Users and Groups section,
assign the users or groups you want to provision to the application.
7. Once users and groups are assigned, click the Configure tab near the top of the screen.
8. Under Account Provisioning, confirm that the Status is set to On.
9. Under Tools, click Restart account provisioning to kick-start the provisioning process.
Note that 5-10 minutes may elapse before the provisioning process will begin to send requests to the SCIM
endpoint. A summary of connection attempts is provided on the applications Dashboard tab, and both a report of
provisioning activity and any provisioning errors can be downloaded from the directorys Reports tab.
2: Express route handlers are available for parsing node.js request objects representing calls (as defined by the
SCIM specification), made to a node.js Web service.
Building a Custom SCIM Endpoint
Using the libraries described above, developers using those libraries can host their services within any executable
Common Language Infrastructure assembly, or within Internet Information Services. Here is sample code for
hosting a service within an executable assembly, at the address http://localhost:9000:
Microsoft.SystemForCrossDomainIdentityManagement.IMonitor monitor =
new DevelopersMonitor();
Microsoft.SystemForCrossDomainIdentityManagement.IProvider provider =
new DevelopersProvider(arguments[1]);
Microsoft.SystemForCrossDomainIdentityManagement.Service webService = null;
try
{
webService = new WebService(monitor, provider);
webService.Start("http://localhost:9000");
Console.ReadKey(true);
}
finally
{
if (webService != null)
{
webService.Dispose();
webService = null;
}
}
}
public WebService(
Microsoft.SystemForCrossDomainIdentityManagement.IMonitor monitoringBehavior,
Microsoft.SystemForCrossDomainIdentityManagement.IProvider providerBehavior)
{
this.monitor = monitoringBehavior;
this.provider = providerBehavior;
}
}
set
{
this.monitor = value;
}
}
set
{
this.provider = value;
}
}
}
It is important to note that this service must have an HTTP address and server authentication certificate of which
the root certification authority is one of the following:
CNNIC
Comodo
CyberTrust
DigiCert
GeoTrust
GlobalSign
Go Daddy
Verisign
WoSign
A server authentication certificate can be bound to a port on a Windows host using the network shell utility, like so:
Here, the value provided for the certhash argument is the thumbprint of the certificate, while the value provided for
the appid argument is an arbitrary globally-unique identifier.
To host the service within Internet Information Services, a developer would build a Common Language
Infrastructure code library assembly with a class named Startup in the default namespace of the assembly. Here is
a sample of such a class:
public class Startup
{
// Microsoft.SystemForCrossDomainIdentityManagement.IWebApplicationStarter,
// Microsoft.SystemForCrossDomainIdentityManagement.IMonitor and
// Microsoft.SystemForCrossDomainIdentityManagement.Service are all defined in
// Microsoft.SystemForCrossDomainIdentityManagement.Service.dll.
Microsoft.SystemForCrossDomainIdentityManagement.IWebApplicationStarter starter;
public Startup()
{
Microsoft.SystemForCrossDomainIdentityManagement.IMonitor monitor =
new DevelopersMonitor();
Microsoft.SystemForCrossDomainIdentityManagement.IProvider provider =
new DevelopersProvider();
this.starter =
new Microsoft.SystemForCrossDomainIdentityManagement.WebApplicationStarter(
provider,
monitor);
}
// SystemIdentityModel.Tokens.TokenValidationParameters is defined in
// System.IdentityModel.Token.Jwt.dll.
SystemIdentityModel.Tokens.TokenValidationParameters tokenValidationParameters =
new TokenValidationParameters()
{
ValidAudience = "00000002-0000-0000-c000-000000000000"
};
// WindowsAzureActiveDirectoryBearerAuthenticationOptions is defined in
// Microsoft.Owin.Security.ActiveDirectory.dll
Microsoft.Owin.Security.ActiveDirectory.
WindowsAzureActiveDirectoryBearerAuthenticationOptions authenticationOptions =
new WindowsAzureActiveDirectoryBearerAuthenticationOptions() {
TokenValidationParameters = tokenValidationParameters,
Tenant = "03F9FCBC-EA7B-46C2-8466-F81917F3C15E" // Substitute the appropriate tenants
// identifier for this one.
};
applicationBuilder.UseWindowsAzureActiveDirectoryBearerAuthentication(authenticationOptions);
}
IsSoftDeleted active
displayName displayName
givenName name.givenName
jobTitle title
mailNickname externalId
manager manager
objectId id
surname name.familyName
user-PrincipalName userName
displayName externalId
mailNickname displayName
members members
objectId id
If the service was built using the Common Language Infrastructure libraries provided by Microsoft for
implementing SCIM services, then the request will be translated into a call to the Query method of the services
provider. Here is the signature of that method:
System.Threading.Tasks.Task<Microsoft.SystemForCrossDomainIdentityManagement.Resource[]> Query(
Microsoft.SystemForCrossDomainIdentityManagement.IQueryParameters parameters,
string correlationIdentifier);
In the case of the foregoing sample of a query for a user with a given value for the externalId attribute, values of
the arguments passed to the Query method will be as follows:
parameters.AlternateFilters.Count: 1
parameters.AlternateFilters.ElementAt(0).AttributePath: "externalId"
parameters.AlternateFilters.ElementAt(0).ComparisonOperator: ComparisonOperator.Equals
parameters.AlternateFilter.ElementAt(0).ComparisonValue: "jyoung"
correlationIdentifier: System.Net.Http.HttpRequestMessage.GetOwinEnvironment["owin.RequestId"]
2: If the response to a query to the service for a user with an externalId attribute value matching the mailNickname
attribute value of a user in Azure Active Directory does not return any users, then Azure Active Directory will
request that the service provision a user corresponding to the one in Azure Active Directory. Here is an example of
such a request:
POST https://.../scim/Users HTTP/1.1
Authorization: Bearer ...
Content-type: application/json
{
"schemas":
[
"urn:ietf:params:scim:schemas:core:2.0:User",
"urn:ietf:params:scim:schemas:extension:enterprise:2.0User"],
"externalId":"jyoung",
"userName":"jyoung",
"active":true,
"addresses":null,
"displayName":"Joy Young",
"emails": [
{
"type":"work",
"value":"jyoung@Contoso.com",
"primary":true}],
"meta": {
"resourceType":"User"},
"name":{
"familyName":"Young",
"givenName":"Joy"},
"phoneNumbers":null,
"preferredLanguage":null,
"title":null,
"department":null,
"manager":null}
The Common Language Infrastructure libraries provided by Microsoft for implementing SCIM services would
translate that request into a call to the Create method of the services provider. The Create method has this
signature:
System.Threading.Tasks.Task<Microsoft.SystemForCrossDomainIdentityManagement.Resource> Create(
Microsoft.SystemForCrossDomainIdentityManagement.Resource resource,
string correlationIdentifier);
In the case of a request to provision a user, the value of the resource argument will be an instance of the
Microsoft.SystemForCrossDomainIdentityManagement. Core2EnterpriseUser class, defined in the
Microsoft.SystemForCrossDomainIdentityManagement.Schemas library. If the request to provision the user
succeeds, then the implementation of the method is expected to return an instance of the the
Microsoft.SystemForCrossDomainIdentityManagement. Core2EnterpriseUser class, with the value of the Identifier
property set to the unique identifier of the newly-provisioned user.
3: To update a user known to exist in an identity store fronted by an SCIM, Azure Active Directory will proceed by
requesting the current state of that user from the service with a request like this one:
In a service built using the Common Language Infrastructure libraries provided by Microsoft for implementing
SCIM services, the request will be translated into a call to the Retrieve method of the services provider. Here is the
signature of the Retrieve method:
// System.Threading.Tasks.Tasks is defined in mscorlib.dll.
// Microsoft.SystemForCrossDomainIdentityManagement.Resource and
// Microsoft.SystemForCrossDomainIdentityManagement.IResourceRetrievalParameters
// are defined in Microsoft.SystemForCrossDomainIdentityManagement.Schemas.
System.Threading.Tasks.Task<Microsoft.SystemForCrossDomainIdentityManagement.Resource>
Retrieve(
Microsoft.SystemForCrossDomainIdentityManagement.IResourceRetrievalParameters
parameters,
string correlationIdentifier);
public interface
Microsoft.SystemForCrossDomainIdentityManagement.IResourceRetrievalParameters:
IRetrievalParameters
{
Microsoft.SystemForCrossDomainIdentityManagement.IResourceIdentifier
ResourceIdentifier
{ get; }
}
public interface Microsoft.SystemForCrossDomainIdentityManagement.IResourceIdentifier
{
string Identifier
{ get; set; }
string Microsoft.SystemForCrossDomainIdentityManagement.SchemaIdentifier
{ get; set; }
}
In the case of the foregoing example of a request to retrieve the current state of a user, the values of the properties
of the object provided as the value of the parameters argument will be as follows:
Identifier: "54D382A4-2050-4C03-94D1-E769F1D15682"
SchemaIdentifier: "urn:ietf:params:scim:schemas:extension:enterprise:2.0:User"
4: If a reference attribute is to be updated, then Azure Active Directory will query the service to determine whether
or not the current value of the reference attribute in the identity store fronted by the service already matches the
value of that attribute in Azure Active Directory. In the case of users, the only attribute of which the current value
will be queried in this way is the manager attribute. Here is an example of a request to determine whether the
manager attribute of a particular user object currently has a certain value:
The value of the attributes query parameter, id, signifies that if a user object exists that satisfies the expression
provided as the value of the filter query parameter, then the service is expected to respond with a
urn:ietf:params:scim:schemas:core:2.0:User or urn:ietf:params:scim:schemas:extension:enterprise:2.0:User resource,
including only the value of that resources id attribute. Of course, the value of the id attribute is known to the
requestorit is included in the value of the filter query parameter; the purpose of asking for it is actually to request
a minimal representation of a resource that satisfying the filter expression as an indication of whether or not any
such object exists.
If the service was built using the Common Language Infrastructure libraries provided by Microsoft for
implementing SCIM services, then the request will be translated into a call to the Query method of the services
provider. The value of the properties of the object provided as the value of the parameters argument will be as
follows:
parameters.AlternateFilters.Count: 2
parameters.AlternateFilters.ElementAt(x).AttributePath: "id"
parameters.AlternateFilters.ElementAt(x).ComparisonOperator: ComparisonOperator.Equals
parameters.AlternateFilter.ElementAt(x).ComparisonValue: "54D382A4-2050-4C03-94D1-E769F1D15682"
parameters.AlternateFilters.ElementAt(y).AttributePath: "manager"
parameters.AlternateFilters.ElementAt(y).ComparisonOperator: ComparisonOperator.Equals
parameters.AlternateFilter.ElementAt(y).ComparisonValue: "2819c223-7f76-453a-919d-413861904646"
parameters.RequestedAttributePaths.ElementAt(0): "id"
parameters.SchemaIdentifier: "urn:ietf:params:scim:schemas:extension:enterprise:2.0:User"
Here, the value of the index x may be 0 and the value of the index y may be 1, or the value of x may be 1 and the
value of y may be 0, depending on the order of the expressions of the filter query parameter.
5: Here is an example of a request from Azure Active Directory to an SCIM service to update a user:
The Microsoft Common Language Infrastructure libraries for implementing SCIM services would translate the
request into a call to the Update method of the services provider. Here is the signature of that method:
// System.Threading.Tasks.Tasks and
// System.Collections.Generic.IReadOnlyCollection<T>
// are defined in mscorlib.dll.
// Microsoft.SystemForCrossDomainIdentityManagement.IPatch,
// Microsoft.SystemForCrossDomainIdentityManagement.PatchRequestBase,
// Microsoft.SystemForCrossDomainIdentityManagement.IResourceIdentifier,
// Microsoft.SystemForCrossDomainIdentityManagement.PatchOperation,
// Microsoft.SystemForCrossDomainIdentityManagement.OperationName,
// Microsoft.SystemForCrossDomainIdentityManagement.IPath and
// Microsoft.SystemForCrossDomainIdentityManagement.OperationValue
// are all defined in Microsoft.SystemForCrossDomainIdentityManagement.Protocol.
System.Threading.Tasks.Task Update(
Microsoft.SystemForCrossDomainIdentityManagement.IPatch patch,
string correlationIdentifier);
public Microsoft.SystemForCrossDomainIdentityManagement.IPath
Path
{ get; set; }
public System.Collections.Generic.IReadOnlyCollection
<Microsoft.SystemForCrossDomainIdentityManagement.OperationValue> Value
{ get; }
In the case of the foregoing example of a request to update a user, the object provided as the value of the patch
argument will have these property values:
ResourceIdentifier.Identifier: "54D382A4-2050-4C03-94D1-E769F1D15682"
ResourceIdentifier.SchemaIdentifier: "urn:ietf:params:scim:schemas:extension:enterprise:2.0:User"
(PatchRequest as PatchRequest2).Operations.Count: 1
(PatchRequest as PatchRequest2).Operations.ElementAt(0).OperationName: OperationName.Add
(PatchRequest as PatchRequest2).Operations.ElementAt(0).Path.AttributePath: "manager"
(PatchRequest as PatchRequest2).Operations.ElementAt(0).Value.Count: 1
(PatchRequest as PatchRequest2).Operations.ElementAt(0).Value.ElementAt(0).Reference:
http://.../scim/Users/2819c223-7f76-453a-919d-413861904646
(PatchRequest as PatchRequest2).Operations.ElementAt(0).Value.ElementAt(0).Value: 2819c223-7f76-453a-
919d-413861904646
6: To de-provision a user from an identity store fronted by an SCIM service, Azure Active Directory will send a
request like this one:
If the service was built using the Common Language Infrastructure libraries provided by Microsoft for
implementing SCIM services, then the request will be translated into a call to the Delete method of the services
provider. That method has this signature:
The object provided as the value of the resourceIdentifier argument will have these property values in the case of
the foregoing example of a request to de-provision a user:
ResourceIdentifier.Identifier: "54D382A4-2050-4C03-94D1-E769F1D15682"
ResourceIdentifier.SchemaIdentifier: "urn:ietf:params:scim:schemas:extension:enterprise:2.0:User"
Related Articles
Article Index for Application Management in Azure Active Directory
Automate User Provisioning/Deprovisioning to SaaS Apps
Customizing Attribute Mappings for User Provisioning
Writing Expressions for Attribute Mappings
Scoping Filters for User Provisioning
Account Provisioning Notifications
List of Tutorials on How to Integrate SaaS Apps
Article Index for Application Management in
Azure Active Directory
1/17/2017 13 min to read Edit on GitHub
This page provides a comprehensive list of every document written about the various application-related
features in Azure Active Directory (Azure AD).
There is a brief introduction to each major feature area, as well as guidance on which articles to read
depending on what information you're looking for.
Overview Articles
The articles below are good starting points for those who simply want a brief explanation of Azure AD
application management features.
ARTICLE GUIDE
An introduction to the application management problems Managing Applications with Azure Active Directory (AD)
that Azure AD solves
An overview of the various features in Azure AD related Application Access and Single Sign-on in Azure Active
to enabling single sign-on, defining who has access to Directory
apps, and how users launch apps
A look at the different steps involved when integrating Integrating Azure Active Directory with Applications
apps into your Azure AD
Enabling Single Sign-On to SaaS Apps
A technical explanation of how apps are represented in How and Why Applications are Added to Azure AD
Azure AD
Troubleshooting Articles
This section provides quick access to relevant troubleshooting guides. More information about each feature
area can be found on the rest of this page.
FEATURE AREA
Password-Based Single Sign-On Troubleshooting the Access Panel Extension for Internet
Explorer
ARTICLE GUIDE
An introduction to federation and other types of sign-on Single Sign-On with Azure AD
Thousands of SaaS apps that are pre-integrated with Getting started with the Azure AD application gallery
Azure AD with simplified single sign-on configuration
steps Full List of Pre-Integrated Apps that Support Federation
More than 150 app tutorials on how to configure single List of Tutorials on How to Integrate SaaS Apps with
sign-on for apps such as Salesforce, ServiceNow, Google Azure Active Directory
Apps, Workday, and many more
How to manually set up and customize your single sign- How to Configure Federated Single Sign-On to Apps that
on configuration are not in the Azure Active Directory Application Gallery
Troubleshooting guide for federated apps that use the Troubleshooting SAML-Based Single Sign-On
SAML protocol
How to configure your app's certificate's expiration date, Managing Certificates for Federated Single Sign-On in
and how to renew your certificates Azure Active Directory
Federated single sign-on is available for all editions of Azure AD for up to ten apps per user. Azure AD
Premium supports unlimited applications. If your organization has Azure AD Basic or Azure AD Premium,
then you can use groups to assign access to federated applications.
Password-Based Single Sign-On: Account sharing and SSO for non-federated apps
To enable single sign-on to applications that don't support federation, Azure AD offers password
management features that can securely store passwords to SaaS apps and automatically sign users into
those apps. You can easily distribute credentials for newly created accounts and share team accounts with
multiple people. Users don't necessarily need to know the credentials to the accounts that they're given
access to.
ARTICLE GUIDE
An introduction to how password-based SSO works and a Password-Based Single Sign-On with Azure AD
brief technical overview
ARTICLE GUIDE
A summary of the scenarios related to account sharing Sharing accounts with Azure AD
and how these problems are solved by Azure AD
Automatically change the password for certain apps at a Automated Password Rollover (preview)
regular interval
Deployment and troubleshooting guides for the Internet How to Deploy the Access Panel Extension for Internet
Explorer version of the Azure AD password management Explorer using Group Policy
extension
Troubleshooting the Access Panel Extension for Internet
Explorer
Password-based single sign-on is available for all editions of Azure AD for up to ten apps per user. Azure
AD Premium supports unlimited applications. If your organization has Azure AD Basic or Azure AD
Premium, then you can use groups to assign access to applications. Automated password rollover is an
Azure AD Premium feature.
App Proxy: Single sign-on and remote access to on-premises applications
If you have applications in your private network that need to be accessed by users and devices outside the
network, then you can use Azure AD Application Proxy to enable secure, remote access to those apps.
ARTICLE GUIDE
Overview of Azure AD Application Proxy and how it works Providing secure remote access to on-premises
applications
Tutorials on how to configure Application Proxy and how How to Set Up Azure AD App Proxy
to publish your first app
How to Silently Install the App Proxy Connector
How to enable single sign-on and conditional access for Single-sign-on with Application Proxy
apps published with App Proxy
Conditional Access and Application Proxy
Guidance on how to use Application Proxy for the How to Support Native Client Applications
following scenarios
How to Support Claims-Aware Applications
Application Proxy is available for all editions of Azure AD for up to ten apps per user. Azure AD Premium
supports unlimited applications. If your organization has Azure AD Basic or Azure AD Premium, then you
can use groups to assign access to applications.
You may also be interested in Azure AD Domain Services, which allows you to migrate your on-premises
applications to Azure while still satisfying the identity needs of those applications.
Enabling single sign-on between Azure AD and on-premises AD
If your organization maintains a Windows Server Active Directory on premises along with your Azure
Active Directory in the cloud, then you will likely want to enable single sign-on between these two systems.
Azure AD Connect (the tool that integrates these two systems together) provides multiple options for
setting up single sign-on: establish federation with ADFS or another federation provider, or enable
password synchronization.
ARTICLE GUIDE
An overview on the single sign-on options offered in User Sign On Options in Azure AD Connect
Azure AD Connect, as well as information on managing
hybrid environments
General guidance for managing environments with both Azure AD Hybrid Identity Design Considerations
on-premises Active Directory and Azure Active Directory
Integrating your On-Premises Identities with Azure Active
Directory
Guidance on using Password Sync to enable SSO Implement Password Synchronization with Azure AD
Connect
Guidance on using Password Writeback to enable SSO Getting Started with Password Management in Azure AD
Guidance on using third party identity providers to enable List of Compatible Third-Party Identity Providers That Can
SSO Be Used to Enable Single Sign-On
How Windows 10 users can enjoy the benefits of single Extending Cloud Capabilities to Windows 10 Devices
sign-on via Azure AD Join through Azure Active Directory Join
Azure AD Connect is available for all editions of Azure Active Directory. Azure AD Self-Service Password
Reset is available for Azure AD Basic and Azure AD Premium. Password Writeback to on-prem AD is an
Azure AD Premium feature.
Conditional Access: Enforce additional security requirements for high-risk apps
Once you set up single sign-on to your apps and resources, you can then further secure sensitive
applications by enforcing specific security requirements on every sign-in to that app. For instance, you can
use Azure AD to demand that all access to a particular app always require multi-factor authentication,
regardless of whether or not that app innately supports that functionality. Another common example of
conditional access is to require that users be connected to the organization's trusted network in order to
access a particularly sensitive application.
ARTICLE GUIDE
An introduction to the conditional access capabilities Managing Risk With Conditional Access
offered across Azure AD, Office365, and Intune
ARTICLE GUIDE
How to enable conditional access for the following types Conditional Access for SaaS Apps
of resources
Conditional Access for Office 365 services
How to register devices with Azure Active Directory in Overview of Azure Active Directory Device Registration
order to enable device-based conditional access policies
How to Enable Automatic Device Registration for Domain
Joined Windows Devices
Steps for Windows 8.1 devices
Steps for Windows 7 devices
How to use the Android version of the Azure Azure Authenticator for Android
Authenticator app for policies involving multi-factor
authentication
ARTICLE GUIDE
A general overview of how it works Finding unsanctioned cloud applications with Cloud App
Discovery
A deeper dive into how it works, with answers to Security and Privacy Considerations
questions on privacy
Tutorials for deploying Cloud App Discovery Group Policy Deployment Guide
The change log for updates to the Cloud App Discovery Change log
agent
Learn about how it works and find answers to common Automate User Provisioning & Deprovisioning to SaaS
questions Apps
How to enable automated provisioning to any app that Set up Automated User Provisioning to any SCIM-
supports the SCIM protocol Enabled App
Automated user provisioning is available for all editions of Azure AD for up to ten apps per user. Azure AD
Premium supports unlimited applications. If your organization has Azure AD Basic or Azure AD Premium,
then you can use groups to manage which users get provisioned.
Building applications that integrate with Azure AD
If your organization is developing or maintaining line-of-business (LoB) applications, or if you're an app
developer with customers who use Azure Active Directory, the following tutorials will help you integrate
your applications with Azure AD.
ARTICLE GUIDE
Guidance for both IT professionals and application The IT Pro's Guide for Developing Applications for Azure
developers on integrating apps with Azure AD AD
How to application vendors can add their apps to the Listing your Application in the Azure Active Directory
Azure AD App Gallery Application Gallery
How to manage access to developed applications using How to Enable User Assignment for Developed
Azure Active Directory Applications
If you're developing consumer-facing applications, you may be interested in using Azure Active Directory
B2C so that you don't have to develop your own identity system to manage your users. Learn more.
Instructions for setting up your groups in Azure AD How to Create Security Groups
Use dynamic groups to automatically populate group Dynamic Group Membership: Advanced Rules
membership using attribute-based membership rules
Troubleshooting Dynamic Group Memberships
Group-based application access management is available for Azure AD Basic and Azure AD Premium. Self-
service group management, self-service application management, and dynamic groups are Azure AD
Premium features.
B2B Collaboration: Enable partner access to applications
If your business has partnered with other companies, it's likely that you need to manage partner access to
your corporate applications. Azure Active Directory B2B Collaboration provides an easy and secure way to
share your apps with partners. This feature is currently in preview.
ARTICLE GUIDE
An overview of different Azure AD features that can help Comparing Capabilities for Managing External Identities in
you manage external users such as partners, customers, Azure AD
etc.
An introduction to B2B Collaboration preview and how to Simple, Secure, Cloud Partner Integration with Azure AD
get started
Azure Active Directory B2B Collaboration
A deeper dive into Azure AD B2B Collaboration and how B2B Collaboration: How it works
to use it
Current Limitations of Azure AD B2B Collaboration
Preview
Reference articles with technical details on how Azure AD CSV File Format for Adding Partner Users
B2B Collaboration works
User Attributes Affected by Azure AD B2B Collaboration
The B2B Collaboration preview is currently available for all editions of Azure Active Directory.
Access Panel: A portal for accessing apps and self-service features
The Azure AD Access Panel is where end-users can launch their apps and access the self-service features
that allow them to manage their apps and group memberships. In addition to the Access Panel, other
options for accessing SSO-enabled apps are included in the list below.
ARTICLE GUIDE
A comparison of the different options available for Deploying Azure AD Integrated Applications to Users
deploying single sign-on apps to users
An overview of the Access Panel and its mobile equivalent Introduction to Access Panel and MyApps
MyApps iOS
Android
How to access Azure AD apps from the Office 365 Using the Office 365 App Launcher
website
How to access Azure AD apps from the Intune Managed Intune Managed Browser
Browser mobile app iOS
Android
How to access Azure AD apps using deep links to initiate Getting Direct Sign-On Links to Your Apps
single sign-on
ARTICLE GUIDE
An overview of the reporting features in Azure Active Getting Started with Azure AD Reporting
Directory
How to monitor the sign-ins and app-usage of your users View Your Access and Usage Reports
Track changes made to who can access a particular Azure Active Directory Audit Report Events
application
Export the data of these reports to your preferred tools Getting Started with the Azure AD Reporting API
using the Reporting API
To see which reports are included with different editions of Azure Active Directory, click here.
See also
What is Azure Active Directory?
Azure Active Directory B2C
Azure Active Directory Domain Services
Azure Multi-Factor Authentication
Conceptual overview of custom domain names in
Azure Active Directory
1/17/2017 4 min to read Edit on GitHub
A domain name is an important part of the identifier for many directory resources: it is part of a user name or
email address for a user, part of the address for a group, and can be part of the app ID URI for an application. A
resource in Azure Active Directory (Azure AD) can include a domain name that is already verified to be owned by
the directory that contains the resource. Only a global administrator can perform domain management tasks in
Azure AD.
Domain names in Azure AD are globally unique. A domain name can be used by a single Azure AD. If one Azure AD
directory has verified a domain name, then no other Azure AD directory can verify or use that same domain name.
You've got one or more domain names that your organization uses to do business, and your users sign in to your
corporate network using your corporate domain name. Using Azure Active Directory (Azure AD) preview, you can
add your corporate domain name to Azure AD as well. What's in the preview? This allows you to assign user
names in the directory that are familiar to your users, such as alice@contoso.com. The process is simple:
1. Add the custom domain name to your directory
2. Add a DNS entry for the domain name at the domain name registrar
3. Verify the custom domain name in Azure AD
Now that you've added the domain name, Azure AD must verify that your organization owns the domain name.
Before Azure AD can perform this verification, you must add a DNS entry in the DNS zone file for the domain
name. This task is performed at the website for domain name registrar for the domain name.
Add the DNS entry at the domain name registrar for the domain
The next step to use your custom domain name with Azure AD is to update the DNS zone file for the domain. This
enables Azure AD to verify that your organization owns the custom domain name.
1. Sign in to the domain name registrar for the domain. If you don't have access to update the DNS entry, ask the
person or team who has this access to complete step 2 and to let you know when it is completed.
2. Update the DNS zone file for the domain by adding the DNS entry provided to you by Azure AD. This DNS entry
enables Azure AD to verify your ownership of the domain. The DNS entry doesn't change any behaviors such as
mail routing or web hosting.
For help with this adding the DNS entry, read Instructions for adding a DNS entry at popular DNS registrars
3. On the User management - Domain names blade, select the unverified domain name that you want to verify.
4. On the domainname blade (that is, the blade that opens that has your new domain name in the title), select
Verify to complete the verification.
Now you can assign user names that include your custom domain name.
Troubleshooting
If you can't verify a custom domain name, try the following. We'll start with the most common and work down to
the least common.
1. Wait an hour. DNS records need to propagate before Azure AD can verify the domain. This can take an hour or
more.
2. Ensure the DNS record was entered, and that it is correct. Complete this step at the website for the domain
name registrar for the domain. Azure AD cannot verify the domain name if the DNS entry is not present in the
DNS zone file, or if it is not an exact match with the DNS entry that Azure AD provided you. If you do not have
access to update DNS records for the domain at the domain name registrar, share the DNS entry with the
person or team at your organization who has this access, and ask them to add the DNS entry.
3. Delete the domain name from another directory in Azure AD. A domain name can be verified in only a
single directory. If a domain name was previously verified in another directory, it must be deleted there before it
can be verified in your new directory. To learn about deleting domain names, read Manage custom domain
names.
Next steps
Manage custom domain names
Add a custom domain name to Azure Active
Directory
1/17/2017 4 min to read Edit on GitHub
You've got one or more domain names that your organization uses to do business, and your users sign in to your
corporate network using your corporate domain name. Now that you're using Azure Active Directory (Azure AD),
you can add your corporate domain name to Azure AD as well. This allows you to assign user names in the
directory that are familiar to your users, such as alice@contoso.com. The process is simple:
1. Add the custom domain name to your directory
2. Add a DNS entry for the domain name at the domain name registrar
3. Verify the custom domain name in Azure AD
NOTE
If you plan to configure your custom domain name to be used with Active Directory Federation Services (AD FS) or a
different security token service (STS) on your corporate network, follow the instructions in Add and configure a domain for
federation with Azure Active Directory. This is useful if you plan to synchronize users from your corporate directory to Azure
AD, and password hash sync does not meet your requirements.
Add the DNS entry at the domain name registrar for the domain
The next step to use your custom domain name with Azure AD is to update the DNS zone file for the domain. This
enables Azure AD to verify that your organization owns the custom domain name.
1. Sign in to the domain name registrar for the domain. If you don't have access to update the DNS entry, ask the
person or team who has this access to complete step 2 and to let you know when it is completed.
2. Update the DNS zone file for the domain by adding the DNS entry provided to you by Azure AD. This DNS
entry enables Azure AD to verify your ownership of the domain. The DNS entry doesn't change any behaviors
such as mail routing or web hosting.
For help with this adding the DNS entry, read Instructions for adding a DNS entry at popular DNS registrars
Verify the domain name with Azure AD
Once you have added the DNS entry, you are ready to verify the domain name with Azure AD.
If you still have the Add domain wizard open, select Verify on the third page of the wizard. When you select
Verify, Azure AD will look for the DNS entry in the DNS zone file for the domain. Azure AD can verify the domain
name only after the DNS records have propagated. This propagation often takes only seconds, but it can
sometimes take an hour or more. If verification doesnt work the first time, try again later.
If the Add domain wizard isn't still open, you can verify the domain in the Azure classic portal:
1. Sign in with a user account that is a global administrator of your Azure AD directory.
2. Open your directory and select the Domains tab.
3. Select the domain name that you want to verify and select Verify on the command bar.
4. Select Verify in the dialog box to complete the verification.
Now you can assign user names that include your custom domain name.
Troubleshooting
If you can't verify a custom domain name, try the following. We'll start with the most common and work down to
the least common.
1. Wait an hour. DNS records need to propagate before Azure AD can verify the domain. This can take an hour
or more.
2. Ensure the DNS record was entered, and that it is correct. Complete this step at the website for the
domain name registrar for the domain. Azure AD cannot verify the domain name if the DNS entry is not
present in the DNS zone file, or if it is not an exact match with the DNS entry that Azure AD provided you. If
you do not have access to update DNS records for the domain at the domain name registrar, share the DNS
entry with the person or team at your organization who has this access, and ask them to add the DNS entry.
3. Delete the domain name from another directory in Azure AD. A domain name can be verified in only a
single directory. If a domain name was previously verified in another directory, it must be deleted there before
it can be verified in your new directory. To learn about deleting domain names, read Manage custom domain
names.
Next steps
Assign user names that include your custom domain name
Manage custom domain names
Learn about domain management concepts in Azure AD
Show your company's branding when your users sign in
Use PowerShell to manage domain names in Azure AD
Add your custom domain name to Azure Active
Directory
1/17/2017 4 min to read Edit on GitHub
You can configure a custom domain name, such as contoso.com, so that users in contoso.com can have a
federated single sign-on experience from your corporate network. If you already have Active Directory Federation
Services (AD FS) or a different federation server running on your corporate network, you can configure Azure AD to
use your custom domain name using the Azure AD Connect tool. You can also use Azure AD Connect to deploy a
new AD FS environment, and configure that for federated single sign-on to Azure AD.
If you do not have and do not plan to deploy AD FS or another federation server, follow these instructions: Add a
custom domain name to Azure Active Directory.
Add the DNS entry at the domain name registrar for the domain
The next step to use your custom domain name with Azure AD is to update the DNS zone file for the domain. This
enables Azure AD to verify that your organization owns the custom domain name.
1. Sign in to the website for domain name registrar for your domain name. If you don't have access to do this, ask
the person or team in your organization who has this access to complete step 2 and to let you know when it is
completed.
2. Update the DNS zone file for the domain by adding the DNS entry provided to you by Azure AD. This DNS entry
enables Azure AD to verify your ownership of the domain. The DNS entry doesn't change any behaviors such as
mail routing or web hosting.
For help with this step, read Instructions for adding a DNS entry at popular DNS registrars
Troubleshooting
If you can't verify a custom domain name, try the following. We'll start with the most common and work down to
the least common.
1. Wait an hour. DNS records need to propagate before Azure AD can verify the domain. This can take an hour or
more.
2. Ensure the DNS record was entered, and that it is correct. Complete this step at the website for the domain
name registrar for the domain. Azure AD cannot verify the domain name if the DNS entry is not present in the
DNS zone file, or if it is not an exact match with the DNS entry that Azure AD provided you. If you do not have
access to update DNS records for the domain at the domain name registrar, share the DNS entry with the
person or team at your organization who has this access, and ask them to add the DNS entry.
3. Delete the domain name from another directory in Azure AD. A domain name can be verified in only a
single directory. If a domain name was previously verified in another directory, it must be deleted there before it
can be verified in your new directory. To learn about deleting domain names, read Manage custom domain
names.
Next steps
Manage custom domain names
Learn about domain management concepts in Azure AD
Show your company's branding when your users sign in
Use PowerShell to manage domain names in Azure AD
Assign users to a custom domain
1/17/2017 1 min to read Edit on GitHub
After you have added your custom domain to Azure Active Directory, you must add the user accounts for this
domain so that you can begin authenticating them.
Next steps
Using custom domain names to simplify the sign-in experience for your users
Manage custom domain names
Learn about domain management concepts in Azure AD
Managing custom domain names in your Azure
Active Directory preview
1/17/2017 3 min to read Edit on GitHub
A domain name is an important part of the identifier for many directory resources: it is part of a user name or
email address for a user, part of the address for a group, and can be part of the app ID URI for an application. A
resource in Azure Active Directory (Azure AD) preview can include a domain name that is already verified to be
owned by the directory that contains the resource. What's in the preview? Only a global administrator can perform
domain management tasks in Azure AD.
What to do if you change the DNS registrar for your custom domain
name
If you change the DNS registrar for your custom domain name, you can continue to use your custom domain name
with Azure AD itself without interruption and without additional configuration tasks. If you use your custom
domain name with Office 365, Intune, or other services that rely on custom domain names in Azure AD, refer to the
documentation for those services.
Next steps
Add custom domain names
Managing custom domain names in your Azure
Active Directory
1/17/2017 3 min to read Edit on GitHub
A domain name is an important part of the identifier for many directory resources: it is part of a user name or
email address for a user, part of the address for a group, and can be part of the app ID URI for an application. A
resource in Azure Active Directory (Azure AD) can include a domain name that is already verified to be owned by
the directory that contains the resource. Only a global administrator can perform domain management tasks in
Azure AD.
What to do if you change the DNS registrar for your custom domain
name
If you change the DNS registrar for your custom domain name, you can continue to use your custom domain
name with Azure AD itself without interruption and without additional configuration tasks. If you use your custom
domain name with Office 365, Intune, or other services that rely on custom domain names in Azure AD, refer to
the documentation for those services.
Delete a custom domain name
You can delete a custom domain name from your Azure AD if your organization no longer uses that domain
name, or if you need to use that domain name with another Azure AD.
To delete a custom domain name, you must first ensure that no resources in your directory rely on the domain
name. You can't delete a domain name from your directory if:
Any user has a user name, email address, or proxy address that include the domain name.
Any group has an email address or proxy address that includes the domain name.
Any application in your Azure AD has an app ID URI that includes the domain name.
You must change or delete any such resource in your Azure AD directory before you can delete the custom
domain name.
Next steps
Learn about domain names in Azure AD
Manage custom domain names
Add company branding to your sign-in page in the
Azure Active Directory preview
1/17/2017 2 min to read Edit on GitHub
To avoid confusion, many companies want to apply a consistent look and feel across all the websites and services
they manage. Azure Active Directory preview provides this capability by allowing you to customize the appearance
of the sign-in page with your company logo and custom color schemes. What's in the preview? The sign-in page is
the page that appears when you sign in to Office 365 or other web-based applications that are using Azure AD as
your identity provider. You interact with this page to enter your credentials.
If you want to show your company brand, colors and other customizable elements on this page, see the following
images to understand the difference between the two experiences.
The following screenshot shows and example for the Office 365 sign-in page on a desktop computer before a
customization:
The following screenshot shows and example for the Office 365 sign-in page on a desktop computer after a
customization:
NOTE
Your domain name must appear as Active" in the Domains portion of the Azure portal in which you have configured
branding. For more information, see Add custom domain names.
Sign-in page branding doesnt carry over to the consumer sign in page of Microsoft. If you sign in with a Microsoft
account, you may see a branded list of user tiles rendered by Azure AD, but the branding of your organization does not
apply to the Microsoft account sign-in page.
On your sign-in page, the Keep me signed in checkbox allows a user to remain signed in when they close and re-
open their browser.
It does not effect session lifetime. You can hide the checkbox on the Azure Active Directory sign-in page. Whether
the checkbox is displayed depends on the setting of Keep me signed in disabled.
NOTE
Some features of SharePoint Online and Office 2010 depend on users being able to check this box. If you configure this
setting to hidden, your users may see additional and unexpected prompts to sign-in.
5. Modify the elements you want to customize. All elements are optional.
6. Click Save.
It can take up to an hour for any changes you made to the sign-in page branding to appear.
Next steps
Add language-specific company branding
Add language-specific company branding to your
sign-in page in the Azure Active Directory preview
1/17/2017 1 min to read Edit on GitHub
To avoid confusion, many companies want to apply a consistent look and feel across all the websites and services
they manage. Azure Active Directory preview provides this capability by allowing you to customize the appearance
of the sign-in page with your company logo and custom color schemes. What's in the preview? The sign-in page is
the page that appears when you sign in to Office 365 or other web-based applications that are using Azure AD as
your identity provider. You interact with this page to enter your credentials.
Next steps
Add company branding to your sign-in page
Add company branding to your sign-in and Access
Panel pages
1/17/2017 10 min to read Edit on GitHub
To avoid confusion, many companies want to apply a consistent look and feel across all the websites and services
they manage. Azure Active Directory provides this capability by allowing you to customize the appearance of the
following web pages with your company logo and custom color schemes:
Sign-in page - This is the page that appears when you sign in to Office 365 or other web-based applications
that are using Azure AD as your identity provider. You interact with this page either during a Home Realm
Discovery or to enter your credentials. The Home Realm Discovery allows the system to redirect federated
users to their on-premises STS (such as AD FS).
Access Panel page - The Access Panel is a web-based portal that allows you to view and launch the cloud-
based applications your Azure AD administrator has granted you access to. To access the Access Panel, use the
following URL: https://myapps.microsoft.com.
This topic explains how you can customize the sign-in page and the access panel page.
NOTE
Company branding is a feature that is available only if you upgraded to the Premium or Basic edition of Azure Active
Directory, or are an Office 365 user. For more information, see Azure Active Directory editions.
Azure Active Directory Premium and Basic editions are available for customers in China using the worldwide instance of
Azure Active Directory. Azure Active Directory Premium and Basic editions are not currently supported in the Microsoft
Azure service operated by 21Vianet in China. For more information, contact us at the Azure Active Directory Forum.
NOTE
Your domain name must appear as Active in the Active Directory > Directory > Domains section of the Azure
classic portal where you have configured branding.
Sign-in page branding doesnt carry over to the consumer sign in page of Microsoft. If you sign in with a personal
Microsoft account, you may see a branded list of user tiles rendered by Azure AD, but the branding of your organization
does not apply to the Microsoft account sign-in page.
If you want to show your company brand, colors and other customizable elements on this page, see the following
images to understand the difference between the two experiences.
The following screenshot shows and example for the Office 365 sign-in page on a desktop computer before a
customization:
The following screenshot shows and example for the Office 365 sign-in page on a desktop computer after a
customization:
The following screenshot shows an example of the Office 365 sign-in page on a mobile device before a
customization:
The following screenshot shows an example of the Office 365 sign-in page on a mobile device after a
customization:
When you resize a browser window, the large Illustration, like the one shown previously, is often cropped to
accommodate different screen aspect ratios. With this in mind, you should try to keep the key visual elements in
the illustration so that they always appear in the top-left corner (top-right for right-to-left languages). This is
important because resizing typically occurs from the bottom-right corner going towards the top / left or from the
bottom towards the top.
The following picture shows how the illustration is cropped when the browser is resized to the left:
Here is how it appears after the browser is resized toward the top:
What elements on the page can I customize?
You can customize the following elements on the sign-in page:
Banner Logo Shown at the top-right of the page. Replaces the logo the
destination site you are signing in to displays (For example.
Office 365 or Azure).
PAGE ELEMENT LOCATION ON THE PAGE
Large Illustration / Background Color Shown at the left of the page. Replaces the image the
destination site you are signing in to displays. The
Background Color may be shown in place of the Large
Illustration on low bandwidth connections, or on narrow
screens.
Sign-in Page Text Shown above the page footer when you need to convey
helpful information before a sign-in with a work or school
account. For example, you may want to include the phone
number to your help desk, or a legal statement.
NOTE
All elements are optional. For example, if you specify a Banner Logo but no Large Illustration, the sign-in page shows your
logo and the illustration for the destination site (that is, the Office 365 California highway image).
On your sign-in page, the Keep me signed in checkbox allows a user to remain signed in when they close and
re-open their browser. It does not effect session lifetime. You can hide the checkbox on the Azure Active Directory
sign-in page.
Whether the checkbox is displayed depends on the setting of Hide KMSI.
NOTE
Some features of SharePoint Online and Office 2010 depend on users being able to check this box. If you configure this
setting to hidden, your users may see additional and unexpected prompts to sign-in.
You can also localize all elements on this page. Once youve configured a default set of customization elements,
you can configure more versions for different locales. You can also mix and match various elements. For example,
you can:
Create a default Large Illustration that works for all cultures, then create specific versions for English and
French. When you set your browsers to one of these two languages, the specific image appears, while the
default illustration appears for all other languages.
Configure different logos for your organization (e.g. Japanese or Hebrew versions).
Customizable elements
Some customizable elements in Azure AD have multiple use cases. You can configure company logos once per
directory and is used on both, the sign-in and Access Panel pages. Some customizable elements are specific only
to the sign-in page. The following table provides details for the different customizable elements.
Banner Logo The Banner Logo is JPG or PNG Use your organizations
displayed on the sign-in full logo (including
page and the Access panel. 60x280 pixels pictogram and
10 KB logotype)
Keep it under 30 pixels
high to avoid
introducing scrollbars
on mobile devices
Keep it under 4 KB
Use a transparent PNG
(dont assume that the
sign-in page always has
a white background)
Tile Logo (currently not used in the JPG or PNG Keep it simple (no small
sign-in page) In the future, text), as this image may
this text may be used to 120x120 pixels be resized to 50%
replace the generic work or 10 KB
school account pictogram
in different places of the
experience.
Sign-in Page User Name (currently not used in the Unicode text, up to 50 Keep it short and simple
Label sign-in page) In the future, characters
this text may be used to Ask your users how
replace the generic work or Plain text only (no links they usually refer to the
school account string in or HTML tags) work or school account
different places of the you provide them with.
experience. You can set it to
something like Contoso
account or Contoso ID.
Sign-in Page Text This boilerplate text Unicode text, up to 256 Keep it under 250
appears below the sign-in characters characters (approximately 3
page form and can be used lines of text)
to communicate additional Plain text only (no links
instructions, or where to get or HTML tags)
help and support.
NAME DESCRIPTION CONSTRAINTS RECOMMENDATIONS
Sign-in Page Illustration The illustration is a large JPG or PNG 1420x1200 pixels
image that is displayed on
the sign-in page to the left 1420x1200 Important: Keep it as
of the sign-in page form. small as possible, ideally
500 KB under 200 KB. If this
image is too large, the
performance of the
Sign-in page is impacted
when the image isnt
cached
This image is often
cropped, to
accommodate different
screen ratios. Keep the
primary visual elements
in the top left corner
(top right for RTL
languages), because
resizing occurs from the
bottom/right corner,
going towards the top /
left, as the browser
window shrinks.
Sign-in Page Background The sign-in page Must be an RGB color in The background color
Color background color is used in hexadecimal form (example: may be shown in place
the area to the left of the #FFFFFF) of the large Illustration
sign-in page form. on low-bandwidth
connections
We suggest picking the
primary color of the
Banner Logo
Next Steps
Getting started with Azure Active Directory Premium
View your access and usage reports
Administer your Azure AD directory
1/17/2017 10 min to read Edit on GitHub
The first time you sign up for a Microsoft cloud service, you are prompted to provide details about your
organization and your organizations Internet domain name registration. This information is then used to create
a new Azure AD directory instance for your organization. That same directory is used to authenticate sign in
attempts when you subscribe to multiple Microsoft cloud services.
The additional services fully leverage any existing user accounts, policies, settings or on-premises directory
integration you configure to help improve efficiency between your organizations identity infrastructure on-
premises and Azure AD.
For example, if you originally signed up for a Microsoft Intune subscription and completed the steps necessary to
further integrate your on-premises Active Directory with your Azure AD directory by deploying directory
synchronization and/or single sign-on servers, you can sign up for another Microsoft cloud service such as Office
365 which can also leverage the same directory integration benefits you now use with Microsoft Intune.
For more information about integrating your on-premises directory with Azure AD, see Directory integration.
Associate an Azure AD directory with a new Azure subscription
You can associate a new Azure subscription with the same directory that authenticates sign in for an existing
Office 365 or Microsoft Intune subscription. Sign in to the Azure Management Portal using your work or school
account. The Management Portal returns a message that it was unable to find any subscriptions for that account.
Select Sign Up For Azure, and your directory will be available for administration within the portal. For more
information, see Manage the directory for your Office 365 subscription in Azure.
For a video about common usage questions for Azure AD, see Azure Active Directory - Common Sign-up, sign-in
and usage questions.
Create an Azure AD directory by signing up for a Microsoft cloud service as an organization
If you dont yet have a subscription to a Microsoft cloud service, use one of the links below to sign up. The act of
signing up for your first service will create an Azure AD directory automatically.
Microsoft Azure
Office 365
Microsoft Intune
Manage an Azure -provisioned Default directory
Today, a directory is automatically created when you sign up for Azure and your subscription is associated with
that directory. But if you originally signed up for Azure before October 2013, a directory was not automatically
created. In that case, Azure may have backfilled for your account by provisioning a Default directory for it. Your
subscription was then associated with that Default directory.
Backfilling of directories was done in October 2013 as part of an overall improvement to the security model for
Azure. It helps offer organizational identity features to all Azure customers and ensures that all Azure resources
are accessed in the context of a user in directory. You cannot use Azure without a directory. To achieve that, any
user who was signed up prior to July 7, 2013 but did not have a directory had to have one created. If you had
already created a directory, then your subscription was associated with that directory.
There are no costs for using Azure AD. The directory is a free resource. There is an additional Azure Active
Directory Premium tier that is licensed separately and provides additional features such as company branding
and self-service password reset.
To change the display name of your directory, click the directory in the portal and click Configure. As explained
later in this topic, you can add a new directory or delete a directory that you no longer need. To associate your
subscription with a different directory, click the Settings extension in the left navigation, and at the bottom of the
Subscriptions page, click Edit Directory. You can also create a custom domain using a DNS name that you
have registered instead of the default *.onmicrosoft.com domain, which may be preferable with a service such as
SharePoint Online.
These account portals and the associated Azure AD PowerShell cmdlets used to manage users and groups are
built on top of the Azure AD platform.
When you make a change to your organizations data using any of the portals (or cmdlets) while signed in under
the context of one of these services, the change will also be shown in the other portals the next time you sign-in
under the context of that service because this data is shared across the Microsoft cloud services you are
subscribed to. For example, if you used the Office 365 Admin Center to block a user from signing in, that action
will block the user from signing in to any other service that your organization is currently subscribed to. If you
were to pull up that same users account under the context of the Microsoft Intune account portal you will see
that the user is blocked.
How can I add and manage multiple directories?
You can add an Azure AD directory in the Azure Management Portal. Select the Active Directory extension on
the left and click Add.
You can manage each directory as a fully independent resource: each directory is a peer, fully-featured, and
logically independent of other directories that you manage; there is no parent-child relationship between
directories. This independence between directories includes resource independence, administrative
independence, and synchronization independence.
Resource independence. If you create or delete a resource in one directory, it has no impact on any
resource in another directory, with the partial exception of external users, described below. If you use a
custom domain 'contoso.com' with one directory, it cannot be used with any other directory.
Administrative independence. If a non-administrative user of directory 'Contoso', creates a test
directory 'Test' then:
The directory sync tool, to synchronize data with a single AD forest.
The administrators of directory 'Contoso' have no direct administrative privileges to directory 'Test'
unless an administrator of 'Test' specifically grants them these privileges. Administrators of
'Contoso' can control access to directory 'Test' by virtue of their control of the user account which
created 'Test.'
And if you change (add or remove) an administrator role for a user in one directory, the change
does not affect any administrator role that user may have in another directory.
Synchronization independence. You can configure each Azure AD independently to get data
synchronized from a single instance of either:
The directory sync tool, to synchronize data with a single AD forest
The Azure Active Directory Connector for Forefront Identity Manager, to synchronize data with one or
more on-premises forests, and/or non-AD data sources.
Also note that unlike other Azure resources, your directories are not child resources of an Azure subscription. So
if you cancel or allow your Azure subscription to expire, you can still access your directory data using Azure AD
PowerShell, the Azure Graph API, or other interfaces such as the Office 365 Admin Center. You can also associate
another subscription with the directory.
NOTE
If the user is signed in with a work or school account, the user must not be attempting to delete his or her home directory.
For example, if the user is signed in as joe@contoso.onmicrosoft.com, that user cannot delete the directory that has
contoso.onmicrosoft.com as its default domain.
NOTE
If the user is signed in with a work or school account, the user must not be attempting to delete his or her home directory.
For example, if the user is signed in as joe@contoso.onmicrosoft.com, that user cannot delete the directory that has
contoso.onmicrosoft.com as its default domain.
Additional Resources
Azure AD Forum
Azure Multi-Factor Authentication Forum
Stackoverflow
Sign up for Azure as an organization
Manage Azure AD using Windows PowerShell
Assigning administrator roles in Azure AD
Add and manage multiple Azure Active Directory
directories
1/17/2017 1 min to read Edit on GitHub
In Azure Active Directory (Azure AD), each directory is a fully independent resource: a peer, fully-featured, and
logically independent of other directories that you manage. There is no parent-child relationship between
directories. This independence between directories includes resource independence, administrative independence,
and synchronization independence.
Resource independence
If you create or delete a resource in one directory, it has no impact on any resource in another directory, with the
partial exception of external users, described below. If you use a custom domain 'contoso.com' with one directory,
it cannot be used with any other directory.
Administrative independence
If a non-administrative user of directory 'Contoso' creates a test directory 'Test' then:
By default, the user who creates a directory is added as an external user in that new directory, and assigned the
global administrator role in that directory.
The administrators of directory 'Contoso' have no direct administrative privileges to directory 'Test' unless an
administrator of 'Test' specifically grants them these privileges. Administrators of 'Contoso' can control access
to directory 'Test' if they control the user account which created 'Test.'
If you change (add or remove) an administrator role for a user in one directory, the change does not affect any
administrator role that the user might have in another directory.
Synchronization independence
You can configure each Azure AD directory independently to get data synchronized from a single instance of either:
The Directory Synchronization (DirSync) tool, to synchronize data with a single AD forest.
The Azure Active Directory Connector for Forefront Identity Manager, to synchronize data with one or more on-
premises forests, and/or non-Azure AD data sources.
NOTE
Unlike other Azure resources, your directories are not child resources of an Azure subscription. If you cancel or allow your
Azure subscription to expire, you can still access your directory data using Azure PowerShell, the Azure Graph API, or other
interfaces such as the Office 365 Admin Center. You can also associate another subscription with the directory.
For a broad overview of Azure AD licensing issues and best practices, see What is Azure Active Directory licensing?.
Manage the directory for your Office 365
subscription in Azure
1/17/2017 2 min to read Edit on GitHub
This article describes how to manage a directory that was created for an Office 365 subscription, using the Azure
classic portal. You must be either the Service Administrator or a co-administrator of an Azure subscription to sign
in to the Azure classic portal. If you dont yet have an Azure subscription, you can sign up for a free 30-day trial
today and deploy your first cloud solution in under 5 minutes, using this link. Be sure to use the work or school
account that you use to sign in to Office 365.
After you complete the Azure subscription, you can sign in to the Azure classic portal and access Azure services.
Click the Active Directory extension to manage the same directory that authenticates your Office 365 users.
If you do already have an Azure subscription, the process to manage an additional directory is also straightforward.
For example, Michael Smith might have an Office 365 subscription for Contoso.com. He also has an Azure
subscription that he signed up for by using his Microsoft account, msmith@hotmail.com. In this case, he manages
two directories.
He wants to manage the user identities in the Contoso directory while he is signed in to Azure using his Microsoft
account, so that he can enable Azure AD features such as multifactor authentication. The following diagram may
help to illustrate the process.
In this case, the two directories are independent of each other.
NOTE
These steps can be completed only when a user is signed in with a Microsoft account. If the user is signed in with a work or
school account, the option to Use existing directory isn't available. A work or school account can be authenticated only by
its home directory (that is, the directory where the work or school account is stored, and that the business or school owns).
Next steps
For more information about the relationship between subscriptions and directories, see How a subscription is
associated with a directory.
What is Self-Service Signup for Azure?
1/17/2017 8 min to read Edit on GitHub
This topic explains the self-service signup process and how to take over a DNS domain name.
User experience
For example, let's say a user whose email is Dan@BellowsCollege.com receives sensitive files via email. The files
have been protected by Azure Rights Management (Azure RMS). But Dan's organization, Bellows College, has not
signed up for Azure RMS, nor has it deployed Active Directory RMS. In this case, Dan can sign up for a free
subscription to RMS for individuals in order to read the protected files.
If Dan is the first user with an email address from BellowsCollege.com to sign up for this self-service offering, then
an unmanaged directory will be created for BellowsCollege.com in Azure AD. If other users from the
BellowsCollege.com domain sign up for this offering or a similar self-service offering, they will also have email-
verified user accounts created in the same unmanaged directory in Azure.
Admin experience
An admin who owns the DNS domain name of an unmanaged Azure directory can take over or merge the directory
after proving ownership. The next sections explain the admin experience in more detail, but here's a summary:
When you take over an unmanaged Azure directory, you simply become the global administrator of the
unmanaged directory. This is sometimes called an internal takeover.
When you merge an unmanaged Azure directory, you add the DNS domain name of the unmanaged directory
to your managed Azure directory and a mapping of users-to-resources is created so users can continue to
access services without interruption. This is sometimes called an external takeover.
For example:
1. Connect to Azure AD using the credentials that were used to respond to the self-service offering:
import-module MSOnline
$msolcred = get-credential
connect-msolservice -credential $msolcred
The following flowchart explains all the different combinations for these parameters and the resulting conditions
for the directory and self-service sign up.
For more information and examples of how to use these parameters, see Set-MsolCompanySettings.
See Also
How to install and configure Azure PowerShell
Azure PowerShell
Azure Cmdlet Reference
Set-MsolCompanySettings
Enterprise State Roaming overview
1/17/2017 1 min to read Edit on GitHub
With Windows 10, Azure Active Directory (Azure AD) users gain the ability to securely synchronize their user
settings and application settings data to the cloud. Enterprise State Roaming provides users with a unified
experience across their Windows devices and reduces the time needed for configuring a new device. Enterprise
State Roaming operates similar to the standard consumer settings sync that was first introduced in Windows 8.
Additionally, Enterprise State Roaming offers:
Separation of corporate and consumer data Organizations are in control of their data, and there is no
mixing of corporate data in a consumer cloud account or consumer data in an enterprise cloud account.
Enhanced security Data is automatically encrypted before leaving the users Windows 10 device by using
Azure Rights Management (Azure RMS), and data stays encrypted at rest in the cloud. All content stays
encrypted at rest in the cloud, except for the namespaces, like settings names and Windows app names.
Better management and monitoring Provides control and visibility over who syncs settings in your
organization and on which devices through the Azure AD portal integration.
Enterprise State Roaming is available in multiple Azure regions. You can find the updated list of available regions
on the Azure Services by Regions page under Azure Active Directory.
ARTICLE DESCRIPTION
Enable Enterprise State Roaming in Azure Active Directory Enterprise State Roaming is available to any organization with
a Premium Azure Active Directory (Azure AD) subscription.
For more details on how to get an Azure AD subscription, see
the Azure AD product page.
Settings and data roaming FAQ This topic answers some questions IT administrators might
have about settings and app data sync.
Group policy and MDM settings for settings sync Windows 10 provides Group Policy and mobile device
management (MDM) policy settings to limit settings sync.
Windows 10 roaming settings reference The following is a complete list of all the settings that will be
roamed and/or backed-up in Windows 10.
Troubleshooting This topic goes through some basic steps for troubleshooting,
and contains a list of known issues.
Enable Enterprise State Roaming in Azure Active
Directory
1/17/2017 4 min to read Edit on GitHub
Enterprise State Roaming is available to any organization with a Premium Azure Active Directory (Azure AD)
subscription. For more details on how to get an Azure AD subscription, see the Azure AD product page.
When you enable Enterprise State Roaming, your organization will be automatically granted licenses for a free,
limited-use subscription to Azure Rights Management. This free subscription is limited to encrypting and
decrypting enterprise settings and application data synced by the Enterprise State Roaming service; you must have
a paid subscription to use the full capabilities of Azure Rights Management.
After obtaining a Premium Azure AD subscription, follow these steps to enable Enterprise State Roaming:
1. Login to the Azure classic portal.
2. On the left, select ACTIVE DIRECTORY, and then select the directory for which you want to enable Enterprise
State Roaming.
3. Go to the CONFIGURE tab on the top.
4. Scroll down the page and select USERS MAY SYNC SETTINGS AND ENTERPRISE APP DATA, and then click
SAVE.
For a Windows 10 device to roam settings with the Enterprise State Roaming service, the device must authenticate
using an Azure AD identity. For devices that are joined to Azure AD, the users primary login is the Azure AD
identity, so no additional configuration is required. For devices that use a traditional on-premises Active Directory,
the IT admin must connect the domain-joined devices to Azure AD for Windows 10 experiences.
Data retention
Data synced to Azure via Enterprise State Roaming will be retained indefinitely unless a manual delete operation is
performed or the data in question is determined to be stale.
Explicit deletion: The data is deleted when an Azure admin deletes a user or a directory or an admin requests
explicitly that data is to be deleted.
User deletion: When a user is deleted in Azure AD, the user account roaming data will be marked for deletion
and will be deleted between 90 to 180 days.
Directory deletion: Deleting an entire directory in Azure AD is an immediate operation. All the settings data
associated with that directory will be marked for deletion and will be deleted between 90 to 180 days.
On request deletion: If the Azure AD admin wants to manually delete a specific users data or settings data,
the admin can file a ticket with Azure support.
Stale data deletion: Data that has not been accessed for one year (the retention period) will be treated as stale
and may be deleted from Azure. The retention period is subject to change but will not be less than 90 days. The
stale data may be a specific set of Windows/application settings or all settings for a user. For example:
If no devices access a particular settings collection (e.g., an application is removed from the device, or a settings
group such as Theme is disabled for all of a users devices), then that collection will become stale after the
retention period and may be deleted.
If a user has turned off settings sync on all his/her devices, then none of the settings data will be accessed, and
all the settings data for that user will become stale and may be deleted after the retention period.
If the Azure AD directory admin turns off Enterprise State Roaming for the entire directory, then all users in that
directory will stop syncing settings, and all settings data for all users will become stale and may be deleted after
the retention period.
Deleted data recovery: The data retention policy is not configurable. Once the data has been permanently
deleted, it will not be recoverable. However, its important to note that the settings data will only be deleted from
Azure, not the end-user device. If any device later reconnects to the Enterprise State Roaming service, the settings
will again be synced and stored in Azure.
Related topics
Enterprise State Roaming overview
Settings and data roaming FAQ
Group Policy and MDM settings for settings sync
Windows 10 roaming settings reference
Troubleshooting
Group Policy and MDM settings
1/17/2017 1 min to read Edit on GitHub
Use these group policy and mobile device management (MDM) settings only on corporate-owned devices because
these policies are applied to the users entire device. Applying an MDM policy to disable settings sync for a
personal, user-owned device will negatively impact the use of that device. Additionally, other user accounts on the
device will also be affected by the policy.
Enterprises that want to manage roaming for personal (unmanaged) devices can use the Azure portal to enable or
disable roaming, rather than using Group Policy or MDM. The following tables describe the policy settings
available.
MDM settings
The MDM policy settings apply to both Windows 10 and Windows 10 Mobile. Windows 10 Mobile support exists
only for Microsoft account based roaming via users OneDrive account. Please refer to Devices and endpoints
section for details on what devices are supported for Azure AD based syncing.
NAME DESCRIPTION
Allow Microsoft Account Connection Allows users to authenticate using a Microsoft account on the
device
Allow Sync My Settings Allows users to roam Windows settings and app data;
Disabling this policy will disable sync as well as backups on
mobile devices
NAME DESCRIPTION
Accounts: Block Microsoft Accounts This policy setting prevents users from adding new Microsoft
accounts on this computer
Do not sync Prevents users to roam Windows settings and app data
Do not sync browser settings Disables syncing of the Internet Explorer group
Do not sync other Windows settings Disables syncing of Other Windows settings group
Do not sync on metered connections Disables roaming on metered connections, such as cellular 3G
Related topics
Enterprise State Roaming overview
Enable enterprise state roaming in Azure Active Directory
Settings and data roaming FAQ
Windows 10 roaming settings reference
Troubleshooting
Windows 10 roaming settings reference
1/17/2017 6 min to read Edit on GitHub
The following is a complete list of all the settings that will be roamed or backed up in Windows 10.
What is backup?
Windows settings generally sync by default, but some settings are only backed up, such as the list of installed
applications on a device. Backup is for mobile devices only and currently not available for Enterprise State
Roaming users. Backup uses a Microsoft account and stores the settings and application data into OneDrive. If a
user disables sync on the device using the Settings app, application data that normally syncs becomes backup
only. Backup data can only be accessed through the restore operation during the first run experience of a new
device. Backups can be disabled via the device settings, and can be managed and deleted through the users
OneDrive account.
Related topics
Enterprise state roaming overview
Enable enterprise state roaming in Azure Active Directory
Settings and data roaming FAQ
Group policy and MDM settings for settings sync
Troubleshooting
Settings and data roaming FAQ
1/17/2017 10 min to read Edit on GitHub
This topic answers some questions IT administrators might have about settings and app data sync.
NOTE
Windows 10 devices that are enterprise-owned and are connected to Azure AD can no longer connect their Microsoft
accounts to a domain account. The ability to connect a Microsoft account to a domain account and have all the user's data
sync to the Microsoft account (that is, the Microsoft account roaming via the connected Microsoft account and Active
Directory functionality) is removed from Windows 10 devices that are joined to a connected Active Directory or Azure AD
environment.
What are the roaming settings options for existing Windows desktop
applications?
Roaming only works for Universal Windows apps. There are two options available for enabling roaming on an
existing Windows desktop application:
The Desktop Bridge helps you bring your existing Windows desktop apps to the Universal Windows Platform.
From here, minimal code changes will be required to take advantage of Azure AD app data roaming. The
Desktop Bridge provides your apps with an app identity, which is needed to enable app data roaming for
existing desktop apps.
User Experience Virtualization (UE-V) helps you create a custom settings template for existing Windows
desktop apps and enable roaming for Win32 apps. This option does not require the app developer to change
code of the app. UE-V is limited to on-premises Active Directory roaming for customers who have purchased
the Microsoft Desktop Optimization Pack.
Administrators can configure UE-V to roam Windows desktop app data by changing roaming of Windows OS
settings and Universal app data through UE-V group policies, including:
Roam Windows settings group policy
Do not synchronize Windows Apps group policy
Internet Explorer roaming in the applications section
In the future, Microsoft may investigate ways to make UE-V deeply integrated into Windows and extend UE-V to
roam settings through the Azure AD cloud.
Known issues
Please see the documentation in the troubleshooting section for a list of known issues.
Related topics
Enterprise state roaming overview
Enable enterprise state roaming in Azure Active Directory
Group policy and MDM settings for settings sync
Windows 10 roaming settings reference
Troubleshooting
Troubleshooting Enterprise State Roaming settings in
Azure Active Directory
1/17/2017 8 min to read Edit on GitHub
This topic provides information on how to troubleshoot and diagnose issues with Enterprise State Roaming, as
well as provides a list of known issues.
Known issues
Sync does not work on devices that have apps side -loaded using MDM software
Affects devices running the Windows 10 Anniversary Update (Version 1607). In Event Viewer under the
SettingSync-Azure logs, the Event ID 6013 with error 80070259 is frequently seen.
Recommended action
Make sure the Windows 10 v1607 client has the August 23, 2016 Cumulative Update (KB3176934 OS Build
14393.82).
Theme is not syncing, as well as data protected with Windows Information Protection
To prevent data leakage, data that is protected with Windows Information Protection will not sync through
Enterprise State Roaming for devices using the Windows 10 Anniversary Update.
Recommended action
None. Future updates to Windows may resolve this issue.
Sync does not work on devices that use smart card for login
If you attempt to sign in to your Windows device using a smart card or virtual smart card, settings sync will stop
working.
Recommended action
None. Future updates to Windows may resolve this issue.
Event ID 6065: 80070533 This user cant sign in because this account is currently disabled
In Event Viewer under the SettingSync/Debug logs, this error can be seen when the tenant did not automatically
have AzureRMS provisioned.
Recommended action
Proceed with the steps listed in KB3193791.
Next steps
Use the User Voice forum to provide feedback and make suggestions on how to improve Enterprise State
Roaming.
For more details, see the Enterprise State Roaming overview.
Related topics
Enterprise state roaming overview
Enable enterprise state roaming in Azure Active Directory
Settings and data roaming FAQ
Group policy and MDM settings for settings sync
Windows 10 roaming settings reference
Azure AD B2B collaboration preview: Simple, secure
cloud partner integration
1/17/2017 1 min to read Edit on GitHub
As companies focus more on their core business, the need to partner with other businesses increases. Companies
need to easily and securely share resources (such as access to corporate applications) with their partners to
engage in effective collaboration. Azure Active Directory B2B collaboration supports your cross-company
relationships by enabling partners to selectively access your corporate applications and data using their self-
managed identities. Azure AD B2B collaboration is:
Simple: Each partner user uses an existing Azure AD account or one that is easily created during invitation
acceptance. You can provide this user with direct access to your chosen corporate app or a set of applications
through the App Access Panel.
Secure: Your admin controls all access to your corporate apps through your Azure AD directory. When
collaboration is terminated, partner users can be removed from your Azure AD and their access to your apps is
immediately revoked. Additionally, when the partner user leaves the partner organization, access is lost
automatically.
Seamless: The partner companies who need access to your corporate apps do not need to have Azure AD.
Azure AD B2B collaboration provides a simple user sign-up experience to provide these partners with
immediate access to your apps.
Check out the blog post announcing public preview and this deep dive video walking through Azure AD B2B
collaboration.
For a comparison of the use cases for Azure AD B2B collaboration, Azure AD B2C, and the Azure AD Multi-tenant
App, check out Comparing capabilities for managing external identities using Azure AD.
Related articles
Browse our other articles on Azure AD B2B collaboration:
How it works
Detailed walkthrough
CSV file format reference
External user token format
External user object attribute changes
Current preview limitations
Article Index for Application Management in Azure Active Directory
Azure Active Directory B2B collaboration
1/17/2017 2 min to read Edit on GitHub
Azure Active Directory (Azure AD) B2B collaboration lets you enable access to your corporate applications from
partner-managed identities. You can create cross-company relationships by inviting and authorizing users from
partner companies to access your resources. Complexity is reduced because each company federates once with
Azure Active Directory and each user is represented by a single Azure AD account. Security is increased if your
business partners manage their accounts in Azure AD because access is revoked when partner users are
terminated from their organizations, and unintended access via membership in internal directories is prevented.
For business partners who don't already have Azure AD, B2B collaboration has a streamlined sign-up experience to
provide Azure AD accounts to your business partners.
Your business partners use their own sign-in credentials, which frees you from managing an external partner
directory, and from the need to remove access when users leave the partner organization.
You manage access to your apps independently of your business partner's account lifecycle. This means, for
example, that you can revoke access without having to ask the IT department of your business partner to do
anything.
Capabilities
B2B collaboration simplifies management and improves security of partner access to corporate resources including
SaaS apps such as Office 365, Salesforce, Azure Services, and every mobile, cloud and on-premises claims-aware
application. B2B collaboration enables partners manage their own accounts and enterprises can apply security
policies to partner access.
Azure Active Directory B2B collaboration is easy to configure with simplified sign-up for partners of all sizes even if
they dont have their own Azure Active Directory via an email-verified process. It is also easy to maintain with no
external directories or per partner federation configurations.
Next steps
Browse our other articles on Azure AD B2B collaboration.
What is Azure AD B2B collaboration?
How it works
Detailed walkthrough
CSV file format reference
External user token format
External user object attribute changes
Current preview limitations
Article Index for Application Management in Azure Active Directory
Azure AD B2B collaboration preview: How it works
1/17/2017 1 min to read Edit on GitHub
Azure AD B2B collaboration is based on an invite and redeem model. You provide the email addresses of the
parties you want to work with, along with the applications you want them to use. Azure AD sends them an email
invite with a link. The partner user follows the link and is prompted to sign in using their Azure AD account or sign
up for a new Azure AD account.
1. Your admin invites partner users by uploading a structured .csv file using the Azure portal.
2. The portal sends invite emails to these partner users.
3. The partner users click the link in the email, and are prompted to sign in using their work credentials (if they're
already in Azure AD), or to sign up as an Azure AD B2B collaboration user.
4. Partner users are redirected to the application they were invited to, where they now have access.
Directory operations
Partner users exist in your Azure AD as external users. This means your admin can provision licenses, assign group
membership, and further grant access to corporate apps through the Azure portal or using Azure PowerShell just
like for users in your company.
While a paid Azure AD subscription (Basic or Premium) is not necessary to use Azure AD B2B, tenants who do
have a paid Azure AD subscription (Basic or Premium) receive the following additional benefits:
Admins can assign groups to apps, providing for simpler management of invited user access.
Admin tenant branding is used to brand the invitation emails and redemption experience, providing more
context to invited partner users.
Related articles
Browse our other articles on Azure AD B2B collaboration
What is Azure AD B2B collaboration?
Detailed walkthrough
CSV file format reference
External user token format
External user object attribute changes
Current preview limitations
Article Index for Application Management in Azure Active Directory
Comparing capabilities for managing external
identities using Azure Active Directory
1/17/2017 2 min to read Edit on GitHub
In addition to managing mobile workforce access to SaaS apps, Azure Active Directory (Azure AD) can help your
organization share resources with business partners and deliver applications to businesses and consumers.
Accessible when... Customer admin consents My admin invites The consumer signs up
Azure AD B2B collaboration preview: Detailed
walkthrough
1/17/2017 4 min to read Edit on GitHub
This walkthrough outlines how to use Azure AD B2B collaboration. As the IT administrator of Contoso, we want to
share applications with employees from three partner companies. None of the partner companies need to have
Azure AD.
Alice from Simple Partner Org
Bob, from Medium Partner Org, needs access to a set of apps
Carol, from Complex Partner Org, needs access to a set of apps, and membership in groups at Contoso
After invitations are sent out to partner users, we can configure them in Azure AD to grant access to apps and
membership to groups through the Azure portal. Let's start by adding Alice.
2. In the Azure portal, add a user into the Contoso directory (Active Directory > Contoso > Users > Add User). In
the "Type of User" drop down, select "Users in partner companies". Upload the .csv file. Make sure that the .csv
file is closed before uploading.
3. Alice is now represented as an External User in the Contoso Azure AD directory.
6. Alice is redirected to the App Access Panel, empty until she is granted access to apps.
This procedure enables the simplest form of B2B collaboration. As a user in the Contoso Azure AD directory, Alice
can be granted access to applications and groups through the Azure portal. Now let's add Bob, who needs access
to the applications Moodle and Salesforce.
2. Create a .csv file containing Bob's Email and DisplayName, InviteAppID, InviteAppResources, and
InviteContactUsUrl. Populate InviteAppResources with the AppPrincipalIds of Moodle and Salesforce found
from PowerShell, separated by a space. Populate InviteAppId with the same AppPrincipalId of Moodle to
brand the email and sign in pages with a Moodle logo.
3. Upload the .csv file through the Azure Portal just as it was done for Alice. Bob is now an external user in the
Contoso Azure AD directory.
4. Bob receives the following email.
5. Bob clicks the link and is prompted to accept the invitation. After he is signed in, he is directed to the Access
Panel and can already use Moodle and Salesforce.
We will add Carol next, who needs access to applications as well as membership to groups in the Contoso
directory.
5. Carol receives an email containing a link to accept the invitation. After she signs in, she is redirected to the App
Access Panel to have access to Moodle and Salesforce.
That's all there is to adding users from partner businesses in Azure AD B2B collaboration. This walkthrough
showed how to add users Alice, Bob, and Carol to the Contoso directory using three separate .csv files. This
process can be made easier by condensing the separate .csv files into a single file.
Related articles
Browse our other articles on Azure AD B2B collaboration:
What is Azure AD B2B collaboration?
How it works
CSV file format reference
External user token format
External user object attribute changes
Current preview limitations
Article Index for Application Management in Azure Active Directory
Azure AD B2B collaboration preview: Current
preview limitations
1/17/2017 1 min to read Edit on GitHub
Multi-factor authentication (MFA) not supported on external users. For example, if Contoso has MFA, but
Partner Org does not, then Partner Org users can't be granted MFA through B2B collaboration.
Invites are possible only via CSV; individual invites and API access are not supported.
Only Azure AD Global Administrators can upload .csv files.
Invitations to consumer email addresses (such as hotmail.com, Gmail.com, or comcast.net) are currently not
supported.
External user access to on-premises applications not tested.
External users are not automatically cleaned up when the actual user is deleted from their directory.
Invitations to distribution lists are not supported.
Maximum of 2,000 records can be uploaded via CSV.
Related articles
Browse our other articles on Azure AD B2B collaboration:
What is Azure AD B2B collaboration?
How it works
Detailed walkthrough
CSV file format reference
External user token format
External user object attribute changes
Article Index for Application Management in Azure Active Directory
Azure AD B2B collaboration preview: CSV file
format
1/17/2017 2 min to read Edit on GitHub
The preview version of Azure AD B2B collaboration requires a CSV file specifying partner user information to be
uploaded through the Azure AD portal. The CSV file should contain the required labels below, and optional fields
as necessary. Modify the sample CSV file (below) without changing the spelling of the labels in the first row.
NOTE
The first row of labels (such as Email, DisplayName, and so on) is necessary for the CSV file to be parsed successfully. The
spelling must match the fields specified below. These labels identify the content beneath them. For optional fields that
aren't needed, their labels can be removed from the CSV file. The entire column can be left empty.
Required fields:
Email: Email address of invited user.
DisplayName: Display name for invited user (typically, first and last name).
Optional fields:
InvitationText: Customize invitation email text after app branding and before the redemption link.
InvitedToApplications: AppIDs to corporate applications to assign users. AppIDs are retrievable in PowerShell
by calling Get-MsolServicePrincipal | fl DisplayName, AppPrincipalId
InvitedToGroups: ObjectIDs for groups to add user to. ObjectIDs are retrievable in PowerShell by calling
Get-MsolGroup | fl DisplayName, ObjectId
InviteRedirectURL: URL to direct an invited user after invite acceptance. This should be a company-specific URL
(such as contoso.my.salesforce.com). If this optional field is not specified, the invited user is directed to the App
Access Panel where they can navigate to your chosen corporate apps. The App Access Panel URL is of the form
https://account.activedirectory.windowsazure.com/applications/default.aspx?tenantId=<TenantID> .
CcEmailAddress: Email address to copy emailed invitation. If the CcEmailAddress field is used, this invitation
cannot be used for email-verified user or tenant creation.
Language: Language for invitation email and redemption experience, with "en" (English) as the default when
unspecified. The other 10 supported language codes are:
1. de: German
2. es: Spanish
3. fr: French
4. it: Italian
5. ja: Japanese
6. ko: Korean
7. pt-BR: Portuguese (Brazil)
8. ru: Russian
9. zh-HANS: Simplified Chinese
10. zh-HANT: Traditional Chinese
Sample CSV file
Here is a sample CSV you can modify.
NOTE
Copy and paste this into Notepad, and save it with a '.csv' file extension. Then edit this in Excel. It will be structured into a
table with labels in the first row.
Add more optional fields in Excel by specifying the label and populating the column beneath it.
Email,DisplayName,InvitationText,InviteRedirectUrl,InvitedToApplications,InvitedToGroups,CcEmailAddress,Lang
uage
wharp@contoso.com,Walter Harp,Hi Walter! I hope youve been doing well.,,cd3ed3de-93ee-400b-8b19-
b61ef44a0f29,,you@yourcompany.com,en
jsmith@contoso.com,Jeff Smith,Hi Jeff! I hope youve been doing well.,,cd3ed3de-93ee-400b-8b19-
b61ef44a0f29,,you@yourcompany.com,en
bsmith@contoso.com,Ben Smith,Hi Ben! I hope youve been doing well.,,cd3ed3de-93ee-400b-8b19-
b61ef44a0f29,,you@yourcompany.com,en
Related articles
Browse our other articles on Azure AD B2B collaboration
What is Azure AD B2B collaboration?
How it works
Detailed walkthrough
External user token format
External user object attribute changes
Current preview limitations
Article Index for Application Management in Azure Active Directory
Azure AD B2B collaboration preview: External user
object attribute changes
1/17/2017 1 min to read Edit on GitHub
Each user in an Azure AD directory is represented by a user object. The user object in Azure AD undergoes
attribute changes in various stages of the B2B collaboration invite-redeem flow. The user object representing the
partner user in the directory has attributes that change at redeem time, when the partner user clicks the link in the
invite email. Specifically:
The SignInName and AltSecId attributes are populated
The DisplayName attribute changes from the User Principal Name (user_fabrikam.com#EXT#@contoso.com)
to the sign-in name (user@fabrikam.com)
Tracking these attributes in Azure AD can help you troubleshoot whether or not a partner user has redeemed
their B2B collaboration invitation.
Related articles
Browse our other articles on Azure AD B2B collaboration:
What is Azure AD B2B collaboration?
How it works
Detailed walkthrough
CSV file format reference
External user token format
Current preview limitations
Article Index for Application Management in Azure Active Directory
Azure AD B2B collaboration preview: External user
token format
1/17/2017 1 min to read Edit on GitHub
The claims for a standard Azure AD token are described in the Supported Token and Claim Types article on
azure.microsoft.com.
The claims that are different for an authenticated B2B collaboration external user are as follows:
OID: the object ID from the resource tenant
TID: tenant ID from the resource tenant
Issuer: this is the resource tenant
IDP: this is the home tenant of the user
AltSecId: this is the alternative security ID, which is opaque to you
Related articles
Browse our other articles on Azure AD B2B collaboration:
What is Azure AD B2B collaboration?
How it works
Detailed walkthrough
CSV file format reference
External user object attribute changes
Current preview limitations
Article Index for Application Management in Azure Active Directory
Integrating your on-premises identities with Azure
Active Directory
1/17/2017 7 min to read Edit on GitHub
Azure AD Connect will integrate your on-premises directories with Azure Active Directory. This allows you to
provide a common identity for your users for Office 365, Azure, and SaaS applications integrated with Azure AD.
This topic will guide you through the planning, deployment, and operation steps. It is a collection of links to the
topics related to this area.
IMPORTANT
Azure AD Connect is the best way to connect your on-premises directory with Azure AD and Office 365. This is a great time
to upgrade to Azure AD Connect from Windows Azure Active Directory Sync (DirSync) or Azure AD Sync as these tools are
now deprecated and will reach end of support on April 13, 2017.
SOLUTION SCENARIO
Before you start - Hardware and prerequisites Steps to complete before you start to install Azure AD
Connect.
Express settings If you have a single forest AD then this is the recommended
option to use.
User sign in with the same password using password
synchronization.
Customized settings Used when you have multiple forests. Supports many on-
premises topologies.
Customize your sign-in option, such as ADFS for federation
or use a 3rd party identity provider.
Customize synchronization features, such as filtering and
writeback.
Upgrade from DirSync Used when you have an existing DirSync server already
running.
Upgrade from Azure AD Sync or Azure AD Connect There are several different methods depending on your
preference.
After installation you should verify it is working as expected and assign licenses to the users.
Next steps to Install Azure AD Connect
TOPIC LINK
TOPIC LINK
Accounts used for installation More about Azure AD Connect credentials and permissions
Understanding the default configuration Azure AD Connect sync: Understanding the default
configuration
Understanding users and contacts Azure AD Connect sync: Understanding Users and Contacts
Change the default configuration Best practices for changing the default configuration
Configure federation features
ADFS can be configured to support multiple domains. For example you might have multiple top domains you need
to use for federation.
if your ADFS server has not been configured to automatically update certificates from Azure AD or if you use a non-
ADFS solution, then you will be notified when you have to update certificates.
Next steps to configure federation features
TOPIC LINK
Configure ADFS with subdomains Multiple Domain Support for Federating with Azure AD
Manually updating federation certificates Renewing Federation Certificates for Office 365 and Azure AD
Compare DirSync, Azure ADSync, and Azure AD Connect Directory integration tools comparison
Additional Resources
Ignite 2015 presentation on extending your on-premises directories to the cloud.
Assigning administrator roles in Azure Active
Directory
1/19/2017 8 min to read Edit on GitHub
Using Azure Active Directory (Azure AD), you can designate separate administrators to serve different functions.
These administrators will have access to various features in the Azure portal or Azure classic portal and,
depending on their role, will be able to create or edit users, assign administrative roles to others, reset user
passwords, manage user licenses, and manage domains, among other things. A user who is assigned an admin
role will have the same permissions across all of the cloud services that your organization has subscribed to,
regardless of whether you assign the role in the Office 365 portal, or in the Azure classic portal, or by using the
Azure AD module for Windows PowerShell.
The following administrator roles are available:
Billing administrator: Makes purchases, manages subscriptions, manages support tickets, and monitors
service health.
Global administrator / Company Administrator: Has access to all administrative features. The person
who signs up for the Azure account becomes a global administrator. Only global administrators can
assign other administrator roles. There can be more than one global administrator at your company.
NOTE
In Microsoft Graph API, Azure AD Graph API, and Azure AD PowerShell, this role is identified as "Company
Administrator". It is "Global Administrator" in the Azure portal.
Compliance administrator: Users with this role have management permissions within in the Office 365
Security & Compliance Center and Exchange Admin Center, and access to read reports in the Office 365
Admin Center. More information at About Office 365 admin roles.
CRM service administrator: Users with this role have global permissions within Microsoft CRM Online,
when the service is present. More information at About Office 365 admin roles.
Device administrators: Users with this role become Administrators on all Windows 10 devices that are
joined to Azure Active Directory.
Directory readers: This is a legacy role that is to be assigned to applications that do not support the Consent
Framework. It should not be assigned to any users.
Directory synchronization accounts: Do not use. This role is automatically assigned to the Azure AD
Connect service, and is not intended or supported for any other use.
Directory writers: This is a legacy role that is to be assigned to applications that do not support the Consent
Framework. It should not be assigned to any users.
Exchange service administrator: Users with this role have global permissions within Microsoft Exchange
Online, when the service is present. More information at About Office 365 admin roles.
Intune service administrator: Users with this role have global permissions within Microsoft Intune Online,
when the service is present. More information at About Office 365 admin roles.
Skype for Business service administrator: Users with this role have global permissions within Microsoft
Skype for Business, when the service is present. More information at About Office 365 admin roles. This role
was referred to previously as the Lync service administrator role.
Guest inviter: Users in this role can manage guest invitations. It does not include any other permissions.
Mailbox Administrator: This role is only used as part of Exchange Online email support for RIM Blackberry
devices. If your organization does not use Exchange Online email on RIM Blackberry devices, do not use this
role.
Partner Tier 1 Support: Do not use. This role has been deprecated and will be removed from Azure AD in
the future. This role is intended for use by a small number of Microsoft resale partners, and is not intended
for general use.
Partner Tier 2 Support: Do not use. This role has been deprecated and will be removed from Azure AD in
the future. This role is intended for use by a small number of Microsoft resale partners, and is not intended
for general use.
Password administrator/Helpdesk administrator: Resets passwords, manages service requests, and
monitors service health. Password administrators can reset passwords only for users and other password
administrators.
NOTE
In Microsoft Graph API, Azure AD Graph API and Azure AD PowerShell, this role is identified as "Helpdesk
Administrator".
SharePoint service administrator: Users with this role have global permissions within Microsoft
SharePoint Online, when the service is present. More information at About Office 365 admin roles.
Service administrator: Manages service requests and monitors service health.
NOTE
To assign the service administrator role to a user, the global administrator must first assign administrative
permissions to the user in the service, such as Exchange Online, and then assign the service administrator role to
the user in the Azure classic portal.
User account administrator: Resets passwords, monitors service health, and manages user accounts, user
groups, and service requests. Some limitations apply to the permissions of a user management
administrator. For example, they cannot delete a global administrator or create other administrators. Also,
they cannot reset passwords for billing, global, and service administrators.
Security reader: Read-only access to a number of security features of Identity Protection Center, Privileged
Identity Management, Monitor Office 365 Service Health, and Office 365 Security & Compliance Center.
Security administrator: All of the read-only permissions of the Security reader role, plus a number of
additional administrative permissions for the same services: Identity Protection Center, Privileged Identity
Management, Monitor Office 365 Service Health, and Office 365 Security & Compliance Center.
Administrator permissions
Billing administrator
CAN DO CANNOT DO
CAN DO CANNOT DO
Global administrator
CAN DO CANNOT DO
Password administrator
CAN DO CANNOT DO
CAN DO CANNOT DO
View company and user information Perform billing and purchasing operations for Office
products
Manage Office support tickets
Create and manage user views
Reset user passwords
Create, edit, and delete users and groups, and manage
user licenses
Manage domains
Manage company information
Delegate administrative roles to others
Use directory synchronization
View reports
Service administrator
CAN DO CANNOT DO
User administrator
CAN DO CANNOT DO
View company and user information Perform billing and purchasing operations for Office
products
Manage Office support tickets
Manage domains
Reset user passwords, with limitations. He or she cannot
reset passwords for billing, global, and service Manage company information
administrators.
Delegate administrative roles to others
Create and manage user views
Use directory synchronization
Create, edit, and delete users and groups, and manage
user licenses, with limitations. He or she cannot delete a Enable or disable multi-factor authentication
global administrator or create other administrators. View reports
Security Reader
IN CAN DO
Identity Protection Center Read all security reports and settings information for security
features
Anti-spam
Encryption
Data loss prevention
Anti-malware
Advanced threat protection
Anti-phishing
Mailflow rules
Privileged Identity Management Has read-only access to all information surfaced in Azure
AD PIM: Policies and reports for Azure AD role
assignments, security reviews and in the future read
access to policy data and reports for scenarios besides
Azure AD role assignment.
Cannot sign up for Azure AD PIM or make any changes
to it. In PIM's portal or via PowerShell, someone in this
role can activate additional roles (for example, Global
Admin or Privileged Role Administrator), if the user is a
candidate for them.
Security Administrator
IN CAN DO
Monitor Office 365 Service Health All permissions of the Security Reader role.
Can configure all settings in the Advanced Threat
Office 365 Security & Compliance Center Protection feature (malware & virus protection,
malicious URL config, URL tracing, etc.).
Next steps
To learn more about how to change administrators for an Azure subscription, see How to add or change
Azure administrator roles
To learn more about how resource access is controlled in Microsoft Azure, see Understanding resource
access in Azure
For more information on how Azure Active Directory relates to your Azure subscription, see How Azure
subscriptions are associated with Azure Active Directory
Manage users
Manage passwords
Manage groups
Assign a user to administrator roles in Azure Active
Directory preview
1/17/2017 1 min to read Edit on GitHub
This article explains how to assign an administrative role to a user in Azure Active Directory (Azure AD) preview.
What's in the preview? For information about adding new users in your organization, see Add new users to Azure
Active Directory. Added users don't have administrator permissions by default, but you can assign roles to them
at any time.
What's next
Add a user
Reset a user's password in the new Azure portal
Change a user's work information
Manage user profiles
Delete a user in your Azure AD
Administrative units management in Azure AD -
Public Preview
1/17/2017 1 min to read Edit on GitHub
This article describes administrative units a new Azure Active Directory container of resources that can be used
for delegating administrative permissions over subsets of users and applying policies to a subset of users. In Azure
Active Directory, administrative units enable central administrators to delegate permissions to regional
administrators or to set policy at a granular level.
This is useful in organizations with independent divisions, for example, a large university that is made up of many
autonomous schools (Business school, Engineering school, and so on) which are independent from each other.
Such divisions have their own IT administrators who control access, manage users, and set policies specifically for
their division. Central administrators want to be able grant these divisional administrators permissions over the
users in their particular divisions. More specifically, using this example, a central administrator can, for instance,
create an administrative unit for a particular school (Business school) and populate it with only the Business school
users. Then a central administrator can add the Business school IT staff to a scoped role, in other words, grant the IT
staff of Business school administrative permissions only over the Business school administrative unit.
IMPORTANT
You can create and use administrative units only if you enable Azure Active Directory Premium. For more information, see
Getting started with Azure AD Premium.
From the central administrators point of view, an administrative unit is a directory object that can be created and
populated with resources. In this release, these resources can be only users. Once created and populated, the
administrative unit can be used as a scope to restrict the granted permission only over resources contained in the
administrative unit.
Next steps
Azure Active Directory editions
Understanding resource access in Azure
1/17/2017 3 min to read Edit on GitHub
NOTE
This topic explains concepts about using subscription administrators to control resource access in the full Azure portal. As an
alternative, the Azure Preview portal provides role-based access control so Azure resources can be managed more precisely.
In October 2013, the Azure classic portal and Service Management APIs were integrated with Azure Active
Directory in order to lay the groundwork for improving the user experience for managing access to Azure
resources. Azure Active Directory already provides great capabilities such as user management, on-premises
directory sync, multi-factor authentication, and application access control. Naturally, these should also be made
available for managing Azure resources across-the-board.
Access control in Azure starts from a billing perspective. The owner of an Azure account, accessed by visiting the
Azure Accounts Center, is the Account Administrator (AA). Subscriptions are a container for billing, but they also
act as a security boundary: each subscription has a Service Administrator (SA) who can add, remove, and modify
Azure resources in that subscription by using the Azure classic portal. The default SA of a new subscription is the
AA, but the AA can change the SA in the Azure Accounts Center.
Subscriptions also have an association with a directory. The directory defines a set of users. These can be users
from the work or school that created the directory or they can be external users (that is, Microsoft Accounts).
Subscriptions are accessible by a subset of those directory users who have been assigned as either Service
Administrator (SA) or Co-Administrator (CA); the only exception is that, for legacy reasons, Microsoft Accounts
(formerly Windows Live ID) can be assigned as SA or CA without being present in the directory.
Functionality within the Azure classic portal enables SAs that are signed in using a Microsoft Account to change
the directory that a subscription is associated with by using the Edit Directory command on the Subscriptions
page in Settings. Note that this operation has implications on the access control of that subscription.
NOTE
The Edit Directory command in the Azure classic portal is not available to users who are signed in using a work or school
account because those accounts can sign in only to the directory to which they belong.
In the simple case, an organization (such as Contoso) will enforce billing and access control across the same set of
subscriptions. That is, the directory is associated to subscriptions that are owned by a single Azure Account. Upon
successful login to the Azure classic portal, users see two collections of resources (depicted in orange in the
previous illustration):
Directories where their user account exists (sourced or added as a foreign principal). Note that the directory
used for login isnt relevant to this computation, so your directories will always be shown regardless of where
you logged in.
Resources that are part of subscriptions that are associated with the directory used for login AND which the
user can access (where they are an SA or CA).
Users with subscriptions across multiple directories have the ability to switch the current context of the Azure
classic portal by using the subscription filter. Under the covers, this results in a separate login to a different
directory, but this is accomplished seamlessly using single sign-on (SSO).
Operations such as moving resources between subscriptions can be more difficult as a result of this single
directory view of subscriptions. To perform the resource transfer, it may be necessary to first use the Edit
Directory command on the Subscriptions page in Settings to associate the subscriptions to the same directory.
Next Steps
To learn more about how to change administrators for an Azure subscription, see How to add or change Azure
administrator roles
For more information on how Azure Active Directory relates to your Azure subscription, see How Azure
subscriptions are associated with Azure Active Directory
For more information on how to assign roles in Azure AD, see Assigning administrator roles in Azure Active
Directory
Get started with access management in the Azure
portal
1/24/2017 3 min to read Edit on GitHub
Security-oriented companies should focus on giving employees the exact permissions they need. Too many
permissions exposes an account to attackers. Too few permissions means that employees can't get their work done
efficiently. Azure Role-Based Access Control (RBAC) helps address this problem by offering fine-grained access
management for Azure.
Using RBAC, you can segregate duties within your team and grant only the amount of access to users that they
need to perform their jobs. Instead of giving everybody unrestricted permissions in your Azure subscription or
resources, you can allow only certain actions. For example, use RBAC to let one employee manage virtual machines
in a subscription, while another can manage SQL databases within the same subscription.
The RBAC role that you assign dictates what resources the user, group, or application can manage within that
scope.
Built-in roles
Azure RBAC has three basic roles that apply to all resource types:
Owner has full access to all resources including the right to delegate access to others.
Contributor can create and manage all types of Azure resources but cant grant access to others.
Reader can view existing Azure resources.
The rest of the RBAC roles in Azure allow management of specific Azure resources. For example, the Virtual
Machine Contributor role allows the user to create and manage virtual machines. It does not give them access to
the virtual network or the subnet that the virtual machine connects to.
RBAC built-in roles lists the roles available in Azure. It specifies the operations and scope that each built-in role
grants to users. If you're looking to define your own roles for even more control, see how to build Custom roles in
Azure RBAC.
Next Steps
Get started with Role-Based Access Control in the Azure portal.
See the RBAC built-in roles
Define your own Custom roles in Azure RBAC
View access assignments for users and groups in the
Azure portal - Public preview
1/17/2017 2 min to read Edit on GitHub
With Role-Based Access Control (RBAC) in the Azure Active Directory preview, you can manage access to your
Azure resources. What's in the preview?
Access assigned with RBAC is fine-grained because there are two ways you can restrict the permissions:
Scope: RBAC role assignments are scoped to a specific subscription, resource group, or resource. A user given
access to a single resource cannot access any other resources in the same subscription.
Role: Within the scope of the assignment, access is narrowed even further by assigning a role. Roles can be
high-level, like owner, or specific, like virtual machine reader.
Roles can only be assigned from within the subscription, resource group, or resource that is the scope for the
assignment. But you can view all the access assignments for a given user or group in a single place.
Get more information about how to Use role assignments to manage access to your Azure subscription resources.
Related topics
Get started with Role-Based Access Control to Use role assignments to manage access to your Azure
subscription resources
See the RBAC built-in roles
Use role assignments to manage access to your
Azure subscription resources
1/17/2017 2 min to read Edit on GitHub
Azure Role-Based Access Control (RBAC) enables fine-grained access management for Azure. Using RBAC, you
can grant only the amount of access that users need to perform their jobs. This article helps you get up and
running with RBAC in the Azure portal. If you want more details about how RBAC helps you manage access, see
What is Role-Based Access Control.
View access
You can see who has access to a resource, resource group, or subscription from its main blade in the Azure
portal. For example, we want to see who has access to one of our resource groups:
1. Select Resource groups in the navigation bar on the left.
2. Select the name of the resource group from the Resource groups blade.
3. Select Access control (IAM) from the left menu.
4. The Access control blade lists all users, groups, and applications that have been granted access to the
resource group.
Notice that some users were Assigned access while others Inherited it. Access is either assigned specifically to
the resource group or inherited from an assignment to the parent subscription.
NOTE
Classic subscription admins and co-admins are considered owners of the subscription in the new RBAC model.
Add Access
You grant access from within the resource, resource group, or subscription that is the scope of the role
assignment.
1. Select Add on the Access control blade.
2. Select the role that you wish to assign from the Select a role blade.
3. Select the user, group, or application in your directory that you wish to grant access to. You can search
the directory with display names, email addresses, and object identifiers.
4. Select OK to create the assignment. The Adding user popup tracks the progress.
After successfully adding a role assignment, it will appear on the Users blade.
Remove Access
1. Select the role assignment on the Access control blade.
2. Select Remove in the assignment details blade.
3. Select yes to confirm removal.
Inherited assignments cannot be removed. Notice in the image below that the remove button is grayed out.
Instead, look at the Assigned At detail. Go to the resource listed there to remove the role assignment.
Next Steps
Create an access change history report
See the RBAC built-in roles
Define your own Custom roles in Azure RBAC
RBAC: Built-in roles
1/24/2017 13 min to read Edit on GitHub
Azure Role-Based Access Control (RBAC) comes with the following built-in roles that can be assigned to users,
groups, and services. You cant modify the definitions of built-in roles. However, you can create Custom roles in
Azure RBAC to fit the specific needs of your organization.
Roles in Azure
The following table provides brief descriptions of the built-in roles. Click the role name to see the detailed list of
actions and notactions for the role. The actions property specifies the allowed actions on Azure resources.
Action strings can use wildcard characters. The notactions property specifies the actions that are excluded from
the allowed actions.
NOTE
The Azure role definitions are constantly evolving. This article is kept as up to date as possible, but you can always find the
latest roles definitions in Azure PowerShell. Use the cmdlets (get-azurermroledefinition "<role name>").actions or
(get-azurermroledefinition "<role name>").notactions as applicable.
Data Factory Contributor Can create and manage data factories, and child resources
within them.
DevTest Labs User Can view everything and connect, start, restart, and
shutdown virtual machines
New Relic APM Account Contributor Can manage New Relic Application Performance Management
accounts and applications
SQL DB Contributor Can manage SQL databases, but not their security-related
policies
SQL Security Manager Can manage the security-related policies of SQL servers and
databases
SQL Server Contributor Can manage SQL servers and databases, but not their
security-related policies
Classic Virtual Machine Contributor Can manage classic virtual machines, but not the virtual
network or storage account to which they are connected
Virtual Machine Contributor Can manage virtual machines, but not the virtual network or
storage account to which they are connected
Classic Network Contributor Can manage classic virtual networks and reserved IPs
Website Contributor Can manage websites, but not the web plans to which they
are connected
Role permissions
The following tables describe the specific permissions given to each role. This can include Actions, which give
permissions, and NotActions, which restrict them.
API Management Service Contributor
Can manage API Management services
ACTIONS
ACTIONS
Automation Operator
Able to start, stop, suspend, and resume jobs
ACTIONS
BizTalk Contributor
Can manage BizTalk services
ACTIONS
ACTIONS
Contributor
Can manage everything except access
ACTIONS
NOTACTIONS
ACTIONS
Microsoft.DataFactory/dataFactories/* Create and manage data factories, and child resources within
them.
ACTIONS
ACTIONS
ACTIONS
Network Contributor
Can manage all network resources
ACTIONS
ACTIONS
Owner
Can manage everything, including access
ACTIONS
Reader
Can view everything, but can't make changes
ACTIONS
ACTIONS
ACTIONS
ACTIONS
Security Manager
Can manage security components, security policies, and virtual machines
ACTIONS
SQL DB Contributor
Can manage SQL databases but not their security-related policies
ACTIONS
NOTACTIONS
ACTIONS
ACTIONS
NOTACTIONS
ACTIONS
ACTIONS
ACTIONS
ACTIONS
ACTIONS
ACTIONS
ACTIONS
Website Contributor
Can manage websites but not the web plans to which they are connected
ACTIONS
Microsoft.Web/sites/* Create and manage websites (site creation also requires write
permissions to the associated App Service Plan)
See also
Role-Based Access Control: Get started with RBAC in the Azure portal.
Custom roles in Azure RBAC: Learn how to create custom roles to fit your access needs.
Create an access change history report: Keep track of changing role assignments in RBAC.
Role-Based Access Control troubleshooting: Get suggestions for fixing common issues.
Custom Roles in Azure RBAC
1/24/2017 3 min to read Edit on GitHub
Create a custom role in Azure Role-Based Access Control (RBAC) if none of the built-in roles meet your specific
access needs. Custom roles can be created using Azure PowerShell, Azure Command-Line Interface (CLI), and the
REST API. Just like built-in roles, custom roles can be assigned to users, groups, and applications at subscription,
resource group, and resource scopes. Custom roles are stored in an Azure AD tenant and can be shared across all
subscriptions that use that tenant as the Azure AD directory for the subsciption.
The following is an example of a custom role for monitoring and restarting virtual machines:
{
"Name": "Virtual Machine Operator",
"Id": "cadb4a5a-4e7a-47be-84db-05cad13b6769",
"IsCustom": true,
"Description": "Can monitor and restart virtual machines.",
"Actions": [
"Microsoft.Storage/*/read",
"Microsoft.Network/*/read",
"Microsoft.Compute/*/read",
"Microsoft.Compute/virtualMachines/start/action",
"Microsoft.Compute/virtualMachines/restart/action",
"Microsoft.Authorization/*/read",
"Microsoft.Resources/subscriptions/resourceGroups/read",
"Microsoft.Insights/alertRules/*",
"Microsoft.Insights/diagnosticSettings/*",
"Microsoft.Support/*"
],
"NotActions": [
],
"AssignableScopes": [
"/subscriptions/c276fc76-9cd4-44c9-99a7-4fd71546436e",
"/subscriptions/e91d47c4-76f3-4271-a796-21b4ecfe3624",
"/subscriptions/34370e90-ac4a-4bf9-821f-85eeedeae1a2"
]
}
Actions
The Actions property of a custom role specifies the Azure operations to which the role grants access. It is a
collection of operation strings that identify securable operations of Azure resource providers. Operation strings
that contain wildcards (*) grant access to all operations that match the operation string. For instance:
*/read grants access to read operations for all resource types of all Azure resource providers.
Microsoft.Network/*/read grants access to read operations for all resource types in the Microsoft.Network
resource provider of Azure.
Microsoft.Compute/virtualMachines/* grants access to all operations of virtual machines and its child resource
types.
Microsoft.Web/sites/restart/Action grants access to restart websites.
Use Get-AzureRmProviderOperation (in PowerShell) or azure provider operations show (in Azure CLI) to list
operations of Azure resource providers. You may also use these commands to verify that an operation string is
valid, and to expand wildcard operation strings.
Get-AzureRMProviderOperation Microsoft.Compute/virtualMachines/*/action | FT Operation, OperationName
Get-AzureRMProviderOperation Microsoft.Network/*
NotActions
Use the NotActions property if the set of operations that you wish to allow is more easily defined by excluding
restricted operations. The access granted by a custom role is computed by subtracting the NotActions operations
from the Actions operations.
NOTE
If a user is assigned a role that excludes an operation in NotActions, and is assigned a second role that grants access to the
same operation, the user will be allowed to perform that operation. NotActions is not a deny rule it is simply a convenient
way to create a set of allowed operations when specific operations need to be excluded.
AssignableScopes
The AssignableScopes property of the custom role specifies the scopes (subscriptions, resource groups, or
resources) within which the custom role is available for assignment. You can make the custom role available for
assignment in only the subscriptions or resource groups that require it, and not clutter user experience for the rest
of the subscriptions or resource groups.
Examples of valid assignable scopes include:
/subscriptions/c276fc76-9cd4-44c9-99a7-4fd71546436e, /subscriptions/e91d47c4-76f3-4271-a796-
21b4ecfe3624 - makes the role available for assignment in two subscriptions.
/subscriptions/c276fc76-9cd4-44c9-99a7-4fd71546436e - makes the role available for assignment in a
single subscription.
/subscriptions/c276fc76-9cd4-44c9-99a7-4fd71546436e/resourceGroups/Network - makes the role
available for assignment only in the Network resource group.
NOTE
You must use at least one subscription, resource group, or resource ID.
See also
Role Based Access Control: Get started with RBAC in the Azure portal.
Learn how to manage access with:
PowerShell
Azure CLI
REST API
Built-in roles: Get details about the roles that come standard in RBAC.
Create an access change history report
1/17/2017 1 min to read Edit on GitHub
Any time someone grants or revokes access within your subscriptions, the changes get logged in Azure events. You
can create access change history reports to see all changes for the past 90 days.
PROPERTY DESCRIPTION
This example command lists all access changes in the subscription for the past seven days:
Export to a spreadsheet
To save the report, or manipulate the data, export the access changes into a .csv file. You can then view the report
in a spreadsheet for review.
See also
Get started with Azure Role-Based Access Control
Work with Custom roles in Azure RBAC
Manage Role-Based Access Control with the Azure
command-line interface
1/17/2017 4 min to read Edit on GitHub
You can use Role-Based Access Control (RBAC) in the Azure portal and Azure Resource Manager API to manage
access to your subscription and resources at a fine-grained level. With this feature, you can grant access for Active
Directory users, groups, or service principals by assigning some roles to them at a particular scope.
Before you can use the Azure command-line interface (CLI) to manage RBAC, you must have the following:
Azure CLI version 0.8.8 or later. To install the latest version and associate it with your Azure subscription, see
Install and Configure the Azure CLI.
Azure Resource Manager in Azure CLI. Go to Using the Azure CLI with the Resource Manager for more details.
List roles
List all available roles
To list all available roles, use:
The following example shows the actions of the Contributor and Virtual Machine Contributor roles.
List access
List role assignments effective on a resource group
To list the role assignments that exist in a resource group, use:
The following example shows the role assignments in the pharma-sales-projecforcast group.
You can also see role assignments that are inherited from groups by modifying the command:
The following example shows the role assignments that are granted to the sameert@aaddemo.com user. This
includes roles that are assigned directly to the user and roles that are inherited from groups.
azure role assignment create --objectId <group object id> --roleName <name of role> --subscription
<subscription> --scope <subscription/subscription id>
The following example assigns the Reader role to Christine Koch's Team at the subscription scope.
Assign a role to an application at the subscription scope
To assign a role to an application at the subscription scope, use:
azure role assignment create --objectId <applications object id> --roleName <name of role> --subscription
<subscription> --scope <subscription/subscription id>
The following example grants the Contributor role to an Azure AD application on the selected subscription.
azure role assignment create --signInName <user email address> --roleName "<name of role>" --resourceGroup
<resource group name>
The following example grants the Virtual Machine Contributor role to samert@aaddemo.com user at the Pharma-
Sales-ProjectForcast resource group scope.
Assign a role to a group at the resource scope
To assign a role to a group at the resource scope, use:
azure role assignment create --objectId <group id> --role "<name of role>" --resource-name <resource group
name> --resource-type <resource group type> --parent <resource group parent> --resource-group <resource
group>
The following example grants the Virtual Machine Contributor role to an Azure AD group on a subnet.
Remove access
To remove a role assignment, use:
azure role assignment delete --objectId <object id to from which to remove role> --roleName "<role name>"
The following example removes the Virtual Machine Contributor role assignment from the
sammert@aaddemo.com user on the Pharma-Sales-ProjectForcast resource group. The example then removes
the role assignment from a group on the subscription.
The following example creates a custom role called Virtual Machine Operator. The custom role grants access to all
read operations of Microsoft.Compute, Microsoft.Storage, and Microsoft.Network resource providers and grants
access to start, restart, and monitor virtual machines. The custom role can be used in two subscriptions. This
example uses a JSON file as an input.
Modify a custom role
To modify a custom role, first use the azure role show command to retrieve role definition. Second, make the
desired changes to the role definition file. Finally, use azure role set to save the modified role definition.
The following example adds the Microsoft.Insights/diagnosticSettings/ operation to the Actions, and an Azure
subscription to the AssignableScopes of the Virtual Machine Operator custom role.
Delete a custom role
To delete a custom role, first use the azure role show command to determine the ID of the role. Then, use the
azure role delete command to delete the role by specifying the ID.
The following example removes the Virtual Machine Operator custom role.
azure role list --json | jq '.[] | if .properties.type == "CustomRole" then .properties.roleName else empty
end'
RBAC Topics
Role Based Access Control
Manage access using Azure Powershell
Manage access using the Azure CLI
RBAC Built in Roles
Manage Role-Based Access Control with Azure
PowerShell
1/17/2017 6 min to read Edit on GitHub
You can use Role-Based Access Control (RBAC) in the Azure portal and Azure Resource Management API to
manage access to your subscription at a fine-grained level. With this feature, you can grant access for Active
Directory users, groups, or service principals by assigning some roles to them at a particular scope.
Before you can use PowerShell to manage RBAC, you must have the following:
Azure PowerShell version 0.8.8 or later. To install the latest version and associate it with your Azure
subscription, see How to install and configure Azure PowerShell.
Azure Resource Manager cmdlets. Install the Azure Resource Manager cmdlets in PowerShell.
List roles
List all available roles
To list RBAC roles that are available for assignment and to inspect the operations to which they grant access, use
Get-AzureRmRoleDefinition .
Get-AzureRmRoleAssignment -IncludeClassicAdministrators
Grant access
Search for object IDs
To assign a role, you need to identify both the object (user, group, or application) and the scope.
If you don't know the subscription ID, you can find it in the Subscriptions blade on the Azure portal. To learn how
to query for the subscription ID, see Get-AzureSubscription on MSDN.
To get the object ID for an Azure AD group, use:
New-AzureRmRoleAssignment -ObjectId <application id> -RoleDefinitionName <role name> -Scope <subscription id>
Assign a role to a user at the resource group scope
To grant access to a user at the resource group scope, use:
Remove-AzureRmRoleAssignment -ObjectId <object id> -RoleDefinitionName <role name> -Scope <scope such as
subscription id>
To add the role to the subscriptions, run the following PowerShell command:
In the following example, the Virtual Machine Operator custom role isnt available in the Production4 subscription
because that subscription isnt in the AssignableScopes of the role.
See also
Using Azure PowerShell with Azure Resource Manager * Role Based Access Control * Manage access using
Azure Powershell * Manage access using the Azure CLI * RBAC Built in Roles
Managing Role-Based Access Control with the REST API
1/17/2017 10 min to read Edit on GitHub
Role-Based Access Control (RBAC) in the Azure Portal and Azure Resource Manager API helps you manage access to your subscription and
resources at a fine-grained level. With this feature, you can grant access for Active Directory users, groups, or service principals by assigning
some roles to them at a particular scope.
https://management.azure.com/{scope}/providers/Microsoft.Authorization/roleAssignments?api-version={api-version}&$filter={filter}
Within the URI, make the following substitutions to customize your request:
1. Replace {scope} with the scope for which you wish to list the role assignments. The following examples show how to specify the scope for
different levels:
Subscription: /subscriptions/{subscription-id}
Resource Group: /subscriptions/{subscription-id}/resourceGroups/myresourcegroup1
Resource: /subscriptions/{subscription-id}/resourceGroups/myresourcegroup1/providers/Microsoft.Web/sites/mysite1
2. Replace {api-version} with 2015-07-01.
3. Replace {filter} with the condition that you wish to apply to filter the role assignment list:
List role assignments for only the specified scope, not including the role assignments at subscopes: atScope()
List role assignments for a specific user, group, or application: principalId%20eq%20'{objectId of user, group, or service principal}'
List role assignments for a specific user, including ones inherited from groups | assignedTo('{objectId of user}')
Response
Status code: 200
{
"value": [
{
"properties": {
"roleDefinitionId": "/subscriptions/c276fc76-9cd4-44c9-99a7-4fd71546436e/providers/Microsoft.Authorization/roleDefinitions/acdd72a7-
3385-48ef-bd42-f606fba81ae7",
"principalId": "2f9d4375-cbf1-48e8-83c9-2a0be4cb33fb",
"scope": "/subscriptions/c276fc76-9cd4-44c9-99a7-4fd71546436e",
"createdOn": "2015-10-08T07:28:24.3905077Z",
"updatedOn": "2015-10-08T07:28:24.3905077Z",
"createdBy": "877f0ab8-9c5f-420b-bf88-a1c6c7e2643e",
"updatedBy": "877f0ab8-9c5f-420b-bf88-a1c6c7e2643e"
},
"id": "/subscriptions/c276fc76-9cd4-44c9-99a7-4fd71546436e/providers/Microsoft.Authorization/roleAssignments/baa6e199-ad19-4667-b768-
623fde31aedd",
"type": "Microsoft.Authorization/roleAssignments",
"name": "baa6e199-ad19-4667-b768-623fde31aedd"
}
],
"nextLink": null
}
https://management.azure.com/{scope}/providers/Microsoft.Authorization/roleAssignments/{role-assignment-id}?api-version={api-version}
Within the URI, make the following substitutions to customize your request:
1. Replace {scope} with the scope for which you wish to list the role assignments. The following examples show how to specify the scope for
different levels:
Subscription: /subscriptions/{subscription-id}
Resource Group: /subscriptions/{subscription-id}/resourceGroups/myresourcegroup1
Resource: /subscriptions/{subscription-id}/resourceGroups/myresourcegroup1/providers/Microsoft.Web/sites/mysite1
2. Replace {role-assignment-id} with the GUID identifier of the role assignment.
3. Replace {api-version} with 2015-07-01.
Response
Status code: 200
{
"properties": {
"roleDefinitionId": "/subscriptions/c276fc76-9cd4-44c9-99a7-4fd71546436e/providers/Microsoft.Authorization/roleDefinitions/b24988ac-
6180-42a0-ab88-20f7382dd24c",
"principalId": "672f1afa-526a-4ef6-819c-975c7cd79022",
"scope": "/subscriptions/c276fc76-9cd4-44c9-99a7-4fd71546436e",
"createdOn": "2015-10-05T08:36:26.4014813Z",
"updatedOn": "2015-10-05T08:36:26.4014813Z",
"createdBy": "877f0ab8-9c5f-420b-bf88-a1c6c7e2643e",
"updatedBy": "877f0ab8-9c5f-420b-bf88-a1c6c7e2643e"
},
"id": "/subscriptions/c276fc76-9cd4-44c9-99a7-4fd71546436e/providers/Microsoft.Authorization/roleAssignments/196965ae-6088-4121-a92a-
f1e33fdcc73e",
"type": "Microsoft.Authorization/roleAssignments",
"name": "196965ae-6088-4121-a92a-f1e33fdcc73e"
}
https://management.azure.com/{scope}/providers/Microsoft.Authorization/roleAssignments/{role-assignment-id}?api-version={api-version}
Within the URI, make the following substitutions to customize your request:
1. Replace {scope} with the scope at which you wish to create the role assignments. When you create a role assignment at a parent scope, all
child scopes inherit the same role assignment. The following examples show how to specify the scope for different levels:
Subscription: /subscriptions/{subscription-id}
Resource Group: /subscriptions/{subscription-id}/resourceGroups/myresourcegroup1
Resource: /subscriptions/{subscription-id}/resourceGroups/myresourcegroup1/providers/Microsoft.Web/sites/mysite1
2. Replace {role-assignment-id} with a new GUID, which becomes the GUID identifier of the new role assignment.
3. Replace {api-version} with 2015-07-01.
For the request body, provide the values in the following format:
{
"properties": {
"roleDefinitionId": "/subscriptions/c276fc76-9cd4-44c9-99a7-
4fd71546436e/resourceGroups/Network/providers/Microsoft.Network/virtualNetworks/EASTUS-VNET-01/subnets/Devices-Engineering-
ProjectRND/providers/Microsoft.Authorization/roleDefinitions/9980e02c-c2be-4d73-94e8-173b1dc7cf3c",
"principalId": "5ac84765-1c8c-4994-94b2-629461bd191b"
}
}
ELEMENT NAME REQUIRED TYPE DESCRIPTION
Response
Status code: 201
{
"properties": {
"roleDefinitionId": "/subscriptions/c276fc76-9cd4-44c9-99a7-4fd71546436e/providers/Microsoft.Authorization/roleDefinitions/9980e02c-
c2be-4d73-94e8-173b1dc7cf3c",
"principalId": "5ac84765-1c8c-4994-94b2-629461bd191b",
"scope": "/subscriptions/c276fc76-9cd4-44c9-99a7-4fd71546436e/resourceGroups/Network/providers/Microsoft.Network/virtualNetworks/EASTUS-
VNET-01/subnets/Devices-Engineering-ProjectRND",
"createdOn": "2015-12-16T00:27:19.6447515Z",
"updatedOn": "2015-12-16T00:27:19.6447515Z",
"createdBy": null,
"updatedBy": "877f0ab8-9c5f-420b-bf88-a1c6c7e2643e"
},
"id": "/subscriptions/c276fc76-9cd4-44c9-99a7-4fd71546436e/resourceGroups/Network/providers/Microsoft.Network/virtualNetworks/EASTUS-VNET-
01/subnets/Devices-Engineering-ProjectRND/providers/Microsoft.Authorization/roleAssignments/2e9e86c8-0e91-4958-b21f-20f51f27bab2",
"type": "Microsoft.Authorization/roleAssignments",
"name": "2e9e86c8-0e91-4958-b21f-20f51f27bab2"
}
https://management.azure.com/{scope}/providers/Microsoft.Authorization/roleAssignments/{role-assignment-id}?api-version={api-version}
Within the URI, make the following substitutions to customize your request:
1. Replace {scope} with the scope at which you wish to create the role assignments. The following examples show how to specify the scope
for different levels:
Subscription: /subscriptions/{subscription-id}
Resource Group: /subscriptions/{subscription-id}/resourceGroups/myresourcegroup1
Resource: /subscriptions/{subscription-id}/resourceGroups/myresourcegroup1/providers/Microsoft.Web/sites/mysite1
2. Replace {role-assignment-id} with the role assignment id GUID.
3. Replace {api-version} with 2015-07-01.
Response
Status code: 200
{
"properties": {
"roleDefinitionId": "/subscriptions/c276fc76-9cd4-44c9-99a7-4fd71546436e/providers/Microsoft.Authorization/roleDefinitions/9980e02c-
c2be-4d73-94e8-173b1dc7cf3c",
"principalId": "5ac84765-1c8c-4994-94b2-629461bd191b",
"scope": "/subscriptions/c276fc76-9cd4-44c9-99a7-4fd71546436e/resourceGroups/Network/providers/Microsoft.Network/virtualNetworks/EASTUS-
VNET-01/subnets/Devices-Engineering-ProjectRND",
"createdOn": "2015-12-17T23:21:40.8921564Z",
"updatedOn": "2015-12-17T23:21:40.8921564Z",
"createdBy": "877f0ab8-9c5f-420b-bf88-a1c6c7e2643e",
"updatedBy": "877f0ab8-9c5f-420b-bf88-a1c6c7e2643e"
},
"id": "/subscriptions/c276fc76-9cd4-44c9-99a7-4fd71546436e/resourceGroups/Network/providers/Microsoft.Network/virtualNetworks/EASTUS-VNET-
01/subnets/Devices-Engineering-ProjectRND/providers/Microsoft.Authorization/roleAssignments/5eec22ee-ea5c-431e-8f41-82c560706fd2",
"type": "Microsoft.Authorization/roleAssignments",
"name": "5eec22ee-ea5c-431e-8f41-82c560706fd2"
}
https://management.azure.com/{scope}/providers/Microsoft.Authorization/roleDefinitions?api-version={api-version}&$filter={filter}
Within the URI, make the following substitutions to customize your request:
1. Replace {scope} with the scope for which you wish to list the roles. The following examples show how to specify the scope for different
levels:
Subscription: /subscriptions/{subscription-id}
Resource Group: /subscriptions/{subscription-id}/resourceGroups/myresourcegroup1
Resource /subscriptions/{subscription-id}/resourceGroups/myresourcegroup1/providers/Microsoft.Web/sites/mysite1
2. Replace {api-version} with 2015-07-01.
3. Replace {filter} with the condition that you wish to apply to filter the list of roles:
List roles available for assignment at the specified scope and any of its child scopes: atScopeAndBelow()
Search for a role using exact display name: roleName%20eq%20'{role-display-name}' . Use the URL encoded form of the exact display
name of the role. For instance, $filter=roleName%20eq%20'Virtual%20Machine%20Contributor' |
Response
Status code: 200
{
"value": [
{
"properties": {
"roleName": "Virtual Machine Contributor",
"type": "BuiltInRole",
"description": "Lets you manage virtual machines, but not access to them, and not the virtual network or storage account
they\u2019re connected to.",
"assignableScopes": [
"/"
],
"permissions": [
{
"actions": [
"Microsoft.Authorization/*/read",
"Microsoft.Compute/availabilitySets/*",
"Microsoft.Compute/locations/*",
"Microsoft.Compute/virtualMachines/*",
"Microsoft.Compute/virtualMachineScaleSets/*",
"Microsoft.Insights/alertRules/*",
"Microsoft.Network/applicationGateways/backendAddressPools/join/action",
"Microsoft.Network/loadBalancers/backendAddressPools/join/action",
"Microsoft.Network/loadBalancers/inboundNatPools/join/action",
"Microsoft.Network/loadBalancers/inboundNatRules/join/action",
"Microsoft.Network/loadBalancers/read",
"Microsoft.Network/locations/*",
"Microsoft.Network/networkInterfaces/*",
"Microsoft.Network/networkSecurityGroups/join/action",
"Microsoft.Network/networkSecurityGroups/read",
"Microsoft.Network/publicIPAddresses/join/action",
"Microsoft.Network/publicIPAddresses/read",
"Microsoft.Network/virtualNetworks/read",
"Microsoft.Network/virtualNetworks/subnets/join/action",
"Microsoft.Resources/deployments/*",
"Microsoft.Resources/subscriptions/resourceGroups/read",
"Microsoft.Storage/storageAccounts/listKeys/action",
"Microsoft.Storage/storageAccounts/read",
"Microsoft.Support/*"
],
"notActions": []
}
],
"createdOn": "2015-06-02T00:18:27.3542698Z",
"updatedOn": "2015-12-08T03:16:55.6170255Z",
"createdBy": null,
"updatedBy": null
},
"id": "/subscriptions/c276fc76-9cd4-44c9-99a7-4fd71546436e/providers/Microsoft.Authorization/roleDefinitions/9980e02c-c2be-4d73-94e8-
173b1dc7cf3c",
"type": "Microsoft.Authorization/roleDefinitions",
"name": "9980e02c-c2be-4d73-94e8-173b1dc7cf3c"
}
],
"nextLink": null
}
https://management.azure.com/{scope}/providers/Microsoft.Authorization/roleDefinitions/{role-definition-id}?api-version={api-version}
Within the URI, make the following substitutions to customize your request:
1. Replace {scope} with the scope for which you wish to list the role assignments. The following examples show how to specify the scope for
different levels:
Subscription: /subscriptions/{subscription-id}
Resource Group: /subscriptions/{subscription-id}/resourceGroups/myresourcegroup1
Resource: /subscriptions/{subscription-id}/resourceGroups/myresourcegroup1/providers/Microsoft.Web/sites/mysite1
2. Replace {role-definition-id} with the GUID identifier of the role definition.
3. Replace {api-version} with 2015-07-01.
Response
Status code: 200
{
"value": [
{
"properties": {
"roleName": "Virtual Machine Contributor",
"type": "BuiltInRole",
"description": "Lets you manage virtual machines, but not access to them, and not the virtual network or storage account
they\u2019re connected to.",
"assignableScopes": [
"/"
],
"permissions": [
{
"actions": [
"Microsoft.Authorization/*/read",
"Microsoft.Compute/availabilitySets/*",
"Microsoft.Compute/locations/*",
"Microsoft.Compute/virtualMachines/*",
"Microsoft.Compute/virtualMachineScaleSets/*",
"Microsoft.Insights/alertRules/*",
"Microsoft.Network/applicationGateways/backendAddressPools/join/action",
"Microsoft.Network/loadBalancers/backendAddressPools/join/action",
"Microsoft.Network/loadBalancers/inboundNatPools/join/action",
"Microsoft.Network/loadBalancers/inboundNatRules/join/action",
"Microsoft.Network/loadBalancers/read",
"Microsoft.Network/locations/*",
"Microsoft.Network/networkInterfaces/*",
"Microsoft.Network/networkSecurityGroups/join/action",
"Microsoft.Network/networkSecurityGroups/read",
"Microsoft.Network/publicIPAddresses/join/action",
"Microsoft.Network/publicIPAddresses/read",
"Microsoft.Network/virtualNetworks/read",
"Microsoft.Network/virtualNetworks/subnets/join/action",
"Microsoft.Resources/deployments/*",
"Microsoft.Resources/subscriptions/resourceGroups/read",
"Microsoft.Storage/storageAccounts/listKeys/action",
"Microsoft.Storage/storageAccounts/read",
"Microsoft.Support/*"
],
"notActions": []
}
],
"createdOn": "2015-06-02T00:18:27.3542698Z",
"updatedOn": "2015-12-08T03:16:55.6170255Z",
"createdBy": null,
"updatedBy": null
},
"id": "/subscriptions/c276fc76-9cd4-44c9-99a7-4fd71546436e/providers/Microsoft.Authorization/roleDefinitions/9980e02c-c2be-4d73-94e8-
173b1dc7cf3c",
"type": "Microsoft.Authorization/roleDefinitions",
"name": "9980e02c-c2be-4d73-94e8-173b1dc7cf3c"
}
],
"nextLink": null
}
https://management.azure.com/{scope}/providers/Microsoft.Authorization/roleDefinitions/{role-definition-id}?api-version={api-version}
Within the URI, make the following substitutions to customize your request:
1. Replace {scope} with the first AssignableScope of the custom role. The following examples show how to specify the scope for different
levels.
Subscription: /subscriptions/{subscription-id}
Resource Group: /subscriptions/{subscription-id}/resourceGroups/myresourcegroup1
Resource: /subscriptions/{subscription-id}/resourceGroups/myresourcegroup1/providers/Microsoft.Web/sites/mysite1
2. Replace {role-definition-id} with a new GUID, which becomes the GUID identifier of the new custom role.
3. Replace {api-version} with 2015-07-01.
For the request body, provide the values in the following format:
{
"name": "7c8c8ccd-9838-4e42-b38c-60f0bbe9a9d7",
"properties": {
"roleName": "Virtual Machine Operator",
"description": "Lets you monitor virtual machines and restart them.",
"type": "CustomRole",
"permissions": [
{
"actions": [
"Microsoft.Authorization/*/read",
"Microsoft.Compute/*/read",
"Microsoft.Insights/alertRules/*",
"Microsoft.Network/*/read",
"Microsoft.Resources/subscriptions/resourceGroups/read",
"Microsoft.Storage/*/read",
"Microsoft.Support/*",
"Microsoft.Compute/virtualMachines/start/action",
"Microsoft.Compute/virtualMachines/restart/action"
],
"notActions": []
}
],
"assignableScopes": [
"/subscriptions/c276fc76-9cd4-44c9-99a7-4fd71546436e"
]
}
}
Response
Status code: 201
{
"properties": {
"roleName": "Virtual Machine Operator",
"type": "CustomRole",
"description": "Lets you monitor virtual machines and restart them.",
"assignableScopes": [
"/subscriptions/c276fc76-9cd4-44c9-99a7-4fd71546436e"
],
"permissions": [
{
"actions": [
"Microsoft.Authorization/*/read",
"Microsoft.Compute/*/read",
"Microsoft.Insights/alertRules/*",
"Microsoft.Network/*/read",
"Microsoft.Resources/subscriptions/resourceGroups/read",
"Microsoft.Storage/*/read",
"Microsoft.Support/*",
"Microsoft.Compute/virtualMachines/start/action",
"Microsoft.Compute/virtualMachines/restart/action"
],
"notActions": []
}
],
"createdOn": "2015-12-18T00:10:51.4662695Z",
"updatedOn": "2015-12-18T00:10:51.4662695Z",
"createdBy": "877f0ab8-9c5f-420b-bf88-a1c6c7e2643e",
"updatedBy": "877f0ab8-9c5f-420b-bf88-a1c6c7e2643e"
},
"id": "/subscriptions/c276fc76-9cd4-44c9-99a7-4fd71546436e/providers/Microsoft.Authorization/roleDefinitions/7c8c8ccd-9838-4e42-b38c-
60f0bbe9a9d7",
"type": "Microsoft.Authorization/roleDefinitions",
"name": "7c8c8ccd-9838-4e42-b38c-60f0bbe9a9d7"
}
https://management.azure.com/{scope}/providers/Microsoft.Authorization/roleDefinitions/{role-definition-id}?api-version={api-version}
Within the URI, make the following substitutions to customize your request:
1. Replace {scope} with the first AssignableScope of the custom role. The following examples show how to specify the scope for different
levels:
Subscription: /subscriptions/{subscription-id}
Resource Group: /subscriptions/{subscription-id}/resourceGroups/myresourcegroup1
Resource: /subscriptions/{subscription-id}/resourceGroups/myresourcegroup1/providers/Microsoft.Web/sites/mysite1
2. Replace {role-definition-id} with the GUID identifier of the custom role.
3. Replace {api-version} with 2015-07-01.
For the request body, provide the values in the following format:
{
"name": "7c8c8ccd-9838-4e42-b38c-60f0bbe9a9d7",
"properties": {
"roleName": "Virtual Machine Operator",
"description": "Lets you monitor virtual machines and restart them.",
"type": "CustomRole",
"permissions": [
{
"actions": [
"Microsoft.Authorization/*/read",
"Microsoft.Compute/*/read",
"Microsoft.Insights/alertRules/*",
"Microsoft.Network/*/read",
"Microsoft.Resources/subscriptions/resourceGroups/read",
"Microsoft.Storage/*/read",
"Microsoft.Support/*",
"Microsoft.Compute/virtualMachines/start/action",
"Microsoft.Compute/virtualMachines/restart/action"
],
"notActions": []
}
],
"assignableScopes": [
"/subscriptions/c276fc76-9cd4-44c9-99a7-4fd71546436e"
]
}
}
Response
Status code: 201
{
"properties": {
"roleName": "Virtual Machine Operator",
"type": "CustomRole",
"description": "Lets you monitor virtual machines and restart them.",
"assignableScopes": [
"/subscriptions/c276fc76-9cd4-44c9-99a7-4fd71546436e"
],
"permissions": [
{
"actions": [
"Microsoft.Authorization/*/read",
"Microsoft.Compute/*/read",
"Microsoft.Insights/alertRules/*",
"Microsoft.Network/*/read",
"Microsoft.Resources/subscriptions/resourceGroups/read",
"Microsoft.Storage/*/read",
"Microsoft.Support/*",
"Microsoft.Compute/virtualMachines/start/action",
"Microsoft.Compute/virtualMachines/restart/action"
],
"notActions": []
}
],
"createdOn": "2015-12-18T00:10:51.4662695Z",
"updatedOn": "2015-12-18T00:10:51.4662695Z",
"createdBy": "877f0ab8-9c5f-420b-bf88-a1c6c7e2643e",
"updatedBy": "877f0ab8-9c5f-420b-bf88-a1c6c7e2643e"
},
"id": "/subscriptions/c276fc76-9cd4-44c9-99a7-4fd71546436e/providers/Microsoft.Authorization/roleDefinitions/7c8c8ccd-9838-4e42-b38c-
60f0bbe9a9d7",
"type": "Microsoft.Authorization/roleDefinitions",
"name": "7c8c8ccd-9838-4e42-b38c-60f0bbe9a9d7"
}
https://management.azure.com/{scope}/providers/Microsoft.Authorization/roleDefinitions/{role-definition-id}?api-version={api-version}
Within the URI, make the following substitutions to customize your request:
1. Replace {scope} with the scope at which you wish to delete the role definition. The following examples show how to specify the scope for
different levels:
Subscription: /subscriptions/{subscription-id}
Resource Group: /subscriptions/{subscription-id}/resourceGroups/myresourcegroup1
Resource: /subscriptions/{subscription-id}/resourceGroups/myresourcegroup1/providers/Microsoft.Web/sites/mysite1
2. Replace {role-definition-id} with the GUID role definition id of the custom role.
3. Replace {api-version} with 2015-07-01.
Response
Status code: 200
{
"properties": {
"roleName": "Virtual Machine Operator",
"type": "CustomRole",
"description": "Lets you monitor virtual machines and restart them.",
"assignableScopes": [
"/subscriptions/c276fc76-9cd4-44c9-99a7-4fd71546436e"
],
"permissions": [
{
"actions": [
"Microsoft.Authorization/*/read",
"Microsoft.Compute/*/read",
"Microsoft.Insights/alertRules/*",
"Microsoft.Network/*/read",
"Microsoft.Resources/subscriptions/resourceGroups/read",
"Microsoft.Storage/*/read",
"Microsoft.Support/*",
"Microsoft.Compute/virtualMachines/start/action",
"Microsoft.Compute/virtualMachines/restart/action"
],
"notActions": []
}
],
"createdOn": "2015-12-16T00:07:02.9236555Z",
"updatedOn": "2015-12-16T00:07:02.9236555Z",
"createdBy": "877f0ab8-9c5f-420b-bf88-a1c6c7e2643e",
"updatedBy": "877f0ab8-9c5f-420b-bf88-a1c6c7e2643e"
},
"id": "/subscriptions/c276fc76-9cd4-44c9-99a7-4fd71546436e/providers/Microsoft.Authorization/roleDefinitions/0bd62a70-e1b8-4e0b-a7c2-
75cab365c95b",
"type": "Microsoft.Authorization/roleDefinitions",
"name": "0bd62a70-e1b8-4e0b-a7c2-75cab365c95b"
}
Introduction
Role-Based Access Control is a powerful feature that allows you to delegate fine-grained access to resources in
Azure. This means you can feel confident granting a specific person the right to use exactly what they need, and no
more. However, at times the resource model for Azure resources can be complicated and it can be difficult to
understand exactly what you are granting permissions to.
This document will let you know what to expect when using some of the roles in the Azure portal. These three roles
cover all resource types:
Owner
Contributor
Reader
Owners and contributors both have full access to the management experience, but a contributor cant give access
to other users or groups. Things get a little more interesting with the reader role, so thats where well spend some
time. See the Role-Based Access Control get-started article for details on how to grant access.
See more
Role Based Access Control: Get started with RBAC in the Azure portal.
Built-in roles: Get details about the roles that come standard in RBAC.
Custom roles in Azure RBAC: Learn how to create custom roles to fit your access needs.
Create an access change history report: Keep track of changing role assignments in RBAC.
Configurable Token Lifetimes in Azure Active
Directory (Public Preview)
1/18/2017 20 min to read Edit on GitHub
NOTE
This capability is currently in public preview. You should be prepared to revert or remove any changes. We are opening up
this feature for everyone to try during the public preview, however, certain aspects may require an Azure AD Premium
subscription once generally available.
Introduction
This feature is used by admins and developers to specify the lifetimes of tokens issued by Azure AD. Token lifetimes
can be configured for all apps in an organization, for a multi-tenant (multi-organization) application, or for a
specific Service Principal in a organization.
In Azure AD, a policy object represents a set of rules enforced on individual applications or all applications in an
organization. Each type of policy has a unique structure with a set of properties that are then applied to objects to
which they are assigned.
A policy can be designated as the default for an organization. This policy then takes effect on any application that
resides within that organization as long as it is not overridden by a policy with a higher priority. Policies can also be
assigned to specific applications. The order of priority varies by policy type.
Token lifetime policies can be configured for refresh tokens, access tokens, session tokens, and ID tokens.
Access tokens
An access token is used by a client to access a protected resource. An access token can only be used for a specific
combination of user, client, and resource. Access tokens cannot be revoked and are valid until their expiry. A
malicious actor that has obtained an access token can use it for extent of its lifetime. Adjusting access token lifetime
is a trade-off between improving system performance and increasing the amount of time that the client retains
access after the users account is disabled. Improved system performance is achieved by reducing the number of
times a client needs to acquire a fresh access token.
Refresh tokens
When a client acquires an access token to access a protected resource, it receives both a refresh token and an
access token. The refresh token is used to obtain new access/refresh token pairs when the current access token
expires. Refresh tokens are bound to combinations of user and client. They can be revoked and their validity is
checked every time they are used.
It is important to make a distinction between confidential and public clients. For more information on the different
types of clients see RFC 6749.
Token Lifetimes with Confidential Client Refresh Tokens
Confidential clients are applications that are able to securely store a client password (secret), allowing them to
prove that requests are coming from the client application and not a malicious actor. For example, a web app is a
confidential client since it can store a client secret on the web server and thus is not exposed. As these flows are
more secure, the default lifetimes of refresh tokens issued to these flows are higher and cannot be changed using
policy.
Token Lifetimes with Public Client Refresh Tokens
Public clients are unable to securely store a client password (secret). For example, an iOS/Android app cannot
obfuscate a secret from the resource owner, and as such is considered a public client. Policies can be set on
resources to prevent refresh tokens from public clients older than a specified period from obtaining a new
access/refresh token pair (Refresh Token Max Inactive Time). Additionally, policies can be used to set a period of
time beyond which the refresh tokens are no longer accepted (Refresh Token Max Age). Adjusting refresh token
lifetime allows you to control when and how often the user is required to reenter credentials instead of being
silently re-authenticated when using a public client application.
ID tokens
ID tokens are passed to web sites and native clients and contain profile information about a user. An ID token is
bound to a specific combination of user and client. ID tokens are considered valid until expiry. Normally, a web
application matches a users session lifetime in the application to the lifetime of the ID token issued for the user.
Adjusting ID token lifetime allows you to control how often the web application will expire the application session
and require the user to be re-authenticated with Azure AD (either silently or interactively).
Single Sign-On Session token
When a user authenticates with Azure AD and checks the "Keep me signed in" box, a single sign-on session is
established with the users browser and Azure AD. The Single Sign-On Session Token, in the form of a cookie,
represents this session. It is important to note that the SSO session token is not bound to a specific resource/client
application. SSO session tokens can be revoked and their validity is checked every time they are used.
There are two kinds of SSO session tokens. Persistent session tokens are stored as persistent cookies by the
browser and non-persistent session tokens are stored as session cookies (these are destroyed when the browser is
closed).
Non-persistent session tokens have a lifetime of 24 hours whereas persistent tokens have a lifetime of 180 days.
Any time the SSO session token is used within its validity period, the validity period is extended another 24 hours
or 180 days. If the SSO session token is not used within its validity period, it is considered expired and will no
longer be accepted.
Policies can be used to set a period of time after the first session token was issued beyond which the session tokens
are no longer accepted (Session Token Max Age). Adjusting session token lifetime allows you to control when and
how often the user is required to re-enter credentials instead of being silently authenticated when using a web
application.
Token lifetime policy properties
A token lifetime policy is a type of policy object that contains token lifetime rules. The properties of the policy are
used to control specified token lifetimes. If no policy is set, the system enforces the default lifetime value.
Configurable token lifetime properties
POLICY PROPERTY
PROPERTY STRING AFFECTS DEFAULT MINIMUM MAXIMUM
*365 days is the maximum explicit length that can be set for these attributes.
**If MaxAgeSessionSingleFactor is not set then this value takes the MaxAgeSingleFactor value. If neither
parameter is set, the property takes on the default value (Until-revoked).
***If MaxAgeSessionMultiFactor is not set then this value takes the MaxAgeMultiFactor value. If neither
parameter is set, the property takes on the default value (Until-revoked).
Exceptions
PROPERTY AFFECTS DEFAULT
Refresh Token Max Inactive Time Refresh tokens (Issued for federated 12 hours
(federated users with insufficient users with insufficient revocation
revocation information) information)
Refresh Token Max Inactive Time Refresh tokens (Issued for Confidential 90 days
(Confidential Clients) Clients)
Refresh token Max Age (Issued for Refresh tokens (Issued for Confidential Until-revoked
Confidential Clients) Clients)
@("{
`"TokenLifetimePolicy`":
{
`"Version`":1,
`"MaxAgeSingleFactor`":`"until-revoked`"
}
}")
Then run the following command to create this policy.
To see your new policy and get its ObjectID, run the following command.
Get-AzureADPolicy
3. You're done!
Sample: Creating a policy for web sign-in
In this sample, we will create a policy that will require your users to authenticate more frequently into your Web
App. This policy will set the lifetime of the Access/Id Tokens and the Max Age of a Multi-Factor Session Token to the
service principal of your web app.
1. Create a Token Lifetime Policy.
This policy for Web Sign-in will set the Access/Id Token lifetime and the Max Single-Factor Session Token Age to 2
hours.
To see your new policy and get its ObjectID, run the following command.
Get-AzureADPolicy
3. You're Done!
To see your new policy and get its ObjectID, run the following command.
Get-AzureADPolicy
3. You're Done!
Sample: Managing an advanced policy
In this sample, we will create a few policies to demonstrate how the priority system works, and how you can
manage multiple policies applied to several objects. This will give some insight into the priority of policies explained
above, and will also help you manage more complicated scenarios.
1. Create a Token Lifetime Policy
So far pretty simple. We've created a organization default policy that sets the Single-Factor Refresh Token lifetime
to 30 days.
To see your new policy and get it's ObjectID, run the following command.
Get-AzureADPolicy
5. You're Done!
You now have the original policy linked to your service principal and the new policy set as your organization
default policy. It's important to remember that policies applied to service principals have priority over organization
default policies.
Cmdlet Reference
Manage policies
The following cmdlets can be used to manage policies.
New-AzureADPolicy
Creates a new policy.
Get-AzureADPolicy
Gets all AzureAD Policies or specified policy
Get-AzureADPolicy
-ObjectId [Optional] The object Id of the Policy you would -ObjectId <ObjectID of Policy>
like to get.
Get-AzureADPolicyAppliedObject
Gets all apps and service principals linked to a policy
-ObjectId The object Id of the Policy you would -ObjectId <ObjectID of Policy>
like to get.
Set-AzureADPolicy
Updates an existing policy
-ObjectId The object Id of the Policy you would -ObjectId <ObjectID of Policy>
like to get.
-Type [Optional] The type of policy, for token lifetimes -Type TokenLifetimePolicy
always use "TokenLifetimePolicy"
Remove-AzureADPolicy
Deletes the specified policy
-ObjectId The object Id of the Policy you would -ObjectId <ObjectID of Policy>
like to get.
Application policies
The following cmdlets can be used for application policies.
Add-AzureADApplicationPolicy
Links the specified policy to an application
Get-AzureADApplicationPolicy
Gets the policy assigned to an application
Remove-AzureADApplicationPolicy
Removes a policy from an application
Get-AzureADServicePrincipalPolicy
Gets any policy linked to the specified service principal
Remove-AzureADServicePrincipalPolicy
Removes the policy from specified service principal
Azure Active Directory Identity Protection is a feature of the Azure AD Premium P2 edition that enables you to:
Detect potential vulnerabilities affecting your organizations identities
Configure automated responses to detected suspicious actions that are related to your organizations
identities
Investigate suspicious incidents and take appropriate action to resolve them
Getting started
Microsoft secures cloud-based identities for more than a decade. With Azure Active Directory Identity
Protection, in your environment, you can use the same protection systems Microsoft uses to secure identities.
The vast majority of security breaches take place when attackers gain access to an environment by stealing a
users identity. Over the years, attackers have become increasingly effective in leveraging third party breaches
and using sophisticated phishing attacks. As soon as an attacker gains access to even low privileged user
accounts, it is relatively easy for them to gain access to important company resources through lateral
movement.
As a consequence of this, you need to:
Protect all identities regardless of their privilege level
Proactively prevent compromised identities from being abused
Discovering compromised identities is no easy task. Azure Active Directory uses adaptive machine learning
algorithms and heuristics to detect anomalies and suspicious incidents that indicate potentially compromised
identities. Using this data, Identity Protection generates reports and alerts that enable you to evaluate the
detected issues and take appropriate mitigation or remediation actions.
Azure Active Directory Identity Protection is more than a monitoring and reporting tool. To protect your
organization's identities, you can configure risk-based policies that automatically respond to detected issues
when a specified risk level has been reached. These policies, in addition to other conditional access controls
provided by Azure Active Directory and EMS, can either automatically block or initiate adaptive remediation
actions including password resets and multi-factor authentication enforcement.
Identity Protection capabilities
Detecting vulnerabilities and risky accounts:
Providing custom recommendations to improve overall security posture by highlighting vulnerabilities
Calculating sign-in risk levels
Calculating user risk levels
Investigating risk events:
Sending notifications for risk events
Investigating risk events using relevant and contextual information
Providing basic workflows to track investigations
Providing easy access to remediation actions such as password reset
Risk-based conditional access policies:
Policy to mitigate risky sign-ins by blocking sign-ins or requiring multi-factor authentication challenges.
Policy to block or secure risky user accounts
Policy to require users to register for multi-factor authentication
Detection
Vulnerabilities
Azure Active Directory Identity Protection analyses your configuration and detects vulnerabilities that can have
an impact on your user's identities. For more details, see Vulnerabilities detected by Azure Active Directory
Identity Protection.
Risk events
Azure Active Directory uses adaptive machine learning algorithms and heuristics to detect suspicious actions
that are related to your user's identities. The system creates a record for each detected suspicious action. These
records are also known as risk events.
For more details, see Azure Active Directory risk events.
Investigation
Your journey through Identity Protection typically starts with the Identity Protection dashboard.
Risky sign-ins
Aure Active Directory detects some risk event types in real-time. All real-time risk events that have been
detected during a sign-in of a user contribute to a logical concept called risky sign-in. A risky sign-in is an
indicator for a sign-in attempt that might not have been performed by the legitimate owner of a user account.
The lifecycle of a risky sign-in ends when a user signs out.
Sign-in risk level
A sign-in risk level is an indication (High, Medium, or Low) of the likelihood that a sign-in attempt was not
performed by the legitimate owner of a user account.
Mitigating sign-in risk events
A mitigation is an action to limit the ability of an attacker to exploit a compromised identity or device without
restoring the identity or device to a safe state. A mitigation does not resolve previous sign-in risk events
associated with the identity or device.
To mitigate risky sign-ins automatically, you can configure sign-in risk security policicies. Using these policies,
you consider the risk level of the user or the sign-in to block risky sign-ins or require the user to perform multi-
factor authentication. These actions may prevent an attacker from exploiting a stolen identity to cause damage,
and may give you some time to secure the identity.
Sign-in risk security policy
A sign-in risk policy is a conditional access policy that evaluates the risk to a specific sign-in and applies
mitigations based on predefined conditions and rules.
Azure AD Identity Protection helps you manage the mitigation of risky sign-ins by enabling you to:
Set the users and groups the policy applies to:
Set the sign-in risk level threshold (low, medium, or high) that triggers the policy:
However, for security reasons, this setting only works for users that have already been registered for multi-
factor authentication. If the condition to require multi-factor authentication is satisfied for a user who is not yet
registered for multi-factor authentication, the user is blocked.
As a best practice, if you want to require multi-factor authentication for risky sign-ins, you should:
1. Enable the multi-factor authentication registration policy for the affected users.
2. Require the affected users to login in a non-risky session to perform a MFA registration
Completing these steps ensures that multi-factor authentication is required for a risky sign-in.
Best practices
Choosing a High threshold reduces the number of times a policy is triggered and minimizes the impact to
users.
However, it excludes Low and Medium sign-ins flagged for risk from the policy, which may not block an
attacker from exploiting a compromised identity.
When setting the policy,
Exclude users who do not/cannot have multi-factor authentication
Exclude users in locales where enabling the policy is not practical (for example no access to helpdesk)
Exclude users who are likely to generate a lot of false-positives (developers, security analysts)
Use a High threshold during initial policy roll out, or if you must minimize challenges seen by end users.
Use a Low threshold if your organization requires greater security. Selecting a Low threshold introduces
additional user sign-in challenges, but increased security.
The recommended default for most organizations is to configure a rule for a Medium threshold to strike a
balance between usability and security.
The sign-in risk policy is:
Applied to all browser traffic and sign-ins using modern authentication.
Not applied to applications using older security protocols by disabling the WS-Trust endpoint at the
federated IDP, such as ADFS.
The Risk Events page in the Identity Protection console lists all events:
This policy was applied to
You can review the activity and determine whether the action was appropriate or not
For an overview of the related user experience, see:
Risky sign-in recovery
Risky sign-in blocked
Sign-in experiences with Azure AD Identity Protection
To open the related configuration dialog:
On the Azure AD Identity Protection blade, in the Configure section, click Sign-in risk policy.
You can use the user risk levels to create conditional access policies that block risky users from signing in, or
force them to securely change their password.
Closing risk events manually
In most cases, you will take remediation actions such as a secure password reset to automatically close risk
events. However, this might not always be possible.
This is, for example, the case, when:
A user with Active risk events has been deleted
An investigation reveals that a reported risk event has been perform by the legitimate user
Because risk events that are Active contribute to the user risk calculation, you may have to manually lower a
risk level by closing risk events manually.
During the course of investigation, you can choose to take any of these actions to change the status of a risk
event:
Resolve - If after investigating a risk event, you took an appropriate remediation action outside Identity
Protection, and you believe that the risk event should be considered closed, mark the event as Resolved.
Resolved events will set the risk events status to Closed and the risk event will no longer contribute to user
risk.
Mark as false-positive - In some cases, you may investigate a risk event and discover that it was incorrectly
flagged as a risky. You can help reduce the number of such occurrences by marking the risk event as False-
positive. This will help the machine learning algorithms to improve the classification of similar events in the
future. The status of false-positive events is to Closed and they will no longer contribute to user risk.
Ignore - If you have not taken any remediation action, but want the risk event to be removed from the active
list, you can mark a risk event Ignore and the event status will be Closed. Ignored events do not contribute to
user risk. This option should only be used under unusual circumstances.
Reactivate - Risk events that were manually closed (by choosing Resolve, False positive, or Ignore) can
be reactivated, setting the event status back to Active. Reactivated risk events contribute to the user risk
level calculation. Risk events closed through remediation (such as a secure password reset) cannot be
reactivated.
To open the related configuration dialog:
1. On the Azure AD Identity Protection blade, under Investigate, click Risk events.
When you click Dismiss all events, all events are closed and the affected user is no longer at risk.
Remediating user risk events
A remediation is an action to secure an identity or a device that was previously suspected or known to be
compromised. A remediation action restores the identity or device to a safe state, and resolves previous risk
events associated with the identity or device.
To remediate user risk events, you can:
Perform a secure password reset to remediate user risk events manually
Configure a user risk security policy to mitigate or remediate user risk events automatically
Re-image the infected device
Manual secure password reset
A secure password reset is an effective remediation for many risk events, and when performed, automatically
closes these risk events and recalculates the user risk level. You can use the Identity Protection dashboard to
initiate a password reset for a risky user.
The related dialog provides two different methods to reset a password:
Reset password - Select Require user to reset password to allow the user to self-recover if the user has
registered for multi-factor authentication. During the user's next sign-in, the user will be required to solve a
multi-factor authentication challenge successfully and then, forced to change the password. This option isn't
available if the user account is not already registered multi-factor authentication.
Temporary password - Select Generate a temporary password to immediately invalidate the existing
password, and create a new temporary password for the user. Send the new temporary password to an
alternate email address for the user or to the user's manager. Because the password is temporary, the user will
be prompted to change the password upon sign-in.
Azure AD Identity Protection helps you manage the mitigation and remediation of users flagged for risk by
enabling you to:
Set the users and groups the policy applies to:
Set the user risk level threshold (low, medium, or high) that triggers the policy:
Next steps
Channel 9: Azure AD and Identity Show: Identity Protection Preview
Enabling Azure Active Directory Identity Protection
Vulnerabilities detected by Azure Active Directory Identity Protection
Azure Active Directory risk events
Azure Active Directory Identity Protection notifications
Azure Active Directory Identity Protection playbook
Azure Active Directory Identity Protection glossary
Sign-in experiences with Azure AD Identity Protection
Azure Active Directory Identity Protection - How to unblock users
Get started with Azure Active Directory Identity Protection and Microsoft Graph
Enabling Azure Active Directory Identity Protection
1/17/2017 1 min to read Edit on GitHub
Azure Active Directory Identity Protection is a new capability that provides a consolidated view into suspicious sign-
in activities and potential vulnerabilities and with notifications, remediation recommendations and risk-based
policies helps you protect your business.
The service detects suspicious activities for end user and privileged (admin) identities based on signals like brute
force attacks, leaked credentials, sign ins from unfamiliar locations, infected devices, to protect against these
activities in real-time. More importantly, based on these suspicious activities, a user risk severity is computed and
risk-based policies can be configured and automatically protect the identities of your organization. For more details,
see Azure Active Directory Identity Protection.
This topics shows how to enable Azure Active Directory Identity Protection.
2. The user is required to prove their identity by solving a security challenge. If the user is registered for multi-
factor authentication they need to round-trip a security code to their phone number. Since this is a just a
risky sign in and not a compromised account, the user wont have to change the password in this flow.
Risky sign-in blocked
Administrators can also choose to set a Sign-In Risk policy to block users upon sign-in depending on the risk level.
To get unblocked, end users must contact an administrator or help desk, or they can try signing in from a familiar
location or device. Self-recovering by solving multi-factor authentication is not an option in this case.
3. Finally, the user is forced to change their password since someone else may have had access to their
account. Screenshots of this experience are below.
Compromised account blocked
To get a user that was blocked by a user risk security policy unblocked, the user must contact an administrator or
help desk. Self-recovering by solving multi-factor authentication is not an option in this case.
Reset password
If compromised users are blocked from signing in, an administrator can generate a temporary password for them.
The users will have to change their password during a next sign-in.
See also
Azure Active Directory Identity Protection
Azure Active Directory Identity Protection - How to
unblock users
1/17/2017 2 min to read Edit on GitHub
With Azure Active Directory Identity Protection, you can configure policies to block users if the configured
conditions are satisfied. Typically, a blocked user contacts help desk to become unblocked. This topics explains the
steps you can perform to unblock a blocked user.
Sign-in risk
User risk
A user that is blocked by:
A sign-in risk policy is also known as suspicious sign-in
A user risk policy is also known as an account at risk
Next steps
Do you want to know more about Azure AD Identity Protection? Check out Azure Active Directory Identity
Protection.
Vulnerabilities detected by Azure Active Directory
Identity Protection
1/17/2017 1 min to read Edit on GitHub
Vulnerabilities are weaknesses in your environment that can be exploited by an attacker. We recommend that you
address these vulnerabilities to improve the security posture of your organization, and prevent attackers from
exploiting them.
The following sections provide you with an overview of the vulnerabilities reported by Identity Protection.
See also
Azure Active Directory Identity Protection
Types of risk events detected by Azure Active
Directory
1/17/2017 5 min to read Edit on GitHub
Leaked credentials
Leaked credentials are found posted publicly in the dark web by Microsoft security researchers. These credentials
are usually found in plain text. They are checked against Azure AD credentials, and if there is a match, they are
reported as Leaked credentials.
Leaked credentials risk events are classified as a High severity risk event, because they provide a clear indication
that the user name and password are available to an attacker.
Sign-ins from IP addresses with suspicious activity Sign-ins from IP addresses with suspicious activity
Lockout events -
The following Azure AD Anomalous Activity reports are not included as risk events in Azure AD, and will therefore
not be available through Azure AD. These reports are still available in the Azure portal however they will be
deprecated at some time in the future as they are being superseded by risk events in Azure AD.
Sign-ins after multiple failures
Sign-ins from multiple geographies
See also
Azure Active Directory Identity Protection
Azure Active Directory Identity Protection playbook
1/17/2017 5 min to read Edit on GitHub
Simulating vulnerabilities
Vulnerabilities are weaknesses in an Azure AD environment that can be exploited by a bad actor. Currently 3 types
of vulnerabilities are surfaced in Azure AD Identity Protection that leverage other features of Azure AD. These
Vulnerabilities will be displayed on the Identity Protection dashboard automatically once these features are set up.
Azure AD Multi-Factor Authentication?
Azure AD Cloud App Discovery.
Azure AD Privileged Identity Management.
Sign-in risk
To test a sign in risk, perform the following steps:
1. Sign-in to https://portal.azure.com with global administrator credentials for your tenant.
2. Navigate to Identity Protection.
3. On the main Azure AD Identity Protection blade, click Settings.
4. On the Portal Settings blade, under Security rules, click Sign in risk.
5. On the Sign in Risk **blade, select **On under Enable rule.
6. Select one of the following options:
a. To block, select Medium under Block sign in
b. To enforce secure password change, select Medium under Require multi-factor authentication.
7. To block, select Medium under Block sign in.
8. To enforce multi-factor authentication, select Medium under Require multi-factor authentication.
9. Click on Save.
10. You can now test risk-based conditional access by simulating the unfamiliar locations or anonymous IP risk
events because they are both Medium risk events.
See also
Azure Active Directory Identity Protection
Azure Active Directory Identity Protection
notifications
1/17/2017 1 min to read Edit on GitHub
Azure AD Identity Protection sends two types of automated notification emails to help you manage user risk and
risk events:
User compromised alert email
Weekly digest email
At risk (User)
A user with one or more active risk events.
Atypical sign-in location
A sign-in from a geographic location that is not typical for the specific user, similar users, or the tenant.
Azure AD Identity Protection
A security module of Azure Active Directory that provides a consolidated view into risk events and potential
vulnerabilities affecting an organizations identities.
Conditional access
A policy for securing access to resources. Conditional access rules are stored in the Azure Active Directory and are
evaluated by Azure AD before granting access to the resource. Example rules include restricting access based on
user location, device health or user authentication method.
Credentials
Information that includes identification and proof of identification that is used to gain access to local and network
resources. Examples of credentials are user names and passwords, smart cards, and certificates.
Event
A record of an activity in Azure Active Directory.
False -positive (risk event)
A risk event status set manually by an Identity Protection user, indicating that the risk event was investigated and
was incorrectly flagged as a risk event.
Identity
A person or entity that must be verified by means of authentication, based on criteria such as password or a
certificate.
Identity risk event
AAD event that was flagged as anomalous by Identity Protection, and may indicate that an identity has been
compromised.
Ignored (risk event)
A risk event status set manually by an Identity Protection user, indicating that the risk event is closed without taking
a remediation action.
Impossible travel from atypical locations
A risk event triggered when two sign-ins for the same user are detected, where at least one of them is from an
atypical sign-in location, and where the time between the sign-ins is shorter than the minimum time it would take
to physically travel between these locations.
Investigation
The process of reviewing the activities, logs, and other relevant information related to a risk event to decide
whether remediation or mitigation steps are necessary, understand if and how the identity was compromised, and
understand how the compromised identity was used.
Leaked credentials
A risk event triggered when current user credentials (user name and password) are found posted publicly in the
Dark web by our researchers.
Mitigation
An action to limit or eliminate the ability of an attacker to exploit a compromised identity or device without
restoring the identity or device to a safe state. A mitigation does not resolve previous risk events associated with
the identity or device.
Multi-factor authentication
An authentication method that requires two or more authentication methods, which may include something the
user has, such a certificate; something the user knows, such as user names, passwords, or pass phrases; physical
attributes, such as a thumbprint; and personal attributes, such as a personal signature.
Offline detection
The detection of anomalies and evaluation of the risk of an event such as sign-in attempt after the fact, for an event
that has already happened.
Policy condition
A part of a security policy which defines the entities (groups, users, apps, device platforms, Device states, IP ranges,
client types) included in the policy or excluded from it.
Policy rule
The part of a security policy which describes the circumstances that would trigger the policy, and the actions taken
when the policy is triggered.
Prevention
An action to prevent damage to the organization through abuse of an identity or device suspected or know to be
compromised. A prevention action does not secure the device or identity, and does not resolve previous risk events.
Privileged (user)
A user that at the time of a risk event, had permanent or temporary admin permissions to one or more resource in
Azure Active Directory, such as a Global Administrator, Billing Administrator, Service Administrator, User
administrator, and Password Administrator.
Real-time
See Real-time detection.
Real-time detection
The detection of anomalies and evaluation of the risk of an event such as sign-in attempt before the event is
allowed to proceed.
Remediated (risk event)
A risk event status set automatically by Identity Protection, indicating that the risk event was remediated using the
standard remediation action for this type of risk event. For example, when the user password is reset, many risk
events that indicate that the previous password was compromised are automatically remediated.
Remediation
An action to secure an identity or a device that were previously suspected or known to be compromised. A
remediation action restores the identity or device to a safe state, and resolves previous risk events associated with
the identity or device.
Resolved (risk event)
A risk event status set manually by an Identity Protection user, indicating that the user took an appropriate
remediation action outside Identity Protection, and that the risk event should be considered closed.
Risk event status
A property of a risk event, indicating whether the event is active, and if closed, the reason for closing it.
Risk event type
A category for the risk event, indicating the type of anomaly that caused the event to be considered risky.
Risk level (risk event)
An indication (High, Medium, or Low) of the severity of the risk event to help Identity Protection users prioritize the
actions they take to reduce the risk to their organization.
Risk level (sign-in)
An indication (High, Medium, or Low) of the likelihood that for a specific sign-in, someone else is attempting to use
the users identity.
Risk level (user compromise )
An indication (High, Medium, or Low) of the likelihood that an identity has been compromised.
Risk level (vulnerability)
An indication (High, Medium, or Low) of the severity of the vulnerability to help Identity Protection users prioritize
the actions they take to reduce the risk to their organization.
Secure (identity)
Take remediation action such as a password change or machine reimaging to restore a potentially compromised
identity to an uncompromised state.
Security policy
A collection of policy rules and condition. A policy can be applied to entities such as users, groups, apps, devices,
device platforms, device states, IP ranges, and Auth2.0 client types. When a policy is enabled, it is evaluated
whenever an entity included in the policy is issued a token for a resource.
Sign in (v)
To authenticate to an identity in Azure Active Directory.
Sign-in (n)
The process or action of authenticating an identity in Azure Active Directory, and the event that captures this
operation.
Sign-in from anonymous IP address
A risk event triggered after a successful sign-in from IP address that has been identified as an anonymous proxy IP
address.
Sign-in from infected device
A risk event triggered when a sign-in originates from an IP address which is known to be used by one or more
compromised devices, which are actively attempting to communicate with a bot server.
Sign-in from IP address with suspicious activity
A risk event triggered after a successful sign-in from an IP address with a high number of failed login attempts
across multiple user accounts over a short period of time.
Sign-in from unfamiliar location
A risk event triggered when a user successfully signs in from a new location (IP, Latitude/Longitude and ASN).
Sign-in risk
See Risk level (sign-in)
Sign-in risk policy
A conditional access policy that evaluates the risk to a specific sign-in and applies mitigations based on predefined
conditions and rules.
User compromise risk
See Risk level (user compromise)
User risk
See Risk level (user compromise).
User risk policy
A conditional access policy that considers the sign-in and applies mitigations based on predefined conditions and
rules.
Users flagged for risk
Users that have risk events which are either active or remediated
Vulnerability
A configuration or condition in Azure Active Directory which makes the directory susceptible to exploits or threats.
See also
Azure Active Directory Identity Protection
Get started with Azure Active Directory Identity
Protection and Microsoft Graph
1/17/2017 4 min to read Edit on GitHub
Microsoft Graph is Microsofts unified API endpoint and the home of Azure Active Directory Identity Protections
APIs. Our first API, identityRiskEvents, allows you to query Microsoft Graph for a list of risk events and associated
information. This article gets you started querying this API. For an in depth introduction, full documentation, and
access to the Graph Explorer, see the Microsoft Graph site.
There are three steps to accessing Identity Protection data through Microsoft Graph:
1. Add an application with a client secret.
2. Use this secret and a few other pieces of information to authenticate to Microsoft Graph, where you receive an
authentication token.
3. Use this token to make requests to the API endpoint and get Identity Protection data back.
Before you get started, youll need:
Administrator privileges to create the application in Azure AD
The name of your tenant's domain (for example, contoso.onmicrosoft.com)
3. From the Directory list, select the directory for which you want to enable directory integration.
4. In the menu on the top, click Applications.
6. On the What do you want to do dialog, click Add an application my organization is developing.
7. On the Tell us about your application dialog, perform the following steps:
a. In the Name textbox, type a name for your application (e.g.: AADIP Risk Event API Application).
b. As Type, select Web Application And / Or Web API.
c. Click Next.
8. On the App properties dialog, perform the following steps:
3. in the keys section, copy the value of your newly created key, and then paste it into a safe location.
NOTE
If you lose this key, you will have to return to this section and create a new key. Keep this key a secret: anyone who
has it can access your data.
4. In the properties section, copy the Client ID, and then paste it into a safe location.
NOTE
You need to provide values for the client_id and the client_secret parameter.
`Authorization`=<token_type> <access_token>"
When authenticating, you can find the token type and access token in the returned token.
Send this header as a request to the following API URL: https://graph.microsoft.com/beta/identityRiskEvents
The response, if successful, is a collection of identity risk events and associated data in the OData JSON format,
which can be parsed and handled as see fit.
Heres sample code for authenticating and calling the API using Powershell.
Just add your client ID, key, and tenant domain.
$ClientID = "<your client ID here>" # Should be a ~36 hex character string; insert your info here
$ClientSecret = "<your client secret here>" # Should be a ~44 character string; insert your info here
$tenantdomain = "<your tenant domain here>" # For example, contoso.onmicrosoft.com
$loginURL = "https://login.microsoft.com"
$resource = "https://graph.microsoft.com"
$body =
@{grant_type="client_credentials";resource=$resource;client_id=$ClientID;client_secret=$ClientSecret}
$oauth = Invoke-RestMethod -Method Post -Uri $loginURL/$tenantdomain/oauth2/token?api-version=1.0 -Body
$body
Write-Output $oauth
$url = "https://graph.microsoft.com/beta/identityRiskEvents"
Write-Output $url
} else {
Write-Host "ERROR: No Access Token"
}
Next steps
Congratulations, you just made your first call to Microsoft Graph!
Now you can query identity risk events and use the data however you see fit.
To learn more about Microsoft Graph and how to build applications using the Graph API, check out the
documentation and much more on the Microsoft Graph site. Also, make sure to bookmark the Azure AD Identity
Protection API page that lists all of the Identity Protection APIs available in Graph. As we add new ways to work with
Identity Protection via API, youll see them on that page.
Additional resources
Azure Active Directory Identity Protection
Types of risk events detected by Azure Active Directory Identity Protection
Microsoft Graph
Overview of Microsoft Graph
Azure AD Identity Protection Service Root
Securing privileged access in Azure AD
1/17/2017 2 min to read Edit on GitHub
Securing privileged access is a critical first step to help protect business assets in a modern organization. Privileged
accounts are those that administer and manage IT systems. Cyber-attackers target these accounts to gain access to
an organizations data and systems. In order to secure privileged access, you should isolate the accounts and
systems from the risk of being exposed to a malicious user.
More users are starting to get privileged access through cloud services. This can include global administrators of
Office365, Azure subscription administrators, and users who have administrative access in VMs or on SaaS apps.
Microsoft recommends you follow this roadmap on Securing Privileged Access.
For customers using Azure Active Directory to manage access to Azure, Office 365, or other Microsoft services and
applications, these principles apply whether user accounts are managed and authenticated by Active Directory or in
Azure Active Directory. The following sections provide more information on Azure AD features to support securing
privileged access.
Multi-factor authentication
To increase the security of administrator authentication, you should require multi-factor authentication (MFA)
before granting privileges. MFA is a method of verifying who you are that requires the use of more than just a
username and password. It provides a second layer of security to user sign-ins and transactions.
Azure Multi-Factor Authentication helps safeguard access to data and applications while meeting user demand for a
simple sign-in process. It delivers strong authentication via a range of easy verification options including phone
calls, text messages, mobile app notifications, or verification code and 3rd party OATH tokens.
For an overview of how Azure Multi-Factor Authentication works see the following video.
For more details, see MFA for Office 365 and MFA for Azure.
Time-bound privileges
Some organizations may find that they have too many users in highly privileged roles. A user might have been
added to the role for a particular activity, like to sign up for a service, but didn't use those privileges frequently
afterward.
To lower the exposure time of privileges and increase your visibility into their use, limit users to only taking on their
privileges Just in Time (JIT), when they need to perform a task. For Azure Active Directory and Microsoft Online
Services, you can use Azure AD Privileged Identity Management (PIM).
Attack detection
Azure Active Directory Identity Protection provides a consolidated view into risk events and potential vulnerabilities
affecting your organizations identities. Based on risk events, Identity Protection calculates a user risk level for each
user, enabling you to configure risk-based policies to automatically protect the identities of your organization.
These policies, along with other conditional access controls provided by Azure Active Directory and EMS, can
automatically block the user or offer suggestions that include password resets and multi-factor authentication
enforcement.
Conditional access
With conditional access control, Azure Active Directory checks the specific conditions you choose when
authenticating a user, before allowing access to an application. Once those conditions are met, the user is
authenticated and allowed access to the application.
Related articles
Enable Azure Multi-Factor Authentication
Enable Azure AD Privileged Identity Management
Enable Azure AD Identity Protection
Enable conditional access controls
For more information on building a complete security roadmap, see the Customer responsibilities and roadmap
section of the Microsoft Cloud Security for Enterprise Architects document. For more information on engaging
Microsoft services to assist with any of these topics, contact your Microsoft representative or visit our Cybersecurity
solutions page.
Windows Server Active Directory on Azure VMs
1/17/2017 1 min to read Edit on GitHub
This navigation topic contains links to other topics about how to deploy Windows Server Active Directory Domain
Services (AD DS) or Active Directory Federation Services (AD FS) on an Azure virtual machine (VM).
Conceptual guidelines
Guidelines for Deploying Windows Server Active Directory on Azure Virtual Machines
Video
How to install a new Active Directory forest on an Azure virtual network
How to articles
Install a new Active Directory forest on an Azure virtual network
Install a Replica Active Directory Domain Controller in Azure Virtual Networks
Set up a hybrid cloud environment for testing
Additional Resources
Sign up for Azure as an organization
Azure Identity
Guidelines for deploying Windows Server Active
Directory on Azure virtual machines
1/17/2017 49 min to read Edit on GitHub
This article explains the important differences between deploying Windows Server Active Directory Domain
Services (AD DS) and Active Directory Federation Services (AD FS) on-premises versus deploying them on
Microsoft Azure virtual machines.
Related resources
You may download and run the Azure Virtual Machine Readiness Assessment. The assessment will automatically
inspect your on-premises environment and generate a customized report based on the guidance found in this topic
to help you migrate the environment to Azure.
We recommend that you also first review the tutorials, guides, and videos that cover the following topics:
Configure a Cloud-Only Virtual Network in the Azure Portal
Configure a Site-to-Site VPN in the Azure Portal
Install a new Active Directory forest on an Azure virtual network
Install a replica Active Directory domain controller on Azure
Microsoft Azure IT Pro IaaS: (01) Virtual Machine Fundamentals
Microsoft Azure IT Pro IaaS: (05) Creating Virtual Networks and Cross-Premises Connectivity
Introduction
The fundamental requirements for deploying Windows Server Active Directory on Azure virtual machines differ
very little from deploying it in on-premises virtual machines (and, to some extent, physical machines). For example,
in the case of Windows Server AD DS, if the domain controllers (DCs) that you deploy on Azure virtual machines
are replicas in an existing on-premises corporate domain/forest, then the Azure deployment can largely be treated
in the same way as you might treat any other additional Windows Server Active Directory site. That is, subnets must
be defined in Windows Server AD DS, a site created, the subnets linked to that site, and connected to other sites
using appropriate site-links. There are, however, some differences that are common to all Azure deployments and
some that vary according to the specific deployment scenario. Two fundamental differences are outlined below:
Azure virtual machines may need connectivity to the on-premises corporate network.
Connecting Azure virtual machines back to an on-premises corporate network requires Azure virtual network,
which includes a site-to-site or site-to-point virtual private network (VPN) component able to seamlessly connect
Azure virtual machines and on-premises machines. This VPN component could also enable on-premises domain
member computers to access a Windows Server Active Directory domain whose domain controllers are hosted
exclusively on Azure virtual machines. It is important to note, though, that if the VPN fails, authentication and other
operations that depend on Windows Server Active Directory will also fail. While users may be able to sign in using
existing cached credentials, all peer-to-peer or client-to-server authentication attempts for which tickets have yet to
be issued or have become stale will fail.
See Virtual Network for a demonstration video and a list of step-by-step tutorials, including Configure a Site-to-Site
VPN in the Azure portal.
NOTE
You can also deploy Windows Server Active Directory on an Azure virtual network that does not have connectivity with an
on-premises network. The guidelines in this topic, however, assume that an Azure virtual network is used because it provides
IP addressing capabilities that are essential to Windows Server.
NOTE
You should shut down and restart a VM that runs the domain controller role in Azure within the guest operating system
instead of using the Shut Down option in the Azure classic portal. Today, using the classic portal to shut down a VM causes
the VM to be deallocated. A deallocated VM has the advantage of not incurring charges, but it also resets the VM-
GenerationID, which is undesirable for a DC. When the VM-GenerationID is reset, the invocationID of the AD DS database is
also reset, the RID pool is discarded, and SYSVOL is marked as non-authoritative. For more information, see Introduction to
Active Directory Domain Services (AD DS) Virtualization and Safely Virtualizing DFSR.
NOTE
Since it provides a layer-3 connection, the VPN component that provides connectivity between an Azure virtual network and
an on-premises network can also enable member servers that run on-premises to leverage DCs that run as Azure virtual
machines on Azure virtual network. But if the VPN is unavailable, communication between on-premises computers and
Azure-based domain controllers will not function, resulting in authentication and various other errors.
NOTE
An option to create a point-to-site VPN is available to connect individual Windows-based computers directly to an Azure
virtual network.
Regardless of whether you create a virtual network or not, Azure charges for egress traffic but not ingress.
Various Windows Server Active Directory design choices can affect how much egress traffic is generated by a
deployment. For example, deploying a read-only domain controller (RODC) limits egress traffic because it does
not replicate outbound. But the decision to deploy an RODC needs to be weighed against the need to perform
write operations against the DC and the compatibility that applications and services in the site have with RODCs.
For more information about traffic charges, see Azure pricing at-a-glance.
While you have complete control over what server resources to use for VMs on-premises, such as RAM, disk
size, and so on, on Azure you must select from a list of preconfigured server sizes. For a DC, a data disk is
needed in addition to the operating system disk in order to store the Windows Server Active Directory database.
However, because Azure does not provide native, full-featured firewall capability, other options need to be used to
restrict traffic. The following table shows each option and its advantages and disadvantages.
Azure network ACLs Less costly and simpler initial Additional network ACL configuration
configuration required if any new VMs are added to
the deployment
Barracuda NG firewall Whitelist mode of operation and it Increased cost and complexity for initial
requires no network ACL configuration setup
The high-level steps to deploy AD FS in this case are as follows:
1. Create a virtual network with cross-premises connectivity, using either a VPN or ExpressRoute.
2. Deploy domain controllers on the virtual network. This step is optional but recommended.
3. Deploy domain-joined AD FS servers on the virtual network.
4. Create an internal load balanced set that includes the AD FS servers and uses a new private IP address within
the virtual network (a dynamic IP address).
a. Update DNS to create the FQDN to point to the private (dynamic) IP address of the internal load balanced
set.
5. Create a cloud service (or a separate virtual network) for the Web Application Proxy nodes.
6. Deploy the Web Application Proxy nodes in the cloud service or virtual network
a. Create an external load balanced set that includes the Web Application Proxy nodes.
b. Update the external DNS name (FQDN) to point to the cloud service public IP address (the virtual IP
address).
c. Configure AD FS proxies to use the FQDN that corresponds to the internal load balanced set for the AD
FS servers.
d. Update claims-based web sites to use the external FQDN for their claims provider.
7. Restrict access between Web Application Proxy to any machine in the AD FS virtual network.
To restrict traffic, the load-balanced set for the Azure internal load balancer needs to be configured for only traffic
to TCP ports 80 and 443, and all other traffic to the internal dynamic IP address of the load balanced set is dropped.
WARNING
The design must prevent Web Application Proxy nodes from reaching any other VMs in the Azure virtual network or any
locations on the on-premises network. That can be done by configuring firewall rules in the on-premises appliance for Express
Route connections or the VPN device for site-to-site VPN connections.
A disadvantage to this option is the need to configure the network ACLs for multiple devices, including internal load
balancer, the AD FS servers, and any other servers that get added to the virtual network. If any device is added to
the deployment without configuring network ACLs to restrict traffic to it, the entire deployment can be at risk. If the
IP addresses of the Web Application Proxy nodes ever change, the network ACLs must be reset (which means the
proxies should be configured to use static dynamic IP addresses).
Another option is to use the Barracuda NG Firewall appliance to control traffic between AD FS proxy servers and
the AD FS servers. This option complies with best practices for security and high availability, and requires less
administration after the initial setup because the Barracuda NG Firewall appliance provides a whitelist mode of
firewall administration and it can be installed directly on an Azure virtual network. That eliminates the need to
configure network ACLs any time a new server is added to the deployment. But this option adds initial deployment
complexity and cost.
In this case, two virtual networks are deployed instead of one. We'll call them VNet1 and VNet2. VNet1 contains the
proxies and VNet2 contains the STSs and the network connection back to the corporate network. VNet1 is therefore
physically (albeit virtually) isolated from VNet2 and, in turn, from the corporate network. VNet1 is then connected
to VNet2 using a special tunneling technology known as Transport Independent Network Architecture (TINA). The
TINA tunnel is attached to each of the virtual networks using a Barracuda NG firewallone Barracuda on each of
the virtual networks. For high-availability, it is recommended that you deploy two Barracudas on each virtual
network; one active, the other passive. They offer extremely rich firewalling capabilities which allow us to mimic the
operation of a traditional on-premises DMZ in Azure.
For more information, see AD FS: Extend a claims-aware on-premises front-end application to the Internet.
An alternative to AD FS deployment if the goal is Office 365 SSO alone
There is another alternative to deploying AD FS altogether if your goal is only to enable sign-in for Office 365. In
that case, you can simply deploy DirSync with password sync on-premises and achieve the same end-result with
minimal deployment complexity because this approach does not require AD FS or Azure.
The following table compares how the sign-in processes work with and without deploying AD FS.
OFFICE 365 SINGLE SIGN-ON USING AD FS AND DIRSYNC OFFICE 365 SAME SIGN-ON USING DIRSYNC + PASSWORD SYNC
1. The user logs on to a corporate network, and is 1. The user logs on to a corporate network, and is
authenticated to Windows Server Active Directory. authenticated to Windows Server Active Directory.
2. The user tries to access Office 365 (I am @contoso.com). 2. The user tries to access Office 365 (I am @contoso.com).
3. Office 365 redirects the user to Azure AD. 3. Office 365 redirects the user to Azure AD.
OFFICE 365 SINGLE SIGN-ON USING AD FS AND DIRSYNC OFFICE 365 SAME SIGN-ON USING DIRSYNC + PASSWORD SYNC
4. Since Azure AD cant authenticate the user and understands 4. Azure AD cant accept Kerberos tickets directly and no trust
there is a trust with AD FS on-premises, it redirects the user to relationship exists so it requests that the user enter
AD FS. credentials.
5. The user sends a Kerberos ticket to the AD FS STS. 5. The user enters the same on-premises password, and Azure
AD validates them against the user name and password that
was synchronized by DirSync.
6. AD FS transforms the Kerberos ticket to the required token 6. Azure AD redirects the user to Office 365.
format/claims and redirects the user to Azure AD.
7. The user authenticates to Azure AD (another transformation 7. The user can sign in to Office 365 and OWA using the
occurs). Azure AD token.
In the Office 365 with DirSync with password sync scenario (no AD FS), single sign-on is replaced by same sign-
on where same simply means that users must re-enter their same on-premises credentials when accessing
Office 365. Note that this data can be remembered by the users browser to help reduce subsequent prompts.
Additional food for thought
If you deploy an AD FS proxy on an Azure virtual machine, connectivity to the AD FS servers is needed. If they
are on-premises, it is recommended that you leverage the site-to-site VPN connectivity provided by the virtual
network to allow the Web Application Proxy nodes to communicate with their AD FS servers.
If you deploy an AD FS server on an Azure virtual machine, connectivity to Windows Server Active Directory
domain controllers, Attribute Stores, and Configuration databases is necessary and may also require an
ExpressRoute or a site-to-site VPN connection between the Azure virtual network and the on-premises network.
Charges are applied to all traffic from Azure virtual machines (egress traffic). If cost is the driving factor, it is
advisable to deploy the Web Application Proxy nodes on Azure, leaving the AD FS servers on-premises. If the AD
FS servers are deployed on Azure virtual machines as well, additional costs will be incurred to authenticate on-
premises users. Egress traffic incurs a cost regardless of whether or not it is traversing the ExpressRoute or the
VPN site-to-site connection.
If you decide to use Azures native server load balancing capabilities for high availability of AD FS servers, note
that load balancing provides probes that are used to determine the health of the virtual machines within the
cloud service. In the case of Azure virtual machines (as opposed to web or worker roles), a custom probe must
be used since the agent that responds to the default probes is not present on Azure virtual machines. For
simplicity, you might use a custom TCP probe this requires only that a TCP connection (a TCP SYN segment
sent and responded to with a TCP SYN ACK segment) be successfully established to determine virtual machine
health. You can configure the custom probe to use any TCP port to which your virtual machines are actively
listening.
NOTE
Machines that need to expose the same set of ports directly to the Internet (such as port 80 and 443) cannot share the same
cloud service. It is, therefore, recommended that you create a dedicated cloud service for your Windows Server AD FS servers
in order to avoid potential overlaps between port requirements for an application and Windows Server AD FS.
Deployment scenarios
The following section outlines commonplace deployment scenarios to draw attention to important considerations
that must be taken into account. Each scenario has links to more details about the decisions and factors to consider.
1. AD DS: Deploy an AD DS-aware application with no requirement for corporate network connectivity
For example, an Internet-facing SharePoint service is deployed on an Azure virtual machine. The application
has no dependencies on corporate-network resources. The application does require Windows Server AD DS
but does NOT require the corporate Windows Server AD DS.
2. AD FS: Extend a claims-aware on-premises front-end application to the Internet
For example, a claims-aware application that has been successfully deployed on-premises and used by
corporate users needs to become accessible from the Internet. The application needs to be accessed directly
over the Internet both by business partners using their own corporate identities and by existing corporate
users.
3. AD DS: Deploy a Windows Server AD DS-aware application that requires connectivity to the corporate
network
For example, an LDAP-aware application that supports Windows-integrated authentication and uses
Windows Server AD DS as a repository for configuration and user-profile data is deployed on an Azure
virtual machine. It is desirable for the application to leverage the existing corporate Windows Server AD DS
and provide single sign-on. The application is not claims-aware.
1. AD DS: Deploy an AD DS -aware application with no requirement for corporate network connectivity
Figure 1
Description
SharePoint is deployed on an Azure virtual machine and the application has no dependencies on corporate-
network resources. The application does require Windows Server AD DS but does not require the corporate
Windows Server AD DS. No Kerberos or federated trusts are required because users are self-provisioned through
the application into the Windows Server AD DS domain that is also hosted in the cloud on Azure virtual machines.
Scenario considerations and how technology areas apply to the scenario
Network topology: Create an Azure virtual network without cross-premises connectivity (also known as site-to-
site connectivity).
DC deployment configuration: Deploy a new domain controller into a new, single-domain, Windows Server
Active Directory forest. This should be deployed along with the Windows DNS server.
Windows Server Active Directory site topology: Use the default Windows Server Active Directory site (all
computers will be in Default-First-Site-Name).
IP addressing and DNS:
Set a static IP address for the DC by using the Set-AzureStaticVNetIP Azure PowerShell cmdlet.
Install and configure Windows Server DNS on the domain controller(s) on Azure.
Configure the virtual network properties with the name and IP address of the VM that hosts the DC and
DNS server roles.
Global Catalog: The first DC in the forest must be a global catalog server. Additional DCs should also be
configured as GCs because in a single domain forest, the global catalog does not require any additional work
from the DC.
Placement of the Windows Server AD DS database and SYSVOL: Add a data disk to DCs running as Azure VMs
in order to store the Windows Server Active Directory database, logs, and SYSVOL.
Backup and Restore: Determine where you want to store system state backups. If necessary, add another data
disk to the DC VM to store backups.
2 AD FS: Extend a claims-aware on-premises front-end application to the Internet
Figure 2
Description
A claims-aware application that has been successfully deployed on-premises and used by corporate users needs to
become accessible directly from the Internet. The application serves as a web frontend to a SQL database in which it
stores data. The SQL servers used by the application are also located on the corporate network. Two Windows
Server AD FS STSs and a load-balancer have been deployed on-premises to provide access to the corporate users.
The application now needs to be additionally accessed directly over the Internet both by business partners using
their own corporate identities and by existing corporate users.
In an effort to simplify and meet the deployment and configuration needs of this new requirement, it is decided that
two additional web frontends and two Windows Server AD FS proxy servers be installed on Azure virtual machines.
All four VMs will be exposed directly to the Internet and will be provided connectivity to the on-premises network
using Azure Virtual Networks site-to-site VPN capability.
Scenario considerations and how technology areas apply to the scenario
Network topology: Create an Azure virtual network and configure cross-premises connectivity.
NOTE
For each of the Windows Server AD FS certificates, ensure that the URL defined within the certificate template and the
resulting certificates can be reached by the Windows Server AD FS instances running on Azure. This may require
cross-premises connectivity to parts of your PKI infrastructure. For example if the CRL's endpoint is LDAP-based and
hosted exclusively on-premises, then cross-premises connectivity will be required. If this is not desirable, it may be
necessary to use certificates issued by a CA whose CRL is accessible over the Internet.
Cloud services configuration: Ensure you have two cloud services in order provide two load-balanced virtual IP
addresses. The first cloud services virtual IP address will be directed to the two Windows Server AD FS proxy
VMs on ports 80 and 443. The Windows Server AD FS proxy VMs will be configured to point to the IP address of
the on-premises load-balancer that fronts the Windows Server AD FS STSs. The second cloud services virtual IP
address will be directed to the two VMs running the web frontend again on ports 80 and 443. Configure a
custom probe to ensure the load-balancer only directs traffic to functioning Windows Server AD FS proxy and
web frontend VMs.
Federation server configuration: Configure Windows Server AD FS as a federation server (STS) to generate
security tokens for the Windows Server Active Directory forest created in the cloud. Set federation claims
provider trust relationships with the different partners you wish to accept identities from, and configure
relying party trust relationships with the different applications you want to generate tokens to.
In most scenarios, Windows Server AD FS proxy servers are deployed in an Internet-facing capacity for
security purposes while their Windows Server AD FS federation counterparts remain isolated from direct
Internet connectivity. Regardless of your deployment scenario, you must configure your cloud service with a
virtual IP address that will provide a publicly exposed IP address and port that is able to load-balance across
either your two Windows Server AD FS STS instances or proxy instances.
Windows Server AD FS high availability configuration: It is advisable to deploy a Windows Server AD FS farm
with at least two servers for failover and load balancing. You might want to consider using the Windows Internal
Database (WID) for Windows Server AD FS configuration data, and use the internal load balancing capability of
Azure to distribute incoming requests across the servers in the farm.
For more information, see the AD DS Deployment Guide.
3. AD DS: Deploy a Windows Server AD DS -aware application that requires connectivity to the corporate
network
Figure 3
Description
An LDAP-aware application is deployed on an Azure virtual machine. It supports Windows-integrated
authentication and uses Windows Server AD DS as a repository for configuration and user profile data. The goal is
for the application to leverage the existing corporate Windows Server AD DS and provide single sign-on. The
application is not claims-aware. Users also need to access the application directly from the Internet. To optimize for
performance and cost, it is decided that two additional domain controllers that are part of the corporate domain be
deployed alongside the application on Azure.
Scenario considerations and how technology areas apply to the scenario
Network topology: Create an Azure virtual network with cross-premises connectivity.
Installation method: Deploy replica DCs from the corporate Windows Server Active Directory domain. For a
replica DC, you can install Windows Server AD DS on the VM, and optionally use the Install From Media (IFM)
feature to reduce the amount of data that needs to be replicated to the new DC during installation. For a tutorial,
see Install a replica Active Directory domain controller on Azure. Even if you use IFM, it may be more efficient to
build the virtual DC on-premises and move the entire Virtual Hard Disk (VHD) to the cloud instead of replicating
Windows Server AD DS during installation. For safety, it is recommended that you delete the VHD from the on-
premises network once it has been copied to Azure.
Windows Server Active Directory site topology: Create a new Azure site in Active Directory Sites and Services.
Create a Windows Server Active Directory subnet object to represent the Azure virtual network and add the
subnet to the site. Create a new site link that includes the new Azure site and the site in which the Azure virtual
network VPN endpoint is located in order to control and optimize Windows Server Active Directory traffic to and
from Azure.
IP addressing and DNS:
Set a static IP address for the DC by using the Set-AzureStaticVNetIP Azure PowerShell cmdlet.
Install and configure Windows Server DNS on the domain controller(s) on Azure.
Configure the virtual network properties with the name and IP address of the VM that hosts the DC and
DNS server roles.
Geo-distributed DCs: Configure additional virtual networks as needed. If your Active Directory site topology
requires DCs in geographies that correspond to different Azure regions, than you want to create Active Directory
sites accordingly.
Read-only DCs: You might deploy an RODC in the Azure site, depending on your requirements for performing
write operations against the DC and the compatibility of applications and services in the site with RODCs. For
more information about application compatibility, see the Read-Only domain controllers application
compatibility guide.
Global Catalog: GCs are needed to service logon requests in multidomain forests. If you do not deploy a GC
in the Azure site, you will incur egress traffic costs as authentication requests cause queries GCs in other
sites. To minimize that traffic, you can enable universal group membership caching for the Azure site in
Active Directory Sites and Services.
If you deploy a GC, configure site links and site links costs so that the GC in the Azure site is not preferred as
a source DC by other GCs that need to replicate the same partial domain partitions.
Placement of the Windows Server AD DS database and SYSVOL: Add a data disk to DCs running on Azure VMs
in order to store the Windows Server Active Directory database, logs, and SYSVOL.
Backup and Restore: Determine where you want to store system state backups. If necessary, add another data
disk to the DC VM to store backups.
Windows Server Active Directory site How do you configure subnets, sites, Subnet and site definitions
topology and site links with Azure Virtual Site link properties and change
Network to optimize traffic and notification
minimize cost? Replication compression
IP addressing and DNS How to configure IP addresses and Use the Use the Set-
name resolution? AzureStaticVNetIP cmdlet to assign a
static IP address
Install Windows Server DNS server
and configure the virtual network
properties with the name and IP
address of the VM that hosts the DC
and DNS server roles
Geo-distributed DCs How to replicate to DCs on separate If your Active Directory site topology
virtual networks? requires DCs in geographies that
corresponds to different Azure regions,
than you want to create Active
Directory sites accordingly. Configure
virtual network to virtual network
Connectivity to replicate between
domain controllers on separate virtual
networks.
Global catalog Install global catalog? For single-domain forest, make all
DCs GCs
For multidomain forest, GCs are
required for authentication
Placement of the Windows Server AD Where to store Windows Server AD DS Change Dcpromo.exe default values.
DS database and SYSVOL database, logs, and SYSVOL? These critical Active Directory files must
be placed on Azure Data Disks instead
of Operating System disks that
implement write caching.
Backup and Restore How to safeguard and recover data? Create system state backups
Cloud services configuration A cloud service is implicitly deployed the Does a VM or VMs require direct
first time you create a virtual machine. exposure to the Internet?
Do you need to deploy additional cloud Does the service require load-
services? balancing?
Federation server requirements for Does the Windows Server AD FS Create one cloud-service for each virtual
public and private IP addressing instance need to be reached directly IP address that is required by your
(dynamic IP vs. virtual IP) from the Internet? deployment
Does the application being deployed
in the cloud require its own Internet-
facing IP address and port?
Windows Server AD FS high availability How many nodes in my Windows Resiliency and fault tolerance
configuration Server AD FS server farm?
How many nodes to deploy in my
Windows Server AD FS proxy farm?
Network topology
In order to meet the IP address consistency and DNS requirements of Windows Server AD DS, it is necessary to first
create an Azure virtual network and attach your virtual machines to it. During its creation, you must decide whether
to optionally extend connectivity to your on-premises corporate network, which transparently connects Azure
virtual machines to on-premises machines this is achieved using traditional VPN technologies and requires that
a VPN endpoint be exposed on the edge of the corporate network. That is, the VPN is initiated from Azure to the
corporate network, not vice-versa.
Note that additional charges apply when extending a virtual network to your on-premises network beyond the
standard charges that apply to each VM. Specifically, there are charges for CPU time of the Azure Virtual Network
gateway and for the egress traffic generated by each VM that communicates with on-premises machines across the
VPN. For more information about network traffic charges, see Azure pricing at-a-glance.
DC deployment configuration
The way you configure the DC depends on the requirements for the service you want to run on Azure. For example,
you might deploy a new forest, isolated from your own corporate forest, for testing a proof-of-concept, a new
application, or some other short term project that requires directory services but not specific access to internal
corporate resources.
As a benefit, an isolated forest DC does not replicate with on-premises DCs, resulting in less outbound network
traffic generated by the system itself, directly reducing costs. For more information about network traffic charges,
see Azure pricing at-a-glance.
As another example, suppose you have privacy requirements for a service, but the service depends on access to
your internal Windows Server Active Directory. If you are allowed to host data for the service in the cloud, you
might deploy a new child domain for your internal forest on Azure. In this case, you can deploy a DC for the new
child domain (without the global catalog in order to help address privacy concerns). This scenario, along with a
replica DC deployment, requires a virtual network for connectivity with your on-premises DCs.
If you create a new forest, choose whether to use Active Directory trusts or Federation trusts. Balance the
requirements dictated by compatibility, security, compliance, cost, and resiliency. For example, to take advantage of
selective authentication you might choose to deploy a new forest on Azure and create a Windows Server Active
Directory trust between the on-premises forest and the cloud forest. If the application is claims-aware, however,
you might deploy federation trusts instead of Active Directory forest trusts. Another factor will be the cost to either
replicate more data by extending your on-premises Windows Server Active Directory to the cloud or generate more
outbound traffic as a result of authentication and query load.
Requirements for availability and fault tolerance also affect your choice. For example, if the link is interrupted,
applications leveraging either a Kerberos trust or a federation trust are all likely entirely broken unless you have
deployed sufficient infrastructure on Azure. Alternative deployment configurations such as replica DCs (writeable or
RODCs) increase the likelihood of being able to tolerate link outages.
Windows Server Active Directory site topology
You need to correctly define sites and site links in order to optimize traffic and minimize cost. Sites, site-links, and
subnets affect the replication topology between DCs and the flow of authentication traffic. Consider the following
traffic charges and then deploy and configure DCs according to the requirements of your deployment scenario:
There is a nominal fee per hour for the gateway itself:
It can be started and stopped as you see fit
If stopped, Azure VMs are isolated from the corporate network
Inbound traffic is free
Outbound traffic is charged, according to Azure pricing at-a-glance. You can optimize site link properties
between on-premises sites and the cloud sites as follows:
If you are using multiple virtual networks, configure the site-links and their costs appropriately to prevent
Windows Server AD DS from prioritizing the Azure site over one that can provide the same levels of
service at no charge. You might also consider disabling the Bridge all site link (BASL) option (which is
enabled by default). This ensures that only directly-connected sites replicate with one another. DCs in
transitively connected sites are no longer able to replicate directly with each other, but must replicate
through a common site or sites. If the intermediary sites become unavailable for some reason, replication
between DCs in transitively connected sites will not occur even if connectivity between the sites is
available. Finally, where sections of transitive replication behavior remain desirable, create site link
bridges that contain the appropriate site-links and sites, such as on-premises, corporate network sites.
Configure site link costs appropriately to avoid unintended traffic. For example, if Try Next Closest Site
setting is enabled, make sure the virtual network sites are not the next closest by increasing the cost
associated of the site-link object that connects the Azure site back to the corporate network.
Configure site link intervals and schedules according to consistency requirements and rate of object
changes. Align replication schedule with latency tolerance. DCs replicate only the last state of a value, so
decreasing the replication interval can save costs if there is a sufficient object change rate.
If minimizing costs is a priority, ensure replication is scheduled and change notification is not enabled. This is the
default configuration when replicating between sites. This is not important if you are deploying an RODC on a
virtual network because the RODC will not replicate any changes outbound. But if you deploy a writable DC, you
should make sure the site link is not configured to replicate updates with unnecessary frequency. If you deploy a
global catalog server (GC), make sure that every other site that contains a GC replicates domain partitions from
a source DC in a site that is connected with a site-link or site-links that have a lower cost than the GC in the
Azure site.
It is possible to further still reduce network traffic generated by replication between sites by changing the
replication compression algorithm. The compression algorithm is controlled by the REG_DWORD registry entry
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NTDS\Parameters\Replicator compression
algorithm. The default value is 3, which correlates to the Xpress Compress algorithm. You can change the value
to 2, which changes the algorithm to MSZip. In most cases, this will increase the compression, but it does so at
the expense of CPU utilization. For more information, see How Active Directory replication topology works.
IP addressing and DNS
Azure virtual machines are allocated DHCP-leased addresses by default. Because Azure virtual network dynamic
addresses persist with a virtual machine for the lifetime of the virtual machine, the requirements of Windows
Server AD DS are met.
As a result, when you use a dynamic address on Azure, you are in effect using a static IP address because it is
routable for the period of the lease, and the period of the lease is equal to the lifetime of the cloud service.
However, the dynamic address is deallocated if the VM is shutdown. To prevent the IP address from being
deallocated, you can use Set-AzureStaticVNetIP to assign a static IP address.
For name resolution, deploy your own (or leverage your existing) DNS server infrastructure; Azure-provided DNS
does not meet the advanced name resolution needs of Windows Server AD DS. For example, it does not support
dynamic SRV records, and so on. Name resolution is a critical configuration item for DCs and domain-joined clients.
DCs must be capable of registering resource records and resolving other DCs resource records. For fault tolerance
and performance reasons, it is optimal to install the Windows Server DNS service on the DCs running on Azure.
Then configure the Azure virtual network properties with the name and IP address of the DNS server. When other
VMs on the virtual network start, their DNS client resolver settings will be configured with DNS server as part of the
dynamic IP address allocation.
NOTE
You cannot join on-premises computers to a Windows Server AD DS Active Directory domain that is hosted on Azure directly
over the Internet. The port requirements for Active Directory and the domain-join operation render it impractical to directly
expose the necessary ports and in effect, an entire DC to the Internet.
VMs register their DNS name automatically on startup or when there is a name change.
For more information about this example and another example that shows how to provision the first VM and install
AD DS on it, see Install a new Active Directory forest on Microsoft Azure. For more information about using
Windows PowerShell, see Install Azure PowerShell and Azure Management Cmdlets.
Geo -distributed DCs
Azure offers advantages when hosting multiple DCs on different virtual networks:
Multi-site fault-tolerance
Physical proximity to branch offices (lower latency)
For information about configuring direct communication between virtual networks, see Configure virtual network
to virtual network connectivity.
Read-only DCs
You need to choose whether to deploy read-only or writeable DCs. You might be inclined to deploy RODCs because
you will not have physical control over them, but RODCs are designed to be deployed in locations where their
physical security is at risk, such as branch offices.
Azure does not present the physical security risk of a branch office, but RODCs might still prove to be more cost
effective because the features they provide are well-suited to these environments albeit for very different reasons.
For example, RODCs have no outbound replication and are able to selectively populate secrets (passwords). On the
downside, the lack of these secrets might require on-demand outbound traffic to validate them as a user or
computer authenticates. But secrets can be selectively prepopulated and cached.
RODCs provide an additional advantage in and around HBI and PII concerns because you can add attributes that
contain sensitive data to the RODC filtered attribute set (FAS). The FAS is a customizable set of attributes that are
not replicated to RODCs. You can use the FAS as a safeguard in case you are not permitted or do not want to store
PII or HBI on Azure. For more information, see [RODC filtered attribute
set[(https://technet.microsoft.com/library/cc753459)].
Make sure that applications will be compatible with RODCs you plan to use. Many Windows Server Active
Directory-enabled applications work well with RODCs, but some applications can perform inefficiently or fail if they
do not have access to a writable DC. For more information, see Read-Only DCs application compatibility guide.
Global catalog
You need to choose whether to install a global catalog (GC). In a single domain forest, you should configure all DCs
as global catalog servers. It will not increase costs because there will be no additional replication traffic.
In a multidomain forest, GCs are necessary to expand Universal Group memberships during the authentication
process. If you do not deploy a GC, workloads on the virtual network that authenticate against a DC on Azure will
indirectly generate outbound authentication traffic to query GCs on-premises during each authentication attempt.
The costs associated with GCs are less-predictable because they host every domain (in-part). If the workload hosts
an Internet-facing service and authenticates users against Windows Server AD DS, the costs could be completely
unpredictable. To help reduce GC queries outside of the cloud site during authentication, you can enable Universal
Group Membership Caching.
Installation method
You need to choose how to install the DCs on the virtual network:
Promote new DCs. For more information, see Install a new Active Directory forest on an Azure virtual network.
Move the VHD of an on-premises virtual DC to the cloud. In this case, you must ensure that the on-premises
virtual DC is moved, not copied or cloned.
Use only Azure virtual machines for DCs (as opposed to Azure web or worker role VMs). They are durable and
durability of state for a DC is required. Azure virtual machines are designed for workloads such as DCs.
Do not use SYSPREP to deploy or clone DCs. The ability to clone DCs is only available beginning in Windows Server
2012. The cloning feature requires support for VMGenerationID in the underlying hypervisor. Hyper-V in Windows
Server 2012 and Azure virtual networks both support VMGenerationID, as do third-party virtualization software
vendors.
Placement of the Windows Server AD DS database and SYSVOL
Select where to locate the Windows Server AD DS database, logs, and SYSVOL. They must be deployed on Azure
Data disks.
NOTE
Azure Data disks are constrained to 1 TB.
Data disk drives do not cache writes by default. Data disk drives that are attached to a VM use write-through
caching. Write-through caching makes sure the write is committed to durable Azure storage before the transaction
is complete from the perspective of the VMs operating system. It provides durability, at the expense of slightly
slower writes.
This is important for Windows Server AD DS because write-behind disk-caching invalidates assumptions made by
the DC. Windows Server AD DS attempts to disable write caching but it is up to the disk IO system to honor it.
Failure to disable write caching may, under certain circumstances, introduce USN rollback resulting in lingering
objects and other problems.
As a best practice for virtual DCs, do the following:
Set the Host Cache Preference setting on the Azure data disk for NONE. This prevents issues with write caching
for AD DS operations.
Store the database, logs, and SYSVOL on the either same data disk or separate data disks. Typically, this is a
separate disk from the disk used for the operating system itself. The key takeaway is that the Windows Server
AD DS database and SYSVOL must not be stored on an Azure Operating System disk type. By default, the AD DS
installation process installs these components in %systemroot% folder, which is NOT recommended for Azure.
Backup and restore
Be aware of what is and is not supported for backup and restore of a DC in general, and more specifically, those
running in a VM. See Backup and Restore Considerations for Virtualized DCs.
Create system state backups by using only backup software that is specifically aware of backup requirements for
Windows Server AD DS, such as Windows Server Backup.
Do not copy or clone VHD files of DCs instead of performing regular backups. Should a restore ever be required,
doing so using cloned or copied VHDs without Windows Server 2012 and a supported hypervisor will introduce
USN bubbles.
Federation server configuration
The configuration of Windows Server AD FS federation servers (STSs) depends in part on whether the applications
that you want to deploy on Azure need to access resources on your on-premises network.
If the applications meet the following criteria, you could deploy the applications in isolation from your on-premises
network.
They accept SAML security tokens
They are exposable to the Internet
They do not access on-premises resources
In this case, configure Windows Server AD FS STSs as follows:
1. Configure an isolated single-domain forest on Azure.
2. Provide federated access to the forest by configuring a Windows Server AD FS federation server farm.
3. Configure Windows Server AD FS (federation server farm and federation server proxy farm) in the on-premises
forest.
4. Establish a federation trust relationship between the on-premises and Azure instances of Windows Server AD
FS.
On the other hand, if the applications require access to on-premises resources, you could configure Windows
Server AD FS with the application on Azure as follows:
1. Configure connectivity between on-premises networks and Azure.
2. Configure a Windows Server AD FS federation server farm in the on-premises forest.
3. Configure a Windows Server AD FS federation server proxy farm on Azure.
This configuration has the advantage of reducing the exposure of on-premises resources, similar to configuring
Windows Server AD FS with applications in a perimeter network.
Note that in either scenario, you can establish trusts relationships with more identity providers, if business-to-
business collaboration is needed.
Cloud services configuration
Cloud services are necessary if you want to expose a VM directly to the Internet or to expose an Internet-facing
load-balanced application. This is possible because each cloud service offers a single configurable virtual IP address.
Federation server requirements for public and private IP addressing (dynamic IP vs. virtual IP)
Each Azure virtual machine receives a dynamic IP address. A dynamic IP address is a private address accessible only
within Azure. In most cases, however, it will be necessary to configure a virtual IP address for your Windows Server
AD FS deployments. The virtual IP is necessary to expose Windows Server AD FS endpoints to the Internet, and will
be used by federated partners and clients for authentication and ongoing management. A virtual IP address is a
property of a cloud service which contains one or more Azure virtual machines. If the claims-aware application
deployed on Azure and Windows Server AD FS are both Internet-facing and share common ports, each will require
a virtual IP address of its own and it will therefore be necessary to create one cloud service for the application and a
second for Windows Server AD FS.
For definitions of the terms virtual IP address and dynamic IP address, see Terms and definitions.
Windows Server AD FS high availability configuration
While it is possible to deploy standalone Windows Server AD FS federation services, it is recommended to deploy a
farm with at least two nodes for both AD FS STS and proxies for production environments.
See AD FS 2.0 deployment topology considerations in the AD FS 2.0 Design Guide to decide which deployment
configuration options best suit your particular needs.
NOTE
In order to get load balancing for Windows Server AD FS endpoints on Azure, configure all members of the Windows Server
AD FS farm in the same cloud service, and use the load balancing capability of Azure for HTTP (default 80) and HTTPS ports
(default 443). For more information, see Azure load-balancer probe. Windows Server Network Load Balancing (NLB) is not
supported on Azure.
Install a replica Active Directory domain controller in
an Azure virtual network
1/17/2017 8 min to read Edit on GitHub
This topic shows how to install additional domain controllers (also known as replica DCs) for an on-premises
Active Directory domain on Azure virtual machines (VMs) in an Azure virtual network.
You might also be interested in these related topics:
You can optionally install a new Active Directory forest on an Azure virtual network. For those steps, see Install
a new Active Directory forest on an Azure virtual network.
For conceptual guidance about installing Active Directory Domain Services (AD DS) on an Azure virtual
network, see Guidelines for Deploying Windows Server Active Directory on Azure Virtual Machines.
Scenario diagram
In this scenario, external users need to access applications that run on domain-joined servers. The VMs that run
the application servers and the replica DCs are installed in an Azure virtual network. The virtual network can be
connected to the on-premises network by a site-to-site VPN connection, as shown in the following diagram, or
you can use ExpressRoute for a faster connection.
The application servers and the DCs are deployed within separate cloud services to distribute compute processing
and within availability sets for improved fault tolerance. The DCs replicate with each other and with on-premises
DCs by using Active Directory replication. No synchronization tools are needed.
Create an Active Directory site for the Azure virtual network
Its a good idea to create a site in Active Directory that represents the network region corresponding to the virtual
network. That helps optimize authentication, replication, and other DC location operations. The following steps
explain how to create a site, and for more background, see Adding a New Site.
1. Open Active Directory Sites and Services: Server Manager > Tools > Active Directory Sites and Services.
2. Create a site to represent the region where you created an Azure virtual network: click Sites > Action > New
site > type the name of the new site, such as Azure US West > select a site link > OK.
3. Create a subnet and associate with the new site: double-click Sites > right-click Subnets > New subnet >
type the IP address range of the virtual network (such as 10.1.0.0/16 in the scenario diagram) > select the new
Azure site > OK.
Virtual Network Details Name: Type a name for the virtual network, such as
WestUSVNet.
Region: Choose the closest region.
DNS and VPN connectivity DNS Servers: Specify the name and IP address of one
or more on-premises DNS servers.
Connectivity: Select Configure a site-to-site VPN.
Local network: Specify a new local network.
If you are using ExpressRoute instead of a VPN, see
Configure an ExpressRoute Connection through an
Exchange Provider.
Virtual network address spaces Address Space: Specify the IP address range for VMs
that you want to run in the Azure virtual network
(such as 10.1.0.0/16 in the scenario diagram). This
address range cannot overlap with the address ranges
of the on-premises network.
Subnets: Specify a name and address for a subnet for
the application servers (such as Frontend, 10.1.1.0/24)
and for the DCs (such as Backend, 10.1.2.0/24).
Click add gateway subnet.
2. Next, you'll configure the virtual network gateway to create a secure site-to-site VPN connection. See Configure
a Virtual Network Gateway for the instructions.
3. Create the site-to-site VPN connection between the new virtual network and an on-premises VPN device. See
Configure a Virtual Network Gateway for the instructions.
Virtual Machine Configuration Virtual Machine Name: Type a single label name (such
as AzureDC1).
New User Name: Type the name of a user. This user
will be a member of the local Administrators group on
the VM. You will need this name to sign in to the VM
for the first time. The built-in account named
Administrator will not work.
New Password/Confirm: Type a password
Virtual Machine Configuration Cloud Service: Choose Create a new cloud service
for the first VM and select that same cloud service
name when you create more VMs that will host the
DC role.
Cloud Service DNS Name: Specify a globally unique
name
Region/Affinity Group/Virtual Network: Specify the
virtual network name (such as WestUSVNet).
Storage Account: Choose Use an automatically
generated storage account for the first VM and
then select that same storage account name when
you create more VMs that will host the DC role.
Availability Set: Choose Create an availability set.
Availability set name: Type a name for the availability
set when you create the first VM and then select that
same name when you create more VMs.
Virtual Machine Configuration Select Install the VM Agent and any other extensions
you need.
2. Attach a disk to each VM that will run the DC server role. The additional disk is needed to store the AD
database, logs, and SYSVOL. Specify a size for the disk (such as 10 GB) and leave the Host Cache Preference
set to None. For the steps, see How to Attach a Data Disk to a Windows Virtual Machine.
3. After you first sign in to the VM, open Server Manager > File and Storage Services to create a volume on
this disk using NTFS.
4. Reserve a static IP address for VMs that will run the DC role. To reserve a static IP address, download the
Microsoft Web Platform Installer and install Azure PowerShell and run the Set-AzureStaticVNetIP cmdlet.
For example:
'Get-AzureVM -ServiceName AzureDC1 -Name AzureDC1 | Set-AzureStaticVNetIP -IPAddress 10.0.0.4 |
Update-AzureVM
For more information about setting a static IP address, see Configure a Static Internal IP Address for a VM.
Virtual Machine Configuration Virtual Machine Name: Type a single label name (such
as AppServer1).
New User Name: Type the name of a user. This user
will be a member of the local Administrators group on
the VM. You will need this name to sign in to the VM
for the first time. The built-in account named
Administrator will not work.
New Password/Confirm: Type a password
ON THIS WIZARD PAGE SPECIFY THESE VALUES
Virtual Machine Configuration Cloud Service: Choose Create a new cloud service
for the first VM and select that same cloud service
name when you create more VMs that will host the
application.
Cloud Service DNS Name: Specify a globally unique
name
Region/Affinity Group/Virtual Network: Specify the
virtual network name (such as WestUSVNet).
Storage Account: Choose Use an automatically
generated storage account for the first VM and
then select that same storage account name when
you create more VMs that will host the application.
Availability Set: Choose Create an availability set.
Availability set name: Type a name for the availability
set when you create the first VM and then select that
same name when you create more VMs.
Virtual Machine Configuration Select Install the VM Agent and any other extensions
you need.
2. After each VM is provisioned, sign in and join it to the domain. In Server Manager, click Local Server >
WORKGROUP > Change and then select Domain and type the name of your on-premises domain. Provide
credentials of a domain user, and then restart the VM to complete the domain join.
To create the VMs by using Windows PowerShell instead of the UI, see Use Azure PowerShell to create and
preconfigure Windows-based Virtual Machines.
For more information about using Windows PowerShell, see Get Started with Azure Cmdlets and Azure Cmdlet
Reference.
Additional resources
Guidelines for Deploying Windows Server Active Directory on Azure Virtual Machines
How to upload existing on-premises Hyper-V domain controllers to Azure by using Azure PowerShell
Install a new Active Directory forest on an Azure virtual network
Azure Virtual Network
Microsoft Azure IT Pro IaaS: (01) Virtual Machine Fundamentals
Microsoft Azure IT Pro IaaS: (05) Creating Virtual Networks and Cross-Premises Connectivity
Azure PowerShell
Azure Management Cmdlets
Install a new Active Directory forest on an Azure
virtual network
1/17/2017 7 min to read Edit on GitHub
This topic shows how to create a new Windows Server Active Directory environment on an Azure virtual network
on a virtual machine (VM) on an Azure virtual network. In this case, the Azure virtual network is not connected to
an on-premises network.
You might also be interested in these related topics:
For a video that shows these steps, see How to install a new Active Directory forest on an Azure virtual
network
You can optionally configure a site-to-site VPN and then either install a new forest or extend an on-premises
forest to an Azure virtual network. For those steps, see Install a Replica Active Directory Domain Controller in
an Azure Virtual Network.
For conceptual guidance about installing Active Directory Domain Services (AD DS) on an Azure virtual
network, see Guidelines for Deploying Windows Server Active Directory on Azure Virtual Machines.
Scenario Diagram
In this scenario, external users need to access applications that run on domain-joined servers. The VMs that run
the application servers and the VMs that run domain controllers are installed installed in their own cloud service
in an Azure virtual network. They are also included within an availability set for improved fault tolerance.
IP address for the domain Assign static IP address on the network Run the Set-AzureStaticVNetIP cmdlet
controller adapter properties to assign a static IP address
DNS client resolver Set Preferred and Alternate DNS server Set DNS server address on the the
address on the network adapter virtual network properties
properties of domain members
Active Directory database storage Optionally change the default storage You need to change default storage
location from C:\ location from C:\
Virtual Network Details Name: Enter a name for your virtual network
Region: Choose the closest region
Virtual network address spaces Subnet name: Enter a name for your subnet
Starting IP: 10.0.0.0
CIDR: /24 (256)
Create VMs to run the domain controller and DNS server roles
Repeat the following steps to create VMs to host the DC role as needed. You should deploy at least two virtual
DCs to provide fault tolerance and redundancy. If the Azure virtual network includes at least two DCs that are
similarly configured (that is, they are both GCs, run DNS server, and neither holds any FSMO role, and so on) then
place the VMs that run those DCs in an availability set for improved fault tolerance.
To create the VMs by using Windows PowerShell instead of the UI, see Use Azure PowerShell to create and
preconfigure Windows-based Virtual Machines.
1. In the classic portal, click New > Compute > Virtual Machine > From Gallery. Use the following values
to complete the wizard. Accept the default value for a setting unless another value is suggested or required.
Virtual Machine Configuration Virtual Machine Name: Type a single label name (such
as AzureDC1).
New User Name: Type the name of a user. This user
will be a member of the local Administrators group
on the VM. You will need this name to sign in to the
VM for the first time. The built-in account named
Administrator will not work.
New Password/Confirm: Type a password
Virtual Machine Configuration Cloud Service: Choose Create a new cloud service
for the first VM and select that same cloud service
name when you create more VMs that will host the
DC role.
Cloud Service DNS Name: Specify a globally unique
name
Region/Affinity Group/Virtual Network: Specify the
virtual network name (such as WestUSVNet).
Storage Account: Choose Use an automatically
generated storage account for the first VM and
then select that same storage account name when
you create more VMs that will host the DC role.
Availability Set: Choose Create an availability set.
Availability set name: Type a name for the availability
set when you create the first VM and then select that
same name when you create more VMs.
Virtual Machine Configuration Select Install the VM Agent and any other
extensions you need.
2. Attach a disk to each VM that will run the DC server role. The additional disk is needed to store the AD
database, logs, and SYSVOL. Specify a size for the disk (such as 10 GB) and leave the Host Cache Preference
set to None. For the steps, see How to Attach a Data Disk to a Windows Virtual Machine.
3. After you first sign in to the VM, open Server Manager > File and Storage Services to create a volume on
this disk using NTFS.
4. Reserve a static IP address for VMs that will run the DC role. To reserve a static IP address, download the
Microsoft Web Platform Installer and install Azure PowerShell and run the Set-AzureStaticVNetIP cmdlet.
For example:
Get-AzureVM -ServiceName AzureDC1 -Name AzureDC1 | Set-AzureStaticVNetIP -IPAddress 10.0.0.4 | Update-
AzureVM
For more information about setting a static IP address, see Configure a Static Internal IP Address for a VM.
Virtual Machine Configuration Virtual Machine Name: Type a single label name (such
as AppServer1).
New User Name: Type the name of a user. This user
will be a member of the local Administrators group
on the VM. You will need this name to sign in to the
VM for the first time. The built-in account named
Administrator will not work.
New Password/Confirm: Type a password
Virtual Machine Configuration Cloud Service: Choose Create a new cloud service
for the first VM and select that same cloud service
name when you create more VMs that will host the
application.
Cloud Service DNS Name: Specify a globally unique
name
Region/Affinity Group/Virtual Network: Specify the
virtual network name (such as WestUSVNet).
Storage Account: Choose Use an automatically
generated storage account for the first VM and
then select that same storage account name when
you create more VMs that will host the application.
Availability Set: Choose Create an availability set.
Availability set name: Type a name for the availability
set when you create the first VM and then select that
same name when you create more VMs.
ON THIS WIZARD PAGE SPECIFY THESE VALUES
Virtual Machine Configuration Select Install the VM Agent and any other
extensions you need.
2. After each VM is provisioned, sign in and join it to the domain. In Server Manager, click Local Server >
WORKGROUP > Change and then select Domain and type the name of your on-premises domain. Provide
credentials of a domain user, and then restart the VM to complete the domain join.
To create the VMs by using Windows PowerShell instead of the UI, see Use Azure PowerShell to create and
preconfigure Windows-based Virtual Machines.
For more information about using Windows PowerShell, see Get Started with Azure Cmdlets and Azure Cmdlet
Reference.
See Also
How to install a new Active Directory forest on an Azure virtual network
Guidelines for Deploying Windows Server Active Directory on Azure Virtual Machines
Configure a Site-to-Site VPN
Install a Replica Active Directory Domain Controller in an Azure virtual network
Microsoft Azure IT Pro IaaS: (01) Virtual Machine Fundamentals
Microsoft Azure IT Pro IaaS: (05) Creating Virtual Networks and Cross-Premises Connectivity
Virtual Network Overview
How to install and configure Azure PowerShell
Azure PowerShell
Azure Cmdlet Reference
Set Azure VM Static IP Address
How to assign Static IP to Azure VM
Install a New Active Directory Forest
Introduction to Active Directory Domain Services (AD DS) Virtualization (Level 100)
Azure Active Directory Hybrid Identity Design
Considerations
1/17/2017 3 min to read Edit on GitHub
Consumer-based devices are proliferating the corporate world, and cloud-based software-as-a-service (SaaS)
applications are easy to adopt. As a result, maintaining control of users application access across internal
datacenters and cloud platforms is challenging. Microsofts identity solutions span on-premises and cloud-based
capabilities, creating a single user identity for authentication and authorization to all resources, regardless of
location. We call this Hybrid Identity. There are different design and configuration options for hybrid identity
using Microsoft solutions, and in some case it might be difficult to determine which combination will best meet
the needs of your organization. This Hybrid Identity Design Considerations Guide will help you to understand
how to design a hybrid identity solution that best fits the business and technology needs for your organization.
This guide will detail a series of steps and tasks that you can follow to help you design a hybrid identity solution
that meets your organizations unique requirements. Throughout the steps and tasks, the guide will present the
relevant technologies and feature options available to organizations to meet functional and service quality (such
as availability, scalability, performance, manageability, and security) level requirements. Specifically, the hybrid
identity design considerations guide goals are to answer the following questions:
What questions do I need to ask and answer to drive a hybrid identity-specific design for a technology or
problem domain that best meets my requirements?
What sequence of activities should I complete to design a hybrid identity solution for the technology or
problem domain?
What hybrid identity technology and configuration options are available to help me meet my requirements?
What are the trade-offs between those options so that I can select the best option for my business?
Plan for enhancing data security through strong identity Determine data protection requirements
solution Determine content management requirements
Determine access control requirements
Determine incident response requirements
Define data protection strategy
Plan for hybrid identity lifecycle Determine hybrid identity management tasks
Synchronization Management
Determine hybrid identity management adoption strategy
The first step in designing a hybrid identity solution is to determine the requirements for the business organization
that will be leveraging this solution. Hybrid identity starts as a supporting role (it supports all other cloud solutions
by providing authentication) and goes on to provide new and interesting capabilities that unlock new workloads for
users. These workloads or services that you wish to adopt for your users will dictate the requirements for the
hybrid identity design. These services and workloads need to leverage hybrid identity both on-premises and in the
cloud.
You need to go over these key aspects of the business to understand what it is a requirement now and what the
company plans for the future. If you dont have the visibility of the long term strategy for hybrid identity design,
chances are that your solution will not be scalable as the business needs grow and change. T he diagram below
shows an example of a hybrid identity architecture and the workloads that are being unlocked for users. This is just
an example of all the new possibilities that can be unlocked and delivered with a solid hybrid identity strategy.
Some components that are part of the hybrid identity architecture
NOTE
If you dont have an accurate mapping of all your apps and cloud services, you can use the Cloud App Discovery tool. This
tool can provide your IT department with visibility into all your organizations business and consumer cloud apps. That makes
it easier than ever to discover shadow IT in your organization, including details on usage patterns and any users accessing
your cloud applications. To access this tool go to https://appdiscovery.azure.com
NOTE
Make sure to take notes of each answer and understand the rationale behind the answer. Determine incident response
requirements will go over the options available and pros/cons of each option. By having answered those questions you will
select which option best suits your business needs.
Next steps
Determine directory synchronization requirements
See also
Design considerations overview
Determine directory synchronization requirements
1/17/2017 3 min to read Edit on GitHub
Synchronization is all about providing users an identity in the cloud based on their on-premises identity. Whether
or not they will use synchronized account for authentication or federated authentication, the users will still need to
have an identity in the cloud. This identity will need to be maintained and updated periodically. The updates can
take many forms, from title changes to password changes.
Start by evaluating the organizations on-premises identity solution and user requirements. This evaluation is
important to define the technical requirements for how user identities will be created and maintained in the cloud.
For a majority of organizations, Active Directory is on-premises and will be the on-premises directory that users
will by synchronized from, however in some cases this will not be the case.
Make sure to answer the following questions:
Do you have one AD forest, multiple, or none?
How many Azure AD directories will you be synchronizing to?
1. Are you using filtering?
2. Do you have multiple Azure AD Connect servers planned?
Do you currently have a synchronization tool on-premises?
If yes, does your users if users have a virtual directory/integration of identities?
Do you have any other directory on-premises that you want to synchronize (e.g. LDAP Directory, HR database,
etc)?
Are you going to be doing any GALSync?
What is the current state of UPNs in your organization?
Do you have a different directory that users authenticate against?
Does your company use Microsoft Exchange?
Do they plan of having a hybrid exchange deployment?
Now that you have an idea about your synchronization requirements, you need to determine which tool is the
correct one to meet these requirements. Microsoft provides several tools to accomplish directory integration and
synchronization. See the Hybrid Identity directory integration tools comparison table for more information.
Now that you have your synchronization requirements and the tool that will accomplish this for your company,
you need to evaluate the applications that use these directory services. This evaluation is important to define the
technical requirements to integrate these applications to the cloud. Make sure to answer the following questions:
Will these applications be moved to the cloud and use the directory?
Are there special attributes that need to be synchronized to the cloud so these applications can use them
successfully?
Will these applications need to be re-written to take advantage of cloud auth?
Will these applications continue to live on-premises while users access them using the cloud identity?
You also need to determine the security requirements and constraints directory synchronization. This evaluation is
important to get a list of the requirements that will be needed in order to create and maintain users identities in
the cloud. Make sure to answer the following questions:
Where will the synchronization server be located?
Will it be domain joined?
Will the server be located on a restricted network behind a firewall, such as a DMZ?
Will you be able to open the required firewall ports to support synchronization?
Do you have a disaster recovery plan for the synchronization server?
Do you have an account with the correct permissions for all forests you want to synch with?
If your company doesnt know the answer for this question, review the section Permissions for
password synchronization in the article Install the Azure Active Directory Sync Service and determine if
you already have an account with these permissions or if you need to create one.
If you have mutli-forest sync is the sync server able to get to each forest?
NOTE
Make sure to take notes of each answer and understand the rationale behind the answer. Determine incident response
requirements will go over the options available. By having answered those questions you will select which option best suits
your business needs.
Next steps
Determine multi-factor authentication requirements
See also
Design considerations overview
Determine multi-factor authentication requirements
for your hybrid identity solution
1/17/2017 2 min to read Edit on GitHub
In this world of mobility, with users accessing data and applications in the cloud and from any device, securing this
information has become paramount. Every day there is a new headline about a security breach. Although, there is
no guarantee against such breaches, multi-factor authentication, provides an additional layer of security to help
prevent these breaches. Start by evaluating the organizations requirements for multi-factor authentication. That is,
what is the organization trying to secure. This evaluation is important to define the technical requirements for
setting up and enabling the organizations users for multi-factor authentication.
NOTE
If you are not familiar with MFA and what it does, it is strongly recommended that you read the article What is Azure Multi-
Factor Authentication? prior to continue reading this section.
See also
Design considerations overview
Determine hybrid identity lifecycle adoption strategy
1/17/2017 9 min to read Edit on GitHub
In this task, youll define the identity management strategy for your hybrid identity solution to meet the business
requirements that you defined in Determine hybrid identity management tasks.
To define the hybrid identity management tasks according to the end-to-end identity lifecycle presented earlier in
this step, you will have to consider the options available for each lifecycle phase.
LIFECYCLE MANAGEMENT
PHASE ON PREMISES CLOUD HYBRID
LIFECYCLE MANAGEMENT
PHASE ON PREMISES CLOUD HYBRID
Account Management and By using the Active You have to create an Extend Active Directory
Provisioning Directory Domain Services account for every user who identities into the cloud
(AD DS) server role, you can will access a Microsoft cloud through synchronization and
create a scalable, secure, and service. You can also change federation
manageable infrastructure user accounts or delete
for user and resource them when theyre no
management, and provide longer needed. By default,
support for directory- users do not have
enabled applications such as administrator permissions,
Microsoft Exchange Server. but you can optionally
assign them. For more
You can provision groups in information, see Managing
AD DS through an Identity Users in Azure AD.
manager
You can provision users in Within Azure Active
AD DS Directory, one of the major
features is the ability to
Administrators can use manage access to resources.
access control to manage These resources can be part
user access to shared of the directory, as in the
resources for security case of permissions to
purposes. In Active manage objects through
Directory, access control is roles in the directory, or
administered at the object resources that are external
level by setting different to the directory, such as
levels of access, or SaaS applications, Azure
permissions, to objects, such services, and SharePoint
as Full Control, Write, Read, sites or on premise
or No Access. Access control resources.
in Active Directory defines
how different users can use At the center of Azure Active
Active Directory objects. By Directorys access
default, permissions on management solution is the
objects in Active Directory security group. The resource
are set to the most secure owner (or the administrator
setting. of the directory) can assign a
group to provide a certain
access right to the resources
they own. The members of
the group will be provided
the access, and the resource
owner can delegate the right
to manage the members list
of a group to someone else
such as a department
manager or a helpdesk
administrator
License management
Group-based license management in Azure AD lets administrators assign users to a security group and Azure AD
automatically assigns licenses to all the members of the group. If a user is subsequently added to, or removed from
the group, a license will be automatically assigned or removed as appropriate.
You can use groups you synchronize from on-premises AD or manage in Azure AD. Pairing this up with Azure AD
premium Self-Service Group Management you can easily delegate license assignment to the appropriate decision
makers. You can be assured that problems like license conflicts and missing location data are automatically sorted
out.
NOTE
For more information, see Setting up Azure AD for self service application access management
Federation-based (through AD FS) Enabled by Security Token Service (STS). Requires specialized personnel for
When you configure an STS to provide deployment and maintenance of
single sign-on access with a Microsoft dedicated on-prem AD FS servers. There
cloud service, you will be creating a are restrictions on the use of strong
federated trust between your on- authentication if you plan to use AD FS
premises STS and the federated domain for your STS. For more information, see
youve specified in your Azure AD Configuring Advanced Options for AD
tenant. FS 2.0.
Allows end users to use the same set of
credentials to obtain access to multiple
resources
end users do not have to maintain
multiple sets of credentials. Yet, the
users have to provide their credentials
to each one of the participating
resources.,B2B and B2C scenarios
supported.
NOTE
For more information see, Integrating your on-premises identities with Azure Active Directory.
See Also
Design considerations overview
Define data protection strategy for your hybrid
identity solution
1/17/2017 14 min to read Edit on GitHub
In this task, youll define the data protection strategy for your hybrid identity solution to meet the business
requirements that you defined in:
Determine data protection requirements
Determine content management requirements
Determine access control requirements
Determine incident response requirements
VM-to-VM Encryption X
SSL/TLS X
VPN X
NOTE
Read Compliance by Feature at Microsoft Azure Trust Center to know more about the certifications that each Azure service
is compliant with. Since the options for data protection use a multilayer approach, comparison between those options are
not applicable for this task. Ensure that you are leveraging all options available for each state that the data will be.
Centralized on-premises (Active Full control over the server Higher,maintenance (keep up with
Directory Rights Management Server) infrastructure responsible for classifying updates, configuration and potential
the data upgrades),since IT owns the Server
Built-in capability in Windows Server, Require a server infrastructure on-
no need for extra license or subscription premises
Can be integrated with Azure AD in a Doesntleverage Azure capabilities
hybrid scenario natively
Supports information rights
management (IRM) capabilities in
Microsoft Online services such as
Exchange Online and SharePoint
Online, as well as Office 365
Supports on-premises Microsoft server
products, such as Exchange Server,
SharePoint Server, and file servers that
run Windows Server and File
Classification Infrastructure (FCI).
Centralized in the cloud (Azure RMS) Easier to manage compared to the on- Your organization must have a cloud
premises solution subscription that supports RMS
Can be integrated with AD DS in a Your organization must have an Azure
hybrid scenario AD directory to support user
Fully integrated with Azure AD authentication for RMS
Doesnt require a server on-premises in
order to deploy the service
Supports on-premises Microsoft server
products such as Exchange Server,
SharePoint,Server, and file servers that
run Windows Server and File
Classification,Infrastructure (FCI)
IT,can have complete control over their
tenants key with BYOK capability.
Hybrid (Azure RMS integrated with,On- This scenario accumulates the Your organization must have a cloud
Premises Active Directory Rights advantages of both, centralized on- subscription that supports RMS
Management Server) premises and in the cloud. Your organization must have an Azure
AD directory to support user
authentication for RMS,
Requires a connection between Azure
cloud service and on-premises
infrastructure
NOTE
read Azure Active Directory Authentication Protocols to know more details about each protocol and its capabilities in Azure.
Using the Azure AD support, mobile business applications can use the same easy Mobile Services authentication
experience to allow employees to sign into their mobile applications with their corporate Active Directory
credentials. With this feature, Azure AD is supported as an identity provider in Mobile Services alongside with the
other identity providers we already support (which include Microsoft Accounts, Facebook ID, Google ID, and
Twitter ID). If the on-premises apps uses the users credential located at the companys AD DS, the access from
partners and users coming from the cloud should be transparent. You can manage users conditional access
control to (cloud-based) web applications, web API, Microsoft cloud services, 3rd party SaaS applications, and
native (mobile) client applications, and have the benefits of security, auditing, reporting all in one place. However, it
is recommended to validate this in a non-production environment or with a limited amount of users.
TIP
it is important to mention that Azure AD does not have Group Policy as AD DS has. In order to enforce policy for devices
you will need a mobile device management solution such as Microsoft Intune.
Once the user is authenticated using Azure AD, it is important to evaluate the level of access that the user will have
it. The level of access that the user will have over a resource can vary, while Azure AD can add an additional
security layer by controlling access to some resources, you must also keep in mind that the resource itself can also
have its own access control list separately, such as the access control for files located in a File Server. The figure
below summarizes the levels of access control that you can have in a hybrid scenario:
Each interaction in the diagram showed in Figure X represents one access control scenario that can be covered by
Azure AD. Below you have a description of each scenario:
1.Conditional Access to applications that are hosted on-premises: You can use registered devices with access
policies for applications that are configured to use AD FS with Windows Server 2012 R2. For more information
about setting up conditional access for on-premises, see Setting up On-premises Conditional Access using Azure
Active Directory Device Registration. 2.Access Control to Azure Management Portal: Azure also has the capability
to control access to the Management Portal by using RBAC (Role Based Access Control). This method enables the
company to restrict the amount of operations that an individual can do once he has access to Azure Management
Portal. By using RBAC to control access to the portal, IT Admins ca delegate access by using the following access
management approaches:
Group-based role assignment: You can assign access to Azure AD groups that can be synced from your local
Active Directory. This enables you to leverage the existing investments that your organization has made in
tooling and processes for managing groups. You can also use the delegated group management feature of
Azure AD Premium.
Leverage built in roles in Azure: You can use three roles Owner, Contributor, and Reader, to ensure that
users and groups have permission to do only the tasks they need to do their jobs.
Granular access to resources: You can assign roles to users and groups for a particular subscription, resource
group, or an individual Azure resource such as a website or database. In this way, you can ensure that users
have access to all the resources they need and no access to resources that they do not need to manage.
NOTE
read Role-based access control in Azure to know more details about this capability. For developers that are building
applications and want to customize the access control for them, it is also possible to use Azure AD Application Roles for
authorization. Review this WebApp-RoleClaims-DotNet example on how to build your app to use this capability.
3.Conditional Access for Office 365 applications with Microsoft Intune: IT admins can provision conditional access
device policies to secure corporate resources, while at the same time allowing information workers on compliant
devices to access the services. For more information, see Conditional Access Device Policies for Office 365 services.
4.Conditional Access for Saas apps: This feature allows you to configure per-application multi-factor authentication
access rules and the ability to block access for users not on a trusted network. You can apply the multi-factor
authentication rules to all users that are assigned to the application, or only for users within specified security
groups. Users may be excluded from the multi-factor authentication requirement if they are accessing the
application from an IP address that in inside the organizations network.
Since the options for access control use a multilayer approach, comparison between those options are not
applicable for this task. Ensure that you are leveraging all options available for each scenario that requires you to
control access to your resources.
TIP
Another report that can also help the Incident Response team working on a case is the user with leaked credentials report.
This report surfaces any matches between these leaked credentials list and your tenant.
Other important built in reports in Azure AD that can be used during an incident response investigation and are:
Password reset activity: provide the admin with insights into how actively password reset is being used in the
organization.
Password reset registration activity: provides insights into which users have registered their methods for
password reset, and which methods they have selected.
Group activity: provides a history of changes to the group (ex: users added or removed) that were initiated in
the Access Panel.
In addition to the core reporting capability available in Azure AD Premium that can be leveraged during an
Incident Response investigation process, IT can also leverage Audit Report to obtain information such as:
Changes in role membership (ex: user added to Global Admin role)
Credential updates (ex: password changes)
Domain management (ex: verifying a custom domain, removing a domain)
Adding or removing applications
User management (ex: adding, removing, updating a user)
Adding or removing licenses
Since the options for incident response use a multilayer approach, comparison between those options are not
applicable for this task. Ensure that you are leveraging all options available for each scenario that requires you to
use Azure AD reporting capability as part of your companys incident response process.
Next steps
Determine hybrid identity management tasks
See Also
Design considerations overview
Plan for enhancing data security through strong
identity solution
1/17/2017 4 min to read Edit on GitHub
The first step to protect the data is identify who can access that data and as part of this process you need to have
an identity solution that can integrates with your system to provide authentication and authorization capabilities.
Authentication and authorization are often confused with each other and their roles misunderstood. In reality they
are quite different, as shown in the figure below:
NOTE
Once you finish planning for data security, review Determine multi-factor authentication requirements to ensure that your
selections regarding multi-factor authentication requirements were not affected by the decisions you made in this section.
Compliance
Regulations, laws and regulatory compliance requirements will vary according to the industry that your company
belongs. Companies in high regulated industries must address identity-management concerns related to
compliance issues. Regulations such as Sarbanes-Oxley (SOX), the Health Insurance Portability and Accountability
Act (HIPAA), the Gramm-Leach-Bliley Act (GLBA) and the Payment Card Industry Data Security Standard (PCI DSS)
are very strict regarding identity and access. The hybrid identity solution that your company will adopt must have
the core capabilities that will fulfill the requirements of one or more of these regulations. For this area, ensure that
the following questions are asked:
Is the hybrid identity solution compliant with the regulatory requirements for your business?
Does the hybrid identity solution has built in capabilities that will enable your company to be compliant
regulatory requirements?
NOTE
Make sure to take notes of each answer and understand the rationale behind the answer. Define Data Protection Strategy
will go over the options available and advantages/disadvantages of each option. By having answered those questions you
will select which option best suits your business needs.
Next steps
Determine content management requirements
See Also
Design considerations overview
Determine content management requirements for
your hybrid identity solution
1/17/2017 2 min to read Edit on GitHub
Understanding the content management requirements for your business may direct affect your decision on which
hybrid identity solution to use. With the proliferation of multiple devices and the capability of users to bring their
own devices (BYOD), the company must protect its own data but it also must keep users privacy intact. Usually
when a user has his own device he might have also multiple credentials that will be alternating according to the
application that he uses. It is important to differentiate what content was created using personal credentials versus
the ones created using corporate credentials. Your identity solution should be able to interact with cloud services
to provide a seamless experience to the end user while ensure his privacy and increase the protection against data
leakage.
Your identity solution will be leveraged by different technical controls in order to provide content management as
shown in the figure below:
NOTE
Read data classification for cloud readiness for more information about best practices and guidelines for data classification.
When planning your hybrid identity solution ensure that the following questions are answered according to your
organizations requirements:
Does your company have security controls in place to enforce data privacy?
If yes, will those security controls be able to integrate with the hybrid identity solution that you are going
to adopt?
Does your company use data classification?
If yes, is the current solution able to integrate with the hybrid identity solution that you are going to
adopt?
Does your company currently have any solution for data leakage?
If yes, is the current solution able to integrate with the hybrid identity solution that you are going to
adopt?
Does your company need to audit access to resources?
If yes, what type of resources?
If yes, what level of information is necessary?
If yes, where the audit log must reside? On-premises or in the cloud?
Does your company need to encrypt any emails that contain sensitive data (SSNs, credit card numbers, etc)?
Does your company need to encrypt all documents/contents shared with external business partners?
Does your company need to enforce corporate policies on certain kinds of emails (do no reply all, do not
forward)?
NOTE
Make sure to take notes of each answer and understand the rationale behind the answer. Define Data Protection Strategy
will go over the options available and advantages/disadvantages of each option. By having answered those questions you
will select which option best suits your business needs.
Next steps
Determine access control requirements
See Also
Design considerations overview
Determine access control requirements for your
hybrid identity solution
1/17/2017 3 min to read Edit on GitHub
When an organization is designing their hybrid identity solution they can also use this opportunity to review
access requirements for the resources that they are planning to make it available for users. The data access cross
all four pillars of identity, which are:
Administration
Authentication
Authorization
Auditing
The sections that follows will cover authentication and authorization in more details, administration and auditing
are part of the hybrid identity lifecycle. Read Determine hybrid identity management tasks for more information
about these capabilities.
NOTE
Read The Four Pillars of Identity - Identity Management in the Age of Hybrid IT for more information about each one of
those pillars.
Access Control
While authentication and authorization are core elements to enable access to corporate data through users
validation, it is also important to control the level of access that these users will have and the level of access
administrators will have over the resources that they are managing. Your hybrid identity solution must be able to
provide granular access to resources, delegation and role base access control. Ensure that the following question
are answered regarding access control:
Does your company have more than one user with elevated privilege to manage your identity system?
If yes, does each user need the same access level?
Would your company need to delegate access to users to manage specific resources?
If yes, how frequently this happens?
Would your company need to integrate access control capabilities between on-premises and cloud resources?
Would your company need to limit access to resources according to some conditions?
Would your company have any application that needs custom control access to some resources?
If yes, where are those apps located (on-premises or in the cloud)?
If yes, where are those target resources located (on-premises or in the cloud)?
NOTE
Make sure to take notes of each answer and understand the rationale behind the answer. Define Data Protection Strategy
will go over the options available and advantages/disadvantages of each option. By answering those questions you will select
which option best suits your business needs.
Next steps
Determine incident response requirements
See Also
Design considerations overview
Determine incident response requirements for your
hybrid identity solution
1/17/2017 3 min to read Edit on GitHub
Large or medium organizations most likely will have a security incident response in place to help IT take actions
accordingly to the level of incident. The identity management system is an important component in the incident
response process because it can be used to help identifying who performed a specific action against the target.
The hybrid identity solution must be able to provide monitoring and reporting capabilities that can be leveraged
by IT to take actions to identify and mitigate a potential threat. In a typical incident response plan you will have the
following phases as part of the plan:
1. Initial assessment.
2. Incident communication.
3. Damage control and risk reduction.
4. Identification of what it was compromise and severity.
5. Evidence preservation.
6. Notification to appropriate parties.
7. System recovery.
8. Documentation.
9. Damage and cost assessment.
10. Process and plan revision.
During the identification of what it was compromise and severity- phase, it will be necessary to identify the
systems that have been compromised, files that have been accessed and determine the sensitivity of those files.
Your hybrid identity system should be able to fulfill these requirements to assist you identifying the user that
made those changes.
NOTE
Make sure to take notes of each answer and understand the rationale behind the answer. Define data protection strategy
will go over the options available and advantages/disadvantages of each option. By having answered those questions you
will select which option best suits your business needs.
Next steps
Define data protection strategy
See Also
Design considerations overview
Plan for Hybrid Identity Lifecycle
1/17/2017 3 min to read Edit on GitHub
Identity is one of the foundations of your enterprise mobility and application access strategy. Whether you are
signing on to your mobile device or SaaS app, your identity is the key to gaining access to everything. At its
highest level, an identity management solution encompasses unifying and syncing between your identity
repositories which includes automating and centralizing the process of provisioning resources. The identity
solution should be a centralized identity across on-premises and cloud and also use some form of identity
federation to maintain centralized authentication and securely share and collaborate with external users and
businesses. Resources range from operating systems and applications to people in, or affiliated with, an
organization. Organizational structure can be altered to accommodate the provisioning policies and procedures.
It is also important to have an identity solution geared to empower your users by providing them with self-service
experiences to keep them productive. Your identity solution is more robust if it enables single sign-on for users
across all the resources they need access Administrators at all levels can use standardized procedures for
managing user credentials. Some levels of administration can be reduced or eliminated, depending on the breadth
of the provisioning management solution. Furthermore, you can securely distribute administration capabilities,
manually or automatically, among various organizations. For example, a domain administrator can serve only the
people and resources in that domain. This user can do administrative and provisioning tasks, but is not authorized
to do configuration tasks, such as creating workflows.
To define hybrid identity management tasks, you must understand some essential characteristics of the
organization that will be adopting hybrid identity. It is important to understand the current repositories being used
for identity sources. By knowing those core elements, you will have the foundational requirements and based on
that you will need to ask more granular questions that will lead you to a better design decision for your Identity
solution.
While defining those requirements, ensure that at least the following questions are answered
Provisioning options:
Does the hybrid identity solution support a robust account access management and provisioning
system?
How are users, groups, and passwords going to be managed?
Is the identity lifecycle management responsive?
How long does password updates account suspension take?
License management:
Does the hybrid identity solution handles license management?
If yes, what capabilities are available?
Does the solution handle group-based license management?
Synchronization Management
One of the goals of an identity manager, to be able to bring all the identity providers and keep them synchronized.
You keep the data synchronized based on an authoritative master identity provider. In a hybrid identity scenario,
with a synchronized management model, you manage all user and device identities in an on-premises server and
synchronize the accounts and, optionally, passwords to the cloud. The user enters the same password on-premises
as he or she does in the cloud, and at sign-in, the password is verified by the identity solution. This model uses a
directory synchronization tool.
Next steps
Determine hybrid identity management adoption strategy
See Also
Design considerations overview
Define a hybrid identity adoption strategy
1/17/2017 11 min to read Edit on GitHub
In this task, youll define the hybrid identity adoption strategy for your hybrid identity solution to meet the business
requirements that were discussed in :
Determine business needs
Determine directory synchronization requirements
Determine multi-factor authentication requirements
The following table will help in determining the advantages and disadvantages of each of the following strategies:
Cloud identities Easier to manage for small organization. Users will need to sign-in when
Nothing to install on-premises- No accessing workloads in the cloud
additional hardware needed Passwords may or may not be the same
Easily disabled if the user leaves the for cloud and on-premises identities
company
Federated Users can have single sign-on (SSO) More steps to setup and configure
If a user is terminated or leaves, the Higher maintenance
account can,be immediately disabled May require additional hardware for the
and access revoked, STS infrastructure
Supports advanced scenarios that May require additional hardware to
cannot be,accomplished with install the federation server.Additional
synchronized software is required if AD FS is used
Require extensive setup for SSO
Critical point of failure if the federation
server is down, users wont be able to
authenticate
Client experience
The strategy that you use will dictate the user sign-in experience. The following tables provide you with information
on what the users should expect their sign-in experience to be. Note that not all federated identity providers
support SSO in all scenarios.
Doman-joined and private network applications:
Web Browsers Forms based authentication single sign on, sometimes required to
supply organization ID
Skype for Business (Lync) Prompt for credentials single-sign on for Lync, prompted
credentials for Exchange
Outlook, Skype for Business (Lync), Prompt for credentials Prompt for credentials
Skydrive Pro, Office subscription
If you have determined from task 1 that you have a 3rd party IdP or are going to use one to provide federation
with Azure AD, you need to be aware of the following supported capabilities:
Any SAML 2.0 provider which is compliant for the SP-Lite profile can support authentication to Azure AD and
associated applications
Supports passive authentication, which facilitates auth to OWA, SPO, etc.
Exchange Online clients can be supported via the SAML 2.0 Enhanced Client Profile (ECP)
You must also be aware of what capabilities will not be available:
Without WS-Trust/Federation support, all other active clients will break
That means no Lync client, OneDrive client, Office Subscription, Office Mobile prior to Office 2016
Transition of Office to passive authentication will allow them to support pure SAML 2.0 IdPs, but support will
still be on a client-by-client basis
NOTE
For the most updated list read the article http://aka.ms/ssoproviders.
Supported topologies
When defining a synchronization strategy, the topology that is used must be determined. Depending on the
information that was determined in step 2 you can determine which topology is the proper one to use. The single
forest, single Azure AD topology is the most common and consists of a single Active Directory forest and a single
instance of Azure AD. This is going to be used in a majority of the scenarios and is the expected topology when
using Azure AD Connect Express installation as shown in the figure below.
Single
Forest Scenario It is very common for large and even small organizations to have multiple forests, as shown in
Figure 5.
NOTE
For more information about the different on-premises and Azure AD topologies with Azure AD Connect sync read the article
Topologies for Azure AD Connect.
Multi-Forest Scenario
If this the case then the multi-forest-single Azure AD topology should be considered if the following items are true:
Users have only 1 identity across all forests the uniquely identifying users section below describes this in
more detail.
The user authenticates to the forest in which their identity is located
UPN and Source Anchor (immutable id) will come from this forest
All forests are accessible by Azure AD Connect this means it does not need to be domain joined and can be
placed in a DMZ if this facilitates this.
Users have only one mailbox
The forest that hosts a users mailbox has the best data quality for attributes visible in the Exchange Global
Address List (GAL)
If there is no mailbox on the user, then any forest may be used to contribute these values
If you have a linked mailbox, then there is also another account in a different forest used to sign in.
NOTE
Objects that exist in both on-premises and in the cloud are connected via a unique identifier. In the context of Directory
Synchronization, this unique identifier is referred to as the SourceAnchor. In the context of Single Sign-On, this is referred to
as the ImmutableId. Design concepts for Azure AD Connect for more considerations regarding the use of SourceAnchor.
If the above are not true and you have more than one active account or more than one mailbox, Azure AD Connect
will pick one and ignore the other. If you have linked mailboxes but no other account, these accounts will not be
exported to Azure AD and that user will not be a member of any groups. This is different from how it was in the
past with DirSync and is intentional to better support these multi-forest scenarios. A multi-forest scenario is shown
in the figure below.
Even though you may have settled on a solution for your strategy, you still need to use the evaluation from above
on where your users are located. This may cause the solution to change. Use the table below to assist you
determining this:
NOTE
You should also ensure that the multi-factor authentication design option that you selected supports the features that are
required for your design. For more information read Choose the multi-factor security solution for you.
Multi-Factor Auth Provider
Multi-factor authentication is available by default for global administrators who have a Azure Active Directory
tenant. However, if you wish to extend multi-factor authentication to all of your users and/or want to your global
administrators to be able to take advantage features such as the management portal, custom greetings, and
reports, then you must purchase and configure Multi-Factor Authentication Provider.
NOTE
You should also ensure that the multi-factor authentication design option that you selected supports the features that are
required for your design.
Next steps
Determine data protection requirements
See also
Design considerations overview
Azure Active Directory hybrid identity design
considerations- next steps
1/17/2017 2 min to read Edit on GitHub
Now that youve completed defining your requirements and examining all the options for your mobile device
management solution, youre ready to take the next steps for deploying the supporting infrastructure thats right
for you and your organization.
See also
Design considerations overview
Hybrid Identity directory integration tools
comparison
1/17/2017 3 min to read Edit on GitHub
Over the years the directory integration tools have grown and evolved. This document is to help provide a
consolidated view of these tools and a comparison of the features that are available in each.
NOTE
Azure AD Connect incorporates the components and functionality previously released as Dirsync and AAD Sync. These tools
are no longer being released individually, and all future improvements will be included in updates to Azure AD Connect, so
that you always know where to get the most current functionality.
DirSync and Azure AD Sync are deprecated. More information can be found in here.
Connect to single
on-premises AD
forest
Connect to
multiple on-
premises AD
forests
Connect to
multiple on-
premises
Exchange Orgs
Connect to single FR
on-premises
LDAP directory
Connect to FR
multiple on-
premises LDAP
directories
AZURE ACTIVE
DIRECTORY AZURE ACTIVE FOREFRONT MICROSOFT
AZURE ACTIVE SYNCHRONIZATIO DIRECTORY IDENTITY IDENTITY
DIRECTORY N SERVICES (AAD SYNCHRONIZATIO MANAGER 2010 R2 MANAGER 2016
FEATURE CONNECT SYNC) N TOOL (DIRSYNC) (FIM) (MIM)
Connect to on- FR
premises AD and
on-premises
LDAP directories
Connect to FR
custom systems
(i.e. SQL, Oracle,
MySQL, etc.)
Synchronize
customer defined
attributes
(directory
extensions)
Connect to on- FR
premises HR (i.e.,
SAP, Oracle
eBusiness,People
Soft)
Supports FIM
synchronization
rules and
connectors for
provisioning to
on-premises
systems.
Writeback of
devices
Attribute
writeback (for
Exchange hybrid
deployment )
Writeback of
groups objects
AZURE ACTIVE AZURE ACTIVE FOREFRONT MICROSOFT
AZURE ACTIVE DIRECTORY DIRECTORY IDENTITY IDENTITY
DIRECTORY SYNCHRONIZATIO SYNCHRONIZATIO MANAGER 2010 R2 MANAGER 2016
FEATURE CONNECT N SERVICES N TOOL (DIRSYNC) (FIM) (MIM)
Writeback of
passwords (from
self-service
password reset
(SSPR) and
password
change)
Password Sync
for single on-
premises AD
forest
Password Sync
for multiple on-
premises AD
forests
Single Sign-on
with Federation
Writeback of
passwords (from
SSPR and
password
change)
Supports installation
on a Domain
Controller
Supports installation
using SQL Express
Localization of Admin
UX to Windows
Server languages
Localization of end
user UX to Windows
Server languages
Filter on
Domains and
Organizational
Units
Filter on objects
attribute values
Allow different
service templates
to be applied for
attribute flows
Allow removing
attributes from
flowing from AD
to Azure AD
Allow advanced
customization for
attribute flows
Next steps
Learn more about Integrating your on-premises identities with Azure Active Directory.
1 min to read
Edit on Git Hub
High availability cross-geographic AD FS deployment
in Azure with Azure Traffic Manager
1/17/2017 6 min to read Edit on GitHub
AD FS deployment in Azure provides step-by-step guideline as to how you can deploy a simple AD FS
infrastructure for your organization in Azure. This article provides the next steps to create a cross-geographic
deployment of AD FS in Azure using Azure Traffic Manager. Azure Traffic Manager helps create a geographically
spread high availability and high-performance AD FS infrastructure for your organization by making use of range
of routing methods available to suit different needs from the infrastructure.
A highly available cross-geographic AD FS infrastructure enables:
Elimination of single point of failure: With failover capabilities of Azure Traffic Manager, you can achieve a
highly available AD FS infrastructure even when one of the data centers in a part of the globe goes down
Improved performance: You can use the suggested deployment in this article to provide a high-performance
AD FS infrastructure that can help users authenticate faster.
Design principles
The basic design principles will be same as listed in Design principles in the article AD FS deployment in Azure. The
diagram above shows a simple extension of the basic deployment to another geographical region. Below are some
points to consider when extending your deployment to new geographical region
Virtual network: You should create a new virtual network in the geographical region you want to deploy
additional AD FS infrastructure. In the diagram above you see Geo1 VNET and Geo2 VNET as the two virtual
networks in each geographical region.
Domain controllers and AD FS servers in new geographical VNET: It is recommended to deploy domain
controllers in the new geographical region so that the AD FS servers in the new region do not have to contact a
domain controller in another far away network to complete an authentication and thereby improving the
performance.
Storage accounts: Storage accounts are associated with a region. Since you will be deploying machines in a
new geographic region, you will have to create new storage accounts to be used in the region.
Network Security Groups: As storage accounts, Network Security Groups created in a region cannot be used
in another geographical region. Therefore, you will need to create new network security groups similar to those
in the first geographical region for INT and DMZ subnet in the new geographical region.
DNS Labels for public IP addresses: Azure Traffic Manager can refer to endpoints ONLY via DNS labels.
Therefore, you are required to create DNS labels for the External Load Balancers public IP addresses.
Azure Traffic Manager: Microsoft Azure Traffic Manager allows you to control the distribution of user traffic to
your service endpoints running in different datacenters around the world. Azure Traffic Manager works at the
DNS level. It uses DNS responses to direct end-user traffic to globally-distributed endpoints. Clients then
connect to those endpoints directly. With different routing options of Performance, Weighted and Priority, you
can easily choose the routing option best suited for your organizations needs.
V-net to V-net connectivity between two regions: You do not need to have connectivity between the virtual
networks itself. Since each virtual network has access to domain controllers and has AD FS and WAP server in
itself, they can work without any connectivity between the virtual networks in different regions.
2. Traffic routing method: There are three routing options available in traffic manager:
Priority
Performance
Weighted
Performance is the recommended option to achieve highly responsive AD FS infrastructure.
However, you can choose any routing method best suited for your deployment needs. The AD FS
functionality is not impacted by the routing option selected. See Traffic Manager traffic routing
methods for more information. In the sample screenshot above you can see the Performance
method selected.
3. Configure endpoints: In the traffic manager page, click on endpoints and select Add. This will open an Add
endpoint page similar to the screenshot below
NOTE
Ensure that the status of the endpoints is ONLINE once the configuration is complete. If all endpoints are in
degraded state, Azure Traffic Manager will do a best attempt to route the traffic assuming that the diagnostics is
incorrect and all endpoints are reachable.
5. Modifying DNS records for Azure Traffic Manager: Your federation service should be a CNAME to the
Azure Traffic Manager DNS name. Create a CNAME in the public DNS records so that whoever is trying to
reach the federation service actually reaches the Azure Traffic Manager.
For example, to point the federation service fs.fabidentity.com to the Traffic Manager, you would need to
update your DNS resource record to be the following:
fs.fabidentity.com IN CNAME mysts.trafficmanager.net
Test the routing and AD FS sign-in
Routing test
A very basic test for the routing would be to try ping the federation service DNS name from a machine in each
geographic region. Depending on the routing method chosen, the endpoint it actually pings will be reflected in the
ping display. For example, if you selected the performance routing, then the endpoint nearest to the region of the
client will be reached. Below is the snapshot of two pings from two different region client machines, one in EastAsia
region and one in West US.
AD FS sign-in test
The easiest way to test AD FS is by using the IdpInitiatedSignon.aspx page. In order to be able to do that, it is
required to enable the IdpInitiatedSignOn on the AD FS properties. Follow the steps below to verify your AD FS
setup
1. Run the below cmdlet on the AD FS server, using PowerShell, to set it to enabled. Set-AdfsProperties -
EnableIdPInitiatedSignonPage $true
2. From any external machine access https:///adfs/ls/IdpInitiatedSignon.aspx
3. You should see the AD FS page like below:
and on successful sign-in, it will provide you with a success message as shown below:
Related links
Basic AD FS deployment in Azure
Microsoft Azure Traffic Manager
Traffic Manager traffic routing methods
Next steps
Manage an Azure Traffic Manager profile
Add, disable, enable or delete endpoints
Change signature hash algorithm for Office 365
replying party trust
1/17/2017 1 min to read Edit on GitHub
Overview
Azure Active Directory Federation Services (AD FS) signs its tokens to Microsoft Azure Active Directory to ensure
that they cannot be tampered with. This signature can be based on SHA1 or SHA256. Azure Active Directory now
supports tokens signed with an SHA256 algorithm, and we recommend setting the token-signing algorithm to
SHA256 for the highest level of security. This article describes the steps needed to set the token-signing algorithm
to the more secure SHA256 level.
AD FS PowerShell cmdlets
1. On any AD FS server, open PowerShell under administrator privileges.
2. Set the secure hash algorithm by using the Set-AdfsRelyingPartyTrust cmdlet.
Set-AdfsRelyingPartyTrust -TargetName 'Microsoft Office 365 Identity Platform' -SignatureAlgorithm
'http://www.w3.org/2001/04/xmldsig-more#rsa-sha256'
Also read
Repair Office 365 trust with Azure AD Connect
Troubleshooting: 'Active Directory' item is missing or
not available
1/17/2017 1 min to read Edit on GitHub
Many of the instructions for using Azure Active Directory features and services begin with "Go to the Azure
Management Portal and click Active Directory." But what do you do if the Active Directory extension or menu item
does not appear or if it is marked Not Available? This topic is designed to help. It describes the conditions under
which Active Directory does not appear or is unavailable and explains how to proceed.
The Active Directory item appears in the left navigation menu when any of the following conditions is true.
Otherwise, the item does not appear.
The current user signed on with a Microsoft account (formerly known as a Windows Live ID).
OR
The Azure tenant has a directory and the current account is a directory administrator.
OR
The Azure tenant has at least one Azure AD Access Control (ACS) namespace. For more information, see
Access Control Namespace.
OR
The Azure tenant has at least one Azure Multi-Factor Authentication provider. For more information, see
Administering Azure Multi-Factor Authentication Providers.
To create an Access Control namespace or a Multi-Factor Authentication provider, click +New > App Services >
Active Directory.
To get administrative rights to a directory, have an administrator assign an administrator role to your account. For
details, see Assigning administrator roles.
This article contains the usage constraints and other service limits for the Azure Active Directory (Azure AD) service.
If youre looking for the full set of Microsoft Azure service limits, see Azure Subscription and Service Limits, Quotas,
and Constraints.
Here are the usage constraints and other service limits for the Azure Active Directory service.
CATEGORY LIMITS
What's next
Sign up for Azure as an organization
How Azure subscriptions are associated with Azure AD
Integrating your on-premises identities with Azure
Active Directory
1/17/2017 7 min to read Edit on GitHub
Azure AD Connect will integrate your on-premises directories with Azure Active Directory. This allows you to
provide a common identity for your users for Office 365, Azure, and SaaS applications integrated with Azure AD.
This topic will guide you through the planning, deployment, and operation steps. It is a collection of links to the
topics related to this area.
IMPORTANT
Azure AD Connect is the best way to connect your on-premises directory with Azure AD and Office 365. This is a great time
to upgrade to Azure AD Connect from Windows Azure Active Directory Sync (DirSync) or Azure AD Sync as these tools are
now deprecated and will reach end of support on April 13, 2017.
Synchronization - This component is responsible for creating users, groups, and other objects. It is also
responsible for making sure identity information for your on-premises users and groups is matching the cloud.
AD FS - Federation is an optional part of Azure AD Connect and can be used to configure a hybrid environment
using an on-premises AD FS infrastructure. This can be used by organizations to address complex
deployments, such as domain join SSO, enforcement of AD sign-in policy, and smart card or 3rd party MFA.
Health Monitoring - Azure AD Connect Health can provide robust monitoring and provide a central location in
the Azure portal to view this activity. For additional information, see Azure Active Directory Connect Health.
SOLUTION SCENARIO
Before you start - Hardware and prerequisites Steps to complete before you start to install Azure AD
Connect.
Customized settings Used when you have multiple forests. Supports many on-
premises topologies.
Customize your sign-in option, such as ADFS for federation
or use a 3rd party identity provider.
Customize synchronization features, such as filtering and
writeback.
Upgrade from DirSync Used when you have an existing DirSync server already
running.
Upgrade from Azure AD Sync or Azure AD Connect There are several different methods depending on your
preference.
After installation you should verify it is working as expected and assign licenses to the users.
Next steps to Install Azure AD Connect
TOPIC LINK
TOPIC LINK
Accounts used for installation More about Azure AD Connect credentials and permissions
Understanding the default configuration Azure AD Connect sync: Understanding the default
configuration
Understanding users and contacts Azure AD Connect sync: Understanding Users and Contacts
Change the default configuration Best practices for changing the default configuration
Configure federation features
ADFS can be configured to support multiple domains. For example you might have multiple top domains you
need to use for federation.
if your ADFS server has not been configured to automatically update certificates from Azure AD or if you use a
non-ADFS solution, then you will be notified when you have to update certificates.
Next steps to configure federation features
TOPIC LINK
Configure ADFS with subdomains Multiple Domain Support for Federating with Azure AD
Manually updating federation certificates Renewing Federation Certificates for Office 365 and Azure AD
Compare DirSync, Azure ADSync, and Azure AD Connect Directory integration tools comparison
Additional Resources
Ignite 2015 presentation on extending your on-premises directories to the cloud.
Monitor your on-premises identity infrastructure and
synchronization services in the cloud
1/17/2017 6 min to read Edit on GitHub
Azure AD Connect Health helps you monitor and gain insight into your on-premises identity infrastructure and
the synchronization services. It enables you to maintain a reliable connection to Office 365 and Microsoft Online
Services by providing monitoring capabilities for your key identity components such as AD FS Servers, Azure AD
Connect servers (aka Sync Engine), Active Directory Domain Controllers etc. It also makes the key data points
about these components easily accessible, making it easy to get usage and other important insights to take
informed decisions.
The information is presented to you in the Azure AD Connect Health Portal. Using the Azure AD Connect Health
portal you can view alerts, performance monitoring, usage analytics and much more. Azure AD Connect Health
enables the single lens of health for your key identity components, all at one place.
Future updates to Azure AD Connect Health will include additional monitoring and insight into additional identity
components. Thus providing you a single dash board through the lens of identity, enabling you to have an even
more robust, healthy, and integrated environment that your users can take advantage of to increase their ability
to get things done.
NOTE
Remember that before you see any data in your Azure AD Connect Health Dashboard, you will need to install the Azure AD
Connect Health Agents on your targeted servers.
Quick Start by selecting this you will open the Quick Start blade. Here you will be able to download the
Azure AD Connect Health agent by choosing Get Tools, access documentation, and provide feedback.
Active Directory Federation Services this represents all of the AD FS services that Azure AD Connect
Health is currently monitoring. By selecting one of the instances, a blade will open with information about that
services instance. This information includes an overview, properties, alerts, monitoring, and usage analytics.
Read more about the capabilities here.
Azure Active Directory Connect (Sync) this represents your Azure AD Connect servers that Azure AD
Connect Health is currently monitoring. By selecting the entry, a blade will open with information about your
Azure AD Connect servers. Read more about the capabilities here.
Active Directory Domain Services this represents all of the AD DS forests that Azure AD Connect Health is
currently monitoring. By selecting one of the forests, a blade will open with information about that forest. This
information includes an overview of essential information, Domain Controllers dashboard, Replication Status
dashboard, alerts and monitoring. Read more about the capabilities here.
Configure this allows you to turn the following on or off:
1. Auto update to automatically update the Azure AD Connect Health agent to the latest version - This
means that you will be automatically updated to the latest version of the Azure AD Connect Health
Agent when they become available. This is enabled by default.
2. Allow Microsoft access to your Azure AD directorys health data for troubleshooting purposes only -
This means that if this is enabled, Microsoft will be able to see the same data that you are seeing. This
can help with troubleshooting and assistance with issues. This is disabled by default.
Related links
Azure AD Connect Health Agent Installation
Azure AD Connect Health Operations
Using Azure AD Connect Health with AD FS
Using Azure AD Connect Health for Sync
Using Azure AD Connect Health with AD DS
Azure AD Connect Health FAQ
Azure AD Connect Health Version History
Integrating with Azure Active Directory
1/17/2017 6 min to read Edit on GitHub
Azure Active Directory provides organizations with enterprise-grade identity management for cloud applications.
Azure AD integration gives your users a streamlined sign-in experience, and helps your application conform to IT
policy.
How To Integrate
There are several ways for your application to integrate with Azure AD. Take advantage of as many or as few of
these scenarios as is appropriate for your application.
Support Azure AD as a Way to Sign In to Your Application
Reduce sign in friction and reduce support costs. By using Azure AD to sign in to your application, your users
won't have one more name and password to remember. As a developer, you'll have one less password to store and
protect. Not having to handle forgotten password resets may be a significant savings alone. Azure AD powers sign
in for some of the world's most popular cloud applications, including Office 365 and Microsoft Azure. With
hundreds of millions users from millions of organizations, chances are your user is already signed in to Azure AD.
Learn more about adding support for Azure AD sign in.
Simplify sign up for your application. During sign up for your application, Azure AD can send essential
information about a user so that you can pre-fill your sign up form or eliminate it completely. Users can sign up for
your application using their Azure AD account via a familiar consent experience similar to those found in social
media and mobile applications. Any user can sign up and sign in to an application that is integrated with Azure AD
without requiring IT involvement. Learn more about signing-up your application for Azure AD Account login.
Browse for Users, Manage User Provisioning, and Control Access to Your Application
Browse for users in the directory. Use the Graph API to help users search and browse for other people in their
organization when inviting others or granting access, instead of requiring them to type email addresses. Users can
browse using a familiar address book style interface, including viewing the details of the organizational hierarchy.
Learn more about the Graph API.
Re-use Active Directory groups and distribution lists your customer is already managing. Azure AD
contains the groups that your customer is already using for email distribution and managing access. Using the
Graph API, re-use these groups instead of requiring your customer to create and manage a separate set of groups
in your application. Group information can also be sent to your application in sign in tokens. Learn more about the
Graph API.
Use Azure AD to control who has access to your application. Administrators and application owners in Azure
AD can assign access to applications to specific users and groups. Using the Graph API, you can read this list and
use it to control provisioning and de-provisioning of resources and access within your application.
Use Azure AD for Roles Based Access Control. Administrators and application owners can assign users and
groups to roles that you define when you register your application in Azure AD. Role information is sent to your
application in sign in tokens and can also be read using the Graph API. Learn more about using Azure AD for
authorization.
Get Access to User's Profile, Calendar, Email, Contacts, Files, and More
Azure AD is the authorization server for Office 365 and other Microsoft business services. If you support
Azure AD for sign in to your application or support linking your current user accounts to Azure AD user accounts
using OAuth 2.0, you can request read and write access to a user's profile, calendar, email, contacts, files, and other
information. You can seamlessly write events to user's calendar, and read or write files to their OneDrive. Learn
more about accessing the Office 365 APIs.
Promote Your Application in the Azure and Office 365 Marketplaces
Promote your application to the millions of organizations who are already using Azure AD. Users who
search and browse these marketplaces are already using one or more cloud services, making them qualified cloud
service customers. Learn more about promoting your application in the Azure Marketplace.
When users sign up for your application, it will appear in their Azure AD access panel and Office 365 app
launcher. Users will be able to quickly and easily return to your application later, improving user engagement.
Learn more about the Azure AD access panel.
Secure Device -to -Service and Service -to -Service Communication
Using Azure AD for identity management of services and devices reduces the code you need to write and
enables IT to manage access. Services and devices can get tokens from Azure AD using OAuth and use those
tokens to access web APIs. Using Azure AD you can avoid writing complex authentication code. Since the identities
of the services and devices are stored in Azure AD, IT can manage keys and revocation in one place instead of
having to do this separately in your application.
Benefits of Integration
Integration with Azure AD comes with benefits that do not require you to write additional code.
Integration with Enterprise Identity Management
Help your application comply with IT policies. Organizations integrate their enterprise identity management
systems with Azure AD, so when a person leaves an organization, they will automatically lose access to your
application without IT needing to take extra steps. IT can manage who can access your application and determine
what access policies are required - for example multi-factor authentication - reducing your need to write code to
comply with complex corporate policies. Azure AD provides administrators with a detailed audit log of who signed
in to your application so IT can track usage.
Azure AD extends Active Directory to the cloud so that your application can integrate with AD. Many
organizations around the world use Active Directory as their principal sign-in and identity management system,
and require their applications to work with AD. Integrating with Azure AD integrates your app with Active Directory.
Advanced Security Features
Multi-factor authentication. Azure AD provides native multi-factor authentication. IT administrators can require
multi-factor authentication to access your application, so that you do not have to code this support yourself. Learn
more about Multi-Factor Authentication.
Anomalous sign in detection. Azure AD processes more than a billion sign-ins a day, while using machine
learning algorithms to detect suspicious activity and notify IT administrators of possible problems. By supporting
Azure AD sign-in, your application gets the benefit of this protection. Learn more about viewing Azure Active
Directory access report.
Conditional access. In addition to multi-factor authentication, administrators can require specific conditions be
met before users can sign-in to your application. Conditions that can be set include the IP address range of client
devices, membership in specified groups, and the state of the device being used for access. Learn more about Azure
Active Directory conditional access.
Easy Development
Industry standard protocols. Microsoft is committed to supporting industry standards. Azure AD supports the
SAML 2.0, OpenID Connect 1.0, OAuth 2.0, and WS-Federation 1.2 authentication protocols. The Graph API is OData
4.0 compliant. If your application already supports the SAML 2.0 or OpenID Connect 1.0 protocols for federated
sign in, adding support for Azure AD can be straightforward. Learn more about Azure AD supported authentication
protocols.
Open source libraries. Microsoft provides fully supported open source libraries for popular languages and
platforms to speed development. The source code is licensed under Apache 2.0, and you are free to fork and
contribute back to the projects. Learn more about Azure AD authentication libraries.
Worldwide Presence and High Availability
Azure AD is deployed in datacenters around the world and is managed and monitored around the clock.
Azure AD is the identity management system for Microsoft Azure and Office 365 and is deployed in 28 datacenters
around the world. Directory data is guaranteed to be replicated to at least three datacenters. Global load balancers
ensure users access the closest copy of Azure AD containing their data, and automatically re-route requests to other
datacenters if a problem is detected.
Next Steps
Get started writing code.
Sign Users In Using Azure AD
Securing privileged access in Azure AD
1/17/2017 2 min to read Edit on GitHub
Securing privileged access is a critical first step to help protect business assets in a modern organization. Privileged
accounts are those that administer and manage IT systems. Cyber-attackers target these accounts to gain access to
an organizations data and systems. In order to secure privileged access, you should isolate the accounts and
systems from the risk of being exposed to a malicious user.
More users are starting to get privileged access through cloud services. This can include global administrators of
Office365, Azure subscription administrators, and users who have administrative access in VMs or on SaaS apps.
Microsoft recommends you follow this roadmap on Securing Privileged Access.
For customers using Azure Active Directory to manage access to Azure, Office 365, or other Microsoft services and
applications, these principles apply whether user accounts are managed and authenticated by Active Directory or in
Azure Active Directory. The following sections provide more information on Azure AD features to support securing
privileged access.
Multi-factor authentication
To increase the security of administrator authentication, you should require multi-factor authentication (MFA)
before granting privileges. MFA is a method of verifying who you are that requires the use of more than just a
username and password. It provides a second layer of security to user sign-ins and transactions.
Azure Multi-Factor Authentication helps safeguard access to data and applications while meeting user demand for
a simple sign-in process. It delivers strong authentication via a range of easy verification options including phone
calls, text messages, mobile app notifications, or verification code and 3rd party OATH tokens.
For an overview of how Azure Multi-Factor Authentication works see the following video.
For more details, see MFA for Office 365 and MFA for Azure.
Time-bound privileges
Some organizations may find that they have too many users in highly privileged roles. A user might have been
added to the role for a particular activity, like to sign up for a service, but didn't use those privileges frequently
afterward.
To lower the exposure time of privileges and increase your visibility into their use, limit users to only taking on
their privileges Just in Time (JIT), when they need to perform a task. For Azure Active Directory and Microsoft
Online Services, you can use Azure AD Privileged Identity Management (PIM).
Attack detection
Azure Active Directory Identity Protection provides a consolidated view into risk events and potential vulnerabilities
affecting your organizations identities. Based on risk events, Identity Protection calculates a user risk level for each
user, enabling you to configure risk-based policies to automatically protect the identities of your organization.
These policies, along with other conditional access controls provided by Azure Active Directory and EMS, can
automatically block the user or offer suggestions that include password resets and multi-factor authentication
enforcement.
Conditional access
With conditional access control, Azure Active Directory checks the specific conditions you choose when
authenticating a user, before allowing access to an application. Once those conditions are met, the user is
authenticated and allowed access to the application.
Related articles
Enable Azure Multi-Factor Authentication
Enable Azure AD Privileged Identity Management
Enable Azure AD Identity Protection
Enable conditional access controls
For more information on building a complete security roadmap, see the Customer responsibilities and roadmap
section of the Microsoft Cloud Security for Enterprise Architects document. For more information on engaging
Microsoft services to assist with any of these topics, contact your Microsoft representative or visit our
Cybersecurity solutions page.