Documente Academic
Documente Profesional
Documente Cultură
Overview
What is Azure Active Directory?
About Azure identity management
Understand Azure identity solutions
Choose a hybrid identity solution
Associate Azure subscriptions
FAQs
What's New
Get started
Get started with Azure AD
Sign up for Azure AD Premium
Add a custom domain name
Configure company branding
Add users to Azure AD
Assign licenses to users
Configure Self-service password reset
How to
Plan and design
Understand Azure AD architecture
Claims mapping in Azure Active Directory
Deploy a hybrid identity solution
Manage users
Add new users to Azure AD
Manage user profiles
Share accounts
Assign users to admin roles
Restore a deleted user
Add guest users from another directory (B2B)
Manage groups and members
Manage groups
Manage group members
Manage group owners
Manage group membership
Assign licenses using groups
Set up Office 365 groups expiration
View all groups
Add group access to SaaS apps
Restore a deleted Office 365 group
Manage group settings
Create advanced rules
Set up self-service groups
Troubleshoot
Manage reports
Sign-ins activity
Audit activity
Users at risk
Risky sign-ins
Risk events
FAQ
Tasks
Reference
Troubleshoot
Programmatic Access
Manage passwords
Passwords overview
User documents
SSPR How it works
SSPR Deployment guide
SSPR and Windows 10
SSPR Policies
SSPR Customization
SSPR Data requirements
SSPR Reporting
IT Admins: Reset passwords
License SSPR
Password writeback
Troubleshoot
FAQ
Manage devices
Introduction
Using the Azure portal
Plan Azure AD Join
FAQs
Tasks
Troubleshoot
Manage apps
Overview
Getting started
SaaS app integration tutorials
Cloud App Discovery
Access apps remotely with App Proxy
Manage enterprise apps
Configure Sign-In Auto-Acceleration using HRD Policy
Manage access to apps
Troubleshoot
Develop apps
Document library
Manage your directory
Azure AD Connect
Custom domain names
Administer your directory
Multiple directories
Self-service signup
Take over an unmanaged directory
Enterprise State Roaming
Integrate on-premises identities using Azure AD Connect
Manage access to Azure
Manage access overview
Resource access in Azure
Role-Based Access Control (RBAC)
Privileged Identity Management (PIM) for RBAC
Conditional access for Azure management
Managed Service Identity
Delegate access to resources
Administrator roles
Administrative units
Configure token lifetimes
Manage emergency access administrative accounts
Access reviews
Access reviews overview
Complete an access review
Create an access review
How to perform an access review
How to review your access
Guest access with access reviews
Managing user access with reviews
Managing programs and controls
Secure your identities
Conditional access
Windows Hello
Certificate-based Authentication
Azure AD Identity Protection
Privileged Identity Management
Integrate other services with Azure AD
Enable LinkedIn integration
Deploy AD DS on Azure VMs
Windows Server Active Directory on Azure VMs
Replica domain controller in an Azure virtual network
New forest on an Azure virtual network
Deploy AD FS in Azure
High availability
Change signature hash algorithm
Troubleshoot
Troubleshoot Active Directory item is missing or not available
Deploy Azure AD Proof of Concept (PoC)
PoC Playbook: Introduction
PoC Playbook: Ingredients
PoC Playbook: Implementation
PoC Playbook: Building Blocks
Reference
Code samples
Azure PowerShell cmdlets
Java API Reference
.NET API
Service limits and restrictions
Related
Multi-Factor Authentication
Azure AD Connect
Azure AD Connect Health
Azure AD for developers
Azure AD Privileged Identity Management
Resources
Azure feedback forum
Azure Roadmap
MSDN forum
Pricing
Pricing calculator
Service updates
Stack Overflow
Videos
What is Azure Active Directory?
12/11/2017 • 5 min to read • Edit Online
Azure Active Directory (Azure AD) is Microsoft’s multi-tenant, cloud based directory and identity management
service. Azure AD combines core directory services, advanced identity governance, and application access
management. Azure AD also offers a rich, standards-based platform that enables developers to deliver access
control to their applications, based on centralized policy and rules.
For IT Admins, Azure AD provides an affordable, easy to use solution to give employees and business partners
single sign-on (SSO) access to thousands of cloud SaaS Applications like Office365, Salesforce.com, DropBox, and
Concur.
For application developers, Azure AD lets you focus on building your application by making it fast and simple to
integrate with a world class identity management solution used by millions of organizations around the world.
Azure AD also includes a full suite of identity management capabilities including multi-factor authentication,
device registration, self-service password management, self-service group management, privileged account
management, role based access control, application usage monitoring, rich auditing and security monitoring and
alerting. These capabilities can help secure cloud based applications, streamline IT processes, cut costs and help
ensure that corporate compliance goals are met.
Additionally, with just four clicks, Azure AD can be integrated with an existing Windows Server Active Directory,
giving organizations the ability to leverage their existing on-premises identity investments to manage access to
cloud based SaaS applications.
If you are an Office 365, Azure or Dynamics CRM Online customer, you might not realize that you are already
using Azure AD. Every Office 365, Azure and Dynamics CRM tenant is actually already an Azure AD tenant.
Whenever you want you can start using that tenant to manage access to thousands of other cloud applications
Azure AD integrates with!
NOTE
For the pricing options of these editions, see Azure Active Directory Pricing. Azure Active Directory Premium P1, Premium
P2, and Azure Active Directory Basic are not currently supported in China. Please contact us at the Azure Active Directory
Forum for more information.
Azure Active Directory Basic - Designed for task workers with cloud-first needs, this edition provides cloud
centric application access and self-service identity management solutions. With the Basic edition of Azure
Active Directory, you get productivity enhancing and cost reducing features like group-based access
management, self-service password reset for cloud applications, and Azure Active Directory Application Proxy
(to publish on-premises web applications using Azure Active Directory), all backed by an enterprise-level SLA
of 99.9 percent uptime.
Azure Active Directory Premium P1 - Designed to empower organizations with more demanding identity
and access management needs, Azure Active Directory Premium edition adds feature-rich enterprise-level
identity management capabilities and enables hybrid users to seamlessly access on-premises and cloud
capabilities. This edition includes everything you need for information worker and identity administrators in
hybrid environments across application access, self-service identity and access management (IAM), identity
protection and security in the cloud. It supports advanced administration and delegation resources like
dynamic groups and self-service group management. It includes Microsoft Identity Manager (an on-premises
identity and access management suite) and provides cloud write-back capabilities enabling solutions like self-
service password reset for your on-premises users.
Azure Active Directory Premium P2 - Designed with advanced protection for all your users and
administrators, this new offering includes all the capabilities in Azure AD Premium P1 as well as our new
Identity Protection and Privileged Identity Management. Azure Active Directory Identity Protection leverages
billions of signals to provide risk-based conditional access to your applications and critical company data. We
also help you manage and protect privileged accounts with Azure Active Directory Privileged Identity
Management so you can discover, restrict and monitor administrators and their access to resources and
provide just-in-time access when needed.
NOTE
A number of Azure Active Directory capabilities are available through "pay as you go" editions:
Active Directory B2C is the identity and access management solution for your consumer-facing applications. For more
details, see Azure Active Directory B2C
Azure Multi-Factor Authentication can be used through per user or per authentication providers. For more details, see
What is Azure Multi-Factor Authentication?
How can I get started?
If you are an IT admin:
Try it out! - you can sign up for a free 30 day trial today and deploy your first cloud solution in under 5
minutes using this link
Read Getting started with Azure AD for tips and tricks on getting an Azure AD tenant up and running fast
If you are a developer:
Check out our Developers Guide to Azure Active Directory
Start a trial – sign up for a free 30 day trial today and start integrating your apps with Azure AD
Next steps
Learn more about the fundamentals of Azure identity and access management
Fundamentals of Azure identity management
1/9/2018 • 5 min to read • Edit Online
As more and more company digital resources live outside the corporate network, in the cloud and on devices, a
great cloud-based identity and access management solution is becoming a necessity. Cloud-based identities are
now the best way to maintain control over, and visibility into, how and when users access corporate applications
and data.
Microsoft has been securing cloud-based identities for over a decade and now, with Azure Active Directory (AD),
these same protection systems are available to you. With Azure AD, enterprise administrators can easily ensure
user and administrator accountability with better security and governance than ever before.
Azure AD Premium is a cloud-based identity and access management solution with advanced protection
capabilities that enables one secure identity for all apps, identity protection (enhanced by the Microsoft intelligence
security graph), and Privileged Identity Management. Not just another monitoring or reporting tool, Azure AD
Premium can protect your user’s identities in real time and enable you to create risk-based, adaptive access policies
to protect your organization’s data.
Watch this short video for a quick overview of Azure AD identity management and protection:
Microsoft not only provides an identity that takes you everywhere, but also a set of tools to automate, help secure,
and manage IT within your organization. Even after the advent of cloud computing, there is still demand to manage
and control IT tasks like helpdesk calls to reset user passwords, user group management, and application requests.
Complicating things further, employees are now bringing their personal devices to work and using readily available
SaaS applications. This makes maintaining control over their applications across corporate datacenters and public
cloud platforms a significant challenge.
NOTE
To learn if specific features are supported by your license type, check the Azure Active Directory Pricing information page.
Next steps
Learn more about Azure identity solutions
Understand Azure identity solutions
12/11/2017 • 12 min to read • Edit Online
Microsoft Azure Active Directory (Azure AD) is an identity and access management cloud solution that provides
directory services, identity governance, and application access management. Azure AD quickly enables single sign
on (SSO) to 1,000’s of pre-integrated commercial and custom apps in the Azure AD application gallery. Many of
these apps you probably already use such as Office 365, Salesforce.com, Box, ServiceNow, and Workday.
A single Azure AD directory is automatically associated with an Azure subscription when it is created. As the identity
service in Azure, Azure AD then provides all identity management and access control functions for cloud-based
resources. These resources can include users, apps, and groups for an individual tenant (organization) as shown in
the following diagram:
Microsoft Azure offers several ways to leverage identity as a service (IDaaS) with varying levels of complexity to
meet your individual organization’s needs. The rest of this article helps you understand basic Azure identity
terminology and concepts as well as recommendations for you to make the best choice from the available options.
Terms to know
Before you can decide on an Azure identity solution for your organization, you need a basic understanding of the
terms commonly used when talking about Azure identity services.
Azure subscription Subscriptions are used to pay for Azure cloud services and are
usually linked to a credit card. You can have several
subscriptions, but it can be difficult to share resources
between subscriptions.
Azure AD directory Each Azure tenant has a dedicated, trusted Azure AD directory
that contains the tenant’s users, groups, and applications. It is
used to perform identity and access management functions
for tenant resources. Because a unique Azure AD directory is
automatically provisioned to represent your organization
when you sign up for a Microsoft cloud service like Azure,
Microsoft Intune, or Office 365, you’ll sometimes see the
terms tenant, Azure AD, and Azure AD directory used
interchangeably.
Custom domain When you first sign up for a Microsoft cloud service
subscription, your tenant (organization) uses an
.onmicrosoft.com domain name. However, most organizations
have one or more domain names that are used to do business
and that end users use to access company resources. You can
add your custom domain name to Azure AD so that the
domain name is familiar to your users, such as
alice@contoso.com instead of
alice@contoso.onmicrosoft.com.
Azure AD account These are identities that are created by using Azure AD or
another Microsoft cloud service such as Office 365. They are
stored in Azure AD and accessible to any of the organization’s
cloud service subscriptions.
Azure subscription administrator The account administrator is the person who signed up for or
bought the Azure subscription. They can use the Account
Center to perform various management tasks like create
subscriptions, cancel subscriptions, change the billing for a
subscription, or change the Service Administrator.
Azure AD Global administrator Azure AD Global administrators have full access to all Azure
AD administrative features. The person who signs up for a
Microsoft cloud service subscription automatically becomes a
global administrator by default. You can have more than one
global administrator, but only global administrators can assign
any of the other administrator roles to users.
Microsoft account Microsoft accounts (created by you for personal use) provide
access to consumer-oriented Microsoft products and cloud
services, like Outlook (Hotmail), OneDrive, Xbox LIVE, or Office
365. These identities are created and stored in the Microsoft
consumer identity account system run by Microsoft.
Concepts to understand
Now that you know the basic Azure identity terms, you should learn more about these Azure identity concepts that
help you make an informed Azure identity service decision.
CONCEPT TO UNDERSTAND DESCRIPTION
How Azure subscriptions are associated with Azure Active Every Azure subscription has a trust relationship with an Azure
Directory AD directory to authenticate users, services, and devices.
Multiple subscriptions can trust the same Azure AD directory,
but a subscription will only trust a single Azure AD directory.
This trust relationship is unlike the relationship that a
subscription has with other Azure resources (websites,
databases, and so on), which are more like child resources of a
subscription. If a subscription expires, then access to resources
associated with the subscription other than Azure AD also
stops. However, the Azure AD directory remains in Azure, so
that you can associate another subscription with that directory
and continue to manage tenant resources.
How Azure AD licensing works When you purchase or activate Enterprise Mobility Suite,
Azure AD Premium, or Azure AD Basic, your directory is
updated with the subscription, including its validity period and
prepaid licenses. Once the subscription is active, the service
can be managed by Azure AD global administrators and used
by licensed users. Your subscription information, including the
number of assigned or available licenses, is available in the
Azure portal from the Azure Active Directory > Licenses
blade. This is also the best place to manage your license
assignments.
Role-Based Access Control in the Azure portal Azure Role-Based Access Control (RBAC) helps provide fine-
grained access management for Azure resources. Too many
permissions can expose and account to attackers. Too few
permissions means that employees can’t get their work done
efficiently. Using RBAC, you can give employees the exact
permissions they need based on three basic roles that apply to
all resource groups: owner, contributor, reader. You can also
create up to 2,000 of your own custom RBAC roles to meet
your specific needs.
TIP
Want to learn more about using Azure AD identity management with Office 365? Get the e-book.
TIP
To learn more about how CIOs have made Azure Active Directory a central part of their IT strategies, download the CIO’s
Guide to Azure Active Directory.
My organization has made large investments in on-premises The most widely used Azure identity solution is hybrid identity.
Windows Server Active Directory, but we want to extend If you’ve already made investments in on-premises AD DS,
identity to the cloud. you can easily extend identity to the cloud using Azure AD
Connect.
My business was born in the cloud and we have no Azure Active Directory is the best choice for cloud-only
investments in on-premises identity solutions. businesses with no on-premises investments.
I need lightweight Azure VM configuration and control to Azure AD Domain Services is a good choice if you need to use
meet on-premises identity requirements for app development AD DS for lightweight Azure VM configuration control or are
and testing. looking to develop or migrate legacy, directory-aware on-
premises applications to the cloud.
I need to support a few virtual machines in Azure, but my Use DIY AD DS to use Azure VMs when you need to support
company is still heavily invested in on-premises Active a few virtual machines and have large AD DS investments on-
Directory (AD DS). premises.
Next steps
Now that you understand Azure identity concepts and the options available to you, you can use the following
resources to get started implementing the option you’ve chosen:
Learn more about Azure hybrid identity solutions
Learn more in an Azure Proof of Concept environment
Deploy Azure AD in production
Microsoft hybrid identity solutions
1/3/2018 • 5 min to read • Edit Online
Microsoft Azure Active Directory (Azure AD) hybrid identity solutions enable you to synchronize on-premises
directory objects with Azure AD while still managing your users on-premises. The first decision to make when
planning to synchronize your on-premises Windows Server Active Directory with Azure AD is whether you want to
use synchronized identity or federated identity. Synchronized identities, and optionally password hashes, enable
your users to use the same password to access both on-premises and cloud-based organizational resources. For
more advanced scenario requirements, such as single-sign-on (SSO) or on-premises MFA, you need to deploy
Active Directory Federation Services (AD FS) to federate identities.
There are several options available for configuring hybrid identity. This article provides information to help you
choose the best one for your organization based on ease of deployment and your specific identity and access
management needs. As you consider which identity model best fits your organization’s needs, you also need to
think about time, existing infrastructure, complexity, and cost. These factors are different for every organization, and
might change over time. However, if your requirements do change, you also have the flexibility to switch to a
different identity model.
TIP
These solutions are all delivered by Azure AD Connect.
Synchronized identity
Synchronized identity is the simplest way to synchronize on-premises directory objects (users and groups) with
Azure AD.
While synchronized identity is the easiest and quickest method, your users still need to maintain a separate
password for cloud-based resources. To avoid this, you can also (optionally) synchronize a hash of user passwords
to your Azure AD directory. Synchronizing password hashes enables users to log in to cloud-based organizational
resources with the same user name and password that they use on-premises. Azure AD Connect periodically checks
your on-premises directory for changes and keeps your Azure AD directory synchronized. When a user attribute or
password is changed on-premises Active Directory, it is automatically updated in Azure AD.
For most organizations who only need to enable their users to sign in to Office 365, SaaS applications, and other
Azure AD-based resources, the default password synchronization option is recommended. If that doesn’t work for
you, you'll need to decide between pass-through authentication and AD FS.
TIP
User passwords are stored in on-premises Windows Server Active Directory in the form of a hash value that represents the
actual user password. A hash value is a result of a one-way mathematical function (the hashing algorithm). There is no
method to revert the result of a one-way function to the plain text version of a password. You cannot use a password hash
to sign in to your on-premises network. When you opt to synchronize passwords, Azure AD Connect extracts password
hashes from the on-premises Active Directory and applies extra security processing to the password hash before it is
synchronized to Azure AD. Password synchronization can also be used together with password write-back to enable self-
service password reset in Azure AD. In addition, you can enable single sign-on (SSO) for users on domain-joined computers
that are connected to the corporate network. With single sign-on, enabled users only need to enter a username to securely
access cloud resources.
Pass-through authentication
Azure AD pass-through authentication provides a simple password validation solution for Azure AD-based services
using your on-premises Active Directory. If security and compliance policies for your organization do not permit
sending users' passwords, even in a hashed form, and you only need to support desktop SSO for domain joined
devices, it is recommended that you evaluate using pass-through authentication. Pass-through authentication does
not require any deployment in the DMZ, which simplifies the deployment infrastructure when compared with AD
FS. When users sign in using Azure AD, this authentication method validates users' passwords directly against your
on-premises Active Directory.
With pass-through authentication, there's no need for a complex network infrastructure, and you don't need to
store on-premises passwords in the cloud. Combined with single sign-on, pass-through authentication provides a
truly integrated experience when signing in to Azure AD or other cloud services.
Pass-through authentication is configured with Azure AD Connect, which uses a simple on-premises agent that
listens for password validation requests. The agent can be easily deployed to multiple machines to provide high
availability and load balancing. Since all communications are outbound only, there is no requirement for the
connector to be installed in a DMZ. The server computer requirements for the connector are as follows:
Windows Server 2012 R2 or higher
Joined to a domain in the forest through which users are validated
Pass-through authentication is not currently supported when using Windows 10 devices joined to Azure AD.
However, you can use password hash synchronization as an automatic fallback to support Windows 10 and the
legacy clients mentioned previously. During the preview, password hash synchronization is enabled by default
when pass-through authentication is selected as the sign-in option in Azure AD Connect.
Also called identity federation, this sign-in method ensures that all user authentication is controlled on-premises
and allows administrators to implement more rigorous levels of access control. Identity federation with AD FS is the
most complicated option and requires deploying additional servers in your on-premises environment. Identity
federation also commits you to providing 24x7 support for your Active Directory and AD FS infrastructure. This
high level of support is necessary because if your on-premises Internet access, domain controller, or AD FS servers
are unavailable, users can't sign in to cloud services.
TIP
If you decide to use Federation with Active Directory Federation Services (AD FS), you can optionally set up password
synchronization as a backup in case your AD FS infrastructure fails.
Support smartcard
authentication for my users4
4 AD FS can be integrated with your enterprise PKI to allow sign-in using certificates. These certificates can be
soft-certificates deployed via trusted provisioning channels such as MDM or GPO or smartcard certificates
(including PIV/CAC cards) or Hello for Business (cert-trust). For more information about smartcard
authentication support, see this blog.
Next steps
Learn more in an Azure Proof of Concept environment
Install Azure AD Connect
Monitor hybrid identity synchronization
How to associate or add an Azure subscription to
Azure Active Directory
1/6/2018 • 2 min to read • Edit Online
This article covers information about the relationship between an Azure subscription and Azure Active Directory
(Azure AD), and how to add an existing subscription to your Azure AD directory. Your Azure subscription has a
trust relationship with Azure AD, which means that it trusts the directory to authenticate users, services, and
devices. Multiple subscriptions can trust the same directory, but each subscription trusts only one directory.
The trust relationship that a subscription has with a directory is unlike the relationship that it has with other
resources in Azure (websites, databases, and so on). If a subscription expires, access to the other resources
associated with the subscription also stops. But an Azure AD directory remains in Azure, and you can associate a
different subscription with that directory and manage the directory using the new subscription.
All users have a single home directory that authenticates them, but they can also be guests in other directories. In
Azure AD, you can see the directories of which your user account is a member or guest.
3. Review the warnings. All Role-Based Access Control (RBAC) users with assigned access and all subscription
admins lose access when the subscription directory changes.
4. Select a directory.
5. Click Change.
6. Success! Use the directory switcher to go to the new directory. It might take up to 10 minutes for everything
to show up properly.
Changing the subscription directory is a service-level operation. It doesn't affect subscription billing ownership,
and the Account Admin can still change Service Admin using the Account Center. If you want to delete the original
directory, you must transfer the subscription billing ownership to a new Account Admin. To learn more about
transferring billing ownership, see Transfer ownership of an Azure subscription to another account.
Next steps
To learn more about creating a new Azure AD directory for free, see How to get an Azure Active Directory
tenant
To learn more about transferring billing ownership of an Azure subscription, see Transfer ownership of an
Azure subscription to another account
To learn more about how resource access is controlled in Microsoft Azure, see Understanding resource access
in Azure
For more information on how to assign roles in Azure AD, see Assigning administrator roles in Azure Active
Directory
Azure Active Directory FAQ
12/14/2017 • 8 min to read • Edit Online
Azure Active Directory (Azure AD) is a comprehensive identity as a service (IDaaS) solution that spans all aspects of
identity, access management, and security.
For more information, see What is Azure Active Directory?.
Q: What’s the relationship between Azure AD, Office 365, and Azure?
A: Azure AD provides you with common identity and access capabilities to all web services. Whether you are using
Office 365, Microsoft Azure, Intune, or others, you're already using Azure AD to help turn on sign-on and access
management for all these services.
All users who are set up to use web services are defined as user accounts in one or more Azure AD instances. You
can set up these accounts for free Azure AD capabilities like cloud application access.
Azure AD paid services like Enterprise Mobility + Security complement other web services like Office 365 and
Microsoft Azure with comprehensive enterprise-scale management and security solutions.
Q: What are the differences between Subscription Administrator and Directory Administrator?
A: By default, you are assigned the Subscription Administrator role when you sign up for Azure. A subscription
admin can use either a Microsoft account or a work or school account from the directory that the Azure
subscription is associated with. This role is authorized to manage services in the Azure portal.
If others need to sign in and access services by using the same subscription, you can add them as co-admins. This
role has the same access privileges as the service admin, but can’t change the association of subscriptions to Azure
directories. For additional information on subscription admins, see How to add or change Azure administrator roles
and How Azure subscriptions are associated with Azure Active Directory.
Azure AD has a different set of admin roles to manage the directory and identity-related features. These admins will
have access to various features in the Azure portal or the Azure portal. The admin's role determines what they can
do, like create or edit users, assign administrative roles to others, reset user passwords, manage user licenses, or
manage domains. For additional information on Azure AD directory admins and their roles, see Assigning
administrator roles in Azure Active Directory.
Additionally, Azure AD paid services like Enterprise Mobility + Security complement other web services, such as
Office 365 and Microsoft Azure, with comprehensive enterprise-scale management and security solutions.
Q: Is there a report that shows when my Azure AD user licenses will expire?
A: No. This is not currently available.
Password management
Q: Can I use Azure AD password write-back without password sync? (In this scenario, is it possible to use
Azure AD self-service password reset (SSPR) with password write-back and not store passwords in the
cloud?)
A: You do not need to synchronize your Active Directory passwords to Azure AD to enable write-back. In a
federated environment, Azure AD single sign-on (SSO) relies on the on-premises directory to authenticate the user.
This scenario does not require the on-premises password to be tracked in Azure AD.
Q: How long does it take for a password to be written back to Active Directory on-premises?
A: Password write-back operates in real time.
For more information, see Getting started with password management.
Q: Can I use password write-back with passwords that are managed by an admin?
A: Yes, if you have password write-back enabled, the password operations performed by an admin are written back
to your on-premises environment.
For more answers to password-related questions, see Password management frequently asked questions.
Q: What can I do if I can't remember my existing Office 365/Azure AD password while trying to change
my password?
A: For this type of situation, there are a couple of options. Use self-service password reset (SSPR) if it's available.
Whether SSPR works depends on how it's configured. For more information, see How does the password reset
portal work.
For Office 365 users, your admin can reset the password by using the steps outlined in Reset user passwords.
For Azure AD accounts, admins can reset passwords by using one of the following:
Reset accounts in the Azure portal
Using PowerShell
Security
Q: Are accounts locked after a specific number of failed attempts or is there a more sophisticated
strategy used?
We use a more sophisticated strategy to lock accounts. This is based on the IP of the request and the passwords
entered. The duration of the lockout also increases based on the likelihood that it is an attack.
Q: Certain (common) passwords get rejected with the messages ‘this password has been used to many
times’, does this refer to passwords used in the current active directory?
This refers to passwords that are globally common, such as any variants of “Password” and “123456”.
Q: Will a sign-in request from dubious sources (botnets, tor endpoint) be blocked in a B2C tenant or does
this require a Basic or Premium edition tenant?
We do have a gateway that filters requests and provides some protection from botnets, and is applied for all B2C
tenants.
Application access
Q: Where can I find a list of applications that are pre-integrated with Azure AD and their capabilities?
A: Azure AD has more than 2,600 pre-integrated applications from Microsoft, application service providers, and
partners. All pre-integrated applications support single sign-on (SSO). SSO lets you use your organizational
credentials to access your apps. Some of the applications also support automated provisioning and de-
provisioning.
For a complete list of the pre-integrated applications, see the Active Directory Marketplace.
Q: What are the different ways Azure AD enables authentication and single sign-on to applications?
A: Azure AD supports many standardized protocols for authentication and authorization, such as SAML 2.0, OpenID
Connect, OAuth 2.0, and WS-Federation. Azure AD also supports password vaulting and automated sign-in
capabilities for apps that only support forms-based authentication.
For more information, see:
Authentication Scenarios for Azure AD
Active Directory authentication protocols
How does single sign-on with Azure Active Directory work?
Q: How do I require multi-factor authentication for users who access a particular application?
A: With Azure AD conditional access, you can assign a unique access policy for each application. In your policy, you
can require multi-factor authentication always, or when users are not connected to the local network.
For more information, see Securing access to Office 365 and other apps connected to Azure Active Directory.
Stay up-to-date with what's new in Azure Active Directory by subscribing to our feed.
We are improving Azure Active Directory on an ongoing basis. To enable you to stay up to date with the most
recent developments, this topic provides you with information about:
The latest releases
Known issues
Bug fixes
Deprecated functionality
Plans for changes
Please revisit this page regularly as we are updating it on a monthly basis.
December 2017
Terms of use in the access panel for end users
Type: New feature
Service Category: Terms of Use
Product Capability: Governance/Compliance
End users now have the ability to go to access panel and view the terms of use that they have previously accepted.
Users can review and see the terms of use that they have accepted. This can be done using the following procedure:
1. Navigate and sign-in to the MyApps portal.
2. In upper right corner, click your name and select Profile from the drop-down.
3. On your Profile, click Review terms of use.
4. From there you can review the terms of use you have accepted.
For more information, see Azure Active Directory Terms of Use feature (Preview)
Fewer login prompts: A new “Keep me signed in” experience for Azure AD login
Type: New feature
Service Category: Azure AD
Product Capability: User Authentication
We have replaced the Keep me signed in checkbox on the Azure AD login page with a new prompt that shows up
after the user successfully authenticates.
If a user responds Yes to this prompt, the service gives them a persistent refresh token. This is the same behavior
as when the user checks the Keep me signed in checkbox in the old experience. For federated tenants, this prompt
will show after the user successfully authenticates with the federated service.
For more information, see Fewer login prompts: The new “Keep me signed in” experience for Azure AD is in
preview
SAML SSO for Bitbucket by resolution SAML 2.0 SSO Bitbucket delegates authentication
GmbH to Azure AD, users already logged-in to
Azure AD can access Bitbucket directly.
Users can be created and updated on-
the-fly with data from SAML attributes.
SAML SSO for Bamboo by resolution SAML 2.0 SSO Bamboo delegates authentication
GmbH to Azure AD, users already logged-in to
Azure AD can access Bamboo directly.
Zenegy Azure AD Integration OpenID Connect & OAuth With this App you can use your
company’s Azure Active Directory
credentials to log into Zenegy.
NAME INTEGRATION TYPE DESCRIPTION
Updates to Azure Active Directory Privileged Identity Management (PIM ) for Azure RBAC (preview)
Type: Changed feature
Service Category: PIM
Product Capability: Privileged Identity Management
With our Public Preview Refresh of Azure Active Directory Privileged Identity Management (PIM) for Azure RBAC,
you can now:
Use Just Enough Administration Require approval to activate resource roles Schedule a future activation of a role
that requires approval for both AAD and Azure RBAC Roles
For more information, see PIM for Azure resources (Preview)
November 2017
Retiring ACS
Type: Plan for change
Service Category: ACS
Product Capability: Access Control Service
Microsoft Azure Active Directory Access Control (also known as Access Control Service or ACS) will be retired in
late 2018. Further information, including a detailed schedule & high-level migration guidance, will be provided in
the next few weeks. In the meantime, leave comments on this page with any questions regarding ACS, and a
member of our team will help to answer.
Restrict browser access to the Intune managed browser
Type: Plan for change
Service Category: Conditional Access
Product Capability: Identity Security & Protection
With this behavior, you will be able to restrict browser access to Office 365 and other Azure AD-connected cloud
apps using the Intune Managed Browser as an approved app.
This change allows you to configure the following condition for application-based conditional access:
Client apps: Browser
What is the effect of the change?
Today, access is blocked when using this condition. When the preview of this behavior is available, all access will
require the use of the managed browser application.
Look for this capability and more in the upcoming blogs and release notes.
For more information, see Conditional access in Azure Active Directory.
October 2017
Deprecating Azure AD reports
Type: Plan for change
Service Category: Reporting
Product Capability: Identity Lifecycle Management
The Azure portal provides you with:
A new Azure Active Directory administration console
New APIs for activity and security reports
Due to these new capabilities, the report APIs under the /reports endpoint will be retired on December 10, 2017.
Hiding third-party applications from My Apps and the Office 365 launcher
Type: New feature
Service Category: My Apps
Product Capability: SSO
You can now better manage apps that show up on your user portals through a new hide app property. Hiding
apps helps with cases where app tiles are showing up for backend services or duplicate tiles and end up cluttering
user's app launchers. The toggle is located on the properties section of the third-party app and is labeled Visible to
user? You can also hide an app programmatically through PowerShell.
For more information, see Hide a third-party application from user's experience in Azure Active Directory.
What's available?
As part of the transition to the new admin console, 2 new APIs for retrieving Azure AD Activity Logs are available.
The new set of APIs provides richer filtering and sorting functionality in addition to providing richer audit and sign-
in activities. The data previously available through the security reports can now be accessed through the Identity
Protection risk events API in Microsoft Graph.
September 2017
Hotfix for Microsoft Identity Manager
Type: Changed feature
Service Category: Microsoft Identity Manager
Product Capability: Identity Lifecycle Management
A hotfix rollup package (build 4.4.1642.0) is available as of September 25, 2017, for Microsoft Identity Manager
(MIM) 2016 2016 Service Pack 1 (SP1). This roll-up package:
Resolves issues and adds improvements
Is a cumulative update that replaces all MIM 2016 SP1 updates up to build 4.4.1459.0 for Microsoft Identity
Manager 2016.
Requires you to have Microsoft Identity Manager 2016 build 4.4.1302.0.
For more information, see Hotfix rollup package (build 4.4.1642.0) is available for Microsoft Identity Manager 2016
SP1.
Get started with Azure AD
1/9/2018 • 4 min to read • Edit Online
Modern identity management requires scaleable, consistent reliablity to ensure the availablity of applications and
services to only authenticated users. To adequately support the identity management needs of users, IT needs a
way to provide access to approved, public software as a service (SaaS) apps, a way to host internal line of business
apps, and even ways to enhance on-premises app development and usage. All of these requirements point to the
need of a cloud-based identity management solution.
Azure Active Directory (Azure AD) is Microsoft’s multi-tenant, cloud based directory and identity management
service. Azure AD combines core directory services, advanced identity governance, and application access
management. The multi-tenant, geo-distributed, high availability design of Azure AD means that you can rely on it
for your most critical business needs.
Azure AD includes a full suite of identity management capabilities including the ability to synchronize on-premises
resource information, customizable company branding, simple license management, and even self-service
password management. These easy-to-deploy capabilities can help you get started using Azure AD to secure cloud-
based applications, streamline IT processes, cut costs, and help ensure that corporate compliance goals are met.
The rest of this article tells you how to get started with Azure AD.
Assign licenses
Although obtaining a subscription is all you need to configure paid capabilities, you must still assign user licenses
for Azure AD Premium paid features. Any user who should have access to, or who is managed through, an Azure
AD paid feature must be assigned a license. License assignment is a mapping between a user and a purchased
service, such as Azure AD Premium, Basic, or Enterprise Mobility + Security.
You can use group-based license assignment to set up rules such as in the following examples:
All users in your directory automatically get a license
Everyone with the appropriate job title gets a license
You can delegate the decision to other managers in the organization (by using self-service groups)
Verification step
Review assigned and available licenses under Azure Active Directory > Licenses > All products.
Configure self-service password reset
Self-service password reset (SSPR) offers a simple means for IT administrators to enable users to reset or unlock
their passwords or accounts. The system includes detailed reporting to track when users use the system along with
notifications to alert you to misuse or abuse.
Verification step
Review enabled SSPR properties under Azure Active Directory > Password reset to ensure the proper user and
group assignments have been made.
Next steps
Azure Active Directory service page
Azure Active Directory pricing information page
Quickstart: Sign up for Azure Active Directory
Premium
12/11/2017 • 3 min to read • Edit Online
To get started with Azure Active Directory (Azure AD) Premium, you can purchase licenses and associate them
with your Azure subscription. If you create a new Azure subscription, you also need to activate your licensing plan
and Azure AD service access as described in the following sections.
NOTE
Azure Active Directory Premium and Basic editions are available for customers in China using the worldwide instance of
Azure Active Directory. Azure Active Directory Premium and Basic editions are not currently supported in the Microsoft
Azure service operated by 21Vianet in China. For more information, contact us at the Azure Active Directory Forum.
If you have previously purchased and activated Azure AD licenses for the same Azure subscription that you used
in the preceding steps, then the licenses are automatically activated in the same directory. If not, continue with the
steps described in the rest of this article.
Activate your license plan
Is this your first Azure AD license plan you've purchase from Microsoft? If so, a confirmation email is generated
and sent to you when your purchase has been completed. You need this email to activate your first license plan.
To activate your license plan, perform one of the following steps:
1. To start the activation, click either Sign In or Sign Up.
If you have an existing tenant, click Sign In to sign in with your existing administrator account. Sign
in with global administrator credentials for the tenant where the licenses must be activated.
If you want to create a new Azure AD tenant to use with your licensing plan, click Sign Up to open
the Create Account Profile dialog.
When you are done, the following dialog shows up as confirmation for the activation of the license plan for your
tenant:
TIP
You cannot access Azure AD for your new tenant until you activate Azure AD directory access using the welcome email sent
automatically when the license provisioning process has completed.
2. After signing in successfully, you also need to complete a second factor authentication using a mobile
device:
The activation should only take a few minutes and then you will have access to manage your Azure AD.
Next steps
In this quickstart, you’ve learned how to sign up for Azure AD Premium and activate your Azure Active Directory
access.
If you already have an Azure subscription, you can use the following link to start a trial or purchase Azure AD
Premium licenses from the Azure portal.
Activate Azure AD Premium licenses
Quickstart: Add a custom domain name to Azure
Active Directory
12/11/2017 • 4 min to read • Edit Online
Every Azure AD directory comes with an initial domain name in the form of domainname.onmicrosoft.com. The
initial domain name cannot be changed or deleted, but you can add your corporate domain name to Azure AD as
well. For example, your organization probably has other domain names used to do business and users who sign in
using your corporate domain name. Adding custom domain names to Azure AD allows you to assign user names in
the directory that are familiar to your users, such as ‘alice@contoso.com.’ instead of 'alice@domain
name.onmicrosoft.com'. The process is simple:
1. Add the custom domain name to your directory
2. Add a DNS entry for the domain name at the domain name registrar
3. Verify the custom domain name in Azure AD
4. On Custom domain names, enter the name of your custom domain in the box, such as 'contoso.com', and then
select Add Domain. Be sure to include the .com, .net, or other top-level extension.
5. On domainname (that is, your new domain name is the title), gather the DNS entry information to use later
to verify the custom domain name in Azure AD.
TIP
If you plan to federate your on-premises Windows Server AD with Azure AD, then you need to select the I plan to configure
this domain for single sign-on with my local Active Directory checkbox when you run the Azure AD Connect tool to
synchronize your directories. You also need to register the same domain name you select for federating with your on-
premises directory in the Azure AD Domain step in the wizard. You can see what that step in the wizard looks like in these
instructions. If you do not have the Azure AD Connect tool, you can download it here.
Add a DNS entry for the domain name at the domain name registrar
The next step to use your custom domain name with Azure AD is to update the DNS zone file for the domain. Azure
AD can then verify that your organization owns the custom domain name. You can use Azure DNS for your
Azure/Office 365/external DNS records within Azure, or add the DNS entry at a different DNS registrar.
1. Sign in to the domain name registrar for the domain. If you don't have access to update the DNS entry, ask the
person or team who has this access to complete step 2 and to let you know when it is completed.
2. Update the DNS zone file for the domain by adding the DNS entry provided to you by Azure AD. The DNS entry
doesn't change any behaviors such as mail routing or web hosting.
Troubleshooting
If you can't verify a custom domain name, try the following troubleshooting steps:
1. Wait an hour. DNS records must propagate before Azure AD can verify the domain. This process can take an
hour or more.
2. Ensure the DNS record was entered, and that it is correct. Complete this step at the website for the
domain name registrar for the domain. Azure AD can't verify the domain name if
The DNS entry is not present in the DNS zone file
It is not an exact match with the DNS entry that Azure AD provided you.
If you do not have access to update DNS records for the domain at the domain name registrar, share the
DNS entry with the person or team at your organization who has this access, and ask them to add the DNS
entry.
3. Delete the domain name from another directory in Azure AD. A domain name can be verified in only a
single directory. If a domain name is currently verified in a different directory, it can't be verified in your new
directory until it is deleted on the other one. To learn about deleting domain names, read Manage custom
domain names.
Repeat the steps in this article to add each of your domain names.
Learn more
Conceptual overview of custom domain names in Azure AD
Manage custom domain names
Next steps
In this quickstart, you’ve learned how to add a custom domain to Azure AD.
You can use the following link to add a new custom domain in Azure AD from the Azure portal.
Add a custom domain
Quickstart: Add company branding to your sign-in
page in Azure AD
12/11/2017 • 5 min to read • Edit Online
To avoid confusion, many companies want to apply a consistent look and feel across all the websites and services
they manage. Azure Active Directory (Azure AD) provides this capability by allowing you to customize the
appearance of the sign-in page with your company logo and custom color schemes. The sign-in page is the page
that appears when you sign in to Office 365 or other web-based applications that are using Azure AD as your
identity provider. You interact with this page to enter your credentials.
NOTE
Company branding is available only if you upgraded to the Premium or Basic edition of Azure AD, or have an Office
365 license. To learn if a feature is supported by your license type, check the Azure Active Directory pricing
information page.
Azure Active Directory Premium and Basic editions are available for customers in China using the worldwide instance
of Azure Active Directory. Azure Active Directory Premium and Basic editions are not currently supported in the
Microsoft Azure service operated by 21Vianet in China. For more information, contact us at the Azure Active
Directory Forum.
NOTE
Your domain name must appear as “Active" in the Domains portion of the Azure portal in which you have configured
branding. For more information, see Add a custom domain name.
Sign-in page branding doesn’t carry over to the sign-in page for personal Microsoft accounts. If your employees or
business guests sign in with a personal Microsoft account, their sign-in page does not reflect the branding of your
organization.
Banner logo
DESCRIPTION CONSTRAINTS RECOMMENDATIONS
The banner logo is displayed on the Transparent JPG or PNG Use your organization’s logo here.
sign-in and the Access panel pages. Max height: 36 px Use a transparent image. Don’t assume
On the sign-in page, this shows once Max width: 245 px that the background will be white.
the user’s organization is determined, Do not add padding around your logo
usually after the username is entered. in the image or your logo will look
disproportionately small.
Username hint
DESCRIPTION CONSTRAINTS RECOMMENDATIONS
This customizes the hint text in the Unicode text up to 64 characters We recommend that you do not set
username field. Plain text only this if you expect guest users outside
your organization to sign in to your
app.
This appears at the bottom of the sign- Unicode text up to 256 characters
in form and can be used to Plain text only (no links or HTML tags)
communicate additional information
such as the phone number to your help
desk, or a legal statement.
Background Color
DESCRIPTION CONSTRAINTS RECOMMENDATIONS
This color is used in place of the RGB color in hexadecimal (example: We suggest using the primary color of
background image on low-bandwidth #FFFFFF the banner logo or your organization
connections. color.
Azure AD sign in gives the user the This does not affect session lifetime.
option to remain signed in when they Some features of SharePoint Online and
close and re-open their browser. Use Office 2010 depend on users being able
this to hide that option. to choose to remain signed in. If you
Set this to “No” to hide this option from set this to be hidden, your users may
your users. see additional and unexpected prompts
to sign-in.
NOTE
All elements are optional. For example, if you specify a banner logo with no background image, the sign-in page will show
your logo and the background image for the destination site (for example, Office 365).
Add company branding to your directory
1. Sign in to the Azure portal with an account that's a global admin for the directory.
2. Select More services, enter Users and groups in the text box, and then select Enter.
5. Modify the elements you want to customize. All elements are optional.
6. Click Save.
It can take up to an hour for any changes you made to the sign-in page branding to appear.
5. Modify the elements you want to customize. All elements are optional.
6. Click Save.
It can take up to an hour for any changes you made to the sign-in page branding to appear.
Next steps
In this quickstart, you’ve learned how to add company branding to your Azure AD directory.
You can use the following link to configure your company branding in Azure AD from the Azure portal.
Configure company branding
Quickstart: Add new users to Azure Active Directory
1/9/2018 • 1 min to read • Edit Online
This article explains how to delete or add users in your organization into your orgnization's Azure Active Directory
(Azure AD) tenant using the Azure portal or by synchronizing your on-premises Windows Server AD user account
data.
4. Enter details for the user, such as Name and User name. The domain name portion of the user name must
either be the initial default domain name "[domain name].onmicrosoft.com" or a verified, non-federated custom
domain name such as "contoso.com."
5. Copy or otherwise note the generated user password so that you can provide it to the user after this process is
complete.
6. Optionally, you can open and fill out the information in Profile, Groups, or Directory role for the user. For
more information about user and administrator roles, see Assigning administrator roles in Azure AD.
7. On User, select Create.
8. Securely distribute the generated password to the new user so that the user can sign in.
TIP
You can also synchronize user account data from on-premises Windows Server AD. Microsoft’s identity solutions span on-
premises and cloud-based capabilities, creating a single user identity for authentication and authorization to all resources,
regardless of location. We call this Hybrid Identity. Azure AD Connect can be used to integrate your on-premises directories
with Azure Active Directory for hybrid identity scenarios. This allows you to provide a common identity for your users for
Office 365, Azure, and SaaS applications integrated with Azure AD.
Delete users from Azure AD
1. Sign in to the Azure Active Directory admin center with an account that's a global admin for the directory.
2. Select Users and groups.
3. On the Users and groups blade, select the user to delete from the list.
4. On the blade for the selected user, select Overview, and then in the command bar, select Delete.
Learn more
Add guest users from another directory
Assign a user to a role in your Azure AD
Manage user profiles
Restore a deleted user
Next steps
In this quickstart, you’ve learned how to add new users to Azure AD Premium.
You can use the following link to create a new user in Azure AD from the Azure portal.
Add users to Azure AD
Quickstart: License users in Azure Active Directory
12/11/2017 • 4 min to read • Edit Online
License-based Azure AD services work by activating an Azure Active Directory (Azure AD) subscription in your
Azure tenant. After the subscription is active, service capabilities are managed by Azure AD administrators and
used by licensed users. When you purchase Enterprise Mobility + Security, Azure AD Premium, or Azure AD Basic,
your tenant is updated with the subscription, including its validity period and prepaid licenses. Your subscription
information, including the number of assigned or available licenses, is available through the Azure portal under
Azure Active Directory by opening the Licenses tile. The Licenses blade is also the best place to manage your
license assignments.
Although obtaining a subscription is all you need to configure paid capabilities, you must still assign user licenses
for paid Azure AD paid features. Any user who should have access to, or who is managed through, an Azure AD
paid feature must be assigned a license. License assignment is a mapping between a user and a purchased service,
such as Azure AD Premium, Basic, or Enterprise Mobility + Security.
You can use group-based license assignment to set up rules such as the following:
All users in your directory automatically get a license
Everyone with the appropriate job title gets a license
You can delegate the decision to other managers in the organization (by using self-service groups)
TIP
For a detailed discussion of license assignment to groups, including advanced scenarios and Office 365 licensing scenarios,
see Assign licenses to users by group membership in Azure Active Directory.
NOTE
Some Microsoft services are not available in all locations. Before a license can be assigned to a user, the administrator must
specify the Usage location property for the user. You can set this property under User > Profile > Settings in the Azure
portal. When using group license assignment, any user whose usage location is not specified inherits the location of the
directory.
To assign a license, under Azure Active Directory > Licenses > All Products, select one or more products, and
then select Assign on the command bar.
You can use the Users and groups blade to choose multiple users or groups or to disable service plans in the
product. Use the search box on top to search for user and group names.
When you assign licenses to a group, it can take some time before all users inherit the license depending on the
size of the group. You can check the processing status on the Group blade, under the Licenses tile.
Assignment errors can occur during Azure AD license assignment but are relatively rare when managing Azure AD
and Enterprise Mobility + Security products. Potential assignment errors are limited to:
Assignment conflict: When a user was previously assigned a license that is incompatible with the current license.
In this case, assigning the new license requires removing the current one.
Exceeded available licenses: When the number of users in assigned groups exceeds the available licenses, a
user's assignment status reflects a failure to assign due to missing licenses.
Azure AD B2B collaboration licensing
B2B collaboration allows you to invite guest users into your Azure AD tenant to provide access to Azure AD
services and any Azure resources you make available.
There is no charge for inviting B2B users and assigning them to an application in Azure AD. Up to 10 apps per
guest user and 3 basic reports are also free for B2B collaboration users. If your guest user has any appropriate
licenses assigned in the partner's Azure AD tenant, they'll be licensed in yours as well.
It's not required, but if you want to provide access to paid Azure AD features, those B2B guest users must be
licensed with appropriate Azure AD licenses. An inviting tenant with an Azure AD paid license can assign B2B
collaboration user rights to an additional five guest users invited to the tenant. For scenarios and information, see
B2B collaboration licensing guidance.
Similarly, the Licensed Groups list shows all groups to which licenses have been assigned. Select a user or group
to open the Licenses blade, which shows all licenses assigned to that object.
Remove a license
To remove a license, go to the user or group, and open the Licenses tile. Select the license, and click Remove.
Licenses inherited by the user from a group cannot be removed directly. Instead, remove the user from the group
from which they are inheriting the license.
Next steps
In this quickstart, you’ve learned how to assign licenses to users and groups in Azure AD directory.
You can use the following link to configure subscription license assignments in Azure AD from the Azure portal.
Assign Azure AD licenses
Azure AD self-service password reset rapid
deployment
1/17/2018 • 5 min to read • Edit Online
IMPORTANT
Are you here because you're having problems signing in? If so, see Help, I forgot my Azure AD password.
Self-service password reset (SSPR) offers a simple means for IT administrators to empower users to reset or
unlock their passwords or accounts. The system includes detailed reporting that tracks when users access the
system, along with notifications to alert you to misuse or abuse.
This guide assumes you already have a working trial or licensed Azure Active Directory (Azure AD) tenant. If you
need help setting up Azure AD, see Getting started with Azure AD.
IMPORTANT
Azure Administrator accounts will always have the ability to reset their passwords no matter what this option is set
to.
4. Recommended: Under Customization, you can change the Contact your administrator link to point to
a page or email address you define. We recommend that you set this link to something like an email
address or website that your users already use for support questions.
5. Optional: The Registration page provides administrators with the option to:
Require users to register when they sign in.
Set the number of days before users are asked to reconfirm their authentication information.
6. Optional: The Notifications page provides administrators with the option to:
Notify users on password resets.
Notify all admins when other admins reset their password.
At this point, you have configured SSPR for your Azure AD tenant. Your users can now use the instructions found
in the articles Register for self-service password reset and Reset or change your password to update their
password without administrator intervention. You can stop here if you're cloud-only. Or you can continue to the
next section to configure the synchronization of passwords to an on-premises Active Directory domain.
TIP
Test SSPR with a user rather than an administrator, because Microsoft enforces strong authentication requirements for
Azure administrator accounts. For more information regarding the administrator password policy, see our password policy
article.
Azure Active Directory (Azure AD) enables you to securely manage access to Azure services and resources for your
users. Included with Azure AD is a full suite of identity management capabilities. For information about Azure AD
features, see What is Azure Active Directory?
With Azure AD, you can create and manage users and groups, and enable permissions to allow and deny access to
enterprise resources. For information about identity management, see The fundamentals of Azure identity
management.
Azure AD architecture
Azure AD's geographically distributed architecture combines extensive monitoring, automated rerouting, failover,
and recovery capabilities enable us to deliver enterprise-level availability and performance to our customers.
The following architecture elements are covered in this article:
Service architecture design
Scalability
Continuous availability
Data centers
Service architecture design
The most common way to build a scalable, highly-available, data-rich system is through independent building
blocks or scale units for the Azure AD data tier, scale units are called partitions.
The data tier has several front-end services that provide read-write capability. The diagram below shows how the
components of a single-directory partition are distributed throughout geographically-distributed data centers.
The components of Azure AD architecture include a primary replica and secondary replicas.
Primary replica
The primary replica receives all writes for the partition it belongs to. Any write operation is immediately replicated
to a secondary replica in a different datacenter before returning success to the caller, thus ensuring geo-redundant
durability of writes.
Secondary replicas
All directory reads are serviced from secondary replicas, which are at data centers that are physically located across
different geographies. There are many secondary replicas, as data is replicated asynchronously. Directory reads,
such as authentication requests, are serviced from data centers that are close to our customers. The secondary
replicas are responsible for read scalability.
Scalability
Scalability is the ability of a service to expand to meet increasing performance demands. Write scalability is
achieved by partitioning the data. Read scalability is achieved by replicating data from one partition to multiple
secondary replicas distributed throughout the world.
Requests from directory applications are generally routed to the datacenter that they are physically closest to.
Writes are transparently redirected to the primary replica to provide read-write consistency. Secondary replicas
significantly extend the scale of partitions because the directories are typically serving reads most of the time.
Directory applications connect to the nearest datacenters. This improves performance, and therefore scaling out is
possible. Since a directory partition can have many secondary replicas, secondary replicas can be placed closer to
the directory clients. Only internal directory service components that are write-intensive target the active primary
replica directly.
Continuous availability
Availability (or uptime) defines the ability of a system to perform uninterrupted. The key to Azure AD’s high-
availability is that our services can quickly shift traffic across multiple geographically-distributed data centers. Each
data center is independent, which enables de-correlated failure modes.
Azure AD’s partition design is simplified compared to the enterprise AD design, which is critical for scaling up the
system. We adopted a single-master design that includes a carefully orchestrated and deterministic primary replica
failover process.
Fault tolerance
A system is more available if it is tolerant to hardware, network, and software failures. For each partition on the
directory, a highly available master replica exists: The primary replica. Only writes to the partition are performed at
this replica. This replica is being continuously and closely monitored, and writes can be immediately shifted to
another replica (which becomes the new primary) if a failure is detected. During failover, there could be a loss of
write availability typically of 1-2 minutes. Read availability is not affected during this time.
Read operations (which outnumber writes by many orders of magnitude) only go to secondary replicas. Since
secondary replicas are idempotent, loss of any one replica in a given partition is easily compensated by directing
the reads to another replica, usually in the same datacenter.
Data durability
A write is durably committed to at least two data centers prior to it being acknowledged. This happens by first
committing the write on the primary, and then immediately replicating the write to at least one other data center.
This ensures that a potential catastrophic loss of the data center hosting the primary does not result in data loss.
Azure AD maintains a zero Recovery Time Objective (RTO) for token issuance and directory reads and in the order
of minutes (~5 minutes) RTO for directory writes. We also maintain zero Recovery Point Objective (RPO) and will
not lose data on failovers.
Data centers
Azure AD’s replicas are stored in datacenters located throughout the world. For more information, see Azure
datacenters.
Azure AD operates across data centers with the following characteristics:
Authentication, Graph and other AD services reside behind the Gateway service. The Gateway manages load
balancing of these services. It will failover automatically if any unhealthy servers are detected using transactional
health probes. Based on these health probes, the Gateway dynamically routes traffic to healthy data centers.
For reads, the directory has secondary replicas and corresponding front-end services in an active-active
configuration operating in multiple data centers. In case of a failure of an entire data center, traffic will be
automatically routed to a different datacenter.
For writes, the directory will failover primary (master) replica across data centers via planned (new primary is
synchronized to old primary) or emergency failover procedures. Data durability is achieved by replicating any
commit to at least two data centers.
Data consistency
The directory model is one of eventual consistency. One typical problem with distributed asynchronously
replicating systems is that the data returned from a “particular” replica may not be up to date.
Azure AD provides read-write consistency for applications targeting a secondary replica by routing its writes to the
primary replica, and synchronously pulling the writes back to the secondary replica.
Application writes using the Graph API of Azure AD are abstracted from maintaining affinity to a directory replica
for read-write consistency. The Azure AD Graph service maintains a logical session, which has affinity to a
secondary replica used for reads; affinity is captured in a “replica token” that the graph service caches using a
distributed cache. This token is then used for subsequent operations in the same logical session.
NOTE
Writes are immediately replicated to the secondary replica to which the logical session's reads were issued.
Backup protection
The directory implements soft deletes, instead of hard deletes, for users and tenants for easy recovery in case of
accidental deletes by a customer. If your tenant administrator accidently deletes users, they can easily undo and
restore the deleted users.
Azure AD implements daily backups of all data, and therefore can authoritatively restore data in case of any logical
deletions or corruptions. Our data tier employs error correcting codes, so that it can check for errors and
automatically correct particular types of disk errors.
Metrics and monitors
Running a high availability service requires world-class metrics and monitoring capabilities. Azure AD continually
analyzes and reports key service health metrics and success criteria for each of its services. We continuously
develop and tune metrics, monitoring and alerting for each scenario, within each Azure AD service and across all
services.
If any Azure AD service is not working as expected, we immediately take action to restore functionality as quickly as
possible. The most important metric Azure AD tracks is how quickly we can detect and mitigate a customer or live
site issue. We invest heavily in monitoring and alerts to minimize time to detect (TTD Target: <5 minutes) and
operational readiness to minimize time to mitigate (TTM Target: <30 minutes).
Secure operations
We employ operational controls such as multi-factor authentication (MFA) for any operation, as well as auditing of
all operations. In addition, we use a just-in-time elevation system to grant necessary temporary access for any
operational task-on-demand on an ongoing basis. For more information, see The Trusted Cloud.
Next steps
Azure Active Directory developer's guide
Claims mapping in Azure Active Directory (public
preview)
1/10/2018 • 13 min to read • Edit Online
NOTE
This feature replaces and supersedes the claims customization offered through the portal today. If you customize claims using
the portal in addition to the Graph/PowerShell method detailed in this document on the same application, tokens issued for
that application will ignore the configuration in the portal. Configurations made through the methods detailed in this
document will not be reflected in the portal.
This feature is used by tenant admins to customize the claims emitted in tokens for a specific application in their
tenant. You can use claims mapping policies to:
Select which claims are included in tokens.
Create claim types that do not already exist.
Choose or change the source of data emitted in specific claims.
NOTE
This capability currently is in public preview. Be prepared to revert or remove any changes. The feature is available in any
Azure Active Directory (Azure AD) subscription during public preview. However, when the feature becomes generally available,
some aspects of the feature might require an Azure Active Directory premium subscription.
Claim sets
There are certain sets of claims that define how and when they are used in tokens.
Core claim set
Claims in the core claim set are present in every token, regardless of policy. These claims are also considered
restricted, and cannot be modified.
Basic claim set
The basic claim set includes the claims that are emitted by default for tokens (in addition to the core claim set).
These claims can be omitted or modified by using the claims mapping policies.
Restricted claim set
Restricted claims cannot be modified by using policy. The data source cannot be changed, and no transformation is
applied when generating these claims.
Table 1: JSON Web Token (JW T) restricted claim set
_claim_names
_claim_sources
access_token
account_type
acr
actor
actortoken
aio
altsecid
amr
app_chain
app_displayname
app_res
appctx
appctxsender
appid
appidacr
assertion
at_hash
aud
auth_data
auth_time
authorization_code
azp
azpacr
CLAIM TYPE (NAME)
c_hash
ca_enf
cc
cert_token_use
client_id
cloud_graph_host_name
cloud_instance_name
cnf
code
controls
credential_keys
csr
csr_type
deviceid
dns_names
domain_dns_name
domain_netbios_name
e_exp
endpoint
enfpolids
exp
expires_on
grant_type
graph
CLAIM TYPE (NAME)
group_sids
groups
hasgroups
hash_alg
home_oid
http://schemas.microsoft.com/ws/2008/06/identity/claims/authenticationinstant
http://schemas.microsoft.com/ws/2008/06/identity/claims/authenticationmethod
http://schemas.microsoft.com/ws/2008/06/identity/claims/expiration
http://schemas.microsoft.com/ws/2008/06/identity/claims/expired
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier
iat
identityprovider
idp
in_corp
instance
ipaddr
isbrowserhostedapp
iss
jwk
key_id
key_type
mam_compliance_url
mam_enrollment_url
CLAIM TYPE (NAME)
mam_terms_of_use_url
mdm_compliance_url
mdm_enrollment_url
mdm_terms_of_use_url
nameid
nbf
netbios_name
nonce
oid
on_prem_id
onprem_sam_account_name
onprem_sid
openid2_id
password
platf
polids
pop_jwk
preferred_username
previous_refresh_token
primary_sid
puid
pwd_exp
pwd_url
redirect_uri
refresh_token
CLAIM TYPE (NAME)
refreshtoken
request_nonce
resource
role
roles
scope
scp
sid
signature
signin_state
src1
src2
sub
tbid
tenant_display_name
tenant_region_scope
thumbnail_photo
tid
tokenAutologonEnabled
trustedfordelegation
unique_name
upn
user_setting_sync_url
username
uti
CLAIM TYPE (NAME)
ver
verified_primary_email
verified_secondary_email
wids
win_ver
http://schemas.microsoft.com/ws/2008/06/identity/claims/expiration
http://schemas.microsoft.com/ws/2008/06/identity/claims/expired
http://schemas.microsoft.com/identity/claims/accesstoken
http://schemas.microsoft.com/identity/claims/openid2_id
http://schemas.microsoft.com/identity/claims/identityprovider
http://schemas.microsoft.com/identity/claims/objectidentifier
http://schemas.microsoft.com/identity/claims/puid
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier[MR1]
http://schemas.microsoft.com/identity/claims/tenantid
http://schemas.microsoft.com/ws/2008/06/identity/claims/authenticationinstant
http://schemas.microsoft.com/ws/2008/06/identity/claims/authenticationmethod
http://schemas.microsoft.com/accesscontrolservice/2010/07/claims/identityprovider
http://schemas.microsoft.com/ws/2008/06/identity/claims/groups
http://schemas.microsoft.com/claims/groups.link
http://schemas.microsoft.com/ws/2008/06/identity/claims/role
http://schemas.microsoft.com/ws/2008/06/identity/claims/wids
http://schemas.microsoft.com/2014/09/devicecontext/claims/iscompliant
http://schemas.microsoft.com/2014/02/devicecontext/claims/isknown
http://schemas.microsoft.com/2012/01/devicecontext/claims/ismanaged
CLAIM TYPE (URI)
http://schemas.microsoft.com/2014/03/psso
http://schemas.microsoft.com/claims/authnmethodsreferences
http://schemas.xmlsoap.org/ws/2009/09/identity/claims/actor
http://schemas.microsoft.com/ws/2008/06/identity/claims/samlissuername
http://schemas.microsoft.com/ws/2008/06/identity/claims/confirmationkey
http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname
http://schemas.microsoft.com/ws/2008/06/identity/claims/primarygroupsid
http://schemas.microsoft.com/ws/2008/06/identity/claims/primarysid
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/authorizationdecision
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/authentication
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/sid
http://schemas.microsoft.com/ws/2008/06/identity/claims/denyonlyprimarygroupsid
http://schemas.microsoft.com/ws/2008/06/identity/claims/denyonlyprimarysid
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/denyonlysid
http://schemas.microsoft.com/ws/2008/06/identity/claims/denyonlywindowsdevicegroup
http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsdeviceclaim
http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsdevicegroup
http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsfqbnversion
http://schemas.microsoft.com/ws/2008/06/identity/claims/windowssubauthority
http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsuserclaim
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/x500distinguishedname
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/upn
http://schemas.microsoft.com/ws/2008/06/identity/claims/groupsid
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/spn
http://schemas.microsoft.com/ws/2008/06/identity/claims/ispersistent
CLAIM TYPE (URI)
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/privatepersonalidentifier
http://schemas.microsoft.com/identity/claims/scope
NOTE
Claims in the core claim set are present in every token, regardless of what this property is set to.
Claims schema
String: ClaimsSchema
Data type: JSON blob with one or more claim schema entries
Summary: This property defines which claims are present in the tokens affected by the policy, in addition to the
basic claim set and the core claim set. For each claim schema entry defined in this property, certain information is
required. You must specify where the data is coming from (Value or Source/ID pair), and which claim the data is
emitted as (Claim Type).
Claim schema entry elements
Value: The Value element defines a static value as the data to be emitted in the claim.
Source/ID pair: The Source and ID elements define where the data in the claim is sourced from.
The Source element must be set to one of the following:
"user": The data in the claim is a property on the User object.
"application": The data in the claim is a property on the application (client) service principal.
"resource": The data in the claim is a property on the resource service principal.
"audience": The data in the claim is a property on the service principal that is the audience of the token (either
the client or resource service principal).
“company”: The data in the claim is a property on the resource tenant’s Company object.
"transformation": The data in the claim is from claims transformation (see the "Claims transformation" section
later in this article).
If the source is transformation, the TransformationID element must be included in this claim definition as well.
The ID element identifies which property on the source provides the value for the claim. The following table lists the
values of ID valid for each value of Source.
Table 3: Valid ID values per source
SOURCE ID DESCRIPTION
TransformationID: The TransformationID element must be provided only if the Source element is set to
“transformation”.
This element must match the ID element of the transformation entry in the ClaimsTransformation property
that defines how the data for this claim is generated.
Claim Type: The JwtClaimType and SamlClaimType elements define which claim this claim schema entry refers
to.
The JwtClaimType must contain the name of the claim to be emitted in JWTs.
The SamlClaimType must contain the URI of the claim to be emitted in SAML tokens.
NOTE
Names and URIs of claims in the restricted claim set cannot be used for the claim type elements. For more information, see
the "Exceptions and restrictions" section later in this article.
Claims transformation
String: ClaimsTransformation
Data type: JSON blob, with one or more transformation entries
Summary: Use this property to apply common transformations to source data, to generate the output data for
claims specified in the Claims Schema.
ID: Use the ID element to reference this transformation entry in the TransformationID Claims Schema entry. This
value must be unique for each transformation entry within this policy.
TransformationMethod: The TransformationMethod element identifies which operation is performed to generate
the data for the claim.
Based on the method chosen, a set of inputs and outputs is expected. These are defined by using the InputClaims,
InputParameters and OutputClaims elements.
Table 4: Transformation methods and expected inputs and outputs
InputClaims: Use an InputClaims element to pass the data from a claim schema entry to a transformation. It has
two attributes: ClaimTypeReferenceId and TransformationClaimType.
ClaimTypeReferenceId is joined with ID element of the claim schema entry to find the appropriate input claim.
TransformationClaimType is used to give a unique name to this input. This name must match one of the
expected inputs for the transformation method.
InputParameters: Use an InputParameters element to pass a constant value to a transformation. It has two
attributes: Value and ID.
Value is the actual constant value to be passed.
ID is used to give a unique name to this input. This name must match one of the expected inputs for the
transformation method.
OutputClaims: Use an OutputClaims element to hold the data generated by a transformation, and tie it to a claim
schema entry. It has two attributes: ClaimTypeReferenceId and TransformationClaimType.
ClaimTypeReferenceId is joined with the ID of the claim schema entry to find the appropriate output claim.
TransformationClaimType is used to give a unique name to this output. This name must match one of the
expected outputs for the transformation method.
Exceptions and restrictions
SAML NameID and UPN: The attributes from which you source the NameID and UPN values, and the claims
transformations that are permitted, are limited.
Table 5: Attributes allowed as a data source for SAML NameID
SOURCE ID DESCRIPTION
ExtractMailPrefix None
Connect-AzureAD -Confirm
3. To see all policies that have been created in your organization, run the following command. We recommend
that you run this command after most operations in the following scenarios, to check that your policies are
being created as expected.
Get-AzureADPolicy
Example: Create and assign a policy to omit the basic claims from tokens issued to a service principal.
In this example, you create a policy that removes the basic claim set from tokens issued to linked service
principals.
4. Create a claims mapping policy. This policy, linked to specific service principals, removes the basic claim set
from tokens.
a. To create the policy, run this command:
New-AzureADPolicy -Definition @('{"ClaimsMappingPolicy":
{"Version":1,"IncludeBasicClaimSet":"false"}}') -DisplayName "OmitBasicClaims” -Type
"ClaimsMappingPolicy"
b. To see your new policy, and to get the policy ObjectId, run the following command:
Get-AzureADPolicy
5. Assign the policy to your service principal. You also need to get the ObjectId of your service principal.
a. To see all your organization's service principals, you can query Microsoft Graph. Or, in Azure AD Graph
Explorer, sign in to your Azure AD account.
b. When you have the ObjectId of your service principal, run the following command:
Example: Create and assign a policy to include the EmployeeID and TenantCountry as claims in tokens issued to a
service principal.
In this example, you create a policy that adds the EmployeeID and TenantCountry to tokens issued to
linked service principals. The EmployeeID is emitted as the name claim type in both SAML tokens and
JWTs. The TenantCountry is emitted as the country claim type in both SAML tokens and JWTs. In this
example, we continue to include the basic claims set in the tokens.
6. Create a claims mapping policy. This policy, linked to specific service principals, adds the EmployeeID and
TenantCountry claims to tokens.
a. To create the policy, run this command:
b. To see your new policy, and to get the policy ObjectId, run the following command:
Get-AzureADPolicy
7. Assign the policy to your service principal. You also need to get the ObjectId of your service principal.
a. To see all your organization's service principals, you can query Microsoft Graph. Or, in Azure AD Graph
Explorer, sign in to your Azure AD account.
b. When you have the ObjectId of your service principal, run the following command:
Example: Create and assign a policy that uses a claims transformation in tokens issued to a service principal.
In this example, you create a policy that emits a custom claim “JoinedData” to JWTs issued to linked
service principals. This claim contains a value created by joining the data stored in the
extensionattribute1 attribute on the user object with “.sandbox”. In this example, we exclude the basic
claims set in the tokens.
8. Create a claims mapping policy. This policy, linked to specific service principals, adds the EmployeeID and
TenantCountry claims to tokens.
a. To create the policy, run this command:
b. To see your new policy, and to get the policy ObjectId, run the following command:
Get-AzureADPolicy
9. Assign the policy to your service principal. You also need to get the ObjectId of your service principal.
a. To see all your organization's service principals, you can query Microsoft Graph. Or, in Azure AD Graph
Explorer, sign in to your Azure AD account.
b. When you have the ObjectId of your service principal, run the following command:
Consumer-based devices are proliferating the corporate world, and cloud-based software-as-a-service (SaaS)
applications are easy to adopt. As a result, maintaining control of users’ application access across internal
datacenters and cloud platforms is challenging.
Microsoft’s identity solutions span on-premises and cloud-based capabilities, creating a single user identity for
authentication and authorization to all resources, regardless of location. We call this Hybrid Identity. There are
different design and configuration options for hybrid identity using Microsoft solutions, and in some case it might
be difficult to determine which combination will best meet the needs of your organization.
This Hybrid Identity Design Considerations Guide will help you to understand how to design a hybrid identity
solution that best fits the business and technology needs for your organization. This guide details a series of steps
and tasks that you can follow to help you design a hybrid identity solution that meets your organization’s unique
requirements. Throughout the steps and tasks, the guide will present the relevant technologies and feature
options available to organizations to meet functional and service quality (such as availability, scalability,
performance, manageability, and security) level requirements.
Specifically, the hybrid identity design considerations guide goals are to answer the following questions:
What questions do I need to ask and answer to drive a hybrid identity-specific design for a technology or
problem domain that best meets my requirements?
What sequence of activities should I complete to design a hybrid identity solution for the technology or
problem domain?
What hybrid identity technology and configuration options are available to help me meet my requirements?
What are the trade-offs between those options so that I can select the best option for my business?
Plan for enhancing data security through strong identity Determine data protection requirements
solution Determine content management requirements
Determine access control requirements
Determine incident response requirements
Define data protection strategy
Plan for hybrid identity lifecycle Determine hybrid identity management tasks
Synchronization Management
Determine hybrid identity management adoption strategy
The first step in designing a hybrid identity solution is to determine the requirements for the business organization
that will be leveraging this solution. Hybrid identity starts as a supporting role (it supports all other cloud solutions
by providing authentication) and goes on to provide new and interesting capabilities that unlock new workloads for
users. These workloads or services that you wish to adopt for your users will dictate the requirements for the
hybrid identity design. These services and workloads need to leverage hybrid identity both on-premises and in the
cloud.
You need to go over these key aspects of the business to understand what it is a requirement now and what the
company plans for the future. If you don’t have the visibility of the long term strategy for hybrid identity design,
chances are that your solution will not be scalable as the business needs grow and change. T he diagram below
shows an example of a hybrid identity architecture and the workloads that are being unlocked for users. This is just
an example of all the new possibilities that can be unlocked and delivered with a solid hybrid identity strategy.
Some components that are part of the hybrid identity architecture
NOTE
If you don’t have an accurate mapping of all your apps and cloud services, you can use the Cloud App Discovery tool. This
tool can provide your IT department with visibility into all your organization’s business and consumer cloud apps. That makes
it easier than ever to discover shadow IT in your organization, including details on usage patterns and any users accessing
your cloud applications. To get started see Cloud app discovery.
NOTE
Make sure to take notes of each answer and understand the rationale behind the answer. Determine incident response
requirements will go over the options available and pros/cons of each option. By having answered those questions you will
select which option best suits your business needs.
Next steps
Determine directory synchronization requirements
See also
Design considerations overview
Determine directory synchronization requirements
1/17/2018 • 3 min to read • Edit Online
Synchronization is all about providing users an identity in the cloud based on their on-premises identity. Whether
or not they will use synchronized account for authentication or federated authentication, the users will still need to
have an identity in the cloud. This identity will need to be maintained and updated periodically. The updates can
take many forms, from title changes to password changes.
Start by evaluating the organizations on-premises identity solution and user requirements. This evaluation is
important to define the technical requirements for how user identities will be created and maintained in the cloud.
For a majority of organizations, Active Directory is on-premises and will be the on-premises directory that users
will by synchronized from, however in some cases this will not be the case.
Make sure to answer the following questions:
Do you have one AD forest, multiple, or none?
How many Azure AD directories will you be synchronizing to?
1. Are you using filtering?
2. Do you have multiple Azure AD Connect servers planned?
Do you currently have a synchronization tool on-premises?
If yes, does your users if users have a virtual directory/integration of identities?
Do you have any other directory on-premises that you want to synchronize (e.g. LDAP Directory, HR database,
etc)?
Are you going to be doing any GALSync?
What is the current state of UPNs in your organization?
Do you have a different directory that users authenticate against?
Does your company use Microsoft Exchange?
Do they plan of having a hybrid exchange deployment?
Now that you have an idea about your synchronization requirements, you need to determine which tool is the
correct one to meet these requirements. Microsoft provides several tools to accomplish directory integration and
synchronization. See the Hybrid Identity directory integration tools comparison table for more information.
Now that you have your synchronization requirements and the tool that will accomplish this for your company,
you need to evaluate the applications that use these directory services. This evaluation is important to define the
technical requirements to integrate these applications to the cloud. Make sure to answer the following questions:
Will these applications be moved to the cloud and use the directory?
Are there special attributes that need to be synchronized to the cloud so these applications can use them
successfully?
Will these applications need to be re-written to take advantage of cloud auth?
Will these applications continue to live on-premises while users access them using the cloud identity?
You also need to determine the security requirements and constraints directory synchronization. This evaluation is
important to get a list of the requirements that will be needed in order to create and maintain user’s identities in
the cloud. Make sure to answer the following questions:
Where will the synchronization server be located?
Will it be domain joined?
Will the server be located on a restricted network behind a firewall, such as a DMZ?
Will you be able to open the required firewall ports to support synchronization?
Do you have a disaster recovery plan for the synchronization server?
Do you have an account with the correct permissions for all forests you want to synch with?
If your company doesn’t know the answer for this question, review the section “Permissions for
password synchronization” in the article Install the Azure Active Directory Sync Service and determine if
you already have an account with these permissions or if you need to create one.
If you have mutli-forest sync is the sync server able to get to each forest?
NOTE
Make sure to take notes of each answer and understand the rationale behind the answer. Determine incident response
requirements will go over the options available. By having answered those questions you will select which option best suits
your business needs.
Next steps
Determine multi-factor authentication requirements
See also
Design considerations overview
Determine multi-factor authentication requirements
for your hybrid identity solution
1/17/2018 • 2 min to read • Edit Online
In this world of mobility, with users accessing data and applications in the cloud and from any device, securing this
information has become paramount. Every day there is a new headline about a security breach. Although, there is
no guarantee against such breaches, multi-factor authentication, provides an additional layer of security to help
prevent these breaches. Start by evaluating the organizations requirements for multi-factor authentication. That is,
what is the organization trying to secure. This evaluation is important to define the technical requirements for
setting up and enabling the organizations users for multi-factor authentication.
NOTE
If you are not familiar with MFA and what it does, it is strongly recommended that you read the article What is Azure Multi-
Factor Authentication? prior to continue reading this section.
See also
Design considerations overview
Determine hybrid identity lifecycle adoption strategy
1/17/2018 • 9 min to read • Edit Online
In this task, you’ll define the identity management strategy for your hybrid identity solution to meet the business
requirements that you defined in Determine hybrid identity management tasks.
To define the hybrid identity management tasks according to the end-to-end identity lifecycle presented earlier in
this step, you will have to consider the options available for each lifecycle phase.
LIFECYCLE MANAGEMENT
PHASE ON PREMISES CLOUD HYBRID
LIFECYCLE MANAGEMENT
PHASE ON PREMISES CLOUD HYBRID
Account Management and By using the Active You have to create an Extend Active Directory
Provisioning Directory® Domain Services account for every user who identities into the cloud
(AD DS) server role, you can will access a Microsoft cloud through synchronization and
create a scalable, secure, and service. You can also change federation
manageable infrastructure user accounts or delete
for user and resource them when they’re no
management, and provide longer needed. By default,
support for directory- users do not have
enabled applications such as administrator permissions,
Microsoft® Exchange Server. but you can optionally
assign them. For more
You can provision groups in information, see Managing
AD DS through an Identity Users in Azure AD.
manager
You can provision users in Within Azure Active
AD DS Directory, one of the major
features is the ability to
Administrators can use manage access to resources.
access control to manage These resources can be part
user access to shared of the directory, as in the
resources for security case of permissions to
purposes. In Active manage objects through
Directory, access control is roles in the directory, or
administered at the object resources that are external
level by setting different to the directory, such as
levels of access, or SaaS applications, Azure
permissions, to objects, such services, and SharePoint
as Full Control, Write, Read, sites or on-premises
or No Access. Access control resources.
in Active Directory defines
how different users can use At the center of Azure Active
Active Directory objects. By Directory’s access
default, permissions on management solution is the
objects in Active Directory security group. The resource
are set to the most secure owner (or the administrator
setting. of the directory) can assign a
group to provide a certain
access right to the resources
they own. The members of
the group will be provided
the access, and the resource
owner can delegate the right
to manage the members list
of a group to someone else
– such as a department
manager or a helpdesk
administrator
License management
Group-based license management in Azure AD lets administrators assign users to a security group and Azure AD
automatically assigns licenses to all the members of the group. If a user is subsequently added to, or removed from
the group, a license will be automatically assigned or removed as appropriate.
You can use groups you synchronize from on-premises AD or manage in Azure AD. Pairing this up with Azure AD
premium Self-Service Group Management you can easily delegate license assignment to the appropriate decision
makers. You can be assured that problems like license conflicts and missing location data are automatically sorted
out.
NOTE
For more information, see Setting up Azure AD for self service application access management
Federation-based (through AD FS) Enabled by Security Token Service (STS). Requires specialized personnel for
When you configure an STS to provide deployment and maintenance of
single sign-on access with a Microsoft dedicated on-prem AD FS servers. There
cloud service, you will be creating a are restrictions on the use of strong
federated trust between your on- authentication if you plan to use AD FS
premises STS and the federated domain for your STS. For more information, see
you’ve specified in your Azure AD Configuring Advanced Options for AD
tenant. FS 2.0.
Allows end users to use the same set of
credentials to obtain access to multiple
resources
end users do not have to maintain
multiple sets of credentials. Yet, the
users have to provide their credentials
to each one of the participating
resources.,B2B and B2C scenarios
supported.
NOTE
For more information see, Integrating your on-premises identities with Azure Active Directory.
See Also
Design considerations overview
Define data protection strategy for your hybrid
identity solution
1/17/2018 • 13 min to read • Edit Online
In this task, you’ll define the data protection strategy for your hybrid identity solution to meet the business
requirements that you defined in:
Determine data protection requirements
Determine content management requirements
Determine access control requirements
Determine incident response requirements
VM-to-VM Encryption X
SSL/TLS X
VPN X
NOTE
Read Compliance by Feature at Microsoft Azure Trust Center to know more about the certifications that each Azure service
is compliant with. Since the options for data protection use a multilayer approach, comparison between those options are
not applicable for this task. Ensure that you are leveraging all options available for each state of the data.
NOTE
Read Microsoft Azure Security and Audit Log Management to know more about logging capabilities in Azure. Depending on
how you answered the questions in Determine content management requirements, you should be able to determine how
you want the content to be managed in your hybrid identity solution. While all options exposed in Table 6 are capable of
integrating with Azure AD, it is important to define which is more appropriate for your business needs.
Centralized on-premises (Active Full control over the server Higher maintenance (keep up with
Directory Rights Management Server) infrastructure responsible for classifying updates, configuration and potential
the data upgrades), since IT owns the Server
Built-in capability in Windows Server, Require a server infrastructure on-
no need for extra license or subscription premises
Can be integrated with Azure AD in a Doesn’t leverage Azure capabilities
hybrid scenario natively
Supports information rights
management (IRM) capabilities in
Microsoft Online services such as
Exchange Online and SharePoint
Online, as well as Office 365
Supports on-premises Microsoft server
products, such as Exchange Server,
SharePoint Server, and file servers that
run Windows Server and File
Classification Infrastructure (FCI).
Centralized in the cloud (Azure RMS) Easier to manage compared to the on- Your organization must have a cloud
premises solution subscription that supports RMS
Can be integrated with AD DS in a Your organization must have an Azure
hybrid scenario AD directory to support user
Fully integrated with Azure AD authentication for RMS
Doesn’t require a server on-premises in
order to deploy the service
Supports on-premises Microsoft server
products such as Exchange Server,
SharePoint, Server, and file servers that
run Windows Server and File
Classification, Infrastructure (FCI)
IT, can have complete control over their
tenant’s key with BYOK capability.
Hybrid (Azure RMS integrated with, This scenario accumulates the Your organization must have a cloud
On-Premises Active Directory Rights advantages of both, centralized on- subscription that supports RMS
Management Server) premises and in the cloud. Your organization must have an Azure
AD directory to support user
authentication for RMS,
Requires a connection between Azure
cloud service and on-premises
infrastructure
NOTE
read Azure Active Directory Authentication Protocols to know more details about each protocol and its capabilities in Azure.
Using the Azure AD support, mobile business applications can use the same easy Mobile Services authentication
experience to allow employees to sign into their mobile applications with their corporate Active Directory
credentials. With this feature, Azure AD is supported as an identity provider in Mobile Services alongside the other
identity providers already supported (which include Microsoft Accounts, Facebook ID, Google ID, and Twitter ID). If
the on-premises apps use the user’s credential located at the company’s AD DS, the access from partners and
users coming from the cloud should be transparent. You can manage user’s conditional access control to (cloud-
based) web applications, web API, Microsoft cloud services, third-party SaaS applications, and native (mobile) client
applications, and have the benefits of security, auditing, reporting all in one place. However, it is recommended to
validate the implementation in a non-production environment or with a limited number of users.
TIP
it is important to mention that Azure AD does not have Group Policy as AD DS has. In order to enforce policy for devices,
you need a mobile device management solution such as Microsoft Intune.
Once the user is authenticated using Azure AD, it is important to evaluate the level of access that the user has. The
level of access that the user has over a resource can vary. While Azure AD can add an additional security layer by
controlling access to some resources, keep in mind that the resource itself can also have its own access control list
separately, such as the access control for files located in a File Server. The following figure summarizes the levels
of access control that you can have in a hybrid scenario:
Each interaction in the diagram showed in Figure X represents one access control scenario that can be covered by
Azure AD. Below you have a description of each scenario:
1. Conditional Access to applications that are hosted on-premises: You can use registered devices with access
policies for applications that are configured to use AD FS with Windows Server 2012 R2. For more
information about setting up conditional access for on-premises, see Setting up On-premises Conditional
Access using Azure Active Directory Device Registration.
2. Access Control to the Azure portal: Azure also lets you control access to the portal by using role-based
access control (RBAC)). This method enables the company to restrict the number of operations that an
individual can do in the Azure portal. By using RBAC to control access to the portal, IT Admins can delegate
access by using the following access management approaches:
Group-based role assignment: You can assign access to Azure AD groups that can be synced from your
local Active Directory. This lets you leverage the existing investments that your organization has made in
tooling and processes for managing groups. You can also use the delegated group management feature
of Azure AD Premium.
Use built-in roles in Azure: You can use three roles — Owner, Contributor, and Reader, to ensure that
users and groups have permission to do only the tasks they need to do their jobs.
Granular access to resources: You can assign roles to users and groups for a particular subscription,
resource group, or an individual Azure resource such as a website or database. In this way, you can
ensure that users have access to all the resources they need and no access to resources that they do not
need to manage.
NOTE
If you are building applications and want to customize the access control for them, it is also possible to use Azure AD
Application Roles for authorization. Review this WebApp-RoleClaims-DotNet example on how to build your app to use this
capability.
1. Conditional Access for Office 365 applications with Microsoft Intune: IT admins can provision conditional
access device policies to secure corporate resources, while at the same time allowing information workers
on compliant devices to access the services. For more information, see Conditional Access Device Policies
for Office 365 services.
2. Conditional Access for Saas apps: This feature allows you to configure per-application multi-factor
authentication access rules and the ability to block access for users not on a trusted network. You can apply
the multi-factor authentication rules to all users that are assigned to the application, or only for users within
specified security groups. Users may be excluded from the multi-factor authentication requirement if they
are accessing the application from an IP address that in inside the organization’s network.
Since the options for access control use a multilayer approach, comparison between those options are not
applicable for this task. Ensure that you are leveraging all options available for each scenario that requires you to
control access to your resources.
TIP
Another report that can also help the Incident Response team working on a case is the user with leaked credentials report.
This report surfaces any matches between the leaked credentials list and your tenant.
Other important built-in reports in Azure AD that can be used during an incident response investigation and are:
Password reset activity: provide the admin with insights into how actively password reset is being used in the
organization.
Password reset registration activity: provides insights into which users have registered their methods for
password reset, and which methods they have selected.
Group activity: provides a history of changes to the group (ex: users added or removed) that were initiated in
the Access Panel.
In addition to the core reporting capability of Azure AD Premium that you can use during an Incident Response
investigation process, IT can also take advantage of the Audit Report to obtain information such as:
Changes in role membership (for example, user added to Global Admin role)
Credential updates (for example, password changes)
Domain management (for example, verifying a custom domain, removing a domain)
Adding or removing applications
User management (for example, adding, removing, updating a user)
Adding or removing licenses
Since the options for incident response use a multilayer approach, comparison between those options is not
applicable for this task. Ensure that you are leveraging all options available for each scenario that requires you to
use Azure AD reporting capability as part of your company’s incident response process.
Next steps
Determine hybrid identity management tasks
See Also
Design considerations overview
Plan for enhancing data security through strong
identity solution
1/17/2018 • 4 min to read • Edit Online
The first step to protect the data is identify who can access that data and as part of this process you need to have
an identity solution that can integrates with your system to provide authentication and authorization capabilities.
Authentication and authorization are often confused with each other and their roles misunderstood. In reality they
are quite different, as shown in the figure below:
NOTE
Once you finish planning for data security, review Determine multi-factor authentication requirements to ensure that your
selections regarding multi-factor authentication requirements were not affected by the decisions you made in this section.
Compliance
Regulations, laws and regulatory compliance requirements will vary according to the industry that your company
belongs. Companies in high regulated industries must address identity-management concerns related to
compliance issues. Regulations such as Sarbanes-Oxley (SOX), the Health Insurance Portability and Accountability
Act (HIPAA), the Gramm-Leach-Bliley Act (GLBA) and the Payment Card Industry Data Security Standard (PCI DSS)
are very strict regarding identity and access. The hybrid identity solution that your company will adopt must have
the core capabilities that will fulfill the requirements of one or more of these regulations. For this area, ensure that
the following questions are asked:
Is the hybrid identity solution compliant with the regulatory requirements for your business?
Does the hybrid identity solution has built in capabilities that will enable your company to be compliant
regulatory requirements?
NOTE
Make sure to take notes of each answer and understand the rationale behind the answer. Define Data Protection Strategy
will go over the options available and advantages/disadvantages of each option. By having answered those questions you
will select which option best suits your business needs.
Next steps
Determine content management requirements
See Also
Design considerations overview
Determine content management requirements for
your hybrid identity solution
1/17/2018 • 2 min to read • Edit Online
Understanding the content management requirements for your business may direct affect your decision on which
hybrid identity solution to use. With the proliferation of multiple devices and the capability of users to bring their
own devices (BYOD), the company must protect its own data but it also must keep user’s privacy intact. Usually
when a user has his own device he might have also multiple credentials that will be alternating according to the
application that he uses. It is important to differentiate what content was created using personal credentials versus
the ones created using corporate credentials. Your identity solution should be able to interact with cloud services
to provide a seamless experience to the end user while ensure his privacy and increase the protection against data
leakage.
Your identity solution will be leveraged by different technical controls in order to provide content management as
shown in the figure below:
NOTE
Read data classification for cloud readiness for more information about best practices and guidelines for data classification.
When planning your hybrid identity solution ensure that the following questions are answered according to your
organization’s requirements:
Does your company have security controls in place to enforce data privacy?
If yes, will those security controls be able to integrate with the hybrid identity solution that you are going
to adopt?
Does your company use data classification?
If yes, is the current solution able to integrate with the hybrid identity solution that you are going to
adopt?
Does your company currently have any solution for data leakage?
If yes, is the current solution able to integrate with the hybrid identity solution that you are going to
adopt?
Does your company need to audit access to resources?
If yes, what type of resources?
If yes, what level of information is necessary?
If yes, where the audit log must reside? On-premises or in the cloud?
Does your company need to encrypt any emails that contain sensitive data (SSNs, credit card numbers, etc)?
Does your company need to encrypt all documents/contents shared with external business partners?
Does your company need to enforce corporate policies on certain kinds of emails (do no reply all, do not
forward)?
NOTE
Make sure to take notes of each answer and understand the rationale behind the answer. Define Data Protection Strategy
will go over the options available and advantages/disadvantages of each option. By having answered those questions you
will select which option best suits your business needs.
Next steps
Determine access control requirements
See Also
Design considerations overview
Determine access control requirements for your
hybrid identity solution
1/17/2018 • 3 min to read • Edit Online
When an organization is designing their hybrid identity solution they can also use this opportunity to review
access requirements for the resources that they are planning to make it available for users. The data access cross
all four pillars of identity, which are:
Administration
Authentication
Authorization
Auditing
The sections that follows will cover authentication and authorization in more details, administration and auditing
are part of the hybrid identity lifecycle. Read Determine hybrid identity management tasks for more information
about these capabilities.
NOTE
Read The Four Pillars of Identity - Identity Management in the Age of Hybrid IT for more information about each one of
those pillars.
Access Control
While authentication and authorization are core elements to enable access to corporate data through user’s
validation, it is also important to control the level of access that these users will have and the level of access
administrators will have over the resources that they are managing. Your hybrid identity solution must be able to
provide granular access to resources, delegation and role base access control. Ensure that the following question
are answered regarding access control:
Does your company have more than one user with elevated privilege to manage your identity system?
If yes, does each user need the same access level?
Would your company need to delegate access to users to manage specific resources?
If yes, how frequently this happens?
Would your company need to integrate access control capabilities between on-premises and cloud resources?
Would your company need to limit access to resources according to some conditions?
Would your company have any application that needs custom control access to some resources?
If yes, where are those apps located (on-premises or in the cloud)?
If yes, where are those target resources located (on-premises or in the cloud)?
NOTE
Make sure to take notes of each answer and understand the rationale behind the answer. Define Data Protection Strategy
will go over the options available and advantages/disadvantages of each option. By answering those questions you will select
which option best suits your business needs.
Next steps
Determine incident response requirements
See Also
Design considerations overview
Determine incident response requirements for your
hybrid identity solution
1/17/2018 • 3 min to read • Edit Online
Large or medium organizations most likely will have a security incident response in place to help IT take actions
accordingly to the level of incident. The identity management system is an important component in the incident
response process because it can be used to help identifying who performed a specific action against the target.
The hybrid identity solution must be able to provide monitoring and reporting capabilities that can be leveraged
by IT to take actions to identify and mitigate a potential threat. In a typical incident response plan you will have the
following phases as part of the plan:
1. Initial assessment.
2. Incident communication.
3. Damage control and risk reduction.
4. Identification of what it was compromise and severity.
5. Evidence preservation.
6. Notification to appropriate parties.
7. System recovery.
8. Documentation.
9. Damage and cost assessment.
10. Process and plan revision.
During the identification of what it was compromise and severity- phase, it will be necessary to identify the
systems that have been compromised, files that have been accessed and determine the sensitivity of those files.
Your hybrid identity system should be able to fulfill these requirements to assist you identifying the user that
made those changes.
NOTE
Make sure to take notes of each answer and understand the rationale behind the answer. Define data protection strategy
will go over the options available and advantages/disadvantages of each option. By having answered those questions you
will select which option best suits your business needs.
Next steps
Define data protection strategy
See Also
Design considerations overview
Plan for Hybrid Identity Lifecycle
1/17/2018 • 3 min to read • Edit Online
Identity is one of the foundations of your enterprise mobility and application access strategy. Whether you are
signing on to your mobile device or SaaS app, your identity is the key to gaining access to everything. At its
highest level, an identity management solution encompasses unifying and syncing between your identity
repositories which includes automating and centralizing the process of provisioning resources. The identity
solution should be a centralized identity across on-premises and cloud and also use some form of identity
federation to maintain centralized authentication and securely share and collaborate with external users and
businesses. Resources range from operating systems and applications to people in, or affiliated with, an
organization. Organizational structure can be altered to accommodate the provisioning policies and procedures.
It is also important to have an identity solution geared to empower your users by providing them with self-service
experiences to keep them productive. Your identity solution is more robust if it enables single sign-on for users
across all the resources they need access Administrators at all levels can use standardized procedures for
managing user credentials. Some levels of administration can be reduced or eliminated, depending on the breadth
of the provisioning management solution. Furthermore, you can securely distribute administration capabilities,
manually or automatically, among various organizations. For example, a domain administrator can serve only the
people and resources in that domain. This user can do administrative and provisioning tasks, but is not authorized
to do configuration tasks, such as creating workflows.
To define hybrid identity management tasks, you must understand some essential characteristics of the
organization that will be adopting hybrid identity. It is important to understand the current repositories being used
for identity sources. By knowing those core elements, you will have the foundational requirements and based on
that you will need to ask more granular questions that will lead you to a better design decision for your Identity
solution.
While defining those requirements, ensure that at least the following questions are answered
Provisioning options:
Does the hybrid identity solution support a robust account access management and provisioning
system?
How are users, groups, and passwords going to be managed?
Is the identity lifecycle management responsive?
How long does password updates account suspension take?
License management:
Does the hybrid identity solution handles license management?
If yes, what capabilities are available?
Does the solution handle group-based license management?
Synchronization Management
One of the goals of an identity manager, to be able to bring all the identity providers and keep them synchronized.
You keep the data synchronized based on an authoritative master identity provider. In a hybrid identity scenario,
with a synchronized management model, you manage all user and device identities in an on-premises server and
synchronize the accounts and, optionally, passwords to the cloud. The user enters the same password on-premises
as he or she does in the cloud, and at sign-in, the password is verified by the identity solution. This model uses a
directory synchronization tool.
Next steps
Determine hybrid identity management adoption strategy
See Also
Design considerations overview
Define a hybrid identity adoption strategy
1/17/2018 • 11 min to read • Edit Online
In this task, you’ll define the hybrid identity adoption strategy for your hybrid identity solution to meet the business
requirements that were discussed in :
Determine business needs
Determine directory synchronization requirements
Determine multi-factor authentication requirements
The following table will help in determining the advantages and disadvantages of each of the following strategies:
Cloud identities Easier to manage for small organization. Users will need to sign-in when
Nothing to install on-premises- No accessing workloads in the cloud
additional hardware needed Passwords may or may not be the same
Easily disabled if the user leaves the for cloud and on-premises identities
company
Federated Users can have single sign-on (SSO) More steps to setup and configure
If a user is terminated or leaves, the Higher maintenance
account can,be immediately disabled May require additional hardware for the
and access revoked, STS infrastructure
Supports advanced scenarios that May require additional hardware to
cannot be,accomplished with install the federation server.Additional
synchronized software is required if AD FS is used
Require extensive setup for SSO
Critical point of failure if the federation
server is down, users won’t be able to
authenticate
Client experience
The strategy that you use will dictate the user sign-in experience. The following tables provide you with information
on what the users should expect their sign-in experience to be. Note that not all federated identity providers
support SSO in all scenarios.
Doman-joined and private network applications:
Web Browsers Forms based authentication single sign on, sometimes required to
supply organization ID
Skype for Business (Lync) Prompt for credentials single-sign on for Lync, prompted
credentials for Exchange
Outlook, Skype for Business (Lync), Prompt for credentials Prompt for credentials
Skydrive Pro, Office subscription
If you have determined from task 1 that you have a 3rd party IdP or are going to use one to provide federation
with Azure AD, you need to be aware of the following supported capabilities:
Any SAML 2.0 provider which is compliant for the SP-Lite profile can support authentication to Azure AD and
associated applications
Supports passive authentication, which facilitates auth to OWA, SPO, etc.
Exchange Online clients can be supported via the SAML 2.0 Enhanced Client Profile (ECP)
You must also be aware of what capabilities will not be available:
Without WS-Trust/Federation support, all other active clients will break
That means no Lync client, OneDrive client, Office Subscription, Office Mobile prior to Office 2016
Transition of Office to passive authentication will allow them to support pure SAML 2.0 IdPs, but support will
still be on a client-by-client basis
NOTE
For the most updated list read the article http://aka.ms/ssoproviders.
Supported topologies
When defining a synchronization strategy, the topology that is used must be determined. Depending on the
information that was determined in step 2 you can determine which topology is the proper one to use. The single
forest, single Azure AD topology is the most common and consists of a single Active Directory forest and a single
instance of Azure AD. This is going to be used in a majority of the scenarios and is the expected topology when
using Azure AD Connect Express installation as shown in the figure below.
Single
Forest Scenario It is very common for large and even small organizations to have multiple forests, as shown in
Figure 5.
NOTE
For more information about the different on-premises and Azure AD topologies with Azure AD Connect sync read the article
Topologies for Azure AD Connect.
Multi-Forest Scenario
If this the case then the multi-forest-single Azure AD topology should be considered if the following items are true:
Users have only 1 identity across all forests – the uniquely identifying users section below describes this in
more detail.
The user authenticates to the forest in which their identity is located
UPN and Source Anchor (immutable id) will come from this forest
All forests are accessible by Azure AD Connect – this means it does not need to be domain joined and can be
placed in a DMZ if this facilitates this.
Users have only one mailbox
The forest that hosts a user’s mailbox has the best data quality for attributes visible in the Exchange Global
Address List (GAL)
If there is no mailbox on the user, then any forest may be used to contribute these values
If you have a linked mailbox, then there is also another account in a different forest used to sign in.
NOTE
Objects that exist in both on-premises and in the cloud are “connected” via a unique identifier. In the context of Directory
Synchronization, this unique identifier is referred to as the SourceAnchor. In the context of Single Sign-On, this is referred to
as the ImmutableId. Design concepts for Azure AD Connect for more considerations regarding the use of SourceAnchor.
If the above are not true and you have more than one active account or more than one mailbox, Azure AD Connect
will pick one and ignore the other. If you have linked mailboxes but no other account, these accounts will not be
exported to Azure AD and that user will not be a member of any groups. This is different from how it was in the
past with DirSync and is intentional to better support these multi-forest scenarios. A multi-forest scenario is shown
in the figure below.
Even though you may have settled on a solution for your strategy, you still need to use the evaluation from above
on where your users are located. This may cause the solution to change. Use the table below to assist you
determining this:
NOTE
You should also ensure that the multi-factor authentication design option that you selected supports the features that are
required for your design. For more information read Choose the multi-factor security solution for you.
Multi-Factor Auth Provider
Multi-factor authentication is available by default for global administrators who have a Azure Active Directory
tenant. However, if you wish to extend multi-factor authentication to all of your users and/or want to your global
administrators to be able to take advantage features such as the management portal, custom greetings, and
reports, then you must purchase and configure Multi-Factor Authentication Provider.
NOTE
You should also ensure that the multi-factor authentication design option that you selected supports the features that are
required for your design.
Next steps
Determine data protection requirements
See also
Design considerations overview
Azure Active Directory hybrid identity design
considerations- next steps
12/11/2017 • 2 min to read • Edit Online
Now that you’ve completed defining your requirements and examining all the options for your mobile device
management solution, you’re ready to take the next steps for deploying the supporting infrastructure that’s right
for you and your organization.
See also
Design considerations overview
Hybrid Identity directory integration tools
comparison
1/10/2018 • 3 min to read • Edit Online
Over the years the directory integration tools have grown and evolved. This document is to help provide a
consolidated view of these tools and a comparison of the features that are available in each.
NOTE
Azure AD Connect incorporates the components and functionality previously released as Dirsync and AAD Sync. These tools
are no longer being released individually, and all future improvements will be included in updates to Azure AD Connect, so
that you always know where to get the most current functionality.
DirSync and Azure AD Sync are deprecated. More information can be found in here.
Connect to single ● ● ● ● ●
on-premises AD
forest
Connect to ● ● ● ●
multiple on-
premises AD
forests
Connect to ●
multiple on-
premises
Exchange Orgs
Connect to single ●* ● ●
on-premises
LDAP directory
Connect to ●* ● ●
multiple on-
premises LDAP
directories
AZURE ACTIVE
DIRECTORY AZURE ACTIVE FOREFRONT MICROSOFT
AZURE ACTIVE SYNCHRONIZATIO DIRECTORY IDENTITY IDENTITY
DIRECTORY N SERVICES (AAD SYNCHRONIZATIO MANAGER 2010 R2 MANAGER 2016
FEATURE CONNECT SYNC) N TOOL (DIRSYNC) (FIM) (MIM)
Connect to on- ●* ● ●
premises AD and
on-premises
LDAP directories
Connect to FR ● ●
custom systems
(i.e. SQL, Oracle,
MySQL, etc.)
Synchronize ●
customer defined
attributes
(directory
extensions)
Connect to on- FR ● ●
premises HR (i.e.,
SAP, Oracle
eBusiness,People
Soft)
Supports FIM ● ●
synchronization
rules and
connectors for
provisioning to
on-premises
systems.
* Currently there are two supported options for this. They are:
1. You can use the generic LDAP connector and enable it outside of Azure AD Connect. This is complex and
requires a partner for on-boarding and a premier support agreement to maintain. This option can handle both
single and multiple LDAP directories.
2. You can develop your own solution for moving objects from LDAP to Active Directory. Then synchronize the
objects with Azure AD Connect. MIM or FIM could be used as a possible solution for moving the objects.
Writeback of ● ●
devices
Attribute ● ● ● ● ●
writeback (for
Exchange hybrid
deployment )
AZURE ACTIVE AZURE ACTIVE FOREFRONT MICROSOFT
AZURE ACTIVE DIRECTORY DIRECTORY IDENTITY IDENTITY
DIRECTORY SYNCHRONIZATIO SYNCHRONIZATIO MANAGER 2010 R2 MANAGER 2016
FEATURE CONNECT N SERVICES N TOOL (DIRSYNC) (FIM) (MIM)
Writeback of ●
groups objects
Writeback of ● ●
passwords (from
self-service
password reset
(SSPR) and
password
change)
Password Sync ● ● ●
for single on-
premises AD
forest
Password Sync ● ●
for multiple on-
premises AD
forests
Single Sign-on ● ● ● ● ●
with Federation
Writeback of ● ●
passwords (from
SSPR and
password
change)
Supports installation ● ● ●
on a Domain
Controller
Supports installation ● ● ●
using SQL Express
Localization of Admin ● ● ●
UX to Windows
Server languages
Localization of end ●
user UX to Windows
Server languages
Filter on ● ● ● ● ●
Domains and
Organizational
Units
Filter on objects’ ● ● ● ● ●
attribute values
Allow different ● ●
service templates
to be applied for
attribute flows
Allow removing ● ●
attributes from
flowing from AD
to Azure AD
Allow advanced ● ● ● ●
customization for
attribute flows
Next steps
Learn more about Integrating your on-premises identities with Azure Active Directory.
Quickstart: Add new users to Azure Active Directory
1/9/2018 • 1 min to read • Edit Online
This article explains how to delete or add users in your organization into your orgnization's Azure Active Directory
(Azure AD) tenant using the Azure portal or by synchronizing your on-premises Windows Server AD user account
data.
4. Enter details for the user, such as Name and User name. The domain name portion of the user name must
either be the initial default domain name "[domain name].onmicrosoft.com" or a verified, non-federated
custom domain name such as "contoso.com."
5. Copy or otherwise note the generated user password so that you can provide it to the user after this process is
complete.
6. Optionally, you can open and fill out the information in Profile, Groups, or Directory role for the user. For
more information about user and administrator roles, see Assigning administrator roles in Azure AD.
7. On User, select Create.
8. Securely distribute the generated password to the new user so that the user can sign in.
TIP
You can also synchronize user account data from on-premises Windows Server AD. Microsoft’s identity solutions span on-
premises and cloud-based capabilities, creating a single user identity for authentication and authorization to all resources,
regardless of location. We call this Hybrid Identity. Azure AD Connect can be used to integrate your on-premises directories
with Azure Active Directory for hybrid identity scenarios. This allows you to provide a common identity for your users for
Office 365, Azure, and SaaS applications integrated with Azure AD.
Delete users from Azure AD
1. Sign in to the Azure Active Directory admin center with an account that's a global admin for the directory.
2. Select Users and groups.
3. On the Users and groups blade, select the user to delete from the list.
4. On the blade for the selected user, select Overview, and then in the command bar, select Delete.
Learn more
Add guest users from another directory
Assign a user to a role in your Azure AD
Manage user profiles
Restore a deleted user
Next steps
In this quickstart, you’ve learned how to add new users to Azure AD Premium.
You can use the following link to create a new user in Azure AD from the Azure portal.
Add users to Azure AD
Add or change profile information for a user in Azure
Active Directory
1/4/2018 • 1 min to read • Edit Online
This article explains how to add user profile information, such as a profile picture or phone and email
authentication information, in Azure Active Directory (Azure AD). For information about adding new users in your
organization, see Add new users to Azure Active Directory.
6. Add or change the profile information. Then, in the command bar, select Save.
Next steps
Add new users to Azure Active Directory
Reset the password for a user in Azure Active Directory
Assign a user to administrator roles in Azure Active Directory
Delete a user from a directory in Azure Active Directory
Sharing accounts with Azure AD
12/11/2017 • 3 min to read • Edit Online
Overview
Sometimes organizations need to use a single username and password for multiple people, which typically
happens in two cases:
When accessing applications that require a unique sign in and password for each user, whether on-premises
apps or consumer cloud services (for example, corporate social media accounts).
When creating multi-user environments. You might have a single, local account that has elevated privileges and
is used to do core setup, administration, and recovery activities. For example, the local "global administrator"
account for Office 365 or the root account in Salesforce.
Traditionally, these accounts are shared by distributing the credentials (username and password) to the right
individuals or storing them in a shared location where multiple trusted agents can access them.
The traditional sharing model has several drawbacks:
Enabling access to new applications requires you to distribute credentials to everyone that needs access.
Each shared application may require its own unique set of shared credentials, requiring users to remember
multiple sets of credentials. When users have to remember many credentials, the risk increases that they resort
to risky practices. (for example, writing down passwords).
You can't tell who has access to an application.
You can't tell who has accessed an application.
When you want to remove access to an application, you have to update the credentials and redistribute them to
everyone that needs access to that application.
Sharing an account
To use Azure AD to share an account, you need to:
Add an application app gallery or custom application
Configure the application for password Single Sign-On (SSO)
Use group-based assignment and select the option to enter a shared credential
Optional: in some applications, such as Facebook, Twitter, or LinkedIn, you can enable the option for Azure AD
automated password roll-over
You can also make your shared account more secure with Multi-Factor Authentication (MFA) (learn more about
securing applications with Azure AD) and you can delegate the ability to manage who has access to the application
using Azure AD Self-service Group Management.
Related articles
Article Index for Application Management in Azure Active Directory
Protecting apps with conditional access
Self-service group management/SSAA
Assign a user to administrator roles in Azure Active
Directory
1/9/2018 • 1 min to read • Edit Online
This article explains how to assign an administrative role to a user in Azure Active Directory (Azure AD). For
information about adding new users in your organization, see Add new users to Azure Active Directory. Added
users don't have administrator permissions by default, but you can assign roles to them at any time.
Next steps
Quickstart: Add or delete users in Azure Active Directory
Manage user profiles
Add guest users from another directory
Assign a user to a role in your Azure AD
Restore a deleted user
Restore a deleted user in Azure Active Directory
1/17/2018 • 1 min to read • Edit Online
This article contains instructions to restore or permanently delete a previously deleted user. When you delete a
user in the Azure Active Directory (Azure AD), the deleted user is retained for 30 days from the deletion date.
During that time, the user and its properties can be restored.
Required permissions
The following permissions are sufficient to restore a user.
ROLE PERMISSIONS
Next steps
These articles provide additional information on Azure Active Directory user management.
Quickstart: Add or delete users to Azure Active Directory
Manage user profiles
Add guest users from another directory
Assign a user to a role in your Azure AD
What is Azure AD B2B collaboration?
1/9/2018 • 3 min to read • Edit Online
Azure AD business-to-business (B2B) collaboration capabilities enable any organization using Azure AD to
work safely and securely with users from any other organization, small or large. Those organizations can be
with Azure AD or without, or even with an IT organization or without.
Organizations using Azure AD can provide access to documents, resources, and applications to their partners,
while maintaining complete control over their own corporate data. Developers can use the Azure AD business-
to-business APIs to write applications that bring two organizations together in more securely. Also, it's pretty
easy for end users to navigate.
97% of our customers have told us Azure AD B2B collaboration is very important to them.
As of early April 2017, we had about 3 million users already using Azure AD B2B collaboration capabilities.
And more than 23% of Azure AD organizations that have more than 10 users are already benefiting from
these capabilities.
Use our APIs and sample code to easily build applications to onboard
Bring your external partners on board in ways customized to your organization’s needs.
Using the B2B collaboration invitation APIs, you can customize your onboarding experiences, including
creating self-service sign-up portals. We provide sample code for a self-service portal on Github.
With Azure AD B2B collaboration, you can get the full power of Azure AD to protect your partner relationships
in a way that end users find easy and intuitive. So go ahead, join the thousands of organizations that are
already using Azure AD B2B for their external collaboration!
Next steps
Administrator experiences are found in the Azure portal.
Information worker experiences are available in the Access Panel.
And, as always, connect with the product team for any feedback, discussions, and suggestions through
our Microsoft Tech Community.
Browse our other articles on Azure AD B2B collaboration:
How do Azure Active Directory admins add B2B collaboration users?
How do information workers add B2B collaboration users?
The elements of the B2B collaboration invitation email
B2B collaboration invitation redemption
Azure AD B2B collaboration licensing
Troubleshooting Azure Active Directory B2B collaboration
Azure Active Directory B2B collaboration frequently asked questions (FAQ)
Azure Active Directory B2B collaboration API and customization
Multi-factor authentication for B2B collaboration users
Add B2B collaboration users without an invitation
B2B collaboration user auditing and reporting
Article Index for Application Management in Azure Active Directory
How do Azure Active Directory admins add B2B
collaboration users?
12/11/2017 • 1 min to read • Edit Online
Global Admins and limited admins can use the Azure portal to invite B2B collaboration users to the directory, to
any group or to any application.
Related articles
Browse our other articles on Azure AD B2B collaboration:
What is Azure AD B2B collaboration?
How do information workers add B2B collaboration users?
The elements of the B2B collaboration invitation email
B2B collaboration invitation redemption
Azure AD B2B collaboration licensing
Troubleshooting Azure Active Directory B2B collaboration
Azure Active Directory B2B collaboration frequently asked questions (FAQ)
Multi-factor authentication for B2B collaboration users
Azure Active Directory B2B collaboration API and customization
Add B2B collaboration users without an invitation
Article Index for Application Management in Azure Active Directory
How do information workers add B2B collaboration
users to Azure Active Directory?
1/17/2018 • 1 min to read • Edit Online
Information workers can use the Application Access Panel to add B2B collaboration users to groups and
applications that they administer.
NOTE
You cannot add B2B collaboration users to a dynamic group or to a group that is synced with on-premises Active Directory.
Next steps
Browse our other articles on Azure AD B2B collaboration:
What is Azure AD B2B collaboration?
How do Azure Active Directory admins add B2B collaboration users?
The elements of the B2B collaboration invitation email
B2B collaboration invitation redemption
Azure AD B2B collaboration licensing
Troubleshooting Azure Active Directory B2B collaboration
Azure Active Directory B2B collaboration frequently asked questions (FAQ)
Azure Active Directory B2B collaboration API and customization
Multi-factor authentication for B2B collaboration users
Add B2B collaboration users without an invitation
Article Index for Application Management in Azure Active Directory
Azure Active Directory B2B collaboration API and
customization
12/11/2017 • 1 min to read • Edit Online
We've had many customers tell us that they want to customize the invitation process in a way that works best for
their organizations. With our API, you can do just that. https://developer.microsoft.com/graph/docs/api-
reference/v1.0/resources/invitation
"invitedUserDisplayName": "Sam"
"invitedUserEmailAddress": "gsamoogle@gmail.com"
2. Customize where you want your users to land after they accept their invitation.
"inviteRedirectUrl": "https://myapps.microsoft.com/"
"sendInvitationMessage": true
4. And choose to cc: people you want to keep in the loop about your inviting this collaborator.
5. Or completely customize your invitation and onboarding workflow by choosing not to send notifications
through Azure AD.
"sendInvitationMessage": false
In this case, you get back a redemption URL from the API that you can embed in an email template, IM, or
other distribution method of your choice.
6. Finally, if you are an admin, you can choose to invite the user as member.
"invitedUserType": "Member"
Authorization model
The API can be run in the following authorization modes:
App + User mode
In this mode, whoever is using the API needs to have the permissions to be create B2B invitations.
App only mode
In app only context, the app needs the User.ReadWrite.All or Directory.ReadWrite.All scopes for the invitation to
succeed.
For more information, refer to: https://graph.microsoft.io/docs/authorization/permission_scopes
PowerShell
It is now possible to use PowerShell to add and invite external users to an organization easily. Create an invitation
using the cmdlet:
New-AzureADMSInvitation
Next steps
Browse our other articles on Azure AD B2B collaboration:
What is Azure AD B2B collaboration?
How do Azure Active Directory admins add B2B collaboration users?
How do information workers add B2B collaboration users?
The elements of the B2B collaboration invitation email
B2B collaboration invitation redemption
Azure AD B2B collaboration licensing
Troubleshooting Azure Active Directory B2B collaboration
Azure Active Directory B2B collaboration frequently asked questions (FAQ)
Multi-factor authentication for B2B collaboration users
Add B2B collaboration users without an invitation
Article Index for Application Management in Azure Active Directory
Azure Active Directory B2B collaboration code and
PowerShell samples
12/11/2017 • 4 min to read • Edit Online
PowerShell example
You can bulk-invite external users to an organization from email addresses that you have stored in a .CSV file.
1. Prepare the .CSV file Create a new CSV file and name it invitations.csv. In this example, the file is saved in
C:\data, and contains the following information:
NAME INVITEDUSEREMAILADDRESS
2. Get the latest Azure AD PowerShell To use the new cmdlets, you must install the updated Azure AD
PowerShell module, which you can download from the Powershell module's release page
3. Sign in to your tenancy
$cred = Get-Credential
Connect-AzureAD -Credential $cred
This cmdlet sends an invitation to the email addresses in invitations.csv. Additional features of this cmdlet include:
Customized text in the email message
Including a display name for the invited user
Sending messages to CCs or suppressing email messages altogether
Code sample
Here we illustrate how to call the invitation API, in "app-only" mode, to get the redemption URL for the resource to
which you are inviting the B2B user. The goal is to send a custom invitation email. The email can be composed
with an HTTP client, so you can customize how it looks and send it through Graph API.
namespace SampleInviteApp
{
using System;
using System.Linq;
using System.Net.Http;
using System.Net.Http.Headers;
using Microsoft.IdentityModel.Clients.ActiveDirectory;
using Newtonsoft.Json;
class Program
{
/// <summary>
/// Microsoft graph resource.
/// </summary>
static readonly string GraphResource = "https://graph.microsoft.com";
/// <summary>
/// Microsoft graph invite endpoint.
/// </summary>
static readonly string InviteEndPoint = "https://graph.microsoft.com/v1.0/invitations";
/// <summary>
/// Authentication endpoint to get token.
/// </summary>
static readonly string EstsLoginEndpoint = "https://login.microsoftonline.com";
/// <summary>
/// This is the tenantid of the tenant you want to invite users to.
/// </summary>
private static readonly string TenantID = "";
/// <summary>
/// This is the application id of the application that is registered in the above tenant.
/// The required scopes are available in the below link.
/// https://developer.microsoft.com/graph/docs/api-reference/v1.0/api/invitation_post
/// </summary>
private static readonly string TestAppClientId = "";
/// <summary>
/// Client secret of the application.
/// </summary>
private static readonly string TestAppClientSecret = @"
/// <summary>
/// This is the email address of the user you want to invite.
/// </summary>
private static readonly string InvitedUserEmailAddress = @"";
/// <summary>
/// This is the display name of the user you want to invite.
/// </summary>
private static readonly string InvitedUserDisplayName = @"";
/// <summary>
/// Main method.
/// </summary>
/// <param name="args">Optional arguments</param>
static void Main(string[] args)
{
Invitation invitation = CreateInvitation();
SendInvitation(invitation);
}
/// <summary>
/// Create the invitation object.
/// </summary>
/// <returns>Returns the invitation object.</returns>
private static Invitation CreateInvitation()
{
// Set the invitation object.
Invitation invitation = new Invitation();
invitation.InvitedUserDisplayName = InvitedUserDisplayName;
invitation.InvitedUserEmailAddress = InvitedUserEmailAddress;
invitation.InviteRedirectUrl = "https://www.microsoft.com";
invitation.SendInvitationMessage = true;
return invitation;
}
/// <summary>
/// Send the guest user invite request.
/// </summary>
/// <param name="invitation">Invitation object.</param>
private static void SendInvitation(Invitation invitation)
{
string accessToken = GetAccessToken();
/// <summary>
/// Get the HTTP client.
/// </summary>
/// <param name="accessToken">Access token</param>
/// <returns>Returns the Http Client.</returns>
private static HttpClient GetHttpClient(string accessToken)
{
// setup http client.
HttpClient httpClient = new HttpClient();
httpClient.Timeout = TimeSpan.FromSeconds(300);
httpClient.DefaultRequestHeaders.Authorization = new AuthenticationHeaderValue("Bearer",
accessToken);
httpClient.DefaultRequestHeaders.Add("client-request-id", Guid.NewGuid().ToString());
Console.WriteLine(
"CorrelationID for the request: {0}",
httpClient.DefaultRequestHeaders.GetValues("client-request-id").Single());
return httpClient;
}
/// <summary>
/// Get the access token for our application to talk to microsoft graph.
/// </summary>
/// <returns>Returns the access token for our application to talk to microsoft graph.</returns>
private static string GetAccessToken()
{
string accessToken = null;
// Get the access token for our application to talk to microsoft graph.
try
{
AuthenticationContext testAuthContext =
new AuthenticationContext(string.Format("{0}/{1}", EstsLoginEndpoint, TenantID));
AuthenticationResult testAuthResult = testAuthContext.AcquireTokenAsync(
GraphResource,
new ClientCredential(TestAppClientId, TestAppClientSecret)).Result;
accessToken = testAuthResult.AccessToken;
}
catch (AdalException ex)
{
Console.WriteLine("An exception was thrown while fetching the token: {0}.", ex);
throw;
}
return accessToken;
}
/// <summary>
/// Invitation class.
/// </summary>
public class Invitation
{
/// <summary>
/// Gets or sets display name.
/// </summary>
public string InvitedUserDisplayName { get; set; }
/// <summary>
/// Gets or sets display name.
/// </summary>
public string InvitedUserEmailAddress { get; set; }
/// <summary>
/// Gets or sets a value indicating whether Invitation Manager should send the email to
InvitedUser.
/// </summary>
public bool SendInvitationMessage { get; set; }
/// <summary>
/// Gets or sets invitation redirect URL
/// </summary>
public string InviteRedirectUrl { get; set; }
}
}
}
Next steps
Browse our other articles on Azure AD B2B collaboration:
What is Azure AD B2B collaboration?
B2B collaboration user properties
Adding a B2B collaboration user to a role
Delegate B2B collaboration invitations
Dynamic groups and B2B collaboration
Configure SaaS apps for B2B collaboration
B2B collaboration user tokens
B2B collaboration user claims mapping
Office 365 external sharing
B2B collaboration current limitations
Self-service portal for Azure AD B2B collaboration
sign-up
12/11/2017 • 1 min to read • Edit Online
Customers can do a lot with the built-in features that are exposed through our IT admin Azure portal and our
Application Access Panel for end users. But we are also aware that businesses need to customize the onboarding
workflow for B2B users to fit their organization’s needs. They can do that with our API.
In discussions with our customers, we see one common need rise up above all others. The inviting organization
may not know ahead of time who the individual external collaborators are who need access to their resources. They
wanted a way for users from partner companies to sign themselves up with a set of policies that the inviting
organization controls. This scenario is possible through our APIs, so we published a project on Github that did just
that: sample Github project.
Our Github project demonstrates how organizations can use our APIs, and provide a policy-based, self-service sign-
up capability for their trusted partners, with rules that determine the apps they can access. Partner users can get
access to resources when they need them, securely, without requiring the inviting organization to manually
onboard them. You can easily deploy the project into an Azure subscription of your choice.
As-is code
Remember that this code is made available as a sample to demonstrate usage of the Azure Active Directory B2B
invitation API. It should be customized by your dev team or a partner, and should be reviewed before being
deployed in a production scenario.
Next steps
Browse our other articles on Azure AD B2B collaboration:
What is Azure AD B2B collaboration?
How do Azure Active Directory admins add B2B collaboration users?
How do information workers add B2B collaboration users?
The elements of the B2B collaboration invitation email
B2B collaboration invitation redemption
Azure AD B2B collaboration licensing
Troubleshooting Azure Active Directory B2B collaboration
Azure Active Directory B2B collaboration frequently asked questions (FAQ)
Multi-factor authentication for B2B collaboration users
Add B2B collaboration users without an invitation
Article Index for Application Management in Azure Active Directory
The elements of the B2B collaboration invitation
email - Azure Active Directory
1/17/2018 • 2 min to read • Edit Online
Invitation emails are a critical component to bring partners on board as B2B collaboration users in Azure AD. You
can use them to increase the recipient's trust. you can add legitimacy and social proof to the email, to make sure
the recipient feels comfortable with selecting the Get Started button to accept the invitation. This trust is a key
means to reduce sharing friction. And you also want to make the email look great!
Body
The body contains the message that the inviter composes or is passed through the invitation API. It is a text area,
so it does not process HTML tags for security reasons.
Footer section
The footer contains the Microsoft company brand and lets the recipient know if the email was sent from an
unmonitored alias. Special cases:
The inviter doesn't have an email address in the inviting tenancy
The recipient doesn't need to redeem the invitation
Next steps
Browse our other articles on Azure AD B2B collaboration:
What is Azure AD B2B collaboration
How do Azure Active Directory admins add B2B collaboration users?
How do information workers add B2B collaboration users?
B2B collaboration invitation redemption
Azure AD B2B collaboration licensing
Troubleshooting Azure Active Directory B2B collaboration
Azure Active Directory B2B collaboration frequently asked questions (FAQ)
Azure Active Directory B2B collaboration API and customization
Multi-factor authentication for B2B collaboration users
Add B2B collaboration users without an invitation
Article Index for Application Management in Azure Active Directory
Azure Active Directory B2B collaboration invitation
redemption
12/11/2017 • 1 min to read • Edit Online
Next steps
Browse our other articles on Azure AD B2B collaboration:
What is Azure AD B2B collaboration?
How do Azure Active Directory admins add B2B collaboration users?
How do information workers add B2B collaboration users?
The elements of the B2B collaboration invitation email
Azure AD B2B collaboration licensing
Troubleshooting Azure Active Directory B2B collaboration
Azure Active Directory B2B collaboration frequently asked questions (FAQ)
Azure Active Directory B2B collaboration API and customization
Multi-factor authentication for B2B collaboration users
Add B2B collaboration users without an invitation
Article Index for Application Management in Azure Active Directory
Add B2B collaboration guest users without an
invitation
12/11/2017 • 1 min to read • Edit Online
You can allow a user, such as a partner representative, to add users from the partner to your organization
without needing invitations to be redeemed. All you must do is grant that user enumeration privileges in the
directory you're using for the partner org.
Grant these privileges when:
1. A user in the host organization (for example, WoodGrove) invites one user from the partner organization (for
example, Sam@litware.com) as Guest.
2. The admin in the host organization sets up policies that allow Sam to identify and add other users from the
partner organization (Litware).
3. Now Sam can add other users from Litware to the WoodGrove directory, groups, or applications without
needing invitations to be redeemed. If Sam has the appropriate enumeration privileges in Litware, it happens
automatically.
Next steps
Browse our other articles on Azure AD B2B collaboration:
What is Azure AD B2B collaboration?
How do Azure Active Directory admins add B2B collaboration users?
How do information workers add B2B collaboration users?
The elements of the B2B collaboration invitation email
B2B collaboration invitation redemption
Azure AD B2B collaboration licensing
Troubleshooting Azure Active Directory B2B collaboration
Azure Active Directory B2B collaboration frequently asked questions (FAQ)
Azure Active Directory B2B collaboration API and customization
Multi-factor authentication for B2B collaboration users
Article Index for Application Management in Azure Active Directory
Conditional access for B2B collaboration users
12/11/2017 • 3 min to read • Edit Online
Here is an example:
3. Reset the MFA method for a specific user to require the B2B collaboration user to set proof-up methods
again. Example:
Next steps
Browse our other articles on Azure AD B2B collaboration:
What is Azure AD B2B collaboration?
How do Azure Active Directory admins add B2B collaboration users?
How do information workers add B2B collaboration users?
The elements of the B2B collaboration invitation email
B2B collaboration invitation redemption
Azure AD B2B collaboration licensing
Troubleshooting Azure Active Directory B2B collaboration
Azure Active Directory B2B collaboration frequently asked questions (FAQ)
Azure Active Directory B2B collaboration API and customization
Add B2B collaboration users without an invitation
Article index for application management in Azure Active Directory
Delegate invitations for Azure Active Directory B2B
collaboration
12/11/2017 • 1 min to read • Edit Online
With Azure Active Directory (Azure AD) business-to-business (B2B) collaboration, you do not have to be a global
admin to send invitations. Instead, you can use policies and delegate invitations to users whose roles allow them
to send invitations. An important new way to delegate guest user invitations is through the Guest Inviter role.
With Azure AD B2B collaboration, a tenant admin can set the following invitation policies:
Turn off invitations
Only admins and users in the Guest Inviter role can invite
Admins, the Guest Inviter role, and members can invite
All users, including guests, can invite
By default, tenants are set to #4. (All users, including guests, can invite B2B users.)
Next steps
Browse our other articles on Azure AD B2B collaboration:
What is Azure AD B2B collaboration?
B2B collaboration user properties
Adding a B2B collaboration user to a role
Dynamic groups and B2B collaboration
B2B collaboration code and PowerShell samples
Configure SaaS apps for B2B collaboration
B2B collaboration user tokens
B2B collaboration user claims mapping
Office 365 external sharing
B2B collaboration current limitations
Grant permissions to users from partner
organizations in your Azure Active Directory tenant
12/11/2017 • 1 min to read • Edit Online
Azure Active Directory (Azure AD) B2B collaboration users are added as guest users to the directory, and guest
permissions in the directory are restricted by default. Your business may need some guest users to fill higher-
privilege roles in your organization. To support defining higher-privilege roles, guest users can be added to any
roles you desire, based on your organization's needs.
Default role
Next steps
Browse our other articles on Azure AD B2B collaboration:
What is Azure AD B2B collaboration?
B2B collaboration user properties
Adding a B2B collaboration user to a role
Delegate B2B collaboration invitations
B2B collaboration code and PowerShell samples
Configure SaaS apps for B2B collaboration
B2B collaboration user tokens
B2B collaboration user claims mapping
Office 365 external sharing
B2B collaboration current limitations
Auditing and reporting a B2B collaboration user
12/11/2017 • 1 min to read • Edit Online
With guest users, you have auditing capabilities similar to with member users. Here's an example of the invitation
and redemption history of invitee Sam Oogle:
You can dive into each of these events to get the details. For example, let's look at the acceptance details.
You can also export these logs from Azure AD and use the reporting tool of your choice to get customized reports.
Next steps
Browse our other articles on Azure AD B2B collaboration:
What is Azure AD B2B collaboration?
B2B collaboration user properties
Adding a B2B collaboration user to a role
Delegate B2bB collaboration invitations
Dynamic groups and B2B collaboration
B2B collaboration code and PowerShell samples
Configure SaaS apps for B2B collaboration
B2B collaboration user tokens
B2B collaboration user claims mapping
Office 365 external sharing
B2B collaboration current limitations
Azure Active Directory B2B collaboration for hybrid
organizations
12/15/2017 • 1 min to read • Edit Online
In a hybrid organization, where you have both on-premises and cloud resources, you might want to give external
partners access to both local and cloud resources. For access to local resources, you can manage partner accounts
locally in your on-premises Active Directory environment. Partners sign in with their partner account credentials to
access your organization's resources. To give partners access to cloud resources using these same credentials, you
can now use Azure Active Directory (Azure AD) Connect to sync the partner accounts to the cloud as Azure AD B2B
users (that is, users with UserType = Guest).
Next steps
For an overview of Azure AD B2B collaboration, see What is Azure AD B2B collaboration?
For an overview of Azure AD Connect, see Integrate your on-premises directories with Azure Active Directory.
Office 365 external sharing and Azure Active
Directory B2B collaboration
12/11/2017 • 1 min to read • Edit Online
External sharing in Office 365 (OneDrive, SharePoint Online, Unified Groups, etc.) and Azure Active Directory
(Azure AD) B2B collaboration are technically the same thing. All external sharing (except OneDrive/SharePoint
Online), including guests in Office 365 Groups, already uses the Azure AD B2B collaboration invitation APIs for
sharing.
OneDrive/SharePoint Online has a separate invitation manager. Support for external sharing in
OneDrive/SharePoint Online started before Azure AD developed its support. Over time, OneDrive/SharePoint
Online external sharing has accrued several features and many millions of users who use the product's in-built
sharing pattern. However, there are some subtle differences between how OneDrive/SharePoint Online external
sharing works and how Azure AD B2B collaboration works:
OneDrive/SharePoint Online adds users to the directory after users have redeemed their invitations. So,
before redemption, you don't see the user in Azure AD portal. If another site invites a user in the
meantime, a new invitation is generated. However, when you use Azure AD B2B collaboration, users are
added immediately on invitation so that they show up everywhere.
The redemption experience in OneDrive/SharePoint Online looks different from the experience in Azure
AD B2B collaboration. After a user redeems an invitation, the experiences look alike.
Azure AD B2B collaboration invited users can be picked from OneDrive/SharePoint Online sharing dialog
boxes. OneDrive/SharePoint Online invited users also show up in Azure AD after they redeem their
invitations.
To manage external sharing in OneDrive/SharePoint Online with Azure AD B2B collaboration, set the
OneDrive/SharePoint Online external sharing setting to Only allow sharing with external users
already in the directory. Users can go to externally shared sites and pick from external collaborators that
the admin has added. The admin can add the external collaborators through the B2B collaboration
invitation APIs.
Next steps
Browse our other articles on Azure AD B2B collaboration:
What is Azure AD B2B collaboration?
B2B collaboration user properties
Adding a B2B collaboration user to a role
Delegate B2B collaboration invitations
Dynamic groups and B2B collaboration
B2B collaboration code and PowerShell samples
Configure SaaS apps for B2B collaboration
B2B collaboration user tokens
B2B collaboration user claims mapping
B2B collaboration current limitations
Azure Active Directory B2B collaboration licensing
guidance
12/11/2017 • 4 min to read • Edit Online
You can use Azure AD B2B collaboration capabilities to invite guest users into your Azure AD tenant to allow
them to access Azure AD services and other resources in your organization. If you want to provide access to paid
Azure AD features, B2B collaboration guest users must be licensed with appropriate Azure AD licenses.
Specifically:
Azure AD Free capabilities are available for guest users without additional licensing.
If you want to provide access to paid Azure AD features to B2B users, you must have enough licenses to
support those B2B guest users.
An inviting tenant with an Azure AD paid license has B2B collaboration use rights to an additional five B2B
guest users invited to the tenant.
The customer who owns the inviting tenant must be the one to determine how many B2B collaboration users
need paid Azure AD capabilities. Depending on the paid Azure AD features you want for your guest users,
you must have enough Azure AD paid licenses to cover B2B collaboration users in the same 5:1 ratio.
A B2B collaboration guest user is added as a user from a partner company, not an employee of your
organization or an employee of a different business in your conglomerate. A B2B guest user can sign in with
external credentials or credentials owned by your organization as described in this article.
In other words, B2B licensing is set not by how the user authenticates but rather by the relationship of the user
to your organization. If these users are not partners, they are treated differently in licensing terms. They are not
considered to be a B2B collaboration user for licensing purposes even if their UserType is marked as “Guest.”
They should be licensed normally, at one license per user. These users include:
Your employees
Staff signing in using external identities
An employee of a different business in your conglomerate
Licensing examples
A customer wants to invite 100 B2B collaboration users to its Azure AD tenant. The customer assigns access
management and provisioning for all users, but 50 users also require MFA and conditional access. This
customer must purchase 10 Azure AD Basic licenses and 10 Azure AD Premium P1 licenses to cover these
B2B users correctly. If the customer plans to use Identity Protection features with B2B users, they must have
Azure AD Premium P2 licenses to cover the invited users in the same 5:1 ratio.
A customer has 10 employees who are all currently licensed with Azure AD Premium P1. They now want to
invite 60 B2B users who all require multi-factor authentication (MFA). Under the 5:1 licensing rule, the
customer must have at least 12 Azure AD Premium P1 licenses to cover all 60 B2B collaboration users.
Because they already have 10 Premium P1 licenses for their 10 employees, they have rights to invite 50 B2B
users with Premium P1 features like MFA. In this example, then, they must purchase 2 additional Premium P1
licenses to cover the remaining 10 B2B collaboration users.
NOTE
There is no way yet to assign licenses directly to the B2B users to enable these B2B collaboration user rights.
The customer who owns the inviting tenant must be the one to determine how many B2B collaboration users
need paid Azure AD capabilities. Depending on which paid Azure AD features you want for your guest users, you
must have enough Azure AD paid licenses to cover B2B collaboration users in the 5:1 ratio.
Next steps
Browse our other articles on Azure AD B2B collaboration:
What is Azure AD B2B collaboration?
How do Azure Active Directory admins add B2B collaboration users?
How do information workers add B2B collaboration users?
The elements of the B2B collaboration invitation email
B2B collaboration invitation redemption
Troubleshooting Azure Active Directory B2B collaboration
Azure Active Directory B2B collaboration frequently asked questions (FAQ)
Azure Active Directory B2B collaboration API and customization
Multi-factor authentication for B2B collaboration users
Add B2B collaboration users without an invitation
Article Index for Application Management in Azure Active Directory
Limitations of Azure AD B2B collaboration
12/11/2017 • 1 min to read • Edit Online
Azure Active Directory (Azure AD) B2B collaboration is currently subject to the limitations described in this article.
Instant-on
In the B2B collaboration flows, we add users to the directory and dynamically update them during invitation
redemption, app assignment, and so on. The updates and writes ordinarily happen in one directory instance and
must be replicated across all instances. Replication is completed once all instances are updated. Sometimes when
the object is written or updated in one instance and the call to retrieve this object is to another instance,
replication latencies can occur. If that happens, refresh or retry to help. If you are writing an app using our API,
then retries with some back-off is a good, defensive practice to alleviate this issue.
Next steps
Browse our other articles on Azure AD B2B collaboration:
What is Azure AD B2B collaboration?
B2B collaboration user properties
Adding a B2B collaboration user to a role
Delegate B2bB collaboration invitations
Dynamic groups and B2B collaboration
B2B collaboration code and PowerShell samples
Configure SaaS apps for B2B collaboration
B2B collaboration user tokens
B2B collaboration user claims mapping
Office 365 external sharing
Azure Active Directory B2B collaboration FAQs
1/9/2018 • 7 min to read • Edit Online
These frequently asked questions (FAQs) about Azure Active Directory (Azure AD) business-to-business (B2B)
collaboration are periodically updated to include new topics.
Can we customize our sign-in page so it is more intuitive for our B2B collaboration guest users?
Absolutely! See our blog post about this feature. For more information about how to customize your
organization's sign-in page, see Add company branding to sign in and Access Panel pages.
Can B2B collaboration users access SharePoint Online and OneDrive?
Yes. However, the ability to search for existing guest users in SharePoint Online by using the people picker is Off
by default. To turn on the option to search for existing guest users, set
ShowPeoplePickerSuggestionsForGuestUsers to On. You can turn this setting on either at the tenant level or
at the site collection level. You can change this setting by using the Set-SPOTenant and Set-SPOSite cmdlets.
With these cmdlets, members can search all existing guest users in the directory. Changes in the tenant scope do
not affect SharePoint Online sites that have already been provisioned.
Is the CSV upload feature still supported?
Yes. For more information about using the .csv file upload feature, see this PowerShell sample.
How can I customize my invitation emails?
You can customize almost everything about the inviter process by using the B2B invitation APIs.
Can an invited external user leave the organization after being invited?
The inviting organization administrator can delete a B2B collaboration guest user from their directory, but the
guest user cannot leave the inviting organization directory by themselves.
Can guest users reset their multi-factor authentication method?
Yes. Guest users can reset their multi-factor authentication method the same way that regular users do.
Which organization is responsible for multi-factor authentication licenses?
The inviting organization performs multi-factor authentication. The inviting organization must make sure that the
organization has enough licenses for their B2B users who are using multi-factor authentication.
What if a partner organization already has multi-factor authentication set up? Can we trust their multi-factor
authentication, and not use our own multi-factor authentication?
This feature is planned for a future release, so that then you can select specific partners to exclude from your (the
inviting organization's) multi-factor authentication.
How can I use delayed invitations?
An organization might want to add B2B collaboration users, provision them to applications as needed, and then
send invitations. You can use the B2B collaboration invitation API to customize the onboarding workflow.
Can I make a guest user a limited administrator?
Absolutely. For more information, see Adding guest users to a role.
Does Azure AD B2B collaboration allow B2B users to access the Azure portal?
Unless a user is assigned the role of limited administrator or global administrator, B2B collaboration users won't
require access to the Azure portal. However, B2B collaboration users who are assigned the role of limited
administrator or global administrator can access the portal. Also, if a guest user who is not assigned one of these
admin roles accesses the portal, the user might be able to access certain parts of the experience. The guest user
role has some permissions in the directory.
Can I block access to the Azure portal for guest users?
Yes! When you configure this policy, be careful to avoid accidentally blocking access to members and admins. To
block a guest user's access to the Azure portal, use a conditional access policy in the Windows Azure classic
deployment model API:
1. Modify the All Users group so that it contains only members.
3. Set up a conditional access policy to block guest users from accessing the portal, as shown in the
following video:
Does Azure AD B2B collaboration support multi-factor authentication and consumer email accounts?
Yes. Multi-factor authentication and consumer email accounts are both supported for Azure AD B2B
collaboration.
Do you plan to support password reset for Azure AD B2B collaboration users?
Yes. Here are the important details for self-service password reset (SSPR) for a B2B user who is invited from a
partner organization:
SSPR occurs only in the identity tenant of the B2B user.
If the identity tenant is a Microsoft account, the Microsoft account SSPR mechanism is used.
If the identity tenant is a just-in-time (JIT) or "viral" tenant, a password reset email is sent.
For other tenants, the standard SSPR process is followed for B2B users. Like member SSPR for B2B users, in
the context of the resource, tenancy is blocked.
Is password reset available for guest users in a just-in-time (JIT ) or "viral" tenant who accepted invitations with
a work or school email address, but who didn't have a pre -existing Azure AD account?
Yes. A password reset mail can be sent that allows a user to reset their password in the JIT tenancy.
Does Microsoft Dynamics CRM provide online support for Azure AD B2B collaboration?
Currently, Microsoft Dynamics CRM does not provide online support for Azure AD B2B collaboration. However,
we plan to support this in the future.
What is the lifetime of an initial password for a newly created B2B collaboration user?
Azure AD has a fixed set of character, password strength, and account lockout requirements that apply equally to
all Azure AD cloud user accounts. Cloud user accounts are accounts that are not federated with another identity
provider, such as
Microsoft account
Facebook
Active Directory Federation Services
Another cloud tenant (for B2B collaboration)
For federated accounts, password policy depends on the policy that is applied in the on-premises tenancy and
the user's Microsoft account settings.
An organization might want to have different experiences in their applications for tenant users and guest
users. Is there standard guidance for this? Is the presence of the identity provider claim the correct model to
use?
A guest user can use any identity provider to authenticate. For more information, see Properties of a B2B
collaboration user. Use the UserType property to determine user experience. The UserType claim is not
currently included in the token. Applications should use the Graph API to query the directory for the user, and to
get the UserType.
Where can I find a B2B collaboration community to share solutions and to submit ideas?
We're constantly listening to your feedback, to improve B2B collaboration. We invite you to share your user
scenarios, best practices, and what you like about Azure AD B2B collaboration. Join the discussion in the
Microsoft Tech Community.
We also invite you to submit your ideas and vote for future features at B2B Collaboration Ideas.
Can we send an invitation that is automatically redeemed, so that the user is just “ready to go”? Or does the
user always have to click through to the redemption URL?
Invitations that are sent by a user in the inviting organization who is also a member of the partner organization
do not require redemption by the B2B user.
We recommend that you invite one user from the partner organization to join the inviting organization. Add this
user to the guest inviter role in the resource organization. This user can invite other users in the partner
organization by using the sign-in UI, PowerShell scripts, or APIs. Then, B2B collaboration users from that
organization aren't required to redeem their invitations.
How does B2B collaboration work when the invited partner is using federation to add their own on-premises
authentication?
If the partner has an Azure AD tenant that is federated to the on-premises authentication infrastructure, on-
premises single sign-on (SSO) is automatically achieved. If the partner doesn't have an Azure AD tenant, an
Azure AD account is created for new users.
I thought Azure AD B2B didn't accept gmail.com and outlook.com email addresses, and that B2C was used
for those kinds of accounts?
We are removing the differences between B2B and business-to-consumer (B2C) collaboration in terms of which
identities are supported. The identity used is not a good reason to choose between using B2B or using B2C. For
information about choosing your collaboration option, see Compare B2B collaboration and B2C in Azure Active
Directory.
What applications and services support Azure B2B guest users?
All Azure AD-integrated applications support Azure B2B guest users.
Can we force multi-factor authentication for B2B guest users if our partners don't have multi-factor
authentication?
Yes. For more information, see Conditional access for B2B collaboration users.
In SharePoint, you can define an "allow" or "deny" list for external users. Can we do this in Azure?
Yes. Azure AD B2B collaboration supports allow lists and deny lists.
What licenses do we need to use Azure AD B2B?
For information about what licenses your organization needs to use Azure AD B2B, see Azure Active Directory
B2B collaboration licensing guidance.
Next steps
Browse our other articles on Azure AD B2B collaboration:
What is Azure AD B2B collaboration?
How do Azure AD admins add B2B collaboration users?
How do information workers add B2B collaboration users?
The elements of the B2B collaboration invitation email
B2B collaboration invitation redemption
Azure AD B2B collaboration licensing
Troubleshooting Azure AD B2B collaboration
Azure AD B2B collaboration API and customization
Multi-factor authentication for B2B collaboration users
Add B2B collaboration users without an invitation
Article index for application management in Azure AD
Troubleshooting Azure Active Directory B2B
collaboration
12/11/2017 • 3 min to read • Edit Online
Here are some remedies for common problems with Azure Active Directory (Azure AD) B2B collaboration.
I’ve added an external user but do not see them in my Global Address
Book or in the people picker
In cases where external users are not populated in the list, the object might take a few minutes to replicate.
If you have recently modified these settings or assigned the Guest Inviter role to a user, there might be a 15-60
minute delay before the changes take effect.
How does ‘#’, which is not normally a valid character, sync with Azure
AD?
“#” is a reserved character in UPNs for Azure AD B2B collaboration or external users, because the invited account
user@contoso.com becomes user_contoso.com#EXT@fabrikam.onmicrosoft.com. Therefore, # in UPNs coming
from on-premises aren't allowed to sign in to the Azure portal.
I notice that the custom message does not get included with
invitation messages at times
To comply with privacy laws, our APIs do not include custom messages in the email invitation when:
The inviter doesn’t have an email address in the inviting tenant
When an appservice principal sends the invitation
If this scenario is important to you, you can suppress our API invitation email, and send it through the email
mechanism of your choice. Consult your organization’s legal counsel to make sure any email you send this way
also complies with privacy laws.
Next steps
Browse our other articles on Azure AD B2B collaboration:
What is Azure AD B2B collaboration?
How do Azure Active Directory admins add B2B collaboration users?
How do information workers add B2B collaboration users?
The elements of the B2B collaboration invitation email
B2B collaboration invitation redemption
Azure AD B2B collaboration licensing
Azure Active Directory B2B collaboration frequently asked questions (FAQ)
Azure Active Directory B2B collaboration API and customization
Multi-factor authentication for B2B collaboration users
Add B2B collaboration users without an invitation
Article Index for Application Management in Azure Active Directory
Properties of an Azure Active Directory B2B
collaboration user
12/11/2017 • 4 min to read • Edit Online
An Azure Active Directory (Azure AD) business-to-business (B2B) collaboration user is a user with UserType =
Guest. This guest user typically is from a partner organization and has limited privileges in the inviting directory,
by default.
Depending on the inviting organization's needs, an Azure AD B2B collaboration user can be in one of the
following account states:
State 1: Homed in an external instance of Azure AD and represented as a guest user in the inviting
organization. In this case, the B2B user signs in by using an Azure AD account that belongs to the invited
tenant. If the partner organization doesn't use Azure AD, the guest user in Azure AD is still created. The
requirements are that they redeem their invitation and Azure AD verifies their email address. This
arrangement is also called a just-in-time (JIT) tenancy or a "viral" tenancy.
State 2: Homed in a Microsoft account and represented as a guest user in the host organization. In this
case, the guest user signs in with a Microsoft account. The invited user's social identity (google.com or
similar), which is not a Microsoft account, is created as a Microsoft account during offer redemption.
State 3: Homed in the host organization's on-premises Active Directory and synced with the host
organization's Azure AD. During this release, you must use PowerShell to manually change the UserType
of such users in the cloud.
State 4: Homed in host organization's Azure AD with UserType = Guest and credentials that the host
organization manages.
Now, let's see what an Azure AD B2B collaboration user in State 1 looks like in Azure AD.
Before invitation redemption
After invitation redemption
Key properties of the Azure AD B2B collaboration user
UserType
This property indicates the relationship of the user to the host tenancy. This property can have two values:
Member: This value indicates an employee of the host organization and a user in the organization's
payroll. For example, this user expects to have access to internal-only sites. This user would not be
considered an external collaborator.
Guest: This value indicates a user who isn't considered internal to the company, such as an external
collaborator, partner, customer, or similar user. Such a user wouldn't be expected to receive a CEO's
internal memo, or receive company benefits, for example.
NOTE
The UserType has no relation to how the user signs in, the directory role of the user, and so on. This property
simply indicates the user's relationship to the host organization and allows the organization to enforce policies that
depend on this property.
Source
This property indicates how the user signs in.
Invited User: This user has been invited but has not yet redeemed an invitation.
External Active Directory: This user is homed in an external organization and authenticates by using an
Azure AD account that belongs to the other organization. This type of sign-in corresponds to State 1.
Microsoft account: This user is homed in a Microsoft account and authenticates by using a Microsoft
account. This type of sign-in corresponds to State 2.
Windows Server Active Directory: This user is signed in from on-premises Active Directory that belongs to
this organization. This type of sign-in corresponds to State 3.
Azure Active Directory: This user authenticates by using an Azure AD account that belongs to this
organization. This type of sign-in corresponds to State 4.
NOTE
Source and UserType are independent properties. A value of Source does not imply a particular value for UserType.
If you want to know what the token looks like for a B2B collaboration user, here are the bearer token details and
token content for an Azure Active Directory (Azure AD) guest and a Microsoft account guest in the resource
tenant (for tenantid 04dcc6ab-388a-4559-b527-fbec656300ea). To see the JSON Web Token (JWT) contents, use
https://jwt.io/ or http://calebb.net.
Next steps
Browse our other articles on Azure AD B2B collaboration:
What is Azure AD B2B collaboration?
B2B collaboration user properties
Adding a B2B collaboration user to a role
Delegate B2B collaboration invitations
Dynamic groups and B2B collaboration
B2B collaboration code and PowerShell samples
Configure SaaS apps for B2B collaboration
B2B collaboration user claims mapping
Office 365 external sharing
B2B collaboration current limitations
Configure SaaS apps for B2B collaboration
12/11/2017 • 3 min to read • Edit Online
Azure Active Directory (Azure AD) B2B collaboration works with most apps that integrate with Azure AD. In this
section, we walk through instructions for configuring some popular SaaS apps for use with Azure AD B2B.
Before you look at app-specific instructions, here are some rules of thumb:
For most of the apps, user setup needs to happen manually. That is, users must be created manually in the
app as well.
For apps that support automatic setup, such as Dropbox, separate invitations are created from the apps.
Users must be sure to accept each invitation.
In the user attributes, to mitigate any issues with mangled user profile disk (UPD) in guest users, always
set User Identifier to user.mail.
Dropbox Business
To enable users to sign in using their organization account, you must manually configure Dropbox Business to
use Azure AD as a Security Assertion Markup Language (SAML) identity provider. If Dropbox Business has not
been configured to do so, it cannot prompt or otherwise allow users to sign in using Azure AD.
1. To add the Dropbox Business app into Azure AD, select Enterprise applications in the left pane, and then
click Add.
2. In the Add an application window, enter dropbox in the search box, and then select Dropbox for
Business in the results list.
3. On the Single sign-on page, select Single sign-on in the left pane, and then enter user.mail in the User
Identifier box. (It's set as UPN by default.)
4. To download the certificate to use for Dropbox configuration, select Configure DropBox, and then select
SAML Single Sign On Service URL in the list.
5. Sign in to Dropbox with the sign-on URL from the Single sign-on page.
7. In the Authentication dialog box, select More, upload the certificate and then, in the Sign in URL box,
enter the SAML single sign-on URL.
8. To configure automatic user setup in the Azure portal, select Provisioning in the left pane, select
Automatic in the Provisioning Mode box, and then select Authorize.
After guest or member users have been set up in the Dropbox app, they receive a separate invitation from
Dropbox. To use Dropbox single sign-on, invitees must accept the invitation by clicking a link in it.
Box
You can enable users to authenticate Box guest users with their Azure AD account by using federation that's
based on the SAML protocol. In this procedure, you upload metadata to Box.com.
1. Add the Box app from the enterprise apps.
2. Configure single sign-on in the following order:
a. In the Sign on URL box, ensure that the sign-on URL is set appropriately for Box in the Azure portal.
This URL is the URL of your Box.com tenant. It should follow the naming convention https://.box.com.
The Identifier does not apply to this app, but it still appears as a mandatory field.
b. In the User identifier box, enter user.mail (for SSO for guest accounts).
c. Under SAML Signing Certificate, click Create new certificate.
d. To begin configuring your Box.com tenant to use Azure AD as an identity provider, download the
metadata file and then save it to your local drive.
e. Forward the metadata file to the Box support team, which configures single sign-on for you.
3. For Azure AD automatic user setup, in the left pane, select Provisioning, and then select Authorize.
Like Dropbox invitees, Box invitees must redeem their invitation from the Box app.
Next steps
See the following articles on Azure AD B2B collaboration:
What is Azure AD B2B collaboration?
B2B collaboration user properties
Adding a B2B collaboration user to a role
Delegate B2B collaboration invitations
Dynamic groups and B2B collaboration
B2B collaboration code and PowerShell samples
B2B collaboration user tokens
B2B collaboration user claims mapping
Office 365 external sharing
B2B collaboration current limitations
B2B collaboration user claims mapping in Azure
Active Directory
12/11/2017 • 1 min to read • Edit Online
Azure Active Directory (Azure AD) supports customizing the claims issued in the SAML token for B2B
collaboration users. When a user authenticates to the application, Azure AD issues a SAML token to the app that
contains information (or claims) about the user that uniquely identifies them. By default, this includes the user's
user name, email address, first name, and last name. You can view or edit the claims sent in the SAML token to
the application under the Attributes tab.
There are two possible reasons why you might need to edit the claims issued in the SAML token.
1. The application has been written to require a different set of claim URIs or claim values
2. Your application requires the NameIdentifier claim to be something other than the user principal name
stored in Azure Active Directory.
For information on how to add and edit claims, check out this article on claims customization, Customizing
claims issued in the SAML token for pre-integrated apps in Azure Active Directory. For B2B collaboration users,
mapping NameID and UPN cross-tenant are prevented for security reasons.
Next steps
Browse our other articles on Azure AD B2B collaboration:
What is Azure AD B2B collaboration?
B2B collaboration user properties
Adding a B2B collaboration user to a role
Delegate B2bB collaboration invitations
Dynamic groups and B2B collaboration
B2B collaboration code and PowerShell samples
Configure SaaS apps for B2B collaboration
Office 365 external sharing
B2B collaboration user tokens
B2B collaboration current limitations
Compare B2B collaboration and B2C in Azure Active
Directory
12/11/2017 • 1 min to read • Edit Online
Both Azure Active Directory (Azure AD) B2B collaboration and Azure AD B2C allow you to work with external users
in Azure AD. But how do they compare?
Intended for: Organizations that want to be able to Intended for: Inviting customers of your mobile and web apps,
authenticate users from a partner organization, regardless of whether individuals, institutional or organizational customers
identity provider. into your Azure AD.
Identities supported: Employees with work or school accounts, Identities supported: Consumer users with local application
partners with work or school accounts, or any email address. accounts (any email address or user name) or any supported
Soon to support direct federation. social identity with direct federation.
Which directory the partner users are in: Partner users from Which directory the customer user entities are in: In the
the external organization are managed in the same directory application directory. Managed separately from the
as employees, but annotated specially. They can be managed organization’s employee and partner directory (if any.
the same way as employees, can be added to the same
groups, and so on
Single sign-on (SSO) to all Azure AD-connected apps is SSO to customer owned apps within the Azure AD B2C
supported. For example, you can provide access to Office 365 tenants is supported. SSO to Office 365 or to other Microsoft
or on-premises apps, and to other SaaS apps such as and non-Microsoft SaaS apps is not supported.
Salesforce or Workday.
Partner lifecycle: Managed by the host/inviting organization. Customer lifecycle: Self-serve or managed by the application.
Security policy and compliance: Managed by the host/inviting Security policy and compliance: Managed by the application.
organization.
Branding: Host/inviting organization’s brand is used. Branding: Managed by application. Typically tends to be
product branded, with the organization fading into the
background.
More info: Blog post, Documentation More info: Product page, Documentation
Next steps
Browse our other articles on Azure AD B2B collaboration:
What is Azure AD B2B collaboration?
B2B collaboration user properties
Adding a B2B collaboration user to a role
Delegate B2B collaboration invitations
Dynamic groups and B2B collaboration
Configure SaaS apps for B2B collaboration
B2B collaboration user tokens
B2B collaboration user claims mapping
Office 365 external sharing
B2B collaboration current limitations
Getting support for B2B collaboration
Getting support for B2B collaboration
12/11/2017 • 1 min to read • Edit Online
You’ve read through the documentation, you’ve done the right things, but still can’t get something to work? Open a
support ticket (requires a support plan):
1. In the Azure portal, navigate to the Help and Support blade, and select New Support Request:
Issue type: Technical
Subscription: Choose affected subscription
Service: Active Directory
Support Plan: Choose relevant support plan
Azure Active Directory (Azure AD) is a comprehensive identity and access management solution that provides a
robust set of capabilities to manage access to on-premises and cloud applications and resources including
Microsoft online services like Office 365 and a world of non-Microsoft SaaS applications. This article provides an
overview, but if you want to start using Azure AD groups right now, follow the instructions in Managing security
groups in Azure AD. If you want to see how you can use PowerShell to manage groups in Azure Active directory
you can read more in Azure Active Directory cmdlets for group management.
NOTE
To use Azure Active Directory, you need an Azure account. If you don't have an account, you can sign up for a free Azure
account.
Within Azure AD, one of the major features is the ability to manage access to resources. These resources can be
part of the directory, as in the case of permissions to manage objects through roles in the directory, or resources
that are external to the directory, such as SaaS applications, Azure services, and SharePoint sites or on-premises
resources. There are four ways a user can be assigned access rights to a resource:
1. Direct assignment
Users can be assigned directly to a resource by the owner of that resource.
2. Group membership
A group can be assigned to a resource by the resource owner, and by doing so, granting the members of
that group access to the resource. Membership of the group can then be managed by the owner of the
group. Effectively, the resource owner delegates the permission to assign users to their resource to the
owner of the group.
3. Rule-based
The resource owner can use a rule to express which users should be assigned access to a resource. The
outcome of the rule depends on the attributes used in that rule and their values for specific users, and by
doing so, the resource owner effectively delegates the right to manage access to their resource to the
authoritative source for the attributes that are used in the rule. The resource owner still manages the rule
itself and determines which attributes and values provide access to their resource.
4. External authority
The access to a resource is derived from an external source; for example, a group that is synchronized from
an authoritative source such as an on-premises directory or a SaaS app such as WorkDay. The resource
owner assigns the group to provide access to the resource, and the external source manages the members
of the group.
Watch a video that explains access management
You can watch a short video that explains more about this:
Azure AD: Introduction to dynamic membership for groups
Next steps
Now that you have understood the basics of access management, here are some additional advanced capabilities
available in Azure Active Directory for managing access to your applications and resources.
Using attributes to create advanced rules
Managing security groups in Azure AD
Setting up dedicated groups in Azure AD
Graph API reference for groups
Azure Active Directory cmdlets for configuring group settings
Create a group and add members in Azure Active
Directory
12/11/2017 • 1 min to read • Edit Online
This article explains how to create and populate a new group in Azure Active Directory. Use a group to perform
management tasks such as assigning licenses or permissions to a number of users or devices at once.
5. On the Group blade, add a name and description for the group.
6. To select members to add to the group, select Assigned in the Membership type box, and then select
Members. For more information about how to manage the membership of a group dynamically, see
Using attributes to create advanced rules for group membership.
7. On the Members blade, select one or more users or devices to add to the group and select the Select button
at the bottom of the blade to add them to the group. The User box filters the display based on matching your
entry to any part of a user or device name. No wildcard characters are accepted in that box.
8. When you finish adding members to the group, select Create on the Group blade.
Next steps
These articles provide additional information on Azure Active Directory.
See existing groups
Manage settings of a group
Manage members of a group
Manage memberships of a group
Manage dynamic rules for users in a group
Azure Active Directory version 2 cmdlets for group
management
12/11/2017 • 6 min to read • Edit Online
This article contains examples of how to use PowerShell to manage your groups in Azure Active Directory (Azure
AD). It also tells you how to get set up with the Azure AD PowerShell module. First, you must download the Azure
AD PowerShell module.
To verify that the module was installed, use the following command:
Now you can start using the cmdlets in the module. For a full description of the cmdlets in the Azure AD module,
please refer to the online reference documentation for Azure Active Directory PowerShell Version 2.
PS C:\Windows\system32> Connect-AzureAD
The cmdlet prompts you for the credentials you want to use to access your directory. In this example, we are using
karen@drumkit.onmicrosoft.com to access the demonstration directory. The cmdlet returns a confirmation to show
the session was connected successfully to your directory:
Now you can start using the AzureAD cmdlets to manage groups in your directory.
Retrieve groups
To retrieve existing groups from your directory, use the Get-AzureADGroups cmdlet.
To retrieve all groups in the directory, use the cmdlet without parameters:
PS C:\Windows\system32> get-azureadgroup
The cmdlet now returns the group whose objectID matches the value of the parameter you entered:
DeletionTimeStamp :
ObjectId : e29bae11-4ac0-450c-bc37-6dae8f3da61b
ObjectType : Group
Description :
DirSyncEnabled :
DisplayName : Pacific NW Support
LastDirSyncTime :
Mail :
MailEnabled : False
MailNickName : 9bb4139b-60a1-434a-8c0d-7c1f8eee2df9
OnPremisesSecurityIdentifier :
ProvisioningErrors : {}
ProxyAddresses : {}
SecurityEnabled : True
You can search for a specific group using the -filter parameter. This parameter takes an ODATA filter clause and
returns all groups that match the filter, as in the following example:
DeletionTimeStamp :
ObjectId : 31f1ff6c-d48c-4f8a-b2e1-abca7fd399df
ObjectType : Group
Description : Intune Administrators
DirSyncEnabled :
DisplayName : Intune Administrators
LastDirSyncTime :
Mail :
MailEnabled : False
MailNickName : 4dd067a0-6515-4f23-968a-cc2ffc2eff5c
OnPremisesSecurityIdentifier :
ProvisioningErrors : {}
ProxyAddresses : {}
SecurityEnabled : True
NOTE
The Azure AD PowerShell cmdlets implement the OData query standard. For more information, see $filter in OData system
query options using the OData endpoint.
Create groups
To create a new group in your directory, use the New-AzureADGroup cmdlet. This cmdlet creates a new security
group called “Marketing":
PS C:\Windows\system32> New-AzureADGroup -Description "Marketing" -DisplayName "Marketing" -MailEnabled $false
-SecurityEnabled $true -MailNickName "Marketing"
Update groups
To update an existing group, use the Set-AzureADGroup cmdlet. In this example, we’re changing the DisplayName
property of the group “Intune Administrators.” First, we’re finding the group using the Get-AzureADGroup cmdlet
and filter using the DisplayName attribute:
DeletionTimeStamp :
ObjectId : 31f1ff6c-d48c-4f8a-b2e1-abca7fd399df
ObjectType : Group
Description : Intune Administrators
DirSyncEnabled :
DisplayName : Intune Administrators
LastDirSyncTime :
Mail :
MailEnabled : False
MailNickName : 4dd067a0-6515-4f23-968a-cc2ffc2eff5c
OnPremisesSecurityIdentifier :
ProvisioningErrors : {}
ProxyAddresses : {}
SecurityEnabled : True
Next, we’re changing the Description property to the new value “Intune Device Administrators”:
Now if we find the group again, we see the Description property is updated to reflect the new value:
DeletionTimeStamp :
ObjectId : 31f1ff6c-d48c-4f8a-b2e1-abca7fd399df
ObjectType : Group
Description : Intune Device Administrators
DirSyncEnabled :
DisplayName : Intune Administrators
LastDirSyncTime :
Mail :
MailEnabled : False
MailNickName : 4dd067a0-6515-4f23-968a-cc2ffc2eff5c
OnPremisesSecurityIdentifier :
ProvisioningErrors : {}
ProxyAddresses : {}
SecurityEnabled : True
Delete groups
To delete groups from your directory, use the Remove-AzureADGroup cmdlet as follows:
PS C:\Windows\system32> Remove-AzureADGroup -ObjectId b11ca53e-07cc-455d-9a89-1fe3ab24566b
The -ObjectId parameter is the ObjectID of the group to which we want to add a member, and the -RefObjectId is
the ObjectID of the user we want to add as a member to the group.
Get members
To get the existing members of a group, use the Get-AzureADGroupMember cmdlet, as in this example:
Remove members
To remove the member we previously added to the group, use the Remove-AzureADGroupMember cmdlet, as is
shown here:
Verify members
To verify the group memberships of a user, use the Select-AzureADGroupIdsUserIsMemberOf cmdlet. This cmdlet
takes as its parameters the ObjectId of the user for which to check the group memberships, and a list of groups for
which to check the memberships. The list of groups must be provided in the form of a complex variable of type
“Microsoft.Open.AzureAD.Model.GroupIdsForMembershipCheck”, so we first must create a variable with that type:
Next, we provide values for the groupIds to check in the attribute “GroupIds” of this complex variable:
Now, if we want to check the group memberships of a user with ObjectID 72cd4bbd-2594-40a2-935c-
016f3cfeeeea against the groups in $g, we should use:
PS C:\Windows\system32> Select-AzureADGroupIdsUserIsMemberOf -ObjectId 72cd4bbd-2594-40a2-935c-016f3cfeeeea -
GroupIdsForMembershipCheck $g
OdataMetadata
Value
-------------
-----
https://graph.windows.net/85b5ff1e-0402-400c-9e3c-0f9e965325d1/$metadata#Collection(Edm.String)
{31f1ff6c-d48c-4f8a-b2e1-abca7fd399df}
The value returned is a list of groups of which this user is a member. You can also apply this method to check
Contacts, Groups or Service Principals membership for a given list of groups, using Select-
AzureADGroupIdsContactIsMemberOf, Select-AzureADGroupIdsGroupIsMemberOf or Select-
AzureADGroupIdsServicePrincipalIsMemberOf
The -ObjectId parameter is the ObjectID of the group to which we want to add an owner, and the -RefObjectId is
the ObjectID of the user we want to add as an owner of the group.
To retrieve the owners of a group, use the Get-AzureADGroupOwner cmdlet:
The cmdlet returns the list of owners for the specified group:
If you want to remove an owner from a group, use the Remove-AzureADGroupOwner cmdlet:
PS C:\Windows\system32> remove-AzureADGroupOwner -ObjectId 31f1ff6c-d48c-4f8a-b2e1-abca7fd399df -OwnerId
e831b3fd-77c9-49c7-9fca-de43e109ef67
Reserved aliases
When a group is created, certain endpoints allow the end user to specify a mailNickname or alias to be used as part
of the email address of the group. Groups with the following highly privileged email aliases can only be created by
an Azure AD global administrator.
abuse
admin
administrator
hostmaster
majordomo
postmaster
root
secure
security
ssl-admin
webmaster
Next steps
You can find more Azure Active Directory PowerShell documentation at Azure Active Directory Cmdlets.
Managing access to resources with Azure Active Directory groups
Integrating your on-premises identities with Azure Active Directory
Manage group membership for users in your Azure
Active Directory tenant
12/11/2017 • 1 min to read • Edit Online
This article explains how to manage the members for a group in Azure Active Directory (Azure AD).
6. To add members to the group, on the Group - Members blade, select Add Members.
7. On the Members blade, select one or more users or devices to add to the group and select the Select button
at the bottom of the blade to add them to the group. The User box filters the display based on matching your
entry to any part of a user or device name. No wildcard characters are accepted in that box.
8. To remove members from the group, on the Group - Members blade, select a member.
9. On the membername blade, select the Remove command, and confirm your choice at the prompt.
10. When you finish changing members for the group, select Save.
Additional information
These articles provide additional information on Azure Active Directory.
See existing groups
Create a new group and adding members
Manage settings of a group
Manage memberships of a group
Manage dynamic rules for users in a group
Managing owners for a group
12/11/2017 • 1 min to read • Edit Online
Once a resource owner has assigned access to a resource to an Azure AD group, the membership of the group is
managed by the group owner. The resource owner effectively delegates the permission to assign users to the
resource to the owner of the group.
Additional information
These articles provide additional information on Azure Active Directory.
Managing access to resources with Azure Active Directory groups
Azure Active Directory cmdlets for configuring group settings
Article Index for Application Management in Azure Active Directory
What is Azure Active Directory?
Integrating your on-premises identities with Azure Active Directory
Manage to which groups a group belongs in your
Azure Active Directory tenant
12/11/2017 • 1 min to read • Edit Online
Groups can contain other groups in Azure Active Directory. Here's how to manage those memberships.
6. To add your group as a member of another group, on the Group - Group memberships blade, select the Add
command.
7. Select a group from the Select Group blade, and then select the Select button at the bottom of the blade.
You can add your group to only one group at a time. The User box filters the display based on matching
your entry to any part of a user or device name. No wildcard characters are accepted in that box.
8. To remove your group as a member of another group, on the Group - Group memberships blade, select a
group.
9. Select the Remove command, and confirm your choice at the prompt.
10. When you finish changing group memberships for your group, select Save.
Additional information
These articles provide additional information on Azure Active Directory.
See existing groups
Create a new group and adding members
Manage settings of a group
Manage members of a group
Manage dynamic rules for users in a group
Group-based licensing basics in Azure Active
Directory
12/11/2017 • 3 min to read • Edit Online
Using Microsoft paid cloud services, such as Office 365, Enterprise Mobility + Security, Dynamics CRM, and other
similar products, requires licenses. These licenses are assigned to each user who needs access to these services. To
manage licenses, administrators use one of the management portals (Office or Azure) and PowerShell cmdlets.
Azure Active Directory (Azure AD) is the underlying infrastructure that supports identity management for all
Microsoft cloud services. Azure AD stores information about license assignment states for users.
Until now, licenses could only be assigned at the individual user level, which can make large-scale management
difficult. For example, to add or remove user licenses based on organizational changes, such as users joining or
leaving the organization or a department, an administrator often must write a complex PowerShell script. This
script makes individual calls to the cloud service.
To address those challenges, Azure AD now includes group-based licensing. You can assign one or more product
licenses to a group. Azure AD ensures that the licenses are assigned to all members of the group. Any new
members who join the group are assigned the appropriate licenses. When they leave the group, those licenses are
removed. This eliminates the need for automating license management via PowerShell to reflect changes in the
organization and departmental structure on a per-user basis.
Features
Here are the main features of group-based licensing:
Licenses can be assigned to any security group in Azure AD. Security groups can be synced on-premises, by
using Azure AD Connect. You can also create security groups directly in Azure AD (also called cloud-only
groups), or automatically via the Azure AD dynamic group feature.
When a product license is assigned to a group, the administrator can disable one or more service plans in
the product. Typically, this is done when the organization is not yet ready to start using a service included in
a product. For example, the administrator might assign Office 365 to a department, but temporarily disable
the Yammer service.
All Microsoft cloud services that require user-level licensing are supported. This includes all Office 365
products, Enterprise Mobility + Security, and Dynamics CRM.
Group-based licensing is currently available only through the Azure portal. If you primarily use other
management portals for user and group management, such as the Office 365 portal, you can continue to
do so. But you should use the Azure portal to manage licenses at group level.
Azure AD automatically manages license modifications that result from group membership changes.
Typically, license modifications are effective within minutes of a membership change.
A user can be a member of multiple groups with license policies specified. A user can also have some
licenses that were directly assigned, outside of any groups. The resulting user state is a combination of all
assigned product and service licenses.
In some cases, licenses cannot be assigned to a user. For example, there might not be enough available
licenses in the tenant, or conflicting services might have been assigned at the same time. Administrators
have access to information about users for whom Azure AD could not fully process group licenses. They
can then take corrective action based on that information.
During public preview, a paid or trial subscription for Azure AD Basic or Premium editions is required in the
tenant to use group-based license management.
Next steps
To learn more about other scenarios for license management through group-based licensing, see:
Get started with licenses in Azure Active Directory
Assigning licenses to a group in Azure Active Directory
Identifying and resolving license problems for a group in Azure Active Directory
How to migrate individual licensed users to group-based licensing in Azure Active Directory
Azure Active Directory group-based licensing additional scenarios
Assign licenses to users by group membership in
Azure Active Directory
12/11/2017 • 5 min to read • Edit Online
This article walks you through assigning product licenses to a group of users in Azure Active Directory (Azure AD)
and then verifying that they're licensed correctly.
In this example, the tenant contains a security group called HR Department. This group includes all members of
the human resources department (around 1,000 users). You want to assign Office 365 Enterprise E3 licenses to the
entire department. The Yammer Enterprise service that's included in the product must be temporarily disabled
until the department is ready to start using it. You also want to deploy Enterprise Mobility + Security licenses to
the same group of users.
NOTE
Some Microsoft services are not available in all locations. Before a license can be assigned to a user, the administrator has to
specify the Usage location property on the user.
For group license assignment, any users without a usage location specified will inherit the location of the directory. If you
have users in multiple locations, we recommend that you always set usage location as part of your user creation flow in
Azure AD (e.g. via AAD Connect configuration) - that will ensure the result of license assignment is always correct and users
do not receive services in locations that are not allowed.
6. On the Assign license blade, click Assignment options (optional), which displays all service plans
included in the two products that we selected previously. Find Yammer Enterprise and turn it Off to
disable that service from the product license. Confirm by clicking OK at the bottom of Assignment
options.
7. To complete the assignment, on the Assign license blade, click Assign at the bottom of the blade.
8. A notification is displayed in the upper-right corner that shows the status and outcome of the process. If the
assignment to the group couldn't be completed (for example, because of pre-existing licenses in the group),
click the notification to view details of the failure.
We've now specified a license template for the HR Department group. A background process in Azure AD has been
started to process all existing members of that group. This initial operation might take some time, depending on
the current size of the group. In the next step, we'll describe how to verify that the process has finished and
determine if further attention is required to resolve problems.
NOTE
You can start the same assignment from an alternative location: Users and groups in Azure AD. Go to Azure Active
Directory > Users and groups > All groups. Then find the group, select it, and go to the Licenses tab. The Assign button
on top of the blade opens the license assignment blade.
4. Select a user to open the Licenses blade. This blade shows all licenses that are currently assigned to the
user. In this example, the user has the Office 365 Enterprise E1 license that was inherited from the Kiosk
users group. This conflicts with the E3 license that the system tried to apply from the HR Department
group. As a result, none of the licenses from that group has been assigned to the user.
5. To solve this conflict, remove the user from the Kiosk users group. After Azure AD processes the change,
the HR Department licenses are correctly assigned.
Next steps
To learn more about the feature set for license management through groups, see the following articles:
What is group-based licensing in Azure Active Directory?
Identifying and resolving license problems for a group in Azure Active Directory
How to migrate individual licensed users to group-based licensing in Azure Active Directory
Azure Active Directory group-based licensing additional scenarios
Identify and resolve license assignment problems for
a group in Azure Active Directory
12/11/2017 • 9 min to read • Edit Online
Group-based licensing in Azure Active Directory (Azure AD) introduces the concept of users in a licensing error
state. In this article, we explain the reasons why users might end up in this state.
When you assign licenses directly to individual users, without using group-based licensing, the assignment
operation might fail. For example, when you execute the PowerShell cmdlet Set-MsolUserLicense on a user
system, the cmdlet can fail for many reasons that are related to business logic. For example, there might be an
insufficient number of licenses or a conflict between two service plans that can't be assigned at the same time. The
problem is immediately reported back to you.
When you're using group-based licensing, the same errors can occur, but they happen in the background while
the Azure AD service is assigning licenses. For this reason, the errors can't be communicated to you immediately.
Instead, they're recorded on the user object and then reported via the administrative portal. The original intent to
license the user is never lost, but it's recorded in an error state for future investigation and resolution.
2. Select the notification to open a list of all affected users. You can select each user individually to see more
details.
3. To find all groups that contain at least one error, on the Azure Active Directory blade select Licenses, and
then select Overview. An information box is displayed when groups require your attention.
4. Select the box to see a list of all groups with errors. You can select each group for more details.
The following sections give a description of each potential problem and the way to resolve it.
NOTE
When Azure AD assigns group licenses, any users without a specified usage location inherit the location of the directory. We
recommend that administrators set the correct usage location values on users before using group-based licensing to comply
with local laws and regulations.
License operation failed. Make sure that the group has necessary services before adding or removing a
dependent service. The service Microsoft Workplace Analytics requires Exchange Online (Plan 2) to be
enabled as well.
To assign this add-on license to a group, we must ensure that the group also contains the prerequisite service plan.
For example, we might update an existing group that already contains the full Office 365 E3 product, and then add
the add-on product to it.
It is also possible to create a standalone group that contains only the minimum required products to make the
add-on work. It can be used to license only the selected users for the add-on product. In this example, we have
assigned the following products to the same group:
Office 365 Enterprise E3 with only the Exchange Online (Plan 2) service plan enabled
Microsoft Workplace Analytics
From now on, any users added to this group consume one license of the E3 product and one license of the
Workplace Analytics product. At the same time, those users can be members of another group that gives them the
full E3 product, and they still consume only one license for that product.
TIP
You can create multiple groups for each prerequisite service plan. For example, if you use both Office 365 Enterprise E1 and
Office 365 Enterprise E3 for your users, you can create two groups to license Microsoft Workplace Analytics: one that uses
E1 as a prerequisite and the other that uses E3. This lets you distribute the add-on to E1 and E3 users without consuming
additional licenses.
For more information about this problem, see "Proxy address is already being used" error message in Exchange Online. The
article also includes information on how to connect to Exchange Online by using remote PowerShell.
After you resolve any proxy address problems for the affected users, make sure to force license processing on the
group to make sure that the licenses can now be applied.
Next steps
To learn more about other scenarios for license management through groups, see the following:
Assigning licenses to a group in Azure Active Directory
What is group-based licensing in Azure Active Directory?
How to migrate individual licensed users to group-based licensing in Azure Active Directory
Azure Active Directory group-based licensing additional scenarios
How to add licensed users to a group for licensing in
Azure Active Directory
1/17/2018 • 3 min to read • Edit Online
You may have existing licenses deployed to users in the organizations via “direct assignment”; that is, using
PowerShell scripts or other tools to assign individual user licenses. If you would like to start using group-based
licensing to manage licenses in your organization, you will need a migration plan to seamlessly replace existing
solutions with group-based licensing.
The most important thing to keep in mind is that you should avoid a situation where migrating to group-based
licensing will result in users temporarily losing their currently assigned licenses. Any process that may result in
removal of licenses should be avoided to remove the risk of users losing access to services and their data.
An example
We have an organization with 1,000 users. All users require Enterprise Mobility + Security (EMS) licenses. 200
users are in the Finance Department and require Office 365 Enterprise E3 licenses. We have a PowerShell script
running on premises adding and removing licenses from users as they come and go. We want to replace the script
with group-based licensing so licenses are managed automatically by Azure AD.
Here is what the migration process could look like:
1. Using the Azure portal assign the EMS license to the All users group in Azure AD. Assign the E3 license to
the Finance department group that contains all the required users.
2. For each group, confirm that license assignment has completed for all users. Go to the blade for each group,
select Licenses, and check the processing status at the top of the Licenses blade.
Look for “Latest license changes have been applied to all users" to confirm processing has
completed.
Look for a notification on top about any users for whom licenses may have not been successfully
assigned. Did we run out of licenses for some users? Do some users have conflicting license SKUs
that prevent them from inheriting group licenses?
3. Spot check some users to verify that they have both the direct and group licenses applied. Go to the blade
for a user, select Licenses, and examine the state of licenses.
This is the expected user state during migration:
This confirms that the user has both direct and inherited licenses. We see that both EMS and E3 are
assigned.
Select each license to show details about the enabled services. This can be used to check if the direct
and group licenses enable exactly the same service plans for the user.
4. After confirming that both direct and group licenses are equivalent, you can start removing direct licenses
from users. You can test this by removing them for individual users in the portal and then run automation
scripts to have them removed in bulk. Here is an example of the same user with the direct licenses removed
through the portal. Notice that the license state remains unchanged, but we no longer see direct
assignments.
Next steps
To learn more about other scenarios for license management through groups, read
Assigning licenses to a group in Azure Active Directory
What is group-based licensing in Azure Active Directory?
Identifying and resolving license problems for a group in Azure Active Directory
Azure Active Directory group-based licensing additional scenarios
Scenarios, limitations, and known issues using groups
to manage licensing in Azure Active Directory
12/11/2017 • 12 min to read • Edit Online
Use the following information and examples to gain a more advanced understanding of Azure Active Directory
(Azure AD) group-based licensing.
Usage location
Some Microsoft services are not available in all locations. Before a license can be assigned to a user, the
administrator has to specify the Usage location property on the user. In the Azure portal, you can specify in User
> Profile > Settings.
For group license assignment, any users without a usage location specified will inherit the location of the directory.
If you have users in multiple locations, make sure to reflect that correctly in your user objects before adding users
to groups with licenses.
NOTE
Group license assignment will never modify an existing usage location value on a user. We recommend that you always set
usage location as part of your user creation flow in Azure AD (e.g. via AAD Connect configuration) - that will ensure the
result of license assignment is always correct, and users do not receive services in locations that are not allowed.
For this example, modify one user and set their extensionAttribute1 to the value of EMS;E5_baseservices; if you
want the user to have both licenses. You can make this modification on-premises. After the change syncs with the
cloud, the user is automatically added to both groups, and licenses are assigned.
WARNING
Use caution when modifying an existing group’s membership rule. When a rule is changed, the membership of the group
will be re-evaluated and users who no longer match the new rule will be removed (users who still match the new rule will
not be affected during this process). Those users will have their licenses removed during the process which may result in loss
of service, or in some cases, loss of data.
If you have a large dynamic group you depend on for license assignment, consider validating any major changes on a
smaller test group before applying them to the main group.
3. As a result, the user still uses only one license of the E3 product. But the direct assignment enables the
Yammer Enterprise service for that user only. You can see which services are enabled by the group
membership versus the direct assignment:
4. When you use direct assignment, the following operations are allowed:
Yammer Enterprise can be turned off on the user object directly. The On/Off toggle in the illustration
was enabled for this service, as opposed to the other service toggles. Because the service is enabled
directly on the user, it can be modified.
Additional services can be enabled as well, as part of the directly assigned license.
The Remove button can be used to remove the direct license from the user. You can see that the
user now only has the inherited group license and only the original services remain enabled:
Managing new services added to products
When Microsoft adds a new service to a product, it will be enabled by default in all groups to which you have
assigned the product license. Users in your tenant who are subscribed to notifications about product changes will
receive emails ahead of time notifying them about the upcoming service additions.
As an administrator, you can review all groups affected by the change and take action, such as disabling the new
service in each group. For example, if you created groups targeting only specific services for deployment, you can
revisit those groups and make sure that any newly added services are disabled.
Here is an example of what this process may look like:
1. Originally, you assigned the Office 365 Enterprise E5 product to several groups. One of those groups, called
O365 E5 - Exchange only was designed to enable only the Exchange Online (Plan 2) service for its
members.
2. You received a notification from Microsoft that the E5 product will be extended with a new service -
Microsoft Stream. When the service becomes available in your tenant, you can do the following:
3. Go to the Azure Active Directory > Licenses > All products blade and select Office 365 Enterprise E5,
then select Licensed Groups to view a list of all groups with that product.
4. Click on the group you want to review (in this case, O365 E5 - Exchange only). This will open the Licenses
tab. Clicking on the E5 license will open a blade listing all enabled services.
NOTE
The Microsoft Stream service has been automatically added and enabled in this group, in addition to the Exchange
Online service:
5. If you want to disable the new service in this group, click the On/Off toggle next to the service and click the
Save button to confirm the change. Azure AD will now process all users in the group to apply the change;
any new users added to the group will not have the Microsoft Stream service enabled.
NOTE
Users may still have the service enabled through some other license assignment (another group they are members
of or a direct license assignment).
6. If needed, perform the same steps for other groups with this product assigned.
3. Use the AccountSkuId value for the license you are interested in with this PowerShell script. This will
produce a list of users who have this license with the information about how the license is assigned.
Use Audit logs to monitor group-based licensing activity
You can use Azure AD audit logs to see all activity related to group-based licensing, including:
who changed licenses on groups
when the system started processing a group license change, and when it finished
what license changes were made to a user as a result of a group license assignment.
NOTE
Audit logs are available on most blades in the Azure Active Directory section of the portal. Depending on where you access
them, filters may be pre-applied to only show activity relevant to the context of the blade. If you are not seeing the results
you expect, examine the filtering options or access the unfiltered audit logs under Azure Active Directory > Activity >
Audit logs.
TIP
You can also type the name of the group in the Target filter to scope the results.
3. Click an item in the list view to see the details of what has changed. Under Modified Properties both old and
new values for the license assignment are listed.
Here is an example of recent group license changes, with details:
2. Similarly, to see when groups finished processing, use the filter value Finish applying group based license
to users.
TIP
In this case, the Modified Properties field contains a summary of the results - this is useful to quickly check if
processing resulted in any errors. Sample output:
Modified Properties
...
Name : Result
Old Value : []
New Value : [Users successfully assigned licenses: 6, Users for whom license assignment failed:
0.];
3. To see the complete log for how a group was processed, including all user changes, set the following filters:
Initiated By (Actor): "Microsoft Azure AD Group-Based Licensing"
Date Range (optional): custom range for when you know a specific group started and finished
processing
This sample output shows the start of processing, all resulting user changes, and the finish of processing.
TIP
Clicking items related to Change user license will show details for license changes applied to each individual user.
Next steps
To learn more about other scenarios for license management through group-based licensing, see:
What is group-based licensing in Azure Active Directory?
Assigning licenses to a group in Azure Active Directory
Identifying and resolving license problems for a group in Azure Active Directory
How to migrate individual licensed users to group-based licensing in Azure Active Directory
PowerShell examples for group-based licensing in
Azure AD
1/3/2018 • 11 min to read • Edit Online
Full functionality for group-based licensing is available through the Azure portal, and currently PowerShell support
is limited. However, there are some useful tasks that can be performed using the existing MSOnline PowerShell
cmdlets. This document provides examples of what is possible.
NOTE
Before you begin running cmdlets, make sure you connect to your tenant first, by running the Connect-MsolService
cmdlet.
Output:
SkuPartNumber
-------------
ENTERPRISEPREMIUM
EMSPREMIUM
NOTE
The data is limited to product (SKU) information. It is not possible to list the service plans disabled in the license.
Output:
ObjectId DisplayName Licenses
-------- ----------- --------
7023a314-6148-4d7b-b33f-6c775572879a EMS E5 – Licensed users EMSPREMIUM
cf41f428-3b45-490b-b69f-a349c8a4c38e PowerBi - Licensed users POWER\_BI\_STANDARD
962f7189-59d9-4a29-983f-556ae56f19a5 O365 E3 - Licensed users ENTERPRISEPACK
c2652d63-9161-439b-b74e-fcd8228a7074 EMSandOffice {ENTERPRISEPREMIUM,EMSPREMIUM}
} | Format-Table
Output:
GroupName GroupId GroupLicenses TotalUserCount LicensedUserCount
LicenseErrorCount
--------- ------- ------------- -------------- ----------------- ---
--------------
Dynamics Licen... 9160c903-9f91-4597-8f79-22b6c47eafbf AAD_PREMIUM_P2 0 0
0
O365 E5 - base... 055dcca3-fb75-4398-a1b8-f8c6f4c24e65 ENTERPRISEPREMIUM 2 2
0
O365 E5 - extr... 6b14a1fe-c3a9-4786-9ee4-3a2bb54dcb8e ENTERPRISEPREMIUM 3 3
0
EMS E5 - all s... 7023a314-6148-4d7b-b33f-6c775572879a EMSPREMIUM 2 2
0
PowerBi - Lice... cf41f428-3b45-490b-b69f-a349c8a4c38e POWER_BI_STANDARD 2 2
0
O365 E3 - all ... 962f7189-59d9-4a29-983f-556ae56f19a5 ENTERPRISEPACK 2 2
0
O365 E5 - EXO 102fb8f4-bbe7-462b-83ff-2145e7cdd6ed ENTERPRISEPREMIUM 1 1
0
Access to Offi... 11151866-5419-4d93-9141-0603bbf78b42 STANDARDPACK 4 3
1
Output:
Output:
ObjectId DisplayName License Error
-------- ----------- ------------
6d325baf-22b7-46fa-a2fc-a2500613ca15 Catherine Gibson MutuallyExclusiveViolation
NOTE
This script will enumerate all users in the tenant, which might not be optimal for large tenants.
Output:
Here is another version of the script that searches only through groups that contain license errors. It may be more
optimized for scenarios where you expect to have few groups with problems.
foreach($license in $user.Licenses)
{
#we look for the specific license SKU in all licenses assigned to the user
if ($license.AccountSkuId -ieq $skuId)
{
#GroupsAssigningLicense contains a collection of IDs of objects assigning the license
#This could be a group object or a user object (contrary to what the name suggests)
#If the collection is empty, this means the license is assigned directly - this is the case for
users who have never been licensed via groups in the past
if ($license.GroupsAssigningLicense.Count -eq 0)
{
return $true
}
#If the collection contains the ID of the user object, this means the license is assigned directly
#Note: the license may also be assigned through one or more groups in addition to being assigned
directly
foreach ($assignmentSource in $license.GroupsAssigningLicense)
{
if ($assignmentSource -ieq $user.ObjectId)
{
return $true
}
}
return $false
}
}
return $false
}
#Returns TRUE if the user is inheriting the license from a group
function UserHasLicenseAssignedFromGroup
{
Param([Microsoft.Online.Administration.User]$user, [string]$skuId)
foreach($license in $user.Licenses)
{
#we look for the specific license SKU in all licenses assigned to the user
if ($license.AccountSkuId -ieq $skuId)
{
#GroupsAssigningLicense contains a collection of IDs of objects assigning the license
#This could be a group object or a user object (contrary to what the name suggests)
foreach ($assignmentSource in $license.GroupsAssigningLicense)
{
#If the collection contains at least one ID not matching the user ID this means that the
license is inherited from a group.
#Note: the license may also be assigned directly in addition to being inherited
if ($assignmentSource -ine $user.ObjectId)
{
return $true
}
}
return $false
}
}
return $false
}
This script executes those functions on each user in the tenant, using the SKU ID as input - in this example we are
interested in the license for Enterprise Mobility + Security, which in our tenant is represented with ID contoso:EMS:
#the license SKU we are interested in. use Msol-GetAccountSku to see a list of all identifiers in your tenant
$skuId = "contoso:EMS"
Output:
NOTE
It is important to first validate that the direct licenses to be removed do not enable more service functionality than the
inherited licenses. Otherwise, removing the direct license may disable access to services and data for users. Currently it is not
possible to check via PowerShell which services are enabled via inherited licenses vs direct. In the script we will specify the
minimum level of services we know are being inherited from groups and we will check against that.
#If the collection contains the ID of the user object, this means the license is assigned directly
#Note: the license may also be assigned through one or more groups in addition to being assigned
directly
foreach ($assignmentSource in $license.GroupsAssigningLicense)
{
if ($assignmentSource -ieq $user.ObjectId)
{
return $true
}
}
return $false
return $false
}
return $false
}
#Returns TRUE if the user is inheriting the license from a specific group
function UserHasLicenseAssignedFromThisGroup
{
Param([Microsoft.Online.Administration.User]$user, [string]$skuId, [Guid]$groupId)
#Returns the license object corresponding to the skuId. Returns NULL if not found
function GetUserLicense
{
Param([Microsoft.Online.Administration.User]$user, [string]$skuId, [Guid]$groupId)
#we look for the specific license SKU in all licenses assigned to the user
foreach($license in $user.Licenses)
{
if ($license.AccountSkuId -ieq $skuId)
{
return $license
}
}
return $null
}
#produces a list of disabled service plan names for a set of plans we want to leave enabled
function GetDisabledPlansForSKU
{
Param([string]$skuId, [string[]]$enabledPlans)
return $disabledPlans
}
function GetUnexpectedEnabledPlansForUser
{
Param([Microsoft.Online.Administration.User]$user, [string]$skuId, [string[]]$expectedDisabledPlans)
$extraPlans = @();
#minimum set of service plans we know are inherited from groups - we want to make sure that there aren't any
users who have more services enabled
#which could mean that they may lose access after we remove direct licenses
$servicePlansFromGroups = ("EXCHANGE_S_ENTERPRISE", "SHAREPOINTENTERPRISE", "OFFICESUBSCRIPTION")
}
else
{
$operationResult = "User does not inherit this license from this group. License removal was
skipped."
}
}
else
{
$operationResult = "User has no direct license to remove. Skipping."
}
#format output
New-Object Object |
Add-Member -NotePropertyName UserId -NotePropertyValue $user.ObjectId -PassThru |
Add-Member -NotePropertyName OperationResult -NotePropertyValue $operationResult -PassThru
} | Format-Table
#END: executing the script
#END: executing the script
Output:
UserId OperationResult
------ ---------------
7c7f860f-700a-462a-826c-f50633931362 Removed direct license from user.
0ddacdd5-0364-477d-9e4b-07eb6cdbc8ea User has extra plans that may be lost - license removal was skipped. Extra
plans: SHAREPOINTWAC
aadbe4da-c4b5-4d84-800a-9400f31d7371 User has no direct license to remove. Skipping.
Next steps
To learn more about the feature set for license management through groups, see the following:
What is group-based licensing in Azure Active Directory?
Assigning licenses to a group in Azure Active Directory
Identifying and resolving license problems for a group in Azure Active Directory
How to migrate individual licensed users to group-based licensing in Azure Active Directory
Azure Active Directory group-based licensing additional scenarios
Product names and service plan identifiers for
licensing
12/11/2017 • 6 min to read • Edit Online
When managing licenses in the Azure portal or the Office 365 portal, you see product names that look something
like Office 365 Enterprise E3. When you use PowerShell v1.0 cmdlets, the same product is identified using a specific
but less friendly name: ENTERPRISEPACK. When using PowerShell v2.0 cmdlets or Microsoft Graph, the same
product is identified using a GUID value: 6fd2c87f-b296-42f0-b197-1e91e994b900. The following table lists the
most commonly used Microsoft online service products and provides their various ID values:
Product Name: Used in management portals
String ID: Used by PowerShell v1.0 cmdlets when performing operations on licenses
Guid ID: GUID used by Azure AD Graph and Microsoft Graph
Service Plans Included: A list of service plans in the product that correspond to the String ID and GUID
NOTE
This information is accurate as of October 11, 2017.
NOTE
All service plans related to Azure Active Directory can now be assigned together, to the same user. This simplifies certain
license management scenarios, such as moving users from Azure AD Basic to Azure AD Premium P1.
CRMIUR c42a56bd-9e70-4ace-be17-dc8eeae369d7
CRMPLAN1 119cf168-b6cf-41fb-b82e-7fee7bae5814
CRMPLAN2 bf36ca64-95c6-4918-9275-eb9f4ce2c04f
CRMSTANDARD f9646fb2-e3b2-4309-95de-dc4833737456
DYN365_ENTERPRISE_P1 d56f3deb-50d8-465a-bedb-f079817ccac1
DYN365_ENTERPRISE_P1_IW 056a5f80-b4e0-4983-a8be-7ad254a113c9
SERVICE PLAN NAME GUID
DYN365_ENTERPRISE_SALES 2da8e897-7791-486b-b08f-cc63c8129df7
DYN365_ENTERPRISE_TEAM_MEMBERS 6a54b05e-4fab-40e7-9828-428db3b336fa
EMPLOYEE_SELF_SERVICE ba5f0cfa-d54a-4ea0-8cf4-a7e1dc4423d8
EXCHANGE_B_STANDARD 90927877-dcff-4af6-b346-2332c0b15bb7
EXCHANGE_L_STANDARD d42bdbd6-c335-4231-ab3d-c8f348d5aff5
EXCHANGE_S_ARCHIVE da040e0a-b393-4bea-bb76-928b3fa1cf5a
EXCHANGE_S_DESKLESS 4a82b400-a79f-41a4-b4e2-e94f5787b113
EXCHANGE_S_ENTERPRISE efb87545-963c-4e0d-99df-69c6916d9eb0
EXCHANGE_S_ESSENTIALS 1126bef5-da20-4f07-b45e-ad25d2581aa8
EXCHANGE_S_STANDARD 9aaf7827-d63c-4b61-89c3-182f06f82e5c
EXCHANGE_S_STANDARD_MIDMARKET fc52cc4b-ed7d-472d-bbe7-b081c23ecc56
Service: Intune
The following service plans cannot be assigned together:
INTUNE_A c1ec4a95-1f05-45b3-a911-aa3fa01094f5
INTUNE_A_VL 3e170737-c728-4eae-bbb9-3f3360f7184c
INTUNE_B 2dc63b8a-df3d-448f-b683-8655877c9360
ONEDRIVEENTERPRISE afcafa6a-d966-4462-918c-ec0b4e0fe642
SHAREPOINT_S_DEVELOPER a361d6e2-509e-4e25-a8ad-950060064ef4
SHAREPOINTDESKLESS 902b47e5-dcb2-4fdc-858b-c63a90a2bdb9
SHAREPOINTENTERPRISE 5dbe027f-2339-4123-9542-606e4d348a72
SERVICE PLAN NAME GUID
SHAREPOINTENTERPRISE_EDU 63038b2c-28d0-45f6-bc36-33062963b498
SHAREPOINTENTERPRISE_MIDMARKET 6b5b6a67-fc72-4a1f-a2b5-beecf05de761
SHAREPOINTLITE a1f3d0a8-84c0-4ae0-bae4-685917b8ab48
SHAREPOINTSTANDARD c7699d2e-19aa-44de-8edf-1736da088ca1
SHAREPOINTSTANDARD_EDU 0a4983bb-d3e5-4a09-95d8-b2d0127b3df5
MCOIMP afc06cb0-b4f4-4473-8286-d644f70d8faf
MCOSTANDARD_MIDMARKET b2669e95-76ef-4e7e-a367-002f60a39f3e
MCOSTANDARD 0feaeb32-d00e-4d66-bd5a-43b5b83db82c
MCOLITE 70710b6b-3ab4-4a38-9f6d-9f169461650a
MCOPSTN1 4ed3ff63-69d7-4fb7-b984-5aec7f605ca8
MCOPSTN2 5a10155d-f5c1-411a-a8ec-e99aae125390
Service: Yammer
The following service plans cannot be assigned together:
YAMMER_ENTERPRISE 7547a3fe-08ee-4ccb-b430-5077c5041653
YAMMER_EDU 2078e8df-cff6-4290-98cb-5408261a760a
YAMMER_MIDSIZE 41bf139a-4e60-409f-9346-a1361efc6dfb
Next steps
To learn more about the feature set for license management through groups, see the following:
PowerShell examples for group-based licensing in Azure AD
Configure expiration for Office 365 groups (preview)
1/5/2018 • 2 min to read • Edit Online
You can now manage the lifecycle of Office 365 groups by setting expiration features for them. You can set
expiration for only Office 365 groups in Azure Active Directory (Azure AD). Once you set a group to expire:
Owners of the group are notified to renew the group as the expiration nears
Any group that is not renewed is deleted
Any Office 365 group that is deleted can be restored within 30 days by the group owners or the administrator
NOTE
Setting expiration for Office 365 groups requires an Azure AD Premium license for all members of the groups to which
expiration settings are applied.
For information on how to download and install the Azure AD PowerShell cmdlets, see Azure Active Directory
PowerShell for Graph - Public Preview Release 2.0.0.137.
The group owner can then select Renew group to renew the Office 365 group, or can select Go to group to see
the members and other details about the group.
When a group expires, the group is deleted one day after the expiration date. An email notification such as this one
is sent to the Office 365 group owners informing them about the expiration and subsequent deletion of their Office
365 group.
The group can be restored by selecting Restore group or by using PowerShell cmdlets, as described in Restore a
deleted Office 365 group in Azure Active Directory.
If the group you're restoring contains documents, SharePoint sites, or other persistent objects, it might take up to
24 hours to fully restore the group and its contents.
NOTE
When you first set up expiration, any groups that are older than the expiration interval are set to 30 days until expiration.
The first renewal notification email is sent out within a day. For example, Group A was created 400 days ago, and the
expiration interval is set to 180 days. When you apply expiration settings, Group A has 30 days before it is deleted, unless
the owner renews it.
When a dynamic group is deleted and restored, it is seen as a new group and re-populated according to the rule. This
process might take up to 24 hours.
Next steps
These articles provide additional information on Azure AD groups.
See existing groups
Manage settings of a group
Manage members of a group
Manage memberships of a group
Manage dynamic rules for users in a group
View or search for your user groups in Azure Active
Directory
12/11/2017 • 1 min to read • Edit Online
This article explains how to view all groups in Azure Active Directory (Azure AD). One of the features of Azure AD
user management is that you can use groups to perform management tasks such as assigning licenses or
permissions to a number of users at once.
Next steps
These articles provide additional information on Azure Active Directory.
See existing groups
Create a new group and adding members
Manage settings of a group
Manage members of a group
Manage memberships of a group
Manage dynamic rules for users in a group
Using a group to manage access to SaaS applications
12/11/2017 • 1 min to read • Edit Online
Using Azure Active Directory (Azure AD) with an Azure AD Premium or Azure AD Basic license, you can use groups
to assign access to a SaaS application that's integrated with Azure AD. For example, if you want to assign access for
the marketing department to use five different SaaS applications, you can create a group that contains the users in
the marketing department, and then assign that group to these five SaaS applications that are needed by the
marketing department. This way you can save time by managing the membership of the marketing department in
one place. Users then are assigned to the application when they are added as members of the marketing group,
and have their assignments removed from the application when they are removed from the marketing group. This
capability can be used with hundreds of applications that you can add from within the Azure AD Application
Gallery.
IMPORTANT
You can use this feature only after you start an Azure AD Premium trial or purchase Azure AD Premium or Azure AD Basic
licenses. Nested group memberships are not supported for group-based assignment to applications at this time.
When you delete an Office 365 group in the Azure Active Directory (Azure AD), the deleted group is retained but
not visible for 30 days from the deletion date. This is so that the group and its contents can be restored if needed.
This functionality is restricted exclusively to Office 365 groups in Azure AD. It is not available for security groups
and distribution groups.
NOTE
Don't use Remove-MsolGroup because it purges the group permanently. Always use Remove-AzureADMSGroup to delete an
O365 group.
ROLE PERMISSIONS
Company Administrator, Partner Tier2 support, and InTune Can restore any deleted Office 365 group
Service Admins
User Account Administrator and Partner Tier1 support Can restore any deleted Office 365 group except those
assigned to the Company Administrator role
User Can restore any deleted Office 365 group that they owned
View the deleted Office 365 groups that are available to restore
The following cmdlets can be used to view the deleted groups to verify that the one or ones you're interested in
have not yet been permanently purged. These cmdlets are part of the Azure AD PowerShell module. More
information about this module can be found in the Azure Active Directory PowerShell Version 2 article.
1. Run the following cmdlet to display all deleted Office 365 groups in your tenant that are still available to
restore.
Get-AzureADMSDeletedGroup
2. Alternately, if you know the objectID of a specific group (and you can get it from the cmdlet in step 1), run
the following cmdlet to verify that the specific deleted group has not yet been permanently purged.
Alternatively, the following cmdlet can be run to permanently remove the deleted group.
Next steps
These articles provide additional information on Azure Active Directory groups.
See existing groups
Manage settings of a group
Manage members of a group
Manage memberships of a group
Manage dynamic rules for users in a group
Manage the settings for a group in Azure Active
Directory
12/11/2017 • 1 min to read • Edit Online
This article explains how to change the settings for a group in Azure Active Directory (Azure AD).
6. When you finish changing properties for the group, select Save.
Next steps
These articles provide additional information on Azure Active Directory.
See existing groups
Create a new group and adding members
Manage members of a group
Manage memberships of a group
Manage dynamic rules for users in a group
Azure Active Directory cmdlets for configuring group
settings
12/11/2017 • 5 min to read • Edit Online
This article contains instructions for using Azure Active Directory (Azure AD) PowerShell cmdlets to create and
update groups. This content applies only to Office 365 groups.
IMPORTANT
Some settings require an Azure Active Directory Premium P1 license. For more information, see the Template settings table.
For more information on how to prevent non-administrator users to create security groups, set
Set-MsolCompanySettings -UsersPermissionToCreateGroupsEnabled $False as described in Set-
MSOLCompanySettings.
Office 365 Groups settings are configured using a Settings object and a SettingsTemplate object. Initially, you don't
see any Settings objects in your directory, because your directory is configured with the default settings. To change
the default settings, you must create a new settings object using a settings template. Settings templates are
defined by Microsoft. There are several different settings templates. To configure Office 365 group settings for
your directory, you use the template named "Group.Unified". To configure Office 365 group settings on a single
group, use the template named "Group.Unified.Guest". This template is used to manage guest access to an Office
365 group.
The cmdlets are part of the Azure Active Directory PowerShell V2 module. For instructions how to download and
install the module on your computer, see the article Azure Active Directory PowerShell Version 2. You can install
the version 2 release of the module from the PowerShell gallery.
PS C:> Get-AzureADDirectorySettingTemplate
2. To add a usage guideline URL, first you need to get the SettingsTemplate object that defines the usage
guideline URL value; that is, the Group.Unified template:
$Setting = $template.CreateDirectorySetting()
$setting["UsageGuidelinesUrl"] = "<https://guideline.com>"
Upon successful completion, the cmdlet returns the ID of the new settings object:
Template settings
Here are the settings defined in the Group.Unified SettingsTemplate. Unless otherwise indicated, these features
require an Azure Active Directory Premium P1 license.
SETTING DESCRIPTION
GroupCreationAllowedGroupId GUID of the security group for which the members are
Type: String allowed to create Unified Groups even when
Default: “” EnableGroupCreation == false.
SETTING DESCRIPTION
3. Read all directory settings values of a specific directory settings object, using Settings Id GUID:
This cmdlet returns the names and values in this settings object for this specific group:
Name Value
---- -----
ClassificationDescriptions
DefaultClassification
PrefixSuffixNamingRequirement
AllowGuestsToBeGroupOwner False
AllowGuestsToAccessGroups True
GuestUsageGuidelinesUrl
GroupCreationAllowedGroupId
AllowToAddGuests True
UsageGuidelinesUrl <https://guideline.com>
ClassificationList
EnableGroupCreation True
Get-AzureADDirectorySettingTemplate
Id DisplayName Description
-- ----------- -----------
62375ab9-6b52-47ed-826b-58e47e0e304b Group.Unified ...
08d542b9-071f-4e16-94b0-74abb372e3d9 Group.Unified.Guest Settings for a specific Unified Group
4bc7f740-180e-4586-adb6-38b2e9024e6b Application ...
898f1161-d651-43d1-805c-3b0b388a9fc2 Custom Policy Settings ...
5cf42378-d67d-4f36-ba46-e8b86229381d Password Rule Settings ...
$Setting["AllowToAddGuests"]=$False
5. Create the new setting for the required group in the directory:
$Setting["AllowToAddGuests"] = "false"
Additional reading
Managing access to resources with Azure Active Directory groups
Integrating your on-premises identities with Azure Active Directory
Create attribute-based rules for dynamic group
membership in Azure Active Directory
12/11/2017 • 12 min to read • Edit Online
In Azure Active Directory (Azure AD), you can create advanced rules to enable complex attribute-based dynamic
memberships for groups. This article details the attributes and syntax to create dynamic membership rules for
users or devices.
When any attributes of a user or device change, the system evaluates all dynamic group rules in a directory to
see if the change would trigger any group adds or removes. If a user or device satisfies a rule on a group, they
are added as a member of that group. If they no longer satisfy the rule, they are removed.
NOTE
You can set up a rule for dynamic membership on security groups or Office 365 groups.
This feature requires an Azure AD Premium P1 license for each user member added to at least one dynamic group. It is
not mandatory to actually assign licenses to users for them to be members in dynamic groups, but you do need to have
the minimum number of licenses in the tenant to cover all such users. For example: if you have a total of 1,000 unique
users in all dynamic groups in your tenant, you need to have at least 1,000 licenses for Azure AD Premium P1, or above,
to meet the license requirement.
You can create a dynamic group for devices or users, but you cannot create a rule that contains both user and device
objects.
At the moment, it is not possible to create a device group based on the owning user's attributes. Device membership rules
can only reference immediate attributes of device objects in the directory.
4. On the Group blade, enter a name and description for the new group. Select a Membership type of
either Dynamic User or Dynamic Device, depending on whether you want to create a rule for users or
devices, and then select Add dynamic query. You can use the rule builder to build a simple rule, or write
an advanced rule yourself. This article contains more information about available user and device
attributes as well as examples of advanced rules.
5. After creating the rule, select Add query at the bottom of the blade.
6. Select Create on the Group blade to create the group.
TIP
Group creation may fail if the advanced rule you entered was incorrect. A notification will be displayed in the upper-right
hand corner of the portal; it contains an explanation of why the rule could not be accepted by the system. Read it carefully
to understand how you need to adjust the rule to make it valid.
For the complete list of supported parameters and expression rule operators, see sections below. For the
attributes used for device rules, see Using attributes to create rules for device objects.
The total length of the body of your advanced rule cannot exceed 2048 characters.
NOTE
String and regex operations are not case sensitive. You can also perform Null checks, using null as a constant, for example,
user.department -eq null. Strings containing quotes " should be escaped using 'character, for example, user.department -
eq `"Sales".
OPERATOR SYNTAX
Equals -eq
Contains -contains
Match -match
In -in
Not In -notIn
Operator precedence
All Operators are listed below per precedence from lower to higher. Operators on same line are in equal
precedence:
-any -all
-or
-and
-not
-eq -ne -startsWith -notStartsWith -contains -notContains -match –notMatch -in -notIn
All operators can be used with or without the hyphen prefix. Parentheses are needed only when precedence does
not meet your requirements. For example:
is equivalent to:
(user.department –eq "Marketing") –and (user.country –eq "US")
user.department -In [ "50001", "50002", "50003", “50005”, “50006”, “50007”, “50008”, “50016”, “50020”,
“50024”, “50038”, “50039”, “51100” ]
Note the use of the "[" and "]" at the beginning and end of the list of values. This condition evaluates to True of
the value of user.department equals one of the values in the list.
Error: Attribute not supported. (user.invalidProperty -eq "Value") (user.department -eq "value")
Error: Operator is not supported on (user.accountEnabled -contains true) (user.accountEnabled -eq true)
attribute.
The operator used is not supported for
the property type (in this example, -
contains cannot be used on type
boolean). Use the correct operators for
the property type.
Error: Query compilation error. 1. (user.department -eq "Sales") 1. Missing operator. Use -and or -or
(user.department -eq "Marketing") two join predicates
(user.userPrincipalName -match
".*@domain.ext"), alternatively:
(user.userPrincipalName -match
"@domain.ext$")
Supported properties
The following are all the user properties that you can use in your advanced rule:
Properties of type boolean
Allowed operators
-eq
-ne
PROPERTIES ALLOWED VALUES USAGE
mail Any string value or null (SMTP address (user.mail -eq "value")
of the user)
mailNickName Any string value (mail alias of the user) (user.mailNickName -eq "value")
Multi-value properties
Allowed operators
-any (satisfied when at least one item in the collection matches the condition)
-all (satisfied when all items in the collection match the condition)
Multi-value properties are collections of objects of the same type. You can use -any and -all operators to apply a
condition to one or all of the items in the collection, respectively. For example:
assignedPlans is a multi-value property that lists all service plans assigned to the user. The below expression will
select users who have the Exchange Online (Plan 2) service plan that is also in Enabled state:
(The Guid identifier identifies the Exchange Online (Plan 2) service plan.)
NOTE
This is useful if you want to identify all users for whom an Office 365 (or other Microsoft Online Service) capability has
been enabled, for example to target them with a certain set of policies.
The following expression will select all users who have any service plan that is associated with the Intune service
(identified by service name "SCO"):
Custom Attributes are synced from on-premises Windows Server AD or from a connected SaaS application and
the the format of "user.extension_[GUID]__[Attribute]", where [GUID] is the unique identifier in AAD for the
application that created the attribute in AAD and [Attribute] is the name of the attribute as it was created. An
example of a rule that uses a custom attribute is
user.extension_c272a57b722d4eb29bfe327874ae79cb__OfficeNumber
The custom attribute name can be found in the directory by querying a user's attribute using Graph Explorer and
searching for the attribute name.
NOTE
1. For the rule to work, make sure the Manager ID property is set correctly on users in your tenant. You can check the
current value for a user on their Profile tab.
2. This rule only supports direct reports. It is currently not possible to create a group for a nested hierarchy, e.g. a group
that includes direct reports and their reports.
organizationalUnit any string value matching the name of (device.organizationalUnit -eq "US
the organizational unit set by an on- PCs")
premises Active Directory
WARNING
When changing an existing static group to a dynamic group, all existing members will be removed from the group, and
then the membership rule will be processed to add new members. If the group is used to control access to apps or
resources, the original members may lose access until the membership rule is fully processed.
It is a recommended practice to test the new membership rule beforehand to make sure that the new membership in the
group is as expected.
NOTE
To change dynamic group properties you will need to use cmdlets from the preview version of Azure AD PowerShell
Version 2. You can install the preview from here.
Here is an example of functions that switch membership management on an existing group. Note that care is
taken to correctly manipulate the GroupTypes property and preserve any values that may exist there, unrelated
to dynamic membership.
#The moniker for dynamic groups as used in the GroupTypes property of a group object
$dynamicGroupTypeString = "DynamicMembership"
function ConvertDynamicGroupToStatic
{
Param([string]$groupId)
#remove the type for dynamic groups, but keep the other type values
$groupTypes.Remove($dynamicGroupTypeString)
#modify the group properties to make it a static group: i) change GroupTypes to remove the dynamic type,
ii) pause execution of the current rule
Set-AzureAdMsGroup -Id $groupId -GroupTypes $groupTypes.ToArray() -MembershipRuleProcessingState
"Paused"
}
function ConvertStaticGroupToDynamic
{
Param([string]$groupId, [string]$dynamicMembershipRule)
#modify the group properties to make it a static group: i) change GroupTypes to add the dynamic type,
ii) start execution of the rule, iii) set the rule
Set-AzureAdMsGroup -Id $groupId -GroupTypes $groupTypes.ToArray() -MembershipRuleProcessingState "On" -
MembershipRule $dynamicMembershipRule
}
ConvertDynamicGroupToStatic "a58913b2-eee4-44f9-beb2-e381c375058f"
Next steps
These articles provide additional information on groups in Azure Active Directory.
See existing groups
Create a new group and adding members
Manage settings of a group
Manage memberships of a group
Manage dynamic rules for users in a group
Set up Azure Active Directory for self-service group
management
12/11/2017 • 3 min to read • Edit Online
Your users can create and manage their own security groups or Office 365 groups in Azure Active Directory
(Azure AD). Users can also request security group or Office 365 group memberships, and then the owner of the
group can approve or deny membership. Day-to-day control of group membership can be delegated to the
people who understand the business context for that membership. Self-service group management features are
available only for security groups and Office 365 groups, but not for mail-enabled security groups or distribution
lists.
Self-service group management currently services two essential scenarios: delegated group management and
self-service group management.
Delegated group management An example is an administrator who is managing access to a SaaS
application that the company is using. Managing these access rights is becoming cumbersome, so this
administrator asks the business owner to create a new group. The administrator assigns access for the
application to the new group, and adds to the group all people already accessing to the application. The
business owner then can add more users, and those users are automatically provisioned to the application.
The business owner doesn't need to wait for the administrator to manage access for users. If the administrator
grants the same permission to a manager in a different business group, then that person can also manage
access for their own users. Neither the business owner nor the manager can view or manage each other’s
users. The administrator can still see all users who have access to the application and block access rights if
needed.
Self-service group management An example of this scenario is two users who both have SharePoint Online
sites that they set up independently. They want to give each other’s teams access to their sites. To accomplish
this, they can create one group in Azure AD, and in SharePoint Online each of them selects that group to
provide access to their sites. When someone wants access, they request it from the Access Panel, and after
approval they get access to both SharePoint Online sites automatically. Later, one of them decides that all
people accessing the site should also get access to a particular SaaS application. The administrator of the SaaS
application can add access rights for the application to the SharePoint Online site. From then on, any requests
that get approved gives access to the two SharePoint Online sites and also to this SaaS application.
Next steps
These articles provide additional information on Azure Active Directory.
Manage access to resources with Azure Active Directory groups
Azure Active Directory cmdlets for configuring group settings
Article Index for Application Management in Azure Active Directory
What is Azure Active Directory?
Integrate your on-premises identities with Azure Active Directory
Troubleshooting dynamic memberships for groups
12/11/2017 • 1 min to read • Edit Online
With Azure Active Directory reporting, you can gain insights into how your environment is doing.
The provided data enables you to:
Determine how your apps and services are utilized by your users
Detect potential risks affecting the health of your environment
Troubleshoot issues preventing your users from getting their work done
The reporting architecture relies on two main pillars:
Security reports
Activity reports
Security reports
The security reports in Azure Active Directory help you to protect your organization's identities.
There are two types of security reports in Azure Active Directory:
Users flagged for risk - From the users flagged for risk security report, you get an overview of user
accounts that might have been compromised.
Risky sign-ins - With the risky sign-in security report, you get an indicator for sign-in attempts that might
have been performed by someone who is not the legitimate owner of a user account.
What Azure AD license do you need to access a security report?
All editions of Azure Active Directory provide you with users flagged for risk and risky sign-ins reports.
However, the level of report granularity varies between the editions:
In the Azure Active Directory Free and Basic editions, you already get a list of users flagged for risk and
risky sign-ins.
The Azure Active Directory Premium 1 edition extends this model by also enabling you to examine some
of the underlying risk events that have been detected for each report.
The Azure Active Directory Premium 2 edition provides you with the most detailed information about
the underlying risk events and it also enables you to configure security policies that automatically respond
to configured risk levels.
Activity reports
There are two types of activity reports in Azure Active Directory:
Audit logs - The audit logs activity report provides you with access to the history of every task performed
in your tenant.
Sign-ins - With the sign-ins activity report, you can determine, who has performed the tasks reported by
the audit logs report.
The audit logs report provides you with records of system activities for compliance. Amongst others, the
provided data enables you to address common scenarios such as:
Someone in my tenant got access to an admin group. Who gave them access?
I want to know the list of users signing into a specific app since I recently onboarded the app and want to
know if it’s doing well
I want to know how many password resets are happening in my tenant
What Azure AD license do you need to access the audit logs report?
The audit logs report is available for features for which you have licenses. If you have a license for a specific
feature, you also have access to the audit log information for it.
For more details, see Comparing generally available features of the Free, Basic, and Premium editions in
Azure Active Directory features and capabilities.
The sign-ins activity report enables to to find answers to questions such as:
What is the sign-in pattern of a user?
How many users have users signed in over a week?
What’s the status of these sign-ins?
What Azure AD license do you need to access the sign-ins activity report?
To access the sign-ins activity report, your tenant must have an Azure AD Premium license associated with it.
Programmatic access
In addition to the user interface, Azure Active Directory reporting also provides you with programmatic access to
the reporting data. The data of these reports can be very useful to your applications, such as SIEM systems, audit,
and business intelligence tools. The Azure AD reporting APIs provide programmatic access to the data through a
set of REST-based APIs. You can call these APIs from a variety of programming languages and tools.
Next steps
If you want to know more about the various report types in Azure Active Directory, see:
Users flagged for risk report
Risky sign-ins report
Audit logs report
Sign-ins logs report
If you want to know more about accessing the the reporting data using the reporting API, see:
Getting started with the Azure Active Directory reporting API
Sign-in activity reports in the Azure Active Directory
portal
1/16/2018 • 4 min to read • Edit Online
With Azure Active Directory (Azure AD) reporting in the Azure portal, you can get the information you need to
determine how your environment is doing.
The reporting architecture in Azure Active Directory consists of the following components:
Activity
Sign-in activities – Information about the usage of managed applications and user sign-in activities
Audit logs - System activity information about users and group management, your managed
applications and directory activities.
Security
Risky sign-ins - A risky sign-in is an indicator for a sign-in attempt that might have been performed by
someone who is not the legitimate owner of a user account. For more details, see Risky sign-ins.
Users flagged for risk - A risky user is an indicator for a user account that might have been
compromised. For more details, see Users flagged for risk.
This topic gives you an overview of the sign-in activities.
Pre-requisite
Who can access the data?
Users in the Security Admin or Security Reader role
Global Admins
Any user (non-admins) can access their own sign-ins
What Azure AD license do you need to access sign-in activity?
Your tenant must have an Azure AD Premium license associated with it to see the all up sign-in activity report
Signs-in activities
With the information provided by the user sign-in report, you find answers to questions such as:
What is the sign-in pattern of a user?
How many users have signed in over a week?
What’s the status of these sign-ins?
Your first entry point to all sign-in activities data is Sign-ins in the Activity section of Azure Active.
An audit log has a default list view that shows:
the related user
the application the user has signed-in to
the sign-in status
the sign-in time
You can customize the list view by clicking Columns in the toolbar.
This enables you to display additional fields or remove fields that are already displayed.
By clicking an item in the list view, you get all available details about it.
The time interval filter enables to you to define a timeframe for the returned data.
Possible values are:
1 month
7 days
24 hours
Custom
When you select a custom timeframe, you can configure a start time and an end time.
The user filter enables you to specify the name or the user principal name (UPN) of the user you care about.
The application filter enables you to specify the name of the application you care about.
The client filter enables you to specify information about the device you care about.
The sign-in status filter enables you to select one of the following filter:
All
Success
Failure
The user sign-in graph shows weekly aggregations of sign ins for all users in a given time period. The default for
the time period is 30 days.
When you click on a day in the sign-in graph, you get a detailed list of the sign-in activities for this day.
Each row in the sign-in activities list gives you the detailed information about the selected sign-in such as:
Who has signed in?
What was the related UPN?
What application was the target of the sign-in?
What is the IP address of the sign-in?
What was the status of the sign-in?
The Sign-ins option gives you a complete overview of all user sign-ins.
Usage of managed applications
With an application-centric view of your sign-in data, you can answer questions such as:
Who is using my applications?
What are the top 3 applications in your organization?
I have recently rolled out an application. How is it doing?
Your entry point to this data is the top 3 applications in your organization within the last 30 days report in the
Overview section under Enterprise applications.
The app usage graph weekly aggregations of sign ins for your top 3 applications in a given time period. The
default for the time period is 30 days.
If you want to, you can set the focus on a specific application.
When you click on a day in the app usage graph, you get a detailed list of the sign-in activities.
The Sign-ins option gives you a complete overview of all sign-in events to your applications.
Next steps
If you want to know more about sign-in activity error codes, see the Sign-in activity report error codes in the Azure
Active Directory portal.
Audit activity reports in the Azure Active Directory
portal
1/16/2018 • 3 min to read • Edit Online
With reporting in Azure Active Directory (Azure AD), you can get the information you need to determine how your
environment is doing.
The reporting architecture in Azure AD consists of the following components:
Activity
Sign-in activities – Information about the usage of managed applications and user sign-in activities
Audit logs - System activity information about users and group management, your managed
applications and directory activities.
Security
Risky sign-ins - A risky sign-in is an indicator for a sign-in attempt that might have been performed by
someone who is not the legitimate owner of a user account. For more details, see Risky sign-ins.
Users flagged for risk - A risky user is an indicator for a user account that might have been
compromised. For more details, see Users flagged for risk.
This topic gives you an overview of the audit activities.
Audit logs
The audit logs in Azure Active Directory provide records of system activities for compliance.
Your first entry point to all auditing data is Audit logs in the Activity section of Azure Active Directory.
An audit log has a default list view that shows:
the date and time of the occurrence
the initiator / actor (who) of an activity
the activity (what)
the target
You can customize the list view by clicking Columns in the toolbar.
This enables you to display additional fields or remove fields that are already displayed.
By clicking an item in the list view, you get all available details about it.
The date range filter enables to you to define a timeframe for the returned data.
Possible values are:
1 month
7 days
24 hours
Custom
When you select a custom timeframe, you can configure a start time and an end time.
The initiated by filter enables you to define an actor's name or its universal principal name (UPN).
The category filter enables you to select one of the following filter:
All
Core category
Core directory
Self-service password management
Self-service group management
Account provisioning- Automated password rollover
Invited users
MIM service
Identity Protection
B2C
The activity resource type filter enables you to select one of the following filters:
All
Group
Directory
User
Application
Policy
Device
Other
When you select Group as activity resource type, you get an additional filter category that enables you to also
provide a Source:
Azure AD
O365
The activity filter is based on the category and Activity resource type selection you make. You can select a specific
activity you want to see or choose all.
You can get the list of all Audit Activities using the Graph API
https://graph.windows.net/$tenantdomain/activities/auditActivityTypes?api-version=beta, where $tenantdomain =
your domain name or refer to the article audit report events.
Audit logs shortcuts
In addition to Azure Active Directory, the Azure portal provides you with two additional entry points to audit
data:
Users and groups
Enterprise applications
Users and groups audit logs
With user and group-based audit reports, you can get answers to questions such as:
What types of updates have been applied the users?
How many users were changed?
How many passwords were changed?
What has an administrator done in a directory?
What are the groups that have been added?
Are there groups with membership changes?
Have the owners of group been changed?
What licenses have been assigned to a group or a user?
If you just want to review auditing data that is related to users and groups, you can find a filtered view under
Audit logs in the Activity section of the Users and Groups. This entry point has Users and groups as
preselected Activity Resource Type.
You can filter this view further down to just groups or just users.
Next steps
For an overview of reporting, see the Azure Active Directory reporting.
Users flagged for risk security report in the Azure
Active Directory portal
12/11/2017 • 2 min to read • Edit Online
With the security reports in the Azure Active Directory (Azure AD), you can gain insights into the probability of
compromised user accounts in your environment.
Azure Active Directory detects suspicious actions that are related to your user accounts. For each detected action, a
record called risk event is created. For more information, see Azure Active Directory risk events.
The detected risk events are used to calculate:
Risky sign-ins - A risky sign-in is an indicator for a sign-in attempt that might have been performed by
someone who is not the legitimate owner of a user account. For more information, see Risky sign-ins.
Users flagged for risk - A risky user is an indicator for a user account that might have been compromised.
For more information, see Users flagged for risk.
In the Azure portal, you can find the security reports on the Azure Active Directory blade in the Security section.
Selecting a user opens the related user data blade. For users that are at risk, you can review the user’s sign-in
history and reset the password if necessary.
With the security reports in Azure Active Directory (Azure AD) you can gain insights into the probability of
compromised user accounts in your environment.
Azure AD detects suspicious actions that are related to your user accounts. For each detected action, a record
called risk event is created. For more details, see Azure Active Directory risk events.
The detected risk events are used to calculate:
Risky sign-ins - A risky sign-in is an indicator for a sign-in attempt that might have been performed by
someone who is not the legitimate owner of a user account. For more details, see Risky sign-ins.
Users flagged for risk - A risky user is an indicator for a user account that might have been compromised.
For more details, see Users flagged for risk.
In the Azure portal, you can find the security reports on the Azure Active Directory blade in the Security section.
When you select a user, you get a detailed report view for this user that enables you to:
Open the All sign-ins view
Reset the user's password
Dismiss all events
Investigate reported risk events for the user.
To investigate a risk event, select one from the list.
This opens the Details blade for this risk event. On the Details blade, you have the option to either manually close
a risk event or reactivate a manually closed risk event.
Next steps
For more information about Azure Active Directory Identity Protection, see Azure Active Directory Identity
Protection.
Azure Active Directory risk events
1/6/2018 • 8 min to read • Edit Online
The vast majority of security breaches take place when attackers gain access to an environment by stealing a user’s
identity. Discovering compromised identities is no easy task. Azure Active Directory uses adaptive machine
learning algorithms and heuristics to detect suspicious actions that are related to your user accounts. Each
detected suspicious action is stored in a record called risk event.
Currently, Azure Active Directory detects six types of risk events:
Users with leaked credentials
Sign-ins from anonymous IP addresses
Impossible travel to atypical locations
Sign-ins from infected devices
Sign-ins from IP addresses with suspicious activity
Sign-ins from unfamiliar locations
The insight you get for a detected risk event is tied to your Azure AD subscription. With the Azure AD Premium P2
edition, you get the most detailed information about all underlying detections. With the Azure AD Premium P1
edition, detections that are not covered by your license appear as the risk event Sign-in with additional risk
detected.
This topic gives you a detailed overview of what risk events are and how you can use them to protect your Azure
AD identities.
Detection type
The detection type property is an indicator (Real-time or Offline) for the detection timeframe of a risk event.
Currently, most risk events are detected offline in a post-processing operation after the risk event has occurred.
The following table lists the amount of time it takes for a detection type to show up in a related report:
Real-time 5 to 10 minutes
DETECTION TYPE REPORTING LATENCY
Offline 2 to 4 hours
For the risk event types Azure Active Directory detects, the detection types are:
Risk level
The risk level property of a risk event is an indicator (High, Medium, or Low) for the severity and the confidence of
a risk event. This property helps you to prioritize the actions you must take.
The severity of the risk event represents the strength of the signal as a predictor of identity compromise.
The confidence is an indicator for the possibility of false positives.
For example,
High: High confidence and high severity risk event. These events are strong indicators that the user’s
identity has been compromised, and any user accounts impacted should be remediated immediately.
Medium: High severity, but lower confidence risk event, or vice versa. These events are potentially risky,
and any user accounts impacted should be remediated.
Low: Low confidence and low severity risk event. This event may not require an immediate action, but when
combined with other risk events, may provide a strong indication that the identity is compromised.
Leaked credentials
Leaked credentials risk events are classified as a High, because they provide a clear indication that the user name
and password are available to an attacker.
Sign-ins from anonymous IP addresses
The risk level for this risk event type is Medium because an anonymous IP address is not a strong indication of an
account compromise.
We recommend that you immediately contact the user to verify if they were using anonymous IP addresses.
Impossible travel to atypical locations
Impossible travel is usually a good indicator that a hacker was able to successfully sign-in. However, false-positives
may occur when a user is traveling using a new device or using a VPN that is typically not used by other users in
the organization. Another source of false-positives is applications that incorrectly pass server IPs as client IPs,
which may give the appearance of sign-ins taking place from the data center where that application’s back-end is
hosted (often these are Microsoft datacenters, which may give the appearance of sign-ins taking place from
Microsoft owned IP addresses). As a result of these false-positives, the risk level for this risk event is Medium.
TIP
You can reduce the amount of reported false-positives for this risk event type by configuring named locations.
Next steps
Risk events are the foundation for protecting your Azure AD's identities. Azure AD can currently detect six risk
events:
Where can you find the risk events that have been detected in your environment? There are two places where you
review reported risk events:
Azure AD reporting - Risk events are part of Azure AD's security reports. For more details, see the users at
risk security report and the risky sign-ins security report.
Azure AD Identity Protection - Risk events are also part of Azure Active Directory Identity Protection's
reporting capabilities.
While the detection of risk events already represents an important aspect of protecting your identities, you also
have the option to either manually address them or even implement automated responses by configuring
conditional access policies. For more details, see of Azure Active Directory Identity Protection's.
Azure Active Directory reporting FAQ
12/11/2017 • 5 min to read • Edit Online
This article includes answers to frequently asked questions about Azure Active Directory (Azure AD) reporting. For
more information, see Azure Active Directory reporting.
Q: I am using the https://graph.windows.net/<tenant-name>/reports/ endpoint APIs to pull Azure AD
audit and integrated application usage reports into our reporting systems programmatically. What
should I switch to?
A: Look up our API reference documentation to see how you can use the new APIs to access activity reports. This
endpoint has two reports (Audit and Sign-ins) which provide all the data you got in the old API endpoint. This new
endpoint also has a sign-ins report with the Azure AD Premium license that you can use to get app usage, device
usage, and user sign-in information.
Q: What is the data retention for activity logs (Audit and Sign-ins) in the Azure portal?
A: We provide 7 days of data for our free customers, or you can access data for up to 30 days by purchasing an
Azure AD Premium 1 or Premium 2 license. For more information on report retention, see Azure Active Directory
report retention policies.
Q: How long does it take until I can see the Activity data after I have completed my task?
A: Audit activity logs have a latency ranging from 15 minutes to an hour. Sign-in activity logs can take from 15
minutes to up to 2 hours for some records.
Q: Do I need to be a global admin to see the activity sign-ins to the Azure portal or to get data through
the API?
A: No. You must be a Security Reader, a Security Admin, or a Global Admin to get reporting data in the Azure
portal or through the API.
Q: Can I get Office 365 activity log information through the Azure portal?
A: Even though Office 365 activity and Azure AD activity logs share a lot of the directory resources, if you want a
full view of the Office 365 activity logs, you should go to the Office 365 Admin Center to get Office 365 Activity log
information.
Q: Which APIs do I use to get information about Office 365 Activity logs?
A: Use the Office 365 Management APIs to access the Office 365 Activity logs through an API.
Q: How many records I can download from Azure portal?
A: You can download up to 120K records from the Azure portal. The records are sorted by most recent and by
default, you get the most recent 120K records.
Q: How soon should I see activities data after getting a premium license?
A: If you already have activities data as a free license, then you can see the same data. If you don’t have any data,
then it will take one or two days.
Q: There is a risk event in Identity Protection but I’m not seeing corresponding sign-in in the all sign-ins.
Is this expected?
A: Yes, Identity Protection evaluates risk for all authentication flows whether if be interactive or non-interactive.
However, all sign-ins only report shows only the interactive sign-ins.
Q: How can I download the “Users flagged for risk” report in Azure portal?
A: The option to download Users flagged for risk report will be added soon.
Q: How do I know why a sign-in or a user was flagged risky in the Azure portal?
A: Premium edition customers can learn more about the underlying risk events by clicking on the user in “Users
flagged for risk” or by clicking on the “Risky sign-ins”. Free and Basic edition customers get to see the at-risk users
and sign-ins without the underlying risk event information.
Q: How are IP addresses calculated in the sign-ins and risky sign-ins report?
A: IP addresses are issued in such a way that there is no definitive connection between an IP address and where the
computer with that address is physically located. This is complicated by factors such as mobile providers and VPNs
issuing IP addresses from central pools often very far from where the client device is actually used. Given the
above, converting IP address to a physical location is a best effort based on traces, registry data, reverse look ups
and other information.
Q: What does the risk event "Sign-in with additional risk detected" signify?
A: To give you an insight into all the risky sign-ins in your environment we show the risk event "Sign-in with
additional risk detected" for sign-ins considered risky because of detections exclusive to Azure AD Identity
Protection subscribers.
Named locations in Azure Active Directory
12/11/2017 • 1 min to read • Edit Online
With named locations, you can label trusted IP address ranges in your organization. Azure Active Directory uses
named locations in the context of:
The detection of risk events to reduce the number of reported false positives.
Location-based conditional access.
This article explains, how you can configure named locations in your environment.
Entry points
You can access the named location configuration page in the Security section of the Azure Active Directory page
by clicking:
Conditional access:
In the Manage section, click Named locations.
Risky sign-ins:
In the toolbar on the top, click Add known IP address ranges.
Configuration example
To configure a named location:
1. Sign in to the Azure portal as global administrator.
2. In the left pane, click Azure Active Directory.
3. On the Azure Active Directory page, in the Security section, click Conditional access.
4. On the Conditional Access page, in the Manage section, click Named locations.
Limitations: You can define a maximum of 60 named locations, with one IP range assigned to each of them. If you
have just one named location configured, you can define up to 500 IP ranges for it.
Next steps
To learn more about:
Risk events, see Azure Active Directory risk events.
Conditional access, see Conditional access in Azure Active Directory.
Risky sign-ins reports, see Risky sign-ins report in the Azure Active Directory portal.
Find activity reports in the Azure portal
12/11/2017 • 3 min to read • Edit Online
In this article, we describe how to find Azure Active Directory user activity reports in the Azure portal.
What's new
Reports in the Azure classic portal were separated into categories:
Security reports
Activity reports
Integrated app reports
Activity and integrated app reports
For context-based reporting in the Azure portal, existing reports are merged into a single view. A single, underlying
API provides the data to the view.
To see this view, on the Azure Active Directory blade, under ACTIVITY, select Audit logs.
The Sign-ins view includes all user sign-ins. You can use this information to get application usage information. You
also can view application usage information in the Enterprise applications overview, in the MANAGE section.
Access a specific report
Although the Azure portal offers a single view, you also can look at specific reports.
Audit logs
In response to customer feedback, in the Azure portal, you can use advanced filtering to access the data you want.
One filter you can use is an activity category, which lists the different types of activity logs in Azure AD. To narrow
results to what you are looking for, you can select a category.
For example, if you are interested only in activities related to self-service password resets, you can choose the Self-
service Password Management category. The categories you see are based on the resource you are working in.
Sign-ins from IP addresses with suspicious activity Sign-ins from IP addresses with suspicious activity
The following Azure AD anomalous activity security reports are not included as risk events in the Azure portal:
Sign-ins after multiple failures
Sign-ins from multiple geographies
These reports are still available in the Azure classic portal, but they will be deprecated at some time in the future.
For more information, see Azure Active Directory risk events.
Detected risk events
In the Azure portal, you can access reports about detected risk events on the Azure Active Directory blade, under
SECURITY. Detected risk events are tracked in the following reports:
Users at Risk
Risky Sign-ins
Activity reports in the Azure classic portal vs. the Azure portal
The table in this section lists existing reports in the Azure classic portal. It also describes how you can get the same
information in the Azure portal.
To view all auditing data, on the Azure Active Directory blade, under ACTIVITY, go to Audit logs.
AZURE CLASSIC PORTAL TO FIND IN THE AZURE PORTAL
Password reset registration activity For Activity Category, select Self-service Password
Management.
Account provisioning activity For Activity Category, select Account User Provisioning.
Password rollover status For Activity Category, select Automatic App Password
Rollover.
Account provisioning errors For Activity Category, select Account User Provisioning.
Office365 Group Name Changes For Activity Category, select Self-service Password
Management. For Activity Resource Type, select Group.
For Activity Source, select O365 groups.
To view the Application Usage report, on the Azure Active Directory blade, under MANAGE, select Enterprise
Applications, and then select Sign-ins.
Next steps
For an overview of reporting, see the Azure Active Directory reporting.
How to use the Azure Active Directory Power BI
Content Pack
12/11/2017 • 4 min to read • Edit Online
Understanding how your users adopt and use Azure Active Directory features is critical for you as an IT admin. It
allows you to plan your IT infrastructure and communication to increase usage and to get the most out of AAD
features. Power BI Content Pack for Azure Active Directory gives you the ability to further analyze your data to
understand how you can use this data to gather richer insights into what’s going on with their Azure Active
Directory for the various capabilities you heavily rely on. With the integration of Azure Active Directory APIs into
Power BI, you can easily download the pre-built content packs and gain insights to all the activities within your
Azure Active Directory using rich visualization experience Power BI offers. You can create your own dashboard and
share it easily with anyone in your organization.
This topic provides you with step-by-step instructions on how to install and use the content pack in your
environment.
Installation
To install the Power BI Content Pack:
1. Log into Power BI with your Power BI Account (this is the same account as your O365 or Azure AD Account).
2. At the bottom of the left navigation pane, select Get Data.
TIP
A quick way to get the Tenant ID for your Office 365 / Azure AD tenant is to sign in to the Azure AD portal, drill down
to the directory, and copy the Directory ID from the Properties page.
6. Click Sign-in.
7. Enter your username and password, and then click Sign in.
Include additional fields: You can add a field to the report or remove it by selecting the visual to which you want
to add/remove the field. In the example below, I am adding “sign-in status” field to the table view.
Pin visualizations to your dashboard: You can customize your dashboard and include your own visualizations to
the report and pin it to the dashboard. In the example below, I added a new filter called “Sign-in Status” and
included it in the report. I also changed the visualization from bar chart to a line chart and can pin this new visual to
the dashboard.
Sharing your dashboard: Once you have created the content you want, you can share the dashboard with the
users in your organization. Please remember that once you share the report, they can see the fields you have
selected in the report.
As soon as the new version of the content pack is working, you can remove the old version if needed by deleting
the underlying reports and datasets associated with that content pack.
Next steps
For an overview of reporting, see the Azure Active Directory reporting.
Azure Active Directory report retention policies
12/15/2017 • 1 min to read • Edit Online
This topic provides you with answers to the most common questions in conjunction with the data retention for the
different activity reports in Azure Active Directory.
Q: How can you get the collection of activity data started?
A:
Azure AD Free The first time you open the Azure Active Directory blade or
use the reporting APIs
Security Signals
With reporting in the Azure Active Directory, you get all the information you need to determine how your
environment is doing. The amount of time it takes for reporting data to show up in the Azure portal is also known
as latency.
This topic lists the latency information for the all reporting categories in the Azure portal.
Activity reports
There are two areas of activity reporting:
Sign-in activities – Information about the usage of managed applications and user sign-in activities
Audit logs - System activity information about users and group management, your managed applications and
directory activities
The following table lists the latency information for activity reports.
Security reports
There are two areas of security reporting:
Risky sign-ins - A risky sign-in is an indicator for a sign-in attempt that might have been performed by
someone who is not the legitimate owner of a user account.
Users flagged for risk - A risky user is an indicator for a user account that might have been compromised.
The following table lists the latency information for security reports.
Risk events
Azure Active Directory uses adaptive machine learning algorithms and heuristics to detect suspicious actions that
are related to your user accounts. Each detected suspicious action is stored in a record called risk event.
The following table lists the latency information for risk events.
Next steps
If you want to know more about the activity reports in the Azure portal, see:
Sign-in activity reports in the Azure Active Directory portal
Audit activity reports in the Azure Active Directory portal
If you want to know more about the security reports in the Azure portal, see:
Users at risk security report in the Azure Active Directory portal
Risky sign-ins report in the Azure Active Directory portal
If you want to know more about risk events, see Azure Active Directory risk events.
Azure Active Directory Reporting Notifications
1/4/2018 • 1 min to read • Edit Online
What's next
Curious about what security, audit, and activity reports are available? Check out Azure AD Security, Audit, and
Activity Reports
Getting started with Azure Active Directory Premium
Add company branding to your Sign In and Access Panel pages
Sign-in activity report error codes in the Azure Active
Directory portal
12/11/2017 • 3 min to read • Edit Online
With the information provided by the user sign-ins report, you find answers to questions such as:
Who has signed-in using Azure Active Directory?
Which apps were signed into?
Which sign-ins were failures and if so why?
This topic lists the error codes and the related descriptions.
In your sign-ins report, you can display all failed sign-ins by selecting Failure as Sign-in status.
Clicking an item in the displayed list, opens the Activity Details: Sign-ins blade. This view provides you with all
the details that Azure Active Directory tracks about sign-ins, including the sign-in error code and a failure
reason.
As an alternative to using the Azure portal to access the sign-ins data, you can also use the reporting API.
The following section provides you with a complete overview of all possible errors and the related descriptions.
Error codes
ERROR DESCRIPTION
50001 The service principal named X was not found in the tenant
named Y. This can happen if the application has not been
installed by the administrator of the tenant. Or Resource
principal was not found in the directory or is invalid.
50053 Account is locked because user tried to sign in too many times
with an incorrect user ID or password.
65005 The application required resource access list does not contain
applications discoverable by the resource or The client
application has requested access to resource which was not
specified in its required resource access list or Graph service
returned bad request or resource not found.
70001 The application named X was not found in the tenant named
Y. This can happen if the application has not been installed by
the administrator of the tenant or consented to by any user in
the tenant. You might have sent your authentication request
to the wrong tenant.
81010 Seamless SSO failed because the user's Kerberos ticket has
expired or is invalid.
90093 Graph returned with forbidden error code for the request.
Next steps
For more details, see the Sign-in activity reports in the Azure Active Directory portal.
Reference for multi-factor authentication reporting in
the Azure portal
1/16/2018 • 2 min to read • Edit Online
With Azure Active Directory (Azure AD) reporting in the Azure portal, you can get the information you need to
determine how your environment is doing.
The sign-in activity reports provide you with information about the usage of managed applications and user sign-in
activities, which includes information about the multi-factor authentication (MFA) usage.
The MFA data gives you insights into how MFA is working in your organization. It enables you to answer questions
like:
Was the sign-in challenged with MFA?
How did the user complete MFA?
Why was the user unable to complete MFA?
By aggregating the all sign-in data, you can have a better understanding of the MFA experience within your
organization. The data helps you to answer questions like:
How many users are challenged for MFA?
How many users are unable to complete the MFA challenge?
What are the common MFA issues end users are running into?
This data is available through the Azure portal and the reporting API.
Data structure
The sign-in activity reports for MFA give you access to the following information:
MFA required: Whether MFA is required for the sign-in or not. MFA can be required due to per-user MFA,
conditional access or other reasons. Possible values are Yes or No .
MFA authentication method: The authentication method the user used to complete MFA. Possible values are:
Text message
Mobile app notification
Phone call (Authentication phone)
Mobile app verification code
Phone call (Office phone)
Phone call (Alternate authentication phone)
MFA authentication detail: Scrubbed version of the phone number, for example: +X XXXXXXXX64.
MFA Result: More information on whether MFA was satisfied or denied:
If MFA was satisfied, this column provides more information about how MFA was satisfied.
If MFA was denied, this column would provide the reason for denial. Possible values are Satisfied or
Denied .
The following section lists possible string values for the MFA result field.
Status strings
This section lists the possible values for MFA result status string.
Satisfied status strings
Azure Multi-Factor Authentication
completed in the cloud
has expired due to the policies configured on tenant
registration prompted
satisfied by claim in the token
satisfied by claim in the token
satisfied by claim in the token
satisfied by claim in the token
satisfied by claim provided by external provider
satisfied by strong authentication
skipped as flow exercised was Windows broker logon flow
skipped as flow exercised was Windows broker logon flow
skipped due to app password
skipped due to location
skipped due to registered device
skipped due to remembered device
successfully completed
Redirected to external provider for multi-factor authentication
Denied status strings
Azure Multi-Factor Authentication denied;
authentication in-progress
duplicate authentication attempt
entered incorrect code too many times
invalid authentication
invalid mobile app verification code
misconfiguration
phone call went to voicemail
phone number has an invalid format
service error
unable to reach the user’s phone
unable to send the mobile app notification to the device
unable to send the mobile app notification
user declined the authentication
user did not respond to mobile app notification
user does not have any verification methods registered
user entered incorrect code
user entered incorrect PIN
user hung up the phone call without succeeding the authentication
user is blocked
user never entered the verification code
user not found
verification code already used once
Next steps
For more information, see Azure Active Directory reporting.
I can’t find some actions that I performed in the
Azure Active Directory activity log
1/16/2018 • 1 min to read • Edit Online
Symptoms
I performed some actions in the Azure portal and expected to see the audit logs for those actions in the
Activity logs > Audit Logs blade, but I can’t find them.
Cause
Actions don’t appear immediately in the Activity Audit log. It can take anywhere from 15 minutes to an hour to see
the audit logs in the portal from the time the operation is performed.
Resolution
Wait for 15 minutes to an hour and see if the actions appear in the log. If you still don’t see them, please raise a
support ticket with us and we will look into it.
Next steps
See the Azure Active Directory reporting FAQ.
I can’t find any data in the Azure Active Directory
activity logs I have downloaded
1/16/2018 • 1 min to read • Edit Online
Symptoms
I downloaded the activity logs (audit or sign-ins) and I don’t see all the records for the time I chose. Why?
Cause
When you download activity logs in the Azure portal, we limit the scale to 120K records, sorted by most recent.
Resolution
You can leverage Azure AD Reporting APIs to fetch up to a million records at any given point. Our recommended
approach is to run a script on a scheduled basis that calls the reporting APIs to fetch records in an incremental
fashion over a period of time (e.g., daily or weekly).
Next steps
See the Azure Active Directory reporting FAQ.
Troubleshooting Azure Active Directory Activity logs
content pack errors
1/16/2018 • 1 min to read • Edit Online
When working with the Power BI Content Pack for Azure Active Directory Preview, it is possible that you run into
the following errors:
Refresh failed
Failed to update data source credentials
Importing of data is taking too long
This topic provides you with information about the possible causes and how to fix these errors.
Refresh failed
How this error is surfaced: Email from Power BI or failed status in the refresh history.
Refresh failure errors can be caused when the credentials of In Power BI, locate the dataset corresponding to the Azure
the users connecting to the content pack have been reset but Active Directory Activity logs dashboard (Azure Active
not updated in the connection settings of the of the content Directory Activity logs), choose schedule refresh, and then
pack. enter your Azure AD credentials.
A refresh can fail due to data issues in the underlying content File a support ticket. For more details, see How to get support
pack. for Azure Active Directory.
The connecting user is neither a global admin nor a security Use an account that is either a global admin or a security
reader or a security admin. reader or a security admin to access the content packs.
Your tenant is not a Premium tenant or doesn't have at least File a support ticket. For more details, see How to get support
one user with Premium license File. for Azure Active Directory.
Depending on the size of your tenant, this step could take Just be patient. If the message does not change to showing
anywhere from a few mins to 30 minutes. your dashboard within an hour, please file a support ticket. For
more details, see How to get support for Azure Active
Directory.
Next steps
To install the Power BI Content Pack for Azure Active Directory Preview, click here.
Getting started with the Azure Active Directory
reporting API
12/11/2017 • 1 min to read • Edit Online
Azure Active Directory provides you with a variety of reports. The data of these reports can be very useful to your
applications, such as SIEM systems, audit, and business intelligence tools. The Azure AD reporting APIs provide
programmatic access to the data through a set of REST-based APIs. You can call these APIs from a variety of
programming languages and tools.
This article provides you with the information you need to get started with the Azure AD reporting APIs. In the next
section, you find more details about using the audit and sign-in APIs.
For frequently asked questions,read our FAQ. For issues, please file a support ticket
Learning map
1. Prepare - Before you can test your API samples, you need to complete the prerequisites to access the Azure AD
reporting API.
2. Explore - Get a first impression of the reporting APIs:
Using the samples for the audit API
Using the samples for the sign-in activity report API
3. Customize - Create your own solution:
Using the audit API reference
Using the sign-in activity report API reference
Next Steps
If you are curious to see all available Azure AD Graph API endpoints, use this link:
https://graph.windows.net/tenant-name/activities/$metadata?api-version=beta.
Azure Active Directory audit API reference
1/16/2018 • 4 min to read • Edit Online
This topic is part of a collection of topics about the Azure Active Directory reporting API.
Azure AD reporting provides you with an API that enables you to access audit data using code or related tools. The
scope of this topic is to provide you with reference information about the audit API.
See:
Audit logs for more conceptual information
Getting started with the Azure Active Directory Reporting API for more information about the reporting API.
For:
Frequently asked questions, read our FAQ
Issues, please file a support ticket
Prerequisites
In order to access this report through the Reporting API, you must have:
An Azure Active Directory Free or better edition
Completed the prerequisites to access the Azure AD reporting API.
API Endpoint
You can access this API using the following URI:
https://graph.windows.net/contoso.com/activities/audit?api-version=beta
There is no limit on the number of records returned by the Azure AD audit API (using OData pagination). For
retention limits on reporting data, check out Reporting Retention Policies.
This call returns the data in batches. Each batch has a maximum of 1000 records.
To get the next batch of records, use the Next link. Get the skiptoken information from the first set of returned
records. The skip token will be at the end of the result set.
https://graph.windows.net/contoso.com/activities/audit?api-version=beta&%24skiptoken=-1339686058
Supported filters
You can narrow down the number of records that are returned by an API call in form of a filter.
For sign-in API related data, the following filters are supported:
$top=<number of records to be returned> - to limit the number of returned records. This is an expensive
operation. You should not use this filter if you want to return thousands of objects.
$filter=<your filter statement> - to specify, on the basis of supported filter fields, the type of records you
care about
activityDate
Supported operators: eq, ge, le, gt, lt
Example:
Notes:
datetime should be in UTC format
category
Supported values:
CATEGORY VALUE
Supported operators: eq
Example:
$filter=category eq 'SSPR'
activityStatus
Supported values:
Success 0
Failure -1
Supported operators: eq
Example:
$filter=activityStatus eq -1
activityType
Supported operators: eq
Example:
$filter=activityType eq 'User'
Notes:
case-sensitive
activity
Supported operators: eq, contains, startsWith
Example:
Notes:
case-sensitive
actor/name
Supported operators: eq, contains, startsWith
Example:
Notes:
case-insensitive
actor/objectId
Supported operators: eq
Example:
$filter=actor/objectId eq 'e8096343-86a2-4384-b43a-ebfdb17600ba'
target/name
Supported operators: eq, contains, startsWith
Example:
Notes:
Case-insensitive
target/upn
Supported operators: eq, startsWith
Example:
$filter=targets/any(t:
startswith(t/Microsoft.ActiveDirectory.DataService.PublicApi.Model.Reporting.AuditLog.TargetResourceUserEntity/
userPrincipalName,'abc'))
Notes:
Case-insensitive
You need to add the full namespace when querying
Microsoft.ActiveDirectory.DataService.PublicApi.Model.Reporting.AuditLog.TargetResourceUserEntity
target/objectId
Supported operators: eq
Example:
actor/upn
Supported operators: eq, startsWith
Example:
$filter=startswith(actor/Microsoft.ActiveDirectory.DataService.PublicApi.Model.Reporting.AuditLog.ActorUserEnti
ty/userPrincipalName,'abc')
Notes:
Case-insensitive
You need to add the full namespace when querying
Microsoft.ActiveDirectory.DataService.PublicApi.Model.Reporting.AuditLog.ActorUserEntity
Next Steps
Do you want to see examples for filtered system activities? Check out the Azure Active Directory audit API
samples.
Do you want to know more about the Azure AD reporting API? See Getting started with the Azure Active
Directory Reporting API.
Azure Active Directory sign-in activity report API
reference
1/16/2018 • 3 min to read • Edit Online
This topic is part of a collection of topics about the Azure Active Directory reporting API.
Azure AD reporting provides you with an API that enables you to access sign-in activity report data using code or
related tools. The scope of this topic is to provide you with reference information about the sign-in activity report
API.
See:
Sign-in activities for more conceptual information
Getting started with the Azure Active Directory Reporting API for more information about the reporting API.
Connect-MsolService
$servicePrincipal = Get-MsolServicePrincipal -AppPrincipalId "<app client id>"
$role = Get-MsolRole | ? Name -eq "Security Reader"
Add-MsolRoleMember -RoleObjectId $role.ObjectId -RoleMemberType ServicePrincipal -RoleMemberObjectId
$servicePrincipal.ObjectId
Prerequisites
To access this report through the reporting API, you must have:
An Azure Active Directory Premium P1 or P2 edition
Completed the prerequisites to access the Azure AD reporting API.
API Endpoint
You can access this API using the following base URI:
https://graph.windows.net/contoso.com/activities/signinEvents?api-version=beta
Due to the volume of data, this API has a limit of one million returned records.
This call returns the data in batches. Each batch has a maximum of 1000 records.
To get the next batch of records, use the Next link. Get the skiptoken information from the first set of returned
records. The skip token will be at the end of the result set.
https://graph.windows.net/$tenantdomain/activities/signinEvents?api-version=beta&%24skiptoken=-1339686058
Supported filters
You can narrow down the number of records that are returned by an API call in form of a filter.
For sign-in API related data, the following filters are supported:
$top=<number of records to be returned> - to limit the number of returned records. This is an expensive
operation. You should not use this filter if you want to return thousands of objects.
$filter=<your filter statement> - to specify, on the basis of supported filter fields, the type of records you
care about
NOTE
When using Graph Explorer, you the need to use the correct case for each letter is your filter fields.
To narrow down the scope of the returned data, you can build combinations of the supported filters and filter fields.
For example, the following statement returns the top 10 records between July 1st 2016 and July 6th 2016:
https://graph.windows.net/contoso.com/activities/signinEvents?api-
version=beta&$top=10&$filter=signinDateTime+ge+2016-07-01T17:05:21Z+and+signinDateTime+le+2016-07-07T00:00:00Z
signinDateTime
Supported operators: eq, ge, le, gt, lt
Example:
Using a specific date
$filter=signinDateTime+eq+2016-04-25T23:59:00Z
Using a date range
$filter=signinDateTime+ge+2016-07-01T17:05:21Z+and+signinDateTime+le+2016-07-07T17:05:21Z
Notes:
The datetime parameter should be in the UTC format
userId
Supported operators: eq
Example:
$filter=userId+eq+’00000000-0000-0000-0000-000000000000’
Notes:
The value of userId is a string value
userPrincipalName
Supported operators: eq
Example:
$filter=userPrincipalName+eq+'audrey.oliver@wingtiptoysonline.com'
Notes:
The value of userPrincipalName is a string value
appId
Supported operators: eq
Example:
$filter=appId+eq+’00000000-0000-0000-0000-000000000000’
Notes:
The value of appId is a string value
appDisplayName
Supported operators: eq
Example:
$filter=appDisplayName+eq+'Azure+Portal'
Notes:
The value of appDisplayName is a string value
loginStatus
Supported operators: eq
Example:
$filter=loginStatus+eq+'1'
Notes:
There are two options for the loginStatus: 0 - success, 1 - failure
Next steps
Do you want to see examples for filtered sign-in activities? Check out the Azure Active Directory sign-in activity
report API samples.
Do you want to know more about the Azure AD reporting API? See Getting started with the Azure Active
Directory Reporting API.
Prerequisites to access the Azure AD reporting API
12/11/2017 • 3 min to read • Edit Online
The Azure AD reporting APIs provide you with programmatic access to the data through a set of REST-based APIs.
You can call these APIs from a variety of programming languages and tools.
The reporting API uses OAuth to authorize access to the web APIs.
To get access to the reporting data through the API, you need to have one of the following roles assigned:
Security Reader
Security Admin
Global Admin
To prepare your access to the reporting API, you must:
1. Register an application
2. Grant permissions
3. Gather configuration settings
For questions, issues or feedback, please file a support ticket.
IMPORTANT
Applications running under credentials with "admin" privileges like this can be very powerful, so please be sure to keep the
application's ID/secret credentials secure.
3. On the App registrations blade, in the toolbar on the top, click New application registration.
Grant permissions
The objective of this step is to grant your application Read directory data permissions to the Windows Azure
Active Directory API.
4. On the Required permissions blade, in the API list, click Windows Azure Active Directory.
5. On the Enable Access blade, select Read directory data.
2. On the App registrations blade, in the apps list, click Reporting API application.
3. On the Reporting API application blade, at the Application ID, click Click to copy.
Next Steps
Would you like to access the data from the Azure AD reporting API in a programmatic manner? Check out
Getting started with the Azure Active Directory Reporting API.
If you would like to find out more about Azure Active Directory reporting, see the Azure Active Directory
Reporting Guide.
Azure Active Directory reporting audit API samples
12/11/2017 • 3 min to read • Edit Online
This topic is part of a collection of topics about the Azure Active Directory reporting API.
Azure AD reporting provides you with an API that enables you to access audit data using code or related tools. The
scope of this topic is to provide you with sample code for the audit API.
See:
Audit logs for more conceptual information
Getting started with the Azure Active Directory Reporting API for more information about the reporting API.
For questions, issues or feedback, please contact AAD Reporting Help.
Prerequisites
Before you can use the samples in this topic, you need to complete the prerequisites to access the Azure AD
reporting API.
Known issue
App Auth will not work if your tenant is in the EU region. Please use User Auth for accessing the Audit API as a
workaround until we fix the issue.
PowerShell script
# This script will require registration of a Web Application in Azure Active Directory (see
https://azure.microsoft.com/documentation/articles/active-directory-reporting-api-getting-started/)
# Constants
$ClientID = "your-client-application-id-here" # Insert your application's Client ID, a Globally
Unique ID (registered by Global Admin)
$ClientSecret = "your-client-application-secret-here" # Insert your application's Client Key/Secret string
$loginURL = "https://login.microsoftonline.com" # AAD Instance; for example
https://login.microsoftonline.com
$tenantdomain = "your-tenant-domain.onmicrosoft.com" # AAD Tenant; for example, contoso.onmicrosoft.com
$resource = "https://graph.windows.net" # Azure AD Graph API resource URI
$7daysago = "{0:s}" -f (get-date).AddDays(-7) + "Z" # Use 'AddMinutes(-5)' to decrement minutes, for
example
Write-Output "Searching for events starting $7daysago"
# Create HTTP header, get an OAuth2 access token based on client id, secret and tenant domain
$body =
@{grant_type="client_credentials";resource=$resource;client_id=$ClientID;client_secret=$ClientSecret}
$oauth = Invoke-RestMethod -Method Post -Uri $loginURL/$tenantdomain/oauth2/token?api-version=1.0 -Body
$body
# Parse audit report items, save output to file(s): auditX.json, where X = 0 thru n for number of nextLink
pages
if ($oauth.access_token -ne $null) {
$i=0
$headerParams = @{'Authorization'="$($oauth.token_type) $($oauth.access_token)"}
$url = 'https://graph.windows.net/' + $tenantdomain + '/activities/audit?api-
version=beta&$filter=activityDate gt ' + $7daysago
Bash script
#!/bin/bash
URL="https://graph.windows.net/$TENANT_DOMAIN/activities/audit?api-
version=beta&$filter=activityDate%20gt%20$YESTERDAY"
Python script
# Author: Michael McLaughlin (michmcla@microsoft.com)
# Date: January 20, 2016
# This requires the Python Requests module: http://docs.python-requests.org
import requests
import datetime
import sys
client_id = 'your-application-client-id-here'
client_secret = 'your-application-client-secret-here'
login_url = 'https://login.microsoftonline.com/'
tenant_domain = 'your-directory-name-here.onmicrosoft.com'
access_token = token_response.json().get('access_token')
token_type = token_response.json().get('token_type')
if response.status_code is 200:
print response.content
else:
print 'ERROR: API request failed'
Next steps
Would you like to customize the samples in this topic? Check out the Azure Active Directory audit API reference.
If you want to see a complete overview of using the Azure Active Directory reporting API, see Getting started
with the Azure Active Directory reporting API.
If you would like to find out more about Azure Active Directory reporting, see the Azure Active Directory
Reporting Guide.
Azure Active Directory sign-in activity report API
samples
1/16/2018 • 1 min to read • Edit Online
This topic is part of a collection of topics about the Azure Active Directory reporting API.
Azure AD reporting provides you with an API that enables you to access sign-in activity data using code or related
tools.
The scope of this topic is to provide you with sample code for the sign-in activity API.
See:
Audit logs for more conceptual information
Getting started with the Azure Active Directory Reporting API for more information about the reporting API.
Prerequisites
Before you can use the samples in this topic, you need to complete the prerequisites to access the Azure AD
reporting API.
PowerShell script
# This script will require the Web Application and permissions setup in Azure Active Directory
$ClientID = "<clientId>" # Should be a ~35 character string insert your info here
$ClientSecret = "<clientSecret>" # Should be a ~44 character string insert your info here
$loginURL = "https://login.microsoftonline.com/"
$tenantdomain = "<tenantDomain>"
$ daterange # For example, contoso.onmicrosoft.com
Write-Output $7daysago
# Get an Oauth 2 access token based on client id, secret and tenant domain
$body =
@{grant_type="client_credentials";resource=$resource;client_id=$ClientID;client_secret=$ClientSecret}
$url = "https://graph.windows.net/$tenantdomain/activities/signinEvents?api-
version=beta&`$filter=signinDateTime ge $7daysago"
$i=0
Do{
Write-Output "Fetching data using Uri: $url"
$myReport = (Invoke-WebRequest -UseBasicParsing -Headers $headerParams -Uri $url)
Write-Output "Save the output to a file SigninActivities$i.json"
Write-Output "---------------------------------------------"
$myReport.Content | Out-File -FilePath SigninActivities$i.json -Force
$url = ($myReport.Content | ConvertFrom-Json).'@odata.nextLink'
$i = $i+1
} while($url -ne $null)
} else {
Next Steps
Would you like to customize the samples in this topic? Check out the Azure Active Directory sign-in activity API
reference.
If you want to see a complete overview of using the Azure Active Directory reporting API, see Getting started
with the Azure Active Directory reporting API.
If you would like to find out more about Azure Active Directory reporting, see the Azure Active Directory
Reporting Guide.
Get data using the Azure AD Reporting API with
certificates
12/7/2017 • 1 min to read • Edit Online
This article discusses how to use the Azure AD Reporting API with certificate credentials to get data from directories
without user intervention.
NOTE
You need to provide the application Object ID that you captured earlier, as well as the certificate object (get this using the
Cert: drive).
Get an access token
To get an access token, use the Get-AzureADGraphAPIAccessTokenFromCert cmdlet from AzureADUtils.
NOTE
You need to use the Application ID instead of the Object ID that you used in the last section.
You are now ready to export to a CSV and save to a SIEM system. You can also wrap your script in a scheduled task
to get Azure AD data from your tenant periodically without having to store application keys in the source code.
Next steps
The fundamentals of Azure identity management
Azure AD self-service password reset for the IT
professional
1/11/2018 • 2 min to read • Edit Online
With Azure Active Directory (Azure AD) self-service password reset (SSPR), users can reset their passwords on their
own when and where they need to. At the same time, administrators can control how a user's password gets reset.
Users no longer need to call a help desk just to reset their password. Azure AD SSPR includes:
Self-service password change: The user knows their password but wants to change it to something new.
Self-service password reset: The user is unable to sign in and wants to reset their password by using one or
more of the following validated authentication methods:
Send a text message to a validated mobile phone.
Make a phone call to a validated mobile or office phone.
Send an email to a validated secondary email account.
Answer their security questions.
Self-service account unlock: The user is unable to sign in with their password and has been locked out. The
user wants to unlock their account without administrator intervention by using their authentication methods.
Next steps
Are you ready to get started with SSPR? Set up Azure AD self-service password reset.
Plan a successful SSPR deployment to your users by using the guidance found in our rollout guide.
Reset or change your password.
Register for self-service password reset.
Reset your work or school password
1/11/2018 • 6 min to read • Edit Online
If you forgot your password, never received one from your company support, have been locked out of your
account, or want to change it, we can help. If you know your password and just need to change it, continue to
the Change my password section.
NOTE
If you're trying to get back in to your personal account like Xbox, hotmail.com, or outlook.com, try the suggestions in the
When you can't sign in to your Microsoft account article.
2. Enter your work or school User ID, prove you aren't a robot by entering the characters you see on the
screen, and then select Next.
NOTE
If your IT staff has not enabled this functionality, a "Contact your administrator" link appears so your IT staff can
help via email or a web portal of their own.
If you need to unlock your account, at this point select the option I know my password, but still can't sign in.
3. Depending on how your IT staff has configured SSPR you should see one or more of the following
authentication methods. Either you or your IT staff should have populated some of this information by
following the steps in the Register for self-service password reset article.
Email my alternate email
Text my mobile phone
Call my mobile phone
Call my office phone
Answer my security questions
Choose an option, provide the correct responses, and then select Next.
4. Your IT staff might need more verification, and you might have to repeat step 3 with a different choice.
5. On the Choose a new password page, enter a new password, confirm your password, and then select
Finish. Your work or school password might have certain requirements that you need to adhere to. We
suggest that choose a password that's 8 to 16 characters long and includes uppercase and lowercase
characters, a number, and a special character.
6. When you see the message Your password has been reset, you can sign in with your new password.
You should now be able to access your account. If you can't access your account, you should contact your
organization's IT staff for further help.
You might receive a confirmation email that comes from an account like "Microsoft on behalf of <your
organization>." If you get an email like this one and you did not use self-service password reset to regain access
to your account, contact your organization's IT staff.
Change my password
If you know your password already and want to change it, use the following steps.
Change your password from the Office 365 portal
Use this method if you normally access your applications through the Office portal:
1. Sign in to your Office 365 account with your existing password.
2. Select your profile on the upper-right side, and then select View account.
3. Select Security & privacy > Password.
4. Enter your old password, set and confirm your new password, and then select Submit.
Change your password from the Azure Access Panel
Use this method if you normally access your applications from the Azure Access Panel (MyApps):
1. Sign in to the Azure Access Panel with your existing password.
2. Select your profile on the upper-right side, and then select Profile.
3. Select Change password.
4. Enter your old password, set and confirm your new password, and then select Submit.
I see an error when I try to change my Unfortunately, your password contains Choose a password that is more
password. a word, phrase, or pattern that makes difficult to guess.
your password easily guessable. Please
try again with a different password.
I get a "Please contact your Please contact your administrator. You're seeing this message because
administrator" page after entering my your IT staff manages your password
user ID We've detected that your user account in your on-premises environment. You
password is not managed by can't reset your password from the
Microsoft. As a result, we are unable to "Can't access your account" link.
automatically reset your password.
To reset your password, contact your
You need to contact your IT staff for IT staff directly for help, and let them
further assistance. know you want to reset your
password so they can enable this
feature for you.
ERROR CASE WHAT ERROR DO YOU SEE? SOLUTION
I get a "Your account is not enabled Your account is not enabled for You're seeing this message because
for password reset" error after password reset. your IT staff has not enabled password
entering my user ID reset for your organization from the
We're sorry, but your IT staff has not "Can't access your account" link, or
set up your account to use this service. hasn't licensed you to use the feature.
I get a "We could not verify your We could not verify your account. You're seeing this message because
account" error after entering my user you're enabled for password reset, but
ID If you'd like, we can contact an you have not registered to use the
administrator in your organization to service. To register for password reset,
reset your password for you. go to http://aka.ms/ssprsetup after
you have regained access to your
account.
Next steps
How to register to use self-service password reset
Password reset registration page
Password reset portal
Can't sign in to your Microsoft account
A multi-tiered approach to Azure AD password
security
12/11/2017 • 2 min to read • Edit Online
This article discusses some best practices you can follow as a user or as an administrator to protect your Azure
Active Directory (Azure AD) or Microsoft Account.
NOTE
Are you here because you're having problems signing in? If so, here's how you can change and reset your own
password.
Azure AD administrators can reset user passwords using the guidance in the article Reset the password for a user in Azure
Active Directory.
Password requirements
Azure AD incorporates the following common approaches to securing passwords:
Password length requirements
Password complexity requirements
Regular and periodic password expiration
For information about password reset in Azure Active Directory, see the topic Azure AD self-service password reset
for the IT professional.
For other Microsoft accounts, their screen looks similar to the one that follows:
For information about password reset in Azure Active Directory, see the topic Azure AD self-service password reset
for the IT professional.
NOTE
If you are an Azure AD administrator, you may want to use Windows Hello to avoid having your users create traditional
passwords altogether.
Next steps
How to update your own password
The fundamentals of Azure identity management
Report on password reset activity
Register for self-service password reset
1/17/2018 • 3 min to read • Edit Online
IMPORTANT
Are you here because you can't sign in? If so, see Reset your work or school password.
As an end user, you can reset your password or unlock your account by yourself if you use Azure Active
Directory (Azure AD) self-service password reset (SSPR). Before you can use this functionality, you have to
register your authentication methods or confirm the predefined authentication methods that your administrator
has populated.
I get a "please contact your Please contact your administrator. You're seeing this message because
administrator" page after entering my your IT staff manages your password in
user ID We've detected that your user account your on-premises environment and
password is not managed by does not allow you to reset your
Microsoft. As a result, we are unable to password from the Can't access your
automatically reset your password. account link.
Contact your IT staff for any further To reset your password, contact your
assistance. IT staff directly for help. Let them know
you want to reset your password so
they can enable this feature for you.
ERROR CASE WHAT ERROR DO YOU SEE? SOLUTION
I get a "your account is not enabled for Your account is not enabled for You're seeing this message because
password reset" error after entering password reset. your IT staff has not enabled password
my user ID reset for your organization from the
We're sorry, but your IT staff has not Can't access your account link or
set up your account for use with this hasn't licensed you to use the feature.
service.
To reset your password, select the
If you'd like, we can contact an contact an administrator link. An
administrator in your organization to email will be sent to your company's IT
reset your password for you. staff. The email lets them know you
want to reset your password, so they
can enable this feature for you.
I get a "we could not verify your We could not verify your account. You're seeing this message because
account" error after entering my user you're enabled for password reset, but
ID If you'd like, we can contact an you haven't registered to use the
administrator in your organization to service. To register for password reset,
reset your password for you. go to the password reset registration
page after you have regained access to
your account.
Next steps
Change your password by using self-service password reset
Password reset registration page
Password reset portal
When you can't sign in to your Microsoft account
Self-service password reset in Azure AD deep dive
1/17/2018 • 13 min to read • Edit Online
How does self-service password reset (SSPR) work? What does that option mean in the interface? Continue
reading to find out more about Azure Active Directory (Azure AD) SSPR.
Authentication methods
If SSPR is enabled, you must select at least one of the following options for the authentication methods.
Sometimes you hear these options referred to as "gates." We highly recommend that you choose at least two
authentication methods so that your users have more flexibility.
Email
Mobile phone
Office phone
Security questions
What fields are used in the directory for the authentication data?
Office phone: Corresponds to the office phone.
Users are unable to set this field themselves. It must be defined by an administrator.
Mobile phone: Corresponds to either the authentication phone (not publicly visible) or the mobile phone
(publicly visible).
The service looks for the authentication phone first, and then falls back to the mobile phone if the
authentication phone is not present.
Alternate email address: Corresponds to either the authentication email (not publicly visible) or the alternate
email.
The service looks for the authentication email first, and then fails back to the alternate email.
By default, only the cloud attributes office phone and mobile phone are synchronized to your cloud directory from
your on-premises directory for authentication data.
Users can only reset their password if they have data present in the authentication methods that the administrator
has enabled and requires.
If users don't want their mobile phone number to be visible in the directory, but they still want to use it for
password reset, administrators should not populate it in the directory. Users should then populate their
Authentication Phone attribute via the password reset registration portal. Administrators can see this
information in the user's profile, but it's not published elsewhere.
The number of authentication methods required
This option determines the minimum number of the available authentication methods or gates a user must go
through to reset or unlock their password. It can be set to either one or two.
Users can choose to supply more authentication methods if the administrator enables that authentication method.
If a user does not have the minimum required methods registered, they see an error page that directs them to
request that an administrator reset their password.
Change authentication methods
If you start with a policy that has only one required authentication method for reset or unlock registered and you
change that to two methods, what happens?
If you change the types of authentication methods that a user can use, you might inadvertently stop users from
being able to use SSPR if they don't have the minimum amount of data available.
Example:
1. The original policy is configured with two authentication methods required. It uses only the office phone
number and the security questions.
2. The administrator changes the policy to no longer use the security questions, but allows the use of a mobile
phone and an alternate email.
3. Users without the mobile phone and alternate email fields populated can't reset their passwords.
How secure are my security questions?
If you use security questions, we recommend using them in conjunction with another method. Security questions
can be less secure than other methods because some people might know the answers to another user's
questions.
NOTE
Security questions are stored privately and securely on a user object in the directory and can only be answered by users
during registration. There is no way for an administrator to read or modify a user's questions or answers.
Registration
Require users to register when they sign in
To enable this option, a user who is enabled for password reset has to complete the password reset registration if
they sign in to applications by using Azure AD. This includes the following:
Office 365
Azure portal
Access Panel
Federated applications
Custom applications by using Azure AD
When requiring registration is disabled, users can still manually register their contact information. They can either
visit http://aka.ms/ssprsetup or select the Register for password reset link under the Profile tab in the Access
Panel.
NOTE
Users can dismiss the password reset registration portal by selecting cancel or by closing the window. But they are
prompted to register each time they sign in until they complete their registration.
This doesn't break the user's connection if they are already signed in.
Set the number of days before users are asked to reconfirm their authentication information
This option determines the period of time between setting and reconfirming authentication information and is
available only if you enable the Require users to register when signing in option.
Valid values are 0 to 730 days, with "0" meaning users are never asked to reconfirm their authentication
information.
Notifications
Notify users on password resets
If this option is set to Yes, then the user who is resetting their password receives an email notifying them that
their password has been changed. The email is sent via the SSPR portal to their primary and alternate email
addresses that are on file in Azure AD. No one else is notified of this reset event.
Notify all admins when other admins reset their passwords
If this option is set to Yes, then all administrators receive an email to their primary email address on file in Azure
AD. The email notifies them that another administrator has changed their password by using SSPR.
Example: There are four administrators in an environment. Administrator A resets their password by using SSPR.
Administrators B, C, and D receive an email that alerts them of the password reset.
On-premises integration
If you install, configure, and enable Azure AD Connect, you have the following additional options for on-premises
integrations. If these options are grayed out, then writeback has not been properly configured. For more
information, see Configuring password writeback.
This page provides you a quick status of the on-premises writeback client one of the following messages are
displayed based on the current configuration:
Your On-premises writeback client is up and running.
Azure AD is online and is connected to your on-premises writeback client. However, it looks like the installed
version of Azure AD Connect is out-of-date. Consider Upgrading Azure AD Connect to ensure that you have
the latest connectivity features and important bug fixes.
Unfortunately, we can’t check your on-premises writeback client status because the installed version of Azure
AD Connect is out-of-date. Upgrade Azure AD Connect to be able to check your connection status.
Unfortunately, it looks like we can't connect to your on-premises writeback client right now. Troubleshoot
Azure AD Connect to restore the connection.
Unfortunately, we can't connect to your on-premises writeback client because password writeback has not
been properly configured. Configure password writeback to restore the connection.
Unfortunately, it looks like we can't connect to your on-premises writeback client right now. This may be due
to temporary issues on our end. If the problem persists, Troubleshoot Azure AD Connect to restore the
connection.
Write back passwords to your on-premises directory
This control determines whether password writeback is enabled for this directory. If writeback is on, it indicates
the status of the on-premises writeback service. This is useful if you want to temporarily disable password
writeback without having to reconfigure Azure AD Connect.
If the switch is set to Yes, then writeback is enabled, and federated and password hash synchronized users are
able to reset their passwords.
If the switch is set to No, then writeback is disabled, and federated and password hash synchronized users are
not able to reset their passwords.
Allow users to unlock accounts without resetting their password
This control designates whether users who visit the password reset portal should be given the option to unlock
their on-premises Active Directory accounts without having to reset their password. By default, Azure AD unlocks
accounts when it performs a password reset. You use this setting to separate those two operations.
If set to Yes, then users are given the option to reset their password and unlock the account, or to unlock their
account without having to reset the password.
If set to No, then users are only be able to perform a combined password reset and account unlock operation.
NOTE
Microsoft accounts that have been granted guest access to your Azure AD tenant, such as those from Hotmail.com,
Outlook.com, or other personal email addresses, are not able to use Azure AD SSPR. They need to reset their password by
using the information found in the When you can't sign in to your Microsoft account article.
Next steps
The following articles provide additional information regarding password reset through Azure AD:
How do I complete a successful rollout of SSPR?
Reset or change your password
Register for self-service password reset
Do you have a licensing question?
What data is used by SSPR and what data should you populate for your users?
What authentication methods are available to users?
What are the policy options with SSPR?
What is password writeback and why do I care about it?
How do I report on activity in SSPR?
What are all of the options in SSPR and what do they mean?
I think something is broken. How do I troubleshoot SSPR?
I have a question that was not covered somewhere else
How to successfully roll out self-service password
reset
1/17/2018 • 4 min to read • Edit Online
To ensure a smooth rollout of the Azure Active directory (Azure AD) self-service password reset (SSPR)
functionality, most customers complete the following steps:
1. Enable password reset in your directory.
2. Configure on-premises Active Directory permissions for password writeback.
3. Configure password writeback to write passwords from Azure AD back to your on-premises directory.
4. Assign and verify the required licenses.
5. Determine if you want to do a gradual rollout. If you want to roll out SSPR gradually, you can limit access to a
group of users so you can pilot the program with a specific group. To roll out to a specific group, set the Self
Service Password Reset Enabled switch to Selected and select the security group you want to be able use
password reset.
6. Populate the authentication data needed for your users to register, such as their office phone, mobile phone,
and alternate email address.
7. Customize the Azure AD sign-in experience to include your company branding.
8. Teach your users how to use SSPR. Send them instructions to show them how to register and how to reset
their passwords.
9. Determine when you want to enforce registration. You can choose to enforce registration at any point. You
can also require users to reconfirm their authentication information after a certain period of time.
10. Use the reporting capability. Over time, you can review the users registration and usage with the reporting
capability that Azure AD provides.
11. Enable password reset. When you're ready, enable password reset for all users by setting the Self Service
Password Reset Enabled switch to All.
NOTE
Changing this option from a selected group to everyone does not invalidate existing authentication data that a
user has registered as part of a test group. Users who are configured and have valid authentication data registered
continue to function.
12. Enable Windows 10 users to reset their password at the login screen.
IMPORTANT
Test SSPR with a user, rather than an administrator, as Microsoft enforces strong authentication requirements for
Azure administrator accounts. For more information regarding the administrator password policy, see our
password policy article.
Email-based rollout
Many customers find that the easiest way to get users to use SSPR is with an email campaign that includes
simple-to-use instructions. We have created three simple emails that you can use as templates to help in your
rollout:
Coming soon: An email template that you use in the weeks or days before the rollout to let users know they
need to do something.
Available now: An email template that you use the day of the program launch to drive users to register and
confirm their authentication data. If users register now, they have SSPR available when they need it.
Sign-up reminder: An email template for a few days to a few weeks after deployment to remind users to
register and confirm their authentication data.
Next steps
Reset or change your password
Register for self-service password reset
Do you have a licensing question?
What data is used by SSPR and what data should you populate for your users?
What are the policy options with SSPR?
What is password writeback and why do I care about it?
How do I report on activity in SSPR?
What are all of the options in SSPR and what do they mean?
I think something is broken. How do I troubleshoot SSPR?
I have a question that was not covered somewhere else
Azure AD password reset from the login screen
1/11/2018 • 3 min to read • Edit Online
You have already deployed Azure AD self-service password reset (SSPR) but your users still call the helpdesk when
they forget their passwords. They call the helpdesk because they can't get to a web browser to access SSPR.
With the new Windows 10 Fall Creators Update, users with Azure AD joined devices can see a “Reset password”
link on their login screen. When they click this link, they are brought to the same self-service password reset (SSPR)
experience they are familiar with.
To enable users to reset their Azure AD password from the Windows 10 login screen, the following requirements
need to be met:
Windows 10, version 1709, or newer client that is Azure AD joined.
Azure AD self-service password reset must be enabled.
Configure and deploy the setting to enable the Reset password link via one of the following methods:
Intune device configuration profile
Registry key
3. Configure Settings
Add the following OMA-URI Setting to enable the Reset password link
Provide a meaningful name to explain what the setting is doing
Optionally provide a meaningful description of the setting
OMA-URI set to ./Vendor/MSFT/Policy/Config/Authentication/AllowAadPasswordReset
Data type set to Integer
Value set to 1
Click OK
Click OK
4. Click Create
Assign a device configuration policy in Intune
Create a group to apply device configuration policy to
1. Log in to the Azure portal and click on Azure Active Directory.
2. Browse to Users and groups > All groups > New group
3. Provide a name for the group and under Membership type choose Assigned
Under Members, choose the Azure AD joined Windows 10 devices that you want to apply the policy to.
Click Select
4. Click Create
More information on creating groups can be found in the article Manage access to resources with Azure Active
Directory groups.
Assign device configuration policy to device group
1. Log in to the Azure portal and click on Intune.
2. Find the device configuration profile created previously by going to Device configuration > Profiles > Click
on the profile created earlier
3. Assign the profile to a group of devices
Click on Assignments > under Include > Select groups to include
Select the group created previously and click Select
Click on Save
You have now created and assigned a device configuration policy to enable the Reset password link on the logon
screen using Intune.
When users attempt to log in, they now see a Reset password link that opens the self-service password reset
experience at the logon screen. This functionality allows users to reset their password without having to use
another device to access a web browser.
Your users will find guidance for using this feature in Reset your work or school password
Common issues
When testing this functionality using Hyper-V, the "Reset password" link does not appear.
Go to the VM you are using to test click on View and then uncheck Enhanced session.
When testing this functionality using Remote Desktop, the "Reset password" link does not appear
Password reset is not currently supported from a Remote Desktop.
Next steps
The following links provide additional information regarding password reset using Azure AD
How do I deploy SSPR?
How do I enable PIN reset from the login screen?
More information about MDM authentication policies
Password policies and restrictions in Azure Active
Directory
1/17/2018 • 5 min to read • Edit Online
This article describes the password policies and complexity requirements associated with user accounts stored in
your Azure Active Directory (Azure AD) tenant.
Characters not allowed Any "@" character that's not separating the username
from the domain.</li> <li>Can't contain a period
character "." immediately preceding the "@" symbol
Length constraints The total length must not exceed 113 characters
There can be up to 64 characters before the "@"
symbol</li><li>There can be up to 48 characters
after the "@" symbol
PROPERTY REQUIREMENTS
Password change history The last password can't be used again when the user changes
a password.
Password reset history The last password can be used again when the user resets a
forgotten password.
NOTE
Only passwords for user accounts that are not synchronized through directory synchronization can be configured to not
expire. For more information about directory synchronization, see Connect AD with Azure AD.
WARNING
Passwords set to -PasswordNeverExpires $true still age based on the pwdLastSet attribute. If you set the user
passwords to never expire and then 90+ days go by, the passwords expire. Based on the pwdLastSet attribute, if
you change the expiration to -PasswordNeverExpires $false , all passwords that have a pwdLastSet older than
90 days require the user to change them the next time they sign in. This change can affect a large number of users.
Next steps
The following articles provide additional information about password reset through Azure AD:
How do I complete a successful rollout of SSPR?
Reset or change your password.
Register for self-service password reset.
Do you have a licensing question?
What data is used by SSPR and what data should you populate for your users?
What authentication methods are available to users?
What is password writeback and why do I care about it?
How do I report on activity in SSPR?
What are all of the options in SSPR and what do they mean?
I think something is broken. How do I troubleshoot SSPR?
I have a question that was not covered somewhere else
Customize the Azure AD functionality for self-service
password reset
1/17/2018 • 4 min to read • Edit Online
IT professionals who want to deploy self-service password reset (SSPR) in Azure Active directory (Azure AD) can
customize the experience to match their users' needs.
The contact email is sent to the following recipients in the following order:
1. If the password administrator role is assigned, administrators with this role are notified.
2. If no password administrators are assigned, then administrators with the user administrator role are notified.
3. If neither of the previous roles are assigned, then the global administrators are notified.
In all cases, a maximum of 100 recipients are notified.
To find out more about the different administrator roles and how to assign them, see Assigning administrator roles
in Azure Active Directory.
Disable "Contact your administrator" emails
If your organization does not want to notify administrators about password reset requests, you can enable the
following configuration:
Enable self-service password reset for all end users. This option is under Password Reset > Properties.
If you don't want users to reset their own passwords, you can scope access to an empty group. We don't
recommend this option.
Customize the helpdesk link to provide a web URL or mailto: address that users can use to get assistance. This
option is under Password Reset > Customization > Custom helpdesk email or URL.
Customize the sign-in page and access panel look and feel
You can customize the sign-in page. You can add a logo that appears along with the image that fits your company
branding.
The graphics you choose are shown in the following circumstances:
After a user enters their username
If the user accesses the customized URL:
By passing the whr parameter to the password reset page, like "https://login.microsoftonline.com/?
whr=contoso.com"
By passing the username parameter to the password reset page, like "https://login.microsoftonline.com/?
username=admin@contoso.com"
Graphics details
Use the following settings to change the visual characteristics of the sign-in page. Go to Azure Active Directory >
Company branding > Edit company branding:
The sign-in page image should be a .png or .jpg file, 1420 x 1200 pixels, and no larger than 500 KB. For the best
results, we recommend that you keep it around 200 KB.
The sign-in page background color is used on high-latency connections and must be in RGB hexadecimal
format.
The banner image should be a .png or .jpg file, 60 x 280 pixels, and be no larger than 10 KB.
The square logo (normal and dark theme) should be a .png or .jpg file, 240 x 240 (resizable) pixels, and no larger
than 10 KB.
Sign-in text options
Use the following settings to add text to the sign-in page that's relevant to your organization. Go to Azure Active
Directory > Company branding > Edit company branding:
User name hint: Replaces the example text of someone@example.com with something more appropriate for
your users. We recommended that you leave the default hint when you support internal and external users.
Sign-in page text: Can be a maximum of 256 characters in length. This text appears anywhere your users
sign in online and in the Azure AD Workplace Join experience on Windows 10. Use this text for the terms of
use, instructions, and tips for your users.
IMPORTANT
Anyone can see your sign-in page, so don't provide any sensitive information here.
Next steps
How do I complete a successful rollout of SSPR?
Reset or change your password
Register for self-service password reset
Do you have a licensing question?
What data is used by SSPR and what data should you populate for your users?
What authentication methods are available to users?
What are the policy options with SSPR?
What is password writeback and why do I care about it?
How do I report on activity in SSPR?
What are all of the options in SSPR and what do they mean?
I think something is broken. How do I troubleshoot SSPR?
I have a question that was not covered somewhere else
Deploy password reset without requiring end-user
registration
1/11/2018 • 3 min to read • Edit Online
To deploy Azure Active Directory (Azure AD) self-service password reset (SSPR), authentication data needs to be
present. Some organizations have their users enter their authentication data themselves. But many organizations
prefer to synchronize with data that already exists in Active Directory. The synced data is made available to Azure
AD and SSPR without requiring user interaction if you:
Properly format the data in your on-premises directory.
Configure Azure AD Connect by using the express settings.
To work properly, phone numbers must be in the format +CountryCode PhoneNumber, for example, +1
4255551234.
NOTE
Password reset does not support phone extensions. Even in the +1 4255551234X12345 format, extensions are removed
before the call is placed.
Fields populated
If you use the default settings in Azure AD Connect, the following mappings are made:
Connect-MsolService
Connect-MsolService
Connect-MsolService
Get-MsolUser -UserPrincipalName user@domain.com | select -Expand StrongAuthenticationUserDetails | select
PhoneNumber
Get-MsolUser -UserPrincipalName user@domain.com | select -Expand StrongAuthenticationUserDetails | select
Email
Get-Module AzureADPreview
Install-Module AzureADPreview
Connect-AzureAD
Connect-AzureAD
Next steps
How do I complete a successful rollout of SSPR?
Reset or change your password
Register for self-service password reset
Do you have a licensing question?
What authentication methods are available to users?
What are the policy options with SSPR?
What is password writeback and why do I care about it?
How do I report on activity in SSPR?
What are all of the options in SSPR and what do they mean?
I think something is broken. How do I troubleshoot SSPR?
I have a question that was not covered somewhere else
Reporting options for Azure AD password
management
1/17/2018 • 10 min to read • Edit Online
After deployment, many organizations want to know how or if self-service password reset (SSPR) is really being
used. The reporting feature that Azure Active Directory (Azure AD) provides helps you answer questions by using
prebuilt reports. If you're appropriately licensed, you can also create custom queries.
The following questions can be answered by the reports that exist in the Azure portal:
NOTE
You must be a global administrator, and you must opt-in for this data to be gathered on behalf of your organization. To
opt in, you must visit the Reporting tab or the audit logs at least once. Until then, data is not collected for your
organization.
IMPORTANT
Currently, the Azure AD Reports and Events API retrieves up to 75,000 individual events of the SsprActivityEvent and
SsprRegistrationActivityEvent types. The API spans the last 30 days.
If you need to retrieve or store data beyond this window, we suggest persisting it in an external database by using the API
to query the deltas that result. We recommend that you begin to retrieve this data when you start using SSPR in your
organization. Persist it externally, and then continue to track the deltas from that point forward.
Next steps
How do I complete a successful rollout of SSPR?
Reset or change your password.
Register for self-service password reset.
Do you have a licensing question?
What data is used by SSPR and what data should you populate for your users?
What authentication methods are available to users?
What are the policy options with SSPR?
What is password writeback and why do I care about it?
What are all of the options in SSPR and what do they mean?
I think something is broken. How do I troubleshoot SSPR?
I have a question that was not covered somewhere else
Reset the password for a user in Azure Active
Directory
12/11/2017 • 1 min to read • Edit Online
Administrators may need to reset a user's password in cases where they forgot, were locked out, or other
scenarios. The steps that follow guide you through resetting a user's password.
NOTE
This temporary password does not have an expiration time so it will be valid until they log in and are then are forced
to change it.
Next steps
Add a user
Assign administrator roles to a user
Manage user profiles
Delete a user in Azure AD
Licensing requirements for Azure AD self-service
password reset
1/17/2018 • 1 min to read • Edit Online
In order for Azure Active Directory (Azure AD) password reset to function, you must have at least one license
assigned in your organization. We don't enforce per-user licensing on the password reset experience. To
maintain compliance with your Microsoft licensing agreement, you need to assign licenses to any users that use
premium features.
Cloud-only users: Office 365 any paid SKU, or Azure AD Basic
Cloud or on-premises users: Azure AD Premium P1 or P2, Enterprise Mobility + Security (EMS), or Microsoft
365
WARNING
Standalone Office 365 licensing plans don't support password writeback and require that you have one of the preceding
plans for this functionality to work.
Additional licensing information, including costs, can be found on the following pages:
Azure Active Directory pricing site
Azure Active Directory features and capabilities
Enterprise Mobility + Security
Microsoft 365 Enterprise
Next steps
How do I complete a successful rollout of SSPR?
Reset or change your password
Register for self-service password reset
What data is used by SSPR and what data should you populate for your users?
What authentication methods are available to users?
What are the policy options with SSPR?
What is password writeback and why do I care about it?
How do I report on activity in SSPR?
What are all of the options in SSPR and what do they mean?
I think something is broken. How do I troubleshoot SSPR?
I have a question that was not covered somewhere else
Password writeback overview
1/11/2018 • 12 min to read • Edit Online
With password writeback, you can configure Azure Active Directory (Azure AD) to write passwords back to your
on-premises Active Directory. Password writeback removes the need to set up and manage a complicated on-
premises self-service password reset (SSPR) solution, and it provides a convenient cloud-based way for your
users to reset their on-premises passwords wherever they are. Password writeback is a component of Azure
Active Directory Connect that can be enabled and used by current subscribers of Premium Azure Active
Directory editions.
Password writeback provides the following features:
Provides zero-delay feedback: Password writeback is a synchronous operation. Your users are notified
immediately if their password did not meet the policy or could not be reset or changed for any reason.
Supports password resets for users that use Active Directory Federation Services (AD FS) or other
federation technologies: With password writeback, as long as the federated user accounts are
synchronized into your Azure AD tenant, they are able to manage their on-premises Active Directory
passwords from the cloud.
Supports password resets for users that use password hash sync: When the password reset service
detects that a synchronized user account is enabled for password hash sync, we reset both this account’s on-
premises and cloud password simultaneously.
Supports password changes from the access panel and Office 365: When federated or password
synchronized users come to change their expired or non-expired passwords, we write those passwords back
to your local Active Directory environment.
Supports passwords writeback when an admin resets them from the Azure portal: Whenever an
admin resets a user’s password in the Azure portal, if that user is federated or password synchronized, we’ll
set the password the admin selects in local Active Directory as well. This functionality is currently not
supported in the Office admin portal.
Enforces your on-premises Active Directory password policies: When a user resets their password, we
make sure that it meets your on-premises Active Directory policy before we commit it to that directory. This
review includes checking the history, complexity, age, password filters, and any other password restrictions
that you have defined in local Active Directory.
Doesn’t require any inbound firewall rules: Password writeback uses an Azure Service Bus relay as an
underlying communication channel. You don't have to open any inbound ports on your firewall for this
feature to work.
Is not supported for user accounts that exist within protected groups in on-premises Active
Directory: For more information about protected groups, see Protected accounts and groups in Active
Directory.
When the call comes in from the cloud, the synchronization engine uses the cloudAnchor
attribute to look up the Azure Active Directory connector space object. It then follows the link back
to the MV object, and then follows the link back to the Active Directory object. Because there can be
multiple Active Directory objects (multi-forest) for the same user, the sync engine relies on the
Microsoft.InfromADUserAccountEnabled.xxx link to pick the correct one.
NOTE
As a result of this logic, for password writeback to work Azure AD Connect must be able to communicate
with the primary domain controller (PDC) emulator. If you need to enable this manually, you can connect
Azure AD Connect to the PDC emulator. Right-click the properties of the Active Directory synchronization
connector, then select configure directory partitions. From there, look for the domain controller
connection settings section and select the box titled only use preferred domain controllers. Even if
the preferred domain controller is not a PDC emulator, Azure AD Connect attempts to connect to the PDC
for password writeback.
8. After the user account is found, we attempt to reset the password directly in the appropriate Active
Directory forest.
9. If the password set operation is successful, we tell the user their password has been changed.
NOTE
If the user's password is synchronized to Azure AD by using password synchronization, there is a chance that the
on-premises password policy is weaker than the cloud password policy. In this case, we still enforce whatever the
on-premises policy is, and instead use password hash synchronization to synchronize the hash of that password.
This policy ensures that your on-premises policy is enforced in the cloud, no matter if you use password
synchronization or federation to provide single sign-on.
10. If the password set operation fails, we return an error to the user and let them try again. The operation
might fail because:
The service was down.
The password they selected did not meet the organization's policies.
We might not find the user in local Active Directory.
We have a specific message for many of these cases and tell the user what they can do to resolve the
problem.
Configure password writeback
We recommend that you use the auto-update feature of Azure AD Connect if you want to use password
writeback.
DirSync and Azure AD Sync are no longer supported as a way to enable password writeback. For more
information to help with your transition, see Upgrade from DirSync and Azure AD Sync.
The following steps assume you have already configured Azure AD Connect in your environment by using the
Express or Custom settings.
1. To configure and enable password writeback, sign in to your Azure AD Connect server and start the Azure
AD Connect configuration wizard.
2. On the Welcome page, select Configure.
3. On the Additional tasks page, select Customize synchronization options, and then select Next.
4. On the Connect to Azure AD page, enter a global administrator credential, and then select Next.
5. On the Connect directories and Domain/OU filtering pages, select Next.
6. On the Optional features page, select the box next to Password writeback and select Next.
7. On the Ready to configure page, select Configure and wait for the process to finish.
8. When you see the configuration finish, select Exit.
For common troubleshooting tasks related to password writeback, see the section Troubleshoot password
writeback in our troubleshooting article.
IMPORTANT
If you neglect to assign these permissions, then, even though writeback appears to be configured correctly, users will
encounter errors when they attempt to manage their on-premises passwords from the cloud.
NOTE
It might take up to an hour or more for these permissions to replicate to all the objects in your directory.
To set up the appropriate permissions for password writeback to occur, complete the following steps:
1. Open Active Directory Users and Computers with an account that has the appropriate domain administration
permissions.
2. From the View menu, make sure Advanced features is turned on.
3. In the left panel, right-click the object that represents the root of the domain and select Properties >
Security > Advanced.
4. From the Permissions tab, select Add.
5. Pick the account that permissions are being applied to (from the Azure AD Connect setup).
6. In the Applies to drop-down list, select Descendent user objects.
7. Under Permissions, select the boxes for the following:
Reset password
Change password
Write lockoutTime
Write pwdLastSet
8. Select Apply/OK to apply the changes and exit any open dialog boxes.
Next steps
How do I complete a successful rollout of SSPR?
Reset or change your password.
Register for self-service password reset.
Do you have a licensing question?
What data is used by SSPR and what data should you populate for your users?
What authentication methods are available to users?
What are the policy options with SSPR?
How do I report on activity in SSPR?
What are all of the options in SSPR and what do they mean?
I think something is broken. How do I troubleshoot SSPR?
I have a question that was not covered somewhere else
Troubleshoot self-service password reset
1/17/2018 • 35 min to read • Edit Online
Are you having a problem with Azure Active Directory (Azure AD) self-service password reset (SSPR)? The
information that follows can help you to get things working again.
TenantSSPRFlagDisabled = 9 We’re sorry, you can't reset your SSPR_0009: We've detected that
password at this time because your password reset has not been enabled
administrator has disabled password by your administrator. Please contact
reset for your organization. There is no your admin and ask them to enable
further action you can take to resolve password reset for your organization.
this situation. Please contact your
admin and ask them to enable this
feature. To learn more, see Help, I
forgot my Azure AD password.
WritebackNotEnabled = 10 We’re sorry, you can't reset your SSPR_0010: We've detected that
password at this time because your password writeback has not been
administrator has not enabled a enabled. Please contact your admin
necessary service for your organization. and ask them to enable password
There is no further action you can take writeback.
to resolve this situation. Please contact
your admin and ask them to check
your organization’s configuration. To
learn more about this necessary
service, see Configuring password
writeback.
SsprNotEnabledInUserPolicy = 11 We’re sorry, you can't reset your SSPR_0011: Your organization has not
password at this time because your defined a password reset policy. Please
administrator has not configured contact your admin and ask them to
password reset for your organization. define a password reset policy.
There is no further action you can take
to resolve this situation. Contact your
admin and ask them to configure
password reset. To learn more about
password reset configuration, see
Quick start: Azure AD self-service
password reset.
UserNotLicensed = 12 We’re sorry, you can't reset your SSPR_0012: Your organization does
password at this time because required not have the required licenses
licenses are missing from your necessary to perform password reset.
organization. There is no further action Please contact your admin and ask
you can take to resolve this situation. them to review the license
Please contact your admin and ask assignments.
them to check your license assignment.
To learn more about licensing, see
Licensing requirements for Azure AD
self-service password reset.
ERROR DETAILS TECHNICAL DETAILS
UserNotMemberOfScopedAccessGrou We’re sorry, you can't reset your SSPR_0012: You are not a member of a
p = 13 password at this time because your group enabled for password reset.
administrator has not configured your Contact your admin and request to be
account to use password reset. There is added to the group.
no further action you can take to
resolve this situation. Please contact
your admin and ask them to configure
your account for password reset. To
learn more about account
configuration for password reset, see
Roll out password reset for users.
UserNotProperlyConfigured = 14 We’re sorry, you can't reset your SSPR_0014: Additional security info is
password at this time because needed to reset your password. To
necessary information is missing from proceed, contact your admin and ask
your account. There is no further them to reset your password. After you
action you can take to resolve this have access to your account, you can
situation. Please contact you admin register additional security info at
and ask them to reset your password https://aka.ms/ssprsetup. Your admin
for you. After you have access to your can add additional security info to your
account again, you need to register the account by following the steps in Set
necessary information. To register and read authentication data for
information, follow the steps in the password reset.
Register for self-service password reset
article.
OnPremisesAdminActionRequired = 29 We’re sorry, we can't reset your SSPR_0029: We are unable to reset
password at this time because of a your password due to an error in your
problem with your organization’s on-premises configuration. Please
password reset configuration. There is contact your admin and ask them to
no further action you can take to investigate.
resolve this situation. Please contact
your admin and ask them to
investigate. To learn more about the
potential problem, see Troubleshoot
password writeback.
OnPremisesConnectivityError = 30 We’re sorry, we can't reset your SSPR_0030: We can't reset your
password at this time because of password due to a poor connection
connectivity issues to your with your on-premises environment.
organization. There is no action to take Contact your admin and ask them to
right now, but the problem might be investigate.
resolved if you try again later. If the
problem persists, please contact your
admin and ask them to investigate. To
learn more about connectivity issues,
see Troubleshoot password writeback
connectivity.
I don't see the Password reset section under Azure AD in This can happen if you don't have an Azure AD Premium or
the Azure portal. Basic license assigned to the administrator performing the
operation.
I don't see a particular configuration option. Many elements of the UI are hidden until they are needed.
Try enabling all the options you want to see.
I don't see the On-premises integration tab. This option only becomes visible if you have downloaded
Azure AD Connect and have configured password writeback.
For more information, see Getting started with Azure AD
Connect by using the express settings.
I don’t see any password management activity types in the This can happen if you don't have an Azure AD Premium or
Self-Service Password Management audit event category. Basic license assigned to the administrator performing the
operation.
User registrations show multiple times. Currently, when a user registers, we log each individual piece
of data that's registered as a separate event.
The directory is not enabled for password reset. Your Switch the Self-service password reset enabled flag to
administrator has not enabled you to use this feature. Selected or All and then select Save.
The user does not have an Azure AD Premium or Basic This can happen if you don't have an Azure AD Premium or
license assigned. Your administrator has not enabled you Basic license assigned to the administrator performing the
to use this feature. operation.
There is an error processing the request. This can be caused by many issues, but generally this error is
caused by either a service outage or a configuration issue. If
you see this error and it affects your business, contact
Microsoft support for additional assistance.
Troubleshoot the password reset portal
ERROR SOLUTION
The directory is not enabled for password reset. Switch the Self-service password reset enabled flag to
Selected or All and then select Save.
The user does not have an Azure AD Premium or Basic This can happen if you don't have an Azure AD Premium or
license assigned. Basic license assigned to the administrator performing the
operation.
The directory is enabled for password reset, but the user has Before proceeding, ensure that user has properly formed
missing or malformed authentication information. contact data on file in the directory. For more information,
see Data used by Azure AD self-service password reset.
The directory is enabled for password reset, but the user has Before proceeding, ensure that the user has at least two
only one piece of contact data on file when the policy is set properly configured contact methods. An example is having
to require two verification methods. both a mobile phone number and an office phone number.
The directory is enabled for password reset and the user is This can be the result of a temporary service error or if there
properly configured, but the user is unable to be contacted. is incorrect contact data that we can't properly detect.
The user never receives the password reset SMS or phone This can be the result of a malformed phone number in the
call. directory. Make sure the phone number is in the format
“+ccc xxxyyyzzzzXeeee”.
The user never receives the password reset email. The most common cause for this problem is that the
message is rejected by a spam filter. Check your spam, junk,
or deleted items folder for the email.
I have set a password reset policy, but when an admin Microsoft manages and controls the administrator password
account uses password reset, that policy isn't applied. reset policy to ensure the highest level of security.
ERROR SOLUTION
The user is prevented from attempting a password reset too We implement an automatic throttling mechanism to block
many times in a day. users from attempting to reset their passwords too many
times in a short period of time. Throttling occurs when:
The user attempts to validate a phone number 5
times in one hour.
The user attempts to use the security questions gate
5 times in one hour.
The user attempts to reset a password for the same
user account 5 times in one hour.
To fix this problem, instruct the user to wait 24 hours after
the last attempt. The user can then reset their password.
The user sees an error when validating their phone number. This error occurs when the phone number entered does not
match the phone number on file. Make sure the user is
entering the complete phone number, including the area and
country code, when they attempt to use a phone-based
method for password reset.
There is an error processing the request. This can be caused by many issues, but generally this error is
caused by either a service outage or a configuration issue. If
you see this error and it affects your business, contact
Microsoft support for additional assistance.
The password reset service does not start on-premises. Error When password writeback is enabled, the sync engine calls
6800 appears in the Azure AD Connect machine’s application the writeback library to perform the configuration
event log. (onboarding) by communicating to the cloud onboarding
service. Any errors encountered during onboarding or while
After onboarding, federated or password-hash-synchronized starting the Windows Communication Foundation (WCF)
users can't reset their passwords. endpoint for password writeback results in errors in the
event log in your Azure AD Connect machine.
When a user attempts to reset a password or unlock an Find the Active Directory account for Azure AD Connect and
account with password writeback enabled, the operation fails. reset the password so that it contains no more than 127
characters. Then open the Synchronization Service from
In addition, you see an event in the Azure AD Connect event the Start menu. Browse to Connectors and find the Active
log that contains: “Synchronization Engine returned an error Directory Connector. Select it and then select Properties.
hr=800700CE, message=The filename or extension is too Browse to the Credentials page and enter the new
long” after the unlock operation occurs. password. Select OK to close the page.
ERROR SOLUTION
At the last step of the Azure AD Connect installation process, This error occurs in the following two cases:
you see an error indicating that password writeback couldn't You have specified an incorrect password for the
be configured. global administrator account specified at the
beginning of the Azure AD Connect installation
The Azure AD Connect application event log contains error process.
32009 with the text “Error getting auth token.” You have attempted to use a federated user for the
global administrator account specified at the
beginning of the Azure AD Connect installation
process.
To fix this problem, ensure that you're not using a federated
account for the global administrator you specified at the
beginning of the installation process. Also ensure that the
password specified is correct.
The Azure AD Connect machine event log contains error Your on-premises environment isn't able to connect to the
32002 that is thrown by running PasswordResetService. Azure Service Bus endpoint in the cloud. This error is
normally caused by a firewall rule blocking an outbound
The error reads: “Error Connecting to ServiceBus. The token connection to a particular port or web address. See
provider was unable to provide a security token.” Connectivity prerequisites for more info. After you have
updated these rules, reboot the Azure AD Connect machine
and password writeback should start working again.
After working for some time, federated or password-hash- In some rare cases, the password writeback service can fail to
synchronized users can't reset their passwords. restart when Azure AD Connect has restarted. In these cases,
first, check whether password writeback appears to be
enabled on-premises. You can check by using either the
Azure AD Connect wizard or PowerShell (See the previous
HowTos section). If the feature appears to be enabled, try
enabling or disabling the feature again either through the UI
or PowerShell. If this doesn’t work, try a complete uninstall
and reinstall of Azure AD Connect.
Federated or password-hash-synchronized users who If you see these errors in your event log, confirm that the
attempt to reset their passwords see an error after Active Directory Management Agent (ADMA) account that
attempting to submit their password. The error indicates that was specified in the wizard at the time of configuration has
there was a service problem. the necessary permissions for password writeback.
In addition to this problem, during password reset Note that after this permission is given, it can take up to one
operations, you might see an error that the management hour for the permissions to trickle down via the sdprop
agent was denied access in your on-premises event logs. background task on the domain controller (DC).
Federated or password-hash-synchronized users who This error usually indicates that the sync engine is unable to
attempt to reset their passwords, see an error after they find either the user object in the Azure AD connector space
submit their password. The error indicates that there was a or the linked metaverse (MV) or Azure AD connector space
service problem. object.
In addition to this problem, during password reset To troubleshoot this problem, make sure that the user is
operations, you might see an error in your event logs from indeed synchronized from on-premises to Azure AD via the
the Azure AD Connect service indicating an “Object could current instance of Azure AD Connect and inspect the state
not be found” error. of the objects in the connector spaces and MV. Confirm that
the Active Directory Certificate Services (AD CS) object is
connected to the MV object via the
“Microsoft.InfromADUserAccountEnabled.xxx” rule.
Federated or password-hash-synchronized users who This indicates that the sync engine detected that the MV
attempt to reset their passwords see an error after they object is connected to more than one AD CS object via
submit their password. The error indicates that there was a “Microsoft.InfromADUserAccountEnabled.xxx”. This means
service problem. that the user has an enabled account in more than one
forest. Note that this scenario isn't supported for password
In addition to this problem, during password reset writeback.
operations, you might see an error in your event logs from
the Azure AD Connect service that indicates that there is a
“Multiple matches found” error.
Password operations fail with a configuration error. The This error occurs if the Azure AD Connect configuration is
application event log contains Azure AD Connect error 6329 changed to add a new Active Directory forest (or to remove
with the text "0x8023061f (The operation failed because and re-add an existing forest) after the password writeback
password synchronization is not enabled on this feature has already been enabled. Password operations for
Management Agent)". users in these recently added forests fail. To fix the problem,
disable and then re-enable the password writeback feature
after the forest configuration changes have been completed.
6329 BAIL: MMS(4924) 0x80230619: “A This event occurs when the password
restriction prevents the password from writeback service attempts to set a
being changed to the current one password on your local directory that
specified.” does not meet the password age,
history, complexity, or filtering
requirements of the domain.
HR 8023042 Synchronization Engine returned an This error occurs when the same user
error hr=80230402, message=An ID is enabled in multiple domains. An
attempt to get an object failed because example is if you're syncing account
there are duplicated entries with the and resource forests and have the
same anchor. same user ID present and enabled in
each forest.
WARNING
If you have customized the out-of-the-box sync rules, back them up before proceeding with upgrade and then manually
redeploy them after you're finished.
1. Download the latest version of Azure AD Connect from the Microsoft Download Center.
2. Because you have already installed Azure AD Connect, you need to perform an in-place upgrade to update
your Azure AD Connect installation to the latest version.
3. Execute the downloaded package and follow the on-screen instructions to update your Azure AD Connect
machine.
The previous steps should re-establish your connection with our cloud service and resolve any interruptions you
might be experiencing.
If installing the latest version of the Azure AD Connect server does not resolve your problem, we recommend
that you try disabling and then re-enabling password writeback as a final step after you install the latest release.
3. In the pop-up window, select Connect to Active Directory Forest and make note of the User name
property. This property is the AD DS account used by Azure AD Connect to perform directory
synchronization. For Azure AD Connect to perform password writeback, the AD DS account must have
reset password permission.
4. Sign in to an on-premises domain controller and start the Active Directory Users and Computers
application.
5. Select View and make sure the Advanced Features option is enabled.
6. Look for the Active Directory user account you want to verify. Right-click the account name and select
Properties.
7. In the pop-up window, go to the Security tab and select Advanced.
8. In the Advanced Security Settings for Administrator pop-up window, go to the Effective Access tab.
9. Select Select a user, select the AD DS account used by Azure AD Connect (see step 3), and then select
View effective access.
10. Scroll down and look for Reset password. If the entry has a check mark, the AD DS account has
permission to reset the password of the selected Active Directory user account.
Azure AD forums
If you have a general question about Azure AD and self-service password reset, you can ask the community for
assistance on the Azure AD forums. Members of the community include engineers, product managers, MVPs,
and fellow IT professionals.
If you're on a page without a support code at the bottom, select F12 and search for the SID and CID
and send those two results to the support engineer.
Date, time, and time zone: Include the precise date and time with the time zone that the error occurred.
User ID: Who was the user who saw the error? An example is user@contoso.com.
Is this a federated user?
Is this a password-hash-synchronized user?
Is this a cloud-only user?
Licensing: Does the user have an Azure AD Premium or Azure AD Basic license assigned?
Application event log: If you're using password writeback and the error is in your on-premises
infrastructure, include a zipped copy of your application event log from the Azure AD Connect server.
Next steps
The following articles provide additional information about password reset through Azure AD:
How do I complete a successful rollout of SSPR?
Reset or change your password
Register for self-service password reset
Do you have a licensing question?
What data is used by SSPR and what data should you populate for your users?
What authentication methods are available to users?
What are the policy options with SSPR?
What is password writeback and why do I care about it?
How do I report on activity in SSPR?
What are all of the options in SSPR and what do they mean?
I have a question that was not covered somewhere else
Password management frequently asked questions
1/17/2018 • 11 min to read • Edit Online
The following are some frequently asked questions (FAQ) for all things related to password reset.
If you have a general question about Azure Active Directory (Azure AD) and self-service password reset (SSPR)
that's not answered here, you can ask the community for assistance on the Azure AD forum. Members of the
community include engineers, product managers, MVPs, and fellow IT professionals.
This FAQ is split into the following sections:
Questions about password reset registration
Questions about password reset
Questions about password change
Questions about password management reports
Questions about password writeback
A: Yes. As long as password reset is enabled and they are licensed, users can go to the password reset
registration portal (http://aka.ms/ssprsetup) to register their authentication information. Users can
also register through the Access Panel (http://myapps.microsoft.com). To register through the Access
Panel, they need to select their profile picture, select Profile, and then select the Register for
password reset option.
Q: If I enable password reset for a group and then decide to enable it for everyone are my users
required re-register?
A: No. Users who have populated authentication data are not required to re-register.
A: Yes, you can do so with Azure AD Connect, PowerShell, the Azure portal, or the Office 365 Admin
center. For more information, see Data used by Azure AD self-service password reset.
Q: Can my users register data in such a way that other users can't see this data?
A: Yes. When users register data by using the password reset registration portal, the data is saved into
private authentication fields that are visible only to global administrators and the user.
A: No. If you define enough authentication information on their behalf, users don't have to register.
Password reset works as long as you have properly formatted the data stored in the appropriate
fields in the directory.
Q: How does the registration portal determine which options to show my users?
A: The password reset registration portal shows only the options that you have enabled for your
users. These options are found under the User Password Reset Policy section of your directory’s
Configure tab. For example, if you don't enable security questions, then users are not able to register
for that option.
A: A user is considered registered for SSPR when they have registered at least the Number of
methods required to reset a password that you have set in the Azure portal.
Password reset
Q: Do you prevent users from multiple attempts to reset a password in a short period of time?
A: Yes, there are security features built into password reset to protect it from misuse.
Users can try only five password reset attempts within a 24 hour period before they're locked out for
24 hours.
Users can try to validate a phone number, send a SMS, or validate security questions and answers
only five times within an hour before they're locked out for 24 hours.
Users can send an email a maximum of 10 times within a 10 minute period before they're locked out
for 24 hours.
The counters are reset once a user resets their password.
Q: How long should I wait to receive an email, SMS, or phone call from password reset?
A: Emails, SMS messages, and phone calls should arrive in under a minute. The normal case is 5 to 20
seconds. If you don't receive the notification in this time frame:
Check your junk folder.
Check that the number or email being contacted is the one you expect.
Check that the authentication data in the directory is correctly formatted, for example, +1
4255551234 or user@contoso.com.
A: The password reset UI, SMS messages, and voice calls are localized in the same languages that are
supported in Office 365.
Q: What parts of the password reset experience get branded when I set the organizational
branding items in my directory’s configure tab?
A: The password reset portal shows your organization's logo and allows you to configure the
"Contact your administrator" link to point to a custom email or URL. Any email that's sent by
password reset includes your organization’s logo, colors, and name in the body of the email, and is
customized from the settings for that particular name.
Q: Do you support unlocking local Active Directory accounts when users reset their passwords?
A: Yes. When a user resets their password, if password writeback has been deployed through Azure
AD Connect, that user’s account is automatically unlocked when they reset their password.
Q: How can I integrate password reset directly into my user’s desktop sign-in experience?
A: If you're an Azure AD Premium customer, you can install Microsoft Identity Manager at no
additional cost and deploy the on-premises password reset solution.
Q: How many questions can I configure for the security questions authentication option?
Q: Can a user register the same security question more than once?
A: No. After a user registers a particular question, they can't register for that question a second time.
Q: Is it possible to set a minimum limit of security questions for registration and reset?
A: Yes, one limit can be set for registration and another for reset. Three to five security questions can
be required for registration, and three to five questions can be required for reset.
Q: I configured my policy to require users to use security questions for reset, but the Azure
administrators seem to be configured differently.
A: This is the expected behavior. Microsoft enforces a strong default two-gate password reset policy
for any Azure administrator role. This prevents administrators from using security questions. You can
find more information about this policy in the Password policies and restrictions in Azure Active
Directory article.
Q: If a user has registered more than the maximum number of questions required to reset, how
are the security questions selected during reset?
A: N number of security questions are selected at random out of the total number of questions a user
has registered for, where N is the amount that is set for the Number of questions required to reset
option. For example, if a user has registered five security questions, but only three are required to
reset a password, three of the five questions are randomly selected and are presented at reset. To
prevent question hammering, if the user gets the answers to the questions wrong the selection
process starts over.
Q: How long are the email and SMS one-time passcodes valid?
A: The session lifetime for password reset is 15 minutes. From the start of the password reset
operation, the user has 15 minutes to reset their password. The email and SMS one-time passcode
are invalid after this time period expires.
A: Yes, if you use a group to enable SSPR, you can remove an individual user from the group that
allows users to reset their password.
Password change
Q: Where should my users go to change their passwords?
A: Users can change their passwords anywhere they see their profile picture or icon, like in the upper-
right corner of their Office 365 portal or Access Panel experiences. Users can change their passwords
from the Access Panel Profile page. Users can also be asked to change their passwords automatically
at the Azure AD sign-in page if their passwords have expired. Finally, users can browse to the Azure
AD password change portal directly if they want to change their passwords.
Q: Can my users be notified in the Office portal when their on-premises password expires?
A: Yes, this is possible today if you use Active Directory Federation Services (AD FS). If you use AD FS,
follow the instructions in the Sending password policy claims with AD FS article. If you use password
hash synchronization, this is not possible today. We don't sync password policies from on-premises
directories, so it's not possible for us to post expiration notifications to cloud experiences. In either
case, it's also possible to notify users whose passwords are about to expire through PowerShell.
A: For cloud-only users, password changes can't be blocked. For on-premises users, you can set the
User cannot change password option to selected. The selected users can't change their password.
Password management reports
Q: How long does it take for data to show up on the password management reports?
A: Data should appear on the password management reports in 5 to 10 minutes. In some instances, it
might take up to an hour to appear.
A: To filter the password management reports, select the small magnifying glass to the extreme right
of the column labels, near the top of the report. If you want to do richer filtering, you can download
the report to Excel and create a pivot table.
Q: What is the maximum number of events that are stored in the password management
reports?
A: Up to 75,000 password reset or password reset registration events are stored in the password
management reports, spanning back as far as 30 days. We are working to expand this number to
include more events.
A: The password management reports show operations that occurred within the last 30 days. For
now, if you need to archive this data, you can download the reports periodically and save them in a
separate location.
Q: Is there a maximum number of rows that can appear on the password management reports?
A: Yes. A maximum of 75,000 rows can appear on either of the password management reports,
whether they are shown in the UI or are downloaded.
A: Yes. To learn how you can access the password reset reporting data stream, see Learn how to
access password reset reporting events programmatically.
Password writeback
Q: How does password writeback work behind the scenes?
A: See the article How password writeback works for an explanation of what happens when you
enable password writeback and how data flows through the system back into your on-premises
environment.
Q: How long does password writeback take to work? Is there a synchronization delay like there
is with password hash sync?
A: If your on-premises ID is disabled, your cloud ID and access will also be disabled at the next sync
interval through Azure AD Connect. By default, this sync is every 30 minutes.
A: Yes, SSPR relies on and abides by the on-premises Active Directory password policy. This policy
includes the typical Active Directory domain password policy, as well as any defined, fine-grained
password policies that are targeted to a user.
A: Password writeback works for federated and password hash synchronized users.
A: Yes. Password writeback enforces password age, history, complexity, filters, and any other
restriction you might put in place on passwords in your local domain.
A: Yes, password writeback is secure. To read more about the four layers of security implemented by
the password writeback service, check out the Password writeback security model section in the
Password writeback overview article.
Next steps
How do I complete a successful rollout of SSPR?
Reset or change your password
Register for self-service password reset
Do you have a licensing question?
What data is used by SSPR and what data should you populate for your users?
What authentication methods are available to users?
What are the policy options with SSPR?
What is password writeback and why do I care about it?
How do I report on activity in SSPR?
What are all of the options in SSPR and what do they mean?
I think something is broken. How do I troubleshoot SSPR?
Introduction to device management in Azure Active
Directory
12/11/2017 • 6 min to read • Edit Online
In a mobile-first, cloud-first world, Azure Active Directory (Azure AD) enables single sign-on to devices, apps, and
services from anywhere. With the proliferation of devices - including Bring Your Own Device (BYOD), IT
professionals are faced with two opposing goals:
Empower the end users to be productive wherever and whenever
Protect the corporate assets at any time
Through devices, your users are getting access to your corporate assets. To protect your corporate assets, as an IT
administrator, you want to have control over these devices. This enables you to make sure that your users are
accessing your resources from devices that meet your standards for security and compliance.
Device management is also the foundation for device-based conditional access. With device-based conditional
access, you can ensure that access to resources in your environment is only possible with trusted devices.
This topic explains how device management in Azure Active Directory works.
These goals are accomplished by providing your users with a self-service experience for getting work-owned
devices under the control of Azure AD.
Azure AD Join is intended for organizations that are cloud-first / cloud-only. These are typically small- and
medium-sized businesses that do not have an on-premises Windows Server Active Directory infrastructure.
Implementing Azure AD joined devices provides you with the following benefits:
Single-Sign-On (SSO) to your Azure managed SaaS apps and services. Your users don’t see additional
authentication prompts when accessing work resources. The SSO functionality is even when they are not
connected to the domain network available.
Enterprise compliant roaming of user settings across joined devices. Users don’t need to connect a
Microsoft account (for example, Hotmail) to see settings across devices.
Access to Windows Store for Business using AD account. Your users can choose from an inventory of
applications pre-selected by the organization.
Windows Hello support for secure and convenient access to work resources.
Restriction of access to apps from only devices that meet compliance policy.
While Azure AD join is primarily intended for organizations that do not have an on-premises Windows Server
Active Directory infrastructure, you can certainly also use it in scenarios where:
You can’t use an on-premises domain join, for example, if you need to get mobile devices such as tablets
and phones under control.
Your users primarily need to access Office 365 or other SaaS apps integrated with Azure AD.
You want to manage a group of users in Azure AD instead of in Active Directory. This can apply, for
example, to seasonal workers, contractors, or students.
You want to provide joining capabilities to workers in remote branch offices with limited on-premises
infrastructure.
You can configure Azure AD joined devices for Windows 10 devices.
Summary
With device management in Azure AD, you can:
Simplify the process of bringing devices under the control of Azure AD
Provide your users with an easy to use access to your organization’s cloud-based resources
As a rule of a thumb, you should use:
Azure AD registered devices:
For personal devices
To manually register devices with Azure AD
Azure AD joined devices:
For devices that are owned by your organization
For devices that are not joined to an on-premises AD
To manually register devices with Azure AD
To change the local state of a device
Hybrid Azure AD joined devices for devices that are joined to an on-premises AD
For devices that are owned by your organization
For devices that are joined to an on-premises AD
To automatically register devices with Azure AD
To change the local state of a device
Next steps
To get an overview of how to manage device in the Azure portal, see managing devices using the Azure
portal
To learn more about device-based conditional access, see configure Azure Active Directory device-based
conditional access policies.
To setup:
Azure Active Directory registered Windows 10 devices, see how to configure Azure Active Directory
registered Windows 10 devices
Azure Active Directory joined devices, see how to configure Azure Active Directory joined devices
Hybrid Azure AD joined devices, see how to configure hybrid Azure Active Directory joined devices.
Managing devices using the Azure portal
12/11/2017 • 5 min to read • Edit Online
With device management in Azure Active Directory (Azure AD), you can ensure that your users are accessing your
resources from devices that meet your standards for security and compliance.
This topic:
Assumes that you are familiar with the introduction to device management in Azure Active Directory
Provides you with information about managing your devices using the Azure portal
Manage devices
The Azure portal provides you with a central place to manage your devices. You can get to this place by either
using a direct link or by following these manual steps:
1. Sing-in to the Azure portal as administrator.
2. On the left navbar, click Active Directory.
Users may join devices to Azure AD - This setting enables you to select the users who can join devices to
Azure AD. The default is All.
Additional local administrators on Azure AD joined devices - You can select the users that are
granted local administrator rights on a device. Users added here are added to the Device Administrators
role in Azure AD. Global administrators in Azure AD and device owners are granted local administrator
rights by default. This option is a premium edition capability available through products such as Azure AD
Premium or the Enterprise Mobility Suite (EMS).
Users may register their devices with Azure AD - You need to configure this setting to allow devices to
be registered with Azure AD. If you select None, devices are not allowed to register when they are not
Azure AD joined or hybrid Azure AD joined. Enrollment with Microsoft Intune or Mobile Device
Management (MDM) for Office 365 requires registration. If you have configured either of these services,
ALL is selected and NONE is not available..
Require Multi-Factor Auth to join devices - You can choose whether users are required to provide a
second authentication factor to join their device to Azure AD. The default is No. We recommend requiring
multi-factor authentication when registering a device. Before you enable multi-factor authentication for this
service, you must ensure that multi-factor authentication is configured for the users that register their
devices. For more information on different Azure multi-factor authentication services, see getting started
with Azure multi-factor authentication.
Maximum number of devices - This setting enables you to select the maximum number of devices that a
user can have in Azure AD. If a user reaches this quota, they are not be able to add additional devices until
one or more of the existing devices are removed. The device quote is counted for all devices that are either
Azure AD joined or Azure AD registered today. The default value is 20.
Users may sync settings and app data across devices - By default, this setting is set to NONE. Selecting
specific users or groups or ALL allows the user’s settings and app data to sync across their Windows 10
devices. Learn more on how sync works in Windows 10. This option is a premium capability available
through products such as Azure AD Premium or the Enterprise Mobility Suite (EMS).
Locate devices
You have two options to locate registered and joined devices:
All devices in the Manage section of the Devices page
Remarks:
You need to be a global administrator in Azure AD to enable / disable a device.
Disabling a device prevents a device from accessing your Azure AD resources.
Delete an Azure AD device
To delete a device, you have two options:
The tasks menu ("...") on the All devices page
Remarks:
You need to be a global administrator in Azure AD to delete a device.
Deleting a device:
Prevents a device from accessing your Azure AD resources.
Removes all details that are attached to the device, for example, BitLocker keys for Windows devices.
Represents a non-recoverable activity and is not recommended unless it is required.
If a device is managed by another management authority (for example, Microsoft Intune), please make sure that
the device has been wiped / retired before deleting the device in Azure AD.
View or copy device ID
You can use a device ID to verify the device ID details on the device or using PowerShell during troubleshooting.
To access the copy option, click the device.
Audit logs
Device activities are available through the activity logs. This includes activities triggered by the device registration
service and by users:
Device creation and adding owners / users on the device
Changes to device settings
Device operations such as deleting or updating a device
Your entry point to the auditing data is Audit logs in the Activity section of the Devices page.
You can customize the list view by clicking Columns in the toolbar.
To narrow down the reported data to a level that works for you, you can filter the audit data using the following
fields:
Category
Activity resource type
Activity
Date range
Target
Initiated By (Actor)
In addition to the filters, you can search for specific entries.
Next steps
Introduction to device management in Azure Active Directory
Usage scenarios and deployment considerations for
Azure AD Join
12/11/2017 • 3 min to read • Edit Online
Additional information
Windows 10 for the enterprise: Ways to use devices for work
Extending cloud capabilities to Windows 10 devices through Azure Active Directory Join
Authenticating identities without passwords through Microsoft Passport
Learn about usage scenarios for Azure AD Join
Connect domain-joined devices to Azure AD for Windows 10 experiences
Set up Azure AD Join
Azure Active Directory device management FAQ
1/16/2018 • 4 min to read • Edit Online
Q: I registered the device recently. Why can’t I see the device under my user info in the Azure portal?
A: Windows 10 devices that are domain-joined with automatic device registration do not show up under the USER
info. You need to use PowerShell to see all devices.
Only the following devices are listed under the USER info:
All personal devices that are not enterprise joined
All non-Windows 10 / Windows Server 2016
All non-Windows devices
Q: Why can I not see all the devices registered in Azure Active Directory in the Azure portal?
A: Currently, there is no way to see all registered devices in the Azure portal. You can use Azure PowerShell to find
all devices. For more details, see the Get-MsolDevice cmdlet.
Q: How do I know what the device registration state of the client is?
A: The device registration state depends on:
What the device is
How it was registered
Any details related to it.
Q: Why is a device I have deleted in the Azure portal or using Windows PowerShell still listed as
registered?
A: This is by design. The device will not have access to resources in the cloud. If you want to remove the device and
register again, a manual action must be to be taken on the device.
For Windows 10 and Windows Server 2016 that are on-premises AD domain-joined:
1. Open the command prompt as an administrator.
2. Type dsregcmd.exe /debug /leave
3. Sign out and sign in to trigger the scheduled task that registers the device again.
For other Windows platforms that are on-premises AD domain-joined:
1. Open the command prompt as an administrator.
2. Type "%programFiles%\Microsoft Workplace Join\autoworkplace.exe /l" .
3. Type "%programFiles%\Microsoft Workplace Join\autoworkplace.exe /j" .
Q: Why can a user still access resources from a device I have disabled in the Azure portal?
A: It can take up to an hour for a revoke to be applied.
NOTE
For lost devices, we recommend wiping the device to ensure that users cannot access the device. For more details, see Enroll
devices for management in Intune.
Q: I see the device record under the USER info in the Azure portal and can see the state as registered on
the client. Am I setup correctly for using conditional access?
A: The device record (deviceID) and state on the Azure portal must match the client and meet any evaluation
criteria for conditional access. For more details, see Get started with Azure Active Directory Device Registration.
Q: Why do I get a "username or password is incorrect" message for a device I have just joined to Azure
AD?
A: Common reasons for this scenario are:
Your user credentials are no longer valid.
Your computer is unable to communicate with Azure Active Directory. Check for any network connectivity
issues.
The Azure AD Join pre-requisites were not met. Please ensure that you have followed the steps for Extending
cloud capabilities to Windows 10 devices through Azure Active Directory Join.
Federated logins requires your federation server to support a WS-Trust active endpoint.
Q: Why do I see the “Oops… an error occurred!" dialog when I try do join my PC?
A: This is a result of setting up Azure Active Directory enrollment with Intune. For more details, see Set up Windows
device management.
Q: Why did my attempt to join a PC fail although I didn't get any error information?
A: A likely cause is that the user is logged in to the device using the built-in administrator account. Please create a
different local account before using Azure Active Directory Join to complete the setup.
Q: Where can I find instructions for the setup of automatic device registration?
A: For detailed instructions, see How to configure automatic registration of Windows domain-joined devices with
Azure Active Directory
Q: Where can I find troubleshooting information about the automatic device registration?
A: For troubleshooting information, see:
Troubleshooting auto-registration of domain joined computers to Azure AD – Windows 10 and Windows
Server 2016
Troubleshooting auto-registration of domain joined computers to Azure AD for Windows down-level clients
Set up Azure Active Directory registered Windows 10
devices
1/16/2018 • 2 min to read • Edit Online
With device management in Azure Active Directory (Azure AD), you can ensure that your users are accessing your
resources from devices that meet your standards for security and compliance. For more details, see Introduction to
device management in Azure Active Directory.
If you want to enable the Bring Your Own Device (BYOD) scenario, you can accomplish this by configuring Azure
AD registered devices. In Azure AD, you can configure Azure AD registered devices for Windows 10, iOS, Android
and macOS. This topic provides you with the related steps for Windows 10 devices.
Registering a device
This section provides you with the steps to register your Windows 10 device to your Azure AD. If you have
successfully registered your device to Azure AD, your Access work or school dialog indicates this with a Work or
school account entry.
To register your Windows 10 device:
1. In the Start menu, click Settings.
2. Click Accounts.
6. On the Enter password dialog, enter your password, and then click Next.
Verification
To verify whether a device is joined to an Azure AD, you can review the Access work or school dialog on your
device.
Alternatively, you can also review device settings on the Azure AD portal.
Next steps
For more details, see the introduction to device management in Azure Active Directory
For more details about managing devices in the Azure AD portal, see the managing devices using the Azure
portal .
Set up Azure Active Directory joined devices
1/16/2018 • 2 min to read • Edit Online
With device management in Azure Active Directory (Azure AD), you can ensure that your users are accessing your
resources from devices that meet your standards for security and compliance. For more information, see
Introduction to device management in Azure Active Directory.
If you want to bring work-owned Windows 10 devices under the control of Azure AD, you can accomplish this by
configuring Azure AD joined devices. This topic provides you with the related steps.
Prerequisites
To join a Windows 10 device, the device registration service must be configured to enable you to register devices.
In addition to having permission to joining devices in your Azure AD tenant, you must have fewer devices
registered than the configured maximum. For more information, see configure device settings.
Joining a device
This section provides you with the steps to join your Windows 10 device to your Azure AD. If you have successfully
joined your device to Azure AD, your Access work or school dialog indicates this with a Connected to <your
Azure AD> entry.
To join your Windows 10 device:
1. In the Start menu, click Settings.
2. Click Accounts.
5. On the Setup a work or school account dialog, click Join this device to Azure Active Directory.
6. On the Let's get you signed in dialog, enter your account name (for example, someone@example.com),
and then click Next.
7. On the Enter password dialog, enter your password, and then click Sign in.
Verification
To verify whether a device is joined to an Azure AD, you can review the Access work or school dialog on your
device.
Next steps
For more information, see:
The introduction to device management in Azure Active Directory
Managing devices using the Azure portal
How to configure hybrid Azure Active Directory
joined devices
1/16/2018 • 17 min to read • Edit Online
With device management in Azure Active Directory (Azure AD), you can ensure that your users are accessing your
resources from devices that meet your standards for security and compliance. For more details, see Introduction to
device management in Azure Active Directory.
If you have an on-premises Active Directory environment and you want to join your domain-joined devices to
Azure AD, you can accomplish this by configuring hybrid Azure AD joined devices. The topic provides you with the
related steps.
Prerequisites
Before you start enabling hybrid Azure AD joined devices in your organization, you need to make sure that you are
running an up-to-date version of Azure AD connect.
Azure AD Connect:
Keeps the association between the computer account in your on-premises Active Directory (AD) and the device
object in Azure AD.
Enables other device related features like Windows Hello for Business.
Make sure that the following URLs are accessible from computers inside your organization network for registration
of computers to Azure AD:
https://enterpriseregistration.windows.net
https://login.microsoftonline.com
https://device.login.microsoftonline.com
If your organizations requires access to the Internet via an outbound proxy, must implement Web Proxy Auto-
Discovery (WPAD) to enable Windows 10 computers to register to Azure AD.
Configuration steps
You can configure hybrid Azure AD joined devices for various types of Windows device platforms. This topic
includes the required steps for all typical configuration scenarios.
Use the following table to get an overview of the steps that are required for your scenario:
In your forest, the SCP object for the auto-registration of domain-joined devices is located at:
CN=62a0ff2e-97b9-4513-943f-0d221bd30080,CN=Device Registration Configuration,CN=Services,[Your Configuration
Naming Context]
Depending on how you have deployed Azure AD Connect, the SCP object may have already been configured. You
can verify the existence of the object and retrieve the discovery values using the following Windows PowerShell
script:
$scp.Keywords;
The $scp.Keywords output shows the Azure AD tenant information, for example:
azureADName:microsoft.com
azureADId:72f988bf-86f1-41af-91ab-2d7cd011db47
If the service connection point does not exist, you can create it by running the
Initialize-ADSyncDomainJoinedComputerSync cmdlet on your Azure AD Connect server. Enterprise admin credential
is required to run this cmdlet.
The cmdlet:
Creates the service connection point in the Active Directory forest Azure AD Connect is connected to.
Requires you to specify the AdConnectorAccount parameter. This is the account that is configured as Active
Directory connector account in Azure AD connect.
The following script shows an example for using the cmdlet. In this script, $aadAdminCred = Get-Credential requires
you to type a user name. You need to provide the user name in the user principal name (UPN) format (
user@example.com ).
$aadAdminCred = Get-Credential;
$deSCP.CommitChanges()
NOTE
When using AD FS, either adfs/services/trust/13/windowstransport or adfs/services/trust/2005/windowstransport
must be enabled. If you are using the Web Authentication Proxy, also ensure that this endpoint is published through the
proxy. You can see what end-points are enabled through the AD FS management console under Service > Endpoints.
If you don’t have AD FS as your on-premises federation service, follow the instructions of your vendor to make sure they
support WS-Trust 1.3 or 2005 end-points and that these are published through the Metadata Exchange file (MEX).
The following claims must exist in the token received by Azure DRS for device registration to complete. Azure DRS
will create a device object in Azure AD with some of this information which is then used by Azure AD Connect to
associate the newly created device object with the computer account on-premises.
http://schemas.microsoft.com/ws/2012/01/accounttype
http://schemas.microsoft.com/identity/claims/onpremobjectguid
http://schemas.microsoft.com/ws/2008/06/identity/claims/primarysid
If you have more than one verified domain name, you need to provide the following claim for computers:
http://schemas.microsoft.com/ws/2008/06/identity/claims/issuerid
If you are already issuing an ImmutableID claim (e.g., alternate login ID) you need to provide one corresponding
claim for computers:
http://schemas.microsoft.com/LiveID/Federation/2008/05/ImmutableID
Issue issuerID for computer when multiple verified domain names in Azure AD
http://schemas.microsoft.com/ws/2008/06/identity/claims/issuerid - This claim must contain the Uniform Resource
Identifier (URI) of any of the verified domain names that connect with the on-premises federation service (AD FS or
3rd party) issuing the token. In AD FS, you can add issuance transform rules that look like the ones below in that
specific order after the ones above. Please note that one rule to explicitly issue the rule for users is necessary. In the
rules below, a first rule identifying user vs. computer authentication is added.
@RuleName = "Issue account type with the value User when its not a computer"
NOT EXISTS(
[
Type == "http://schemas.microsoft.com/ws/2012/01/accounttype",
Value == "DJ"
]
)
=> add(
Type = "http://schemas.microsoft.com/ws/2012/01/accounttype",
Value = "User"
);
@RuleName = "Capture UPN when AccountType is User and issue the IssuerID"
c1:[
Type == "http://schemas.xmlsoap.org/claims/UPN"
]
&&
c2:[
Type == "http://schemas.microsoft.com/ws/2012/01/accounttype",
Value == "User"
]
=> issue(
Type = "http://schemas.microsoft.com/ws/2008/06/identity/claims/issuerid",
Value = regexreplace(
c1.Value,
".+@(?<domain>.+)",
"http://${domain}/adfs/services/trust/"
)
);
Issue ImmutableID for computer when one for users exist (e.g. alternate login ID is set)
http://schemas.microsoft.com/LiveID/Federation/2008/05/ImmutableID - This claim must contain a valid value for
computers. In AD FS, you can create an issuance transform rule as follows:
$multipleVerifiedDomainNames = $false
$immutableIDAlreadyIssuedforUsers = $false
$oneOfVerifiedDomainNames = 'example.com' # Replace example.com with one of your verified domains
$rule4 = ''
if ($multipleVerifiedDomainNames -eq $true) {
$rule4 = '@RuleName = "Issue account type with the value User when it is not a computer"
NOT EXISTS(
[
Type == "http://schemas.microsoft.com/ws/2012/01/accounttype",
Value == "DJ"
]
)
=> add(
Type = "http://schemas.microsoft.com/ws/2012/01/accounttype",
Value = "User"
);
@RuleName = "Capture UPN when AccountType is User and issue the IssuerID"
c1:[
Type == "http://schemas.xmlsoap.org/claims/UPN"
]
&&
c2:[
Type == "http://schemas.microsoft.com/ws/2012/01/accounttype",
Value == "User"
]
=> issue(
Type = "http://schemas.microsoft.com/ws/2008/06/identity/claims/issuerid",
Value = regexreplace(
c1.Value,
".+@(?<domain>.+)",
"http://${domain}/adfs/services/trust/"
)
);
$rule5 = ''
if ($immutableIDAlreadyIssuedforUsers -eq $true) {
$rule5 = '@RuleName = "Issue ImmutableID for computers"
c1:[
Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/groupsid",
Value =~ "-515$",
Issuer =~ "^(AD AUTHORITY|SELF AUTHORITY|LOCAL AUTHORITY)$"
]
&&
c2:[
Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname",
Issuer =~ "^(AD AUTHORITY|SELF AUTHORITY|LOCAL AUTHORITY)$"
]
=> issue(
store = "Active Directory",
types = ("http://schemas.microsoft.com/LiveID/Federation/2008/05/ImmutableID"),
query = ";objectguid;{0}",
param = c2.Value
);'
}
Remarks
This script appends the rules to the existing rules. Do not run the script twice because the set of rules would
be added twice. Make sure that no corresponding rules exist for these claims (under the corresponding
conditions) before running the script again.
If you have multiple verified domain names (as shown in the Azure AD portal or via the Get-MsolDomains
cmdlet), set the value of $multipleVerifiedDomainNames in the script to $true. Also make sure that you
remove any existing issuerid claim that might have been created by Azure AD Connect or via other means.
Here is an example for this rule:
c:[Type == "http://schemas.xmlsoap.org/claims/UPN"]
=> issue(Type = "http://schemas.microsoft.com/ws/2008/06/identity/claims/issuerid", Value =
regexreplace(c.Value, ".+@(?<domain>.+)", "http://${domain}/adfs/services/trust/"));
If you have already issued an ImmutableID claim for user accounts, set the value of
$immutableIDAlreadyIssuedforUsers in the script to $true.
eyJQcm9wZXJ0aWVzIjpbeyJLZXkiOiJhY3IiLCJWYWx1ZSI6IndpYW9ybXVsdGlhdXRobiJ9XX0
When such a request comes, the on-premises federation service must authenticate the user using Integrated
Windows Authentication and upon success, it must issue the following two claims:
http://schemas.microsoft.com/ws/2008/06/identity/authenticationmethod/windows
http://schemas.microsoft.com/claims/wiaormultiauthn
In AD FS, you must add an issuance transform rule that passes-through the authentication method.
To add this rule:
1. In the AD FS management console, go to AD FS > Trust Relationships > Relying Party Trusts .
2. Right-click the Microsoft Office 365 Identity Platform relying party trust object, and then select Edit Claim
Rules.
3. On the Issuance Transform Rules tab, select Add Rule.
4. In the Claim rule template list, select Send Claims Using a Custom Rule.
5. Select Next.
6. In the Claim rule name box, type Auth Method Claim Rule.
7. In the Claim rule box, type the following rule:
c:[Type == "http://schemas.microsoft.com/claims/authnmethodsreferences"] => issue(claim = c);
8. On your federation server, type the PowerShell command below after replacing <RPObjectName> with
the relying party object name for your Azure AD relying party trust object. This object usually is named
Microsoft Office 365 Identity Platform.
Set-AdfsRelyingPartyTrust -TargetName <RPObjectName> -AllowedAuthenticationClassReferences
wiaormultiauthn
Add the Azure AD device authentication end-point to the Local Intranet zones
To avoid certificate prompts when users in register devices authenticate to Azure AD you can push a policy to your
domain-joined devices to add the following URL to the Local Intranet zone in Internet Explorer:
https://device.login.microsoftonline.com
NOTE
This Group Policy template has been renamed from earlier versions of the Group Policy Management console. If you
are using an earlier version of the console, go to
Computer Configuration > Policies > Administrative Templates > Windows Components > Workplace Join >
Automatically workplace join client computers
.
Next steps
Introduction to device management in Azure Active Directory
Setting up on-premises conditional access by using
Azure Active Directory device registration
1/17/2018 • 10 min to read • Edit Online
When you require users to workplace-join their personal devices to the Azure Active Directory (Azure AD) device
registration service, their devices can be marked as known to your organization. Following is a step-by-step guide
for enabling conditional access to on-premises applications by using Active Directory Federation Services (AD FS) in
Windows Server 2012 R2.
NOTE
An Office 365 license or Azure AD Premium license is required when using devices that are registered in Azure Active
Directory device registration service conditional access policies. These include policies that are enforced by AD FS in on-
premises resources.
For more information about the conditional access scenarios for on-premises resources, see Join to workplace from any device
for SSO and seamless second-factor authentication across company applications.
These capabilities are available to customers who purchase an Azure Active Directory Premium license.
Supported devices
Windows 7 domain-joined devices
Windows 8.1 personal and domain-joined devices
iOS 6 and later for the Safari browser
Android 4.0 or later, Samsung GS3 or later phones, Samsung Galaxy Note 2 or later tablets
Scenario prerequisites
Subscription to Office 365 or Azure Active Directory Premium
An Azure Active Directory tenant
Windows Server Active Directory (Windows Server 2008 or later)
Updated schema in Windows Server 2012 R2
License for Azure Active Directory Premium
Windows Server 2012 R2 Federation Services, configured for SSO to Azure AD
Windows Server 2012 R2 Web Application Proxy
Microsoft Azure Active Directory Connect (Azure AD Connect) (Download Azure AD Connect)
Verified domain
Scenario assumptions
This scenario assumes that you have a hybrid environment consisting of an Azure AD tenant and an on-premises
Active Directory. These tenants should be connected with Azure AD Connect, with a verified domain, and with AD FS
for SSO. Use the following checklist to help you configure your environment according to the requirements.
TASK REFERENCE
Enable device registration in your Azure Active Directory Enable Azure Active Directory device registration
tenant to allow devices to join the workplace. By default, Azure
Multi-Factor Authentication is not enabled for the service.
However, we recommend that you use Multi-Factor
Authentication when you register a device. Before enabling
Multi-Factor Authentication in Active Directory registration
service, ensure that AD FS is configured for a Multi-Factor
Authentication provider.
Devices discover your Azure Active Directory device Configure Azure Active Directory device registration discovery
registration service by looking for well-known DNS records.
Configure your company DNS so that devices can discover
your Azure Active Directory device registration service.
Deploy Active Directory Domain Services with the Windows Upgrade your Active Directory Domain Services schema
Server 2012 R2 schema extensions. You do not need to
upgrade any of your domain controllers to Windows Server
2012 R2. The schema upgrade is the only requirement.
Devices discover your Azure Active Directory device Prepare your Active Directory support devices
registration service by looking for well-known DNS records.
Configure your company DNS so that devices can discover
your Azure Active Directory device registration service.
Part 3: Enable device writeback in Azure AD
TASK REFERENCE
Complete part two of "Enabling device writeback in Azure AD Enabling device writeback in Azure AD Connect
Connect." After you finish it, return to this guide.
Part 5: Verification
The deployment is now complete, and you can try out some scenarios. Use the following links to experiment with
the service and become familiar with its features.
TASK REFERENCE
Join some devices to your workplace by using Azure Active Join devices to your workplace using Azure Active Directory
Directory device registration service. You can join iOS, device registration service
Windows, and Android devices.
View and enable or disable registered devices by using the Azure Active Directory device registration service overview
administrator portal. In this task, you view some registered
devices by using the administrator portal.
Verify that device objects are written back from Azure Active Verify registered devices are written back to Active Directory
Directory to Windows Server Active Directory.
Now that users can register their devices, you can create Create an application access policy and custom access-denied
application access polices in AD FS that allow only registered message
devices. In this task, you create an application access rule and
a custom access-denied message.
1. Sign in to your domain controller with an account that has both enterprise administrator and schema
administrator rights.
2. Copy the [media]\support\adprep directory and subdirectories to one of your Active Directory domain
controllers (where [media] is the path to the Windows Server 2012 R2 installation media).
3. From a command prompt, go to the adprep directory and run adprep.exe /forestprep. Follow the onscreen
instructions to complete the schema upgrade.
https://enterpriseregistration.windows.net/enrollmentserver/otaprofile/"yourdomainname"
In this case, yourdomainname is the domain name that you configured with Azure Active Directory. For example, if
your domain name is contoso.com, the URL is as follows:
https://enterpriseregistration.windows.net/enrollmentserver/otaprofile/contoso.com
There are many different ways to communicate this URL to your users. For example, one method we recommend is
publishing this URL in a custom application access-denied message in AD FS. This information is covered in the
upcoming section Create an application access policy and custom access-denied message.
Join a Windows 8.1 device by using Azure Active Directory device registration
1. On your Windows 8.1 device, select PC Settings > Network > Workplace.
2. Enter your user name in UPN format; for example, dan@contoso.com.
3. Select Join.
4. When prompted, sign in with your credentials. The device is now joined.
Join a Windows 7 device by using Azure Active Directory device registration
To register Windows 7 domain-joined devices, you need to deploy the device registration software package.
For instructions about how to use the package, see Windows Installer packages for non-Windows 10 computers.
CN=RegisteredDevices,defaultNamingContext
NOTE
This section assumes that you have already configured a Relying Party Trust for your application in AD FS.
1. Open the AD FS MMC tool, and then select AD FS > Trust Relationships > Relying Party Trusts.
2. Locate the application to which this new access rule applies. Right-click the application, and then select Edit
Claim Rules.
3. Select the Issuance Authorization Rules tab, and then select Add Rule.
4. From the Claim rule template drop-down list, select Permit or Deny Users Based on an Incoming Claim.
Then select Next.
5. In the Claim rule name field, type Permit access from registered devices.
6. From the Incoming claim type drop-down list, select Is Registered User.
7. In the Incoming claim value field, type true.
8. Select the Permit access to users with this incoming claim radio button.
9. Select Finish, and then select Apply.
10. Remove any rules that are more permissive than the rule you created. For example, remove the default rule
Permit Access to all Users.
Your application is now configured to allow access only when the user is coming from a device that they registered
and joined to the workplace. For more advanced access polices, see Manage Risk with Additional Multi-Factor
Authentication for Sensitive Applications.
Next, you configure a custom error message for your application. The error message lets users know that they must
join their device to the workplace before they can access the application. You can create a custom application
access-denied message by using custom HTML and PowerShell.
On your federation server, open a PowerShell command window, and then type the following command. Replace
portions of the command with items that are specific to your system:
You must register your device before you can access this application.
If you are using an iOS device, select this link to join your device:
a href='https://enterpriseregistration.windows.net/enrollmentserver/otaprofile/yourdomain.com
With device management in Azure Active Directory (Azure AD), you can ensure that your users are accessing your
resources from devices that meet your standards for security and compliance. For more details, see the introduction
to device management in Azure Active Directory.
With Windows 10, You can join a new device to Azure AD during the first-run experience (FRX).
This enables you to distribute shrink-wrapped devices to your employees or students.
If you have either Windows 10 Professional or Windows 10 Enterprise installed on a device, the experience defaults
to the setup process for company-owned devices.
In the Windows out-of-box experience, joining an on-premises Active Directory (AD) domain is not supported. If
you plan to join a computer to an AD domain, during setup, you should select the link Set up Windows with a
local account. You can then join the domain from the settings on your computer.
Joining a device
To join a Windows 10 device to Azure AD during FRX:
1. When you turn on your new device and start the setup process, you should see the Getting Ready message.
Follow the prompts to set up your device.
2. Start by customizing your region and language. Then accept the Microsoft Software License Terms.
3. Select the network you want to use for connecting to the Internet.
4. Click This device belongs to my organization.
5. Enter the credentials that were provided to you by your organization, and then click Sign in.
6. You device locates a matching tenant in Azure AD. If you are in a federated domain, you are redirected to
your on-premises Secure Token Service (STS) server, for example, Active Directory Federation Services (AD
FS).
7. If you are a user in a non-federated domain, enter your credentials directly on the Azure AD-hosted page.
8. You are prompted for a multi-factor authentication challenge.
9. Azure AD checks whether an enrollment in mobile device management is required.
10. Windows registers the device in the organization’s directory in Azure AD and enrolls it in mobile device
management, if applicable.
11. If you are:
A managed user, Windows takes you to the desktop through the automatic sign-in process.
A federated user, you are directed to the Windows sign-in screen to enter your credentials.
Verification
To verify whether a device is joined to your Azure AD, review the Access work or school dialog on your Windows
device. The dialog should indicate that you are connected to your Azure AD directory.
Next steps
For more details, see the introduction to device management in Azure Active Directory.
For more details about managing devices in the Azure AD portal, see managing devices using the Azure
portal.
Troubleshooting hybrid Azure Active Directory joined
Windows 10 and Windows Server 2016 devices
12/11/2017 • 2 min to read • Edit Online
AzureAdJoined: YES
EnterpriseJoined: NO
DeviceId: 5820fbe9-60c8-43b0-bb11-44aee233e4e7
Thumbprint: B753A6679CE720451921302CA873794D94C6204A
KeyContainerId: bae6a60b-1d2f-4d2a-a298-33385f6d05e9
KeyProvider: Microsoft Platform Crypto Provider
TpmProtected: YES
KeySignTest: : MUST Run elevated to test.
Idp: login.windows.net
TenantId: 72b988bf-86f1-41af-91ab-2d7cd011db47
TenantName: Contoso
AuthCodeUrl: https://login.microsoftonline.com/msitsupp.microsoft.com/oauth2/authorize
AccessTokenUrl: https://login.microsoftonline.com/msitsupp.microsoft.com/oauth2/token
MdmUrl: https://enrollment.manage-beta.microsoft.com/EnrollmentServer/Discovery.svc
MdmTouUrl: https://portal.manage-beta.microsoft.com/TermsOfUse.aspx
dmComplianceUrl: https://portal.manage-beta.microsoft.com/?portalAction=Compliance
SettingsUrl:
eyJVcmlzIjpbImh0dHBzOi8va2FpbGFuaS5vbmUubWljcm9zb2Z0LmNvbS8iLCJodHRwczovL2thaWxhbmkxLm9uZS5taWNyb3NvZnQuY29tLyJ
dfQ==
JoinSrvVersion: 1.0
JoinSrvUrl: https://enterpriseregistration.windows.net/EnrollmentServer/device/
JoinSrvId: urn:ms-drs:enterpriseregistration.windows.net
KeySrvVersion: 1.0
KeySrvUrl: https://enterpriseregistration.windows.net/EnrollmentServer/key/
KeySrvId: urn:ms-drs:enterpriseregistration.windows.net
DomainJoined: YES
DomainName: CONTOSO
+----------------------------------------------------------------------+
| User State |
+----------------------------------------------------------------------+
NgcSet: YES
NgcKeyId: {C7A9AEDC-780E-4FDA-B200-1AE15561A46B}
WorkplaceJoined: NO
WamDefaultSet: YES
WamDefaultAuthority: organizations
WamDefaultId: https://login.microsoft.com
WamDefaultGUID: {B16898C6-A148-4967-9171-64D755DA8520} (AzureAd)
AzureAdPrt: YES
DomainJoined : YES
This field indicates whether the device is joined to an on-premises Active Directory or not. If the value is NO, the
device cannot perform a hybrid Azure AD join.
WorkplaceJoined : NO
This field indicates whether the device is registered with Azure AD as a personal device (marked as Workplace
Joined). This value should be NO for a domain-joined computer that is also hybrid Azure AD joined. If the value is
YES, a work or school account was added prior to the completion of the hybrid Azure AD join. In this case, the
account is ignored when using the Anniversary Update version of Windows 10 (1607).
Next steps
For questions, see the device management FAQ
Troubleshooting hybrid Azure Active Directory joined
down-level devices
12/11/2017 • 2 min to read • Edit Online
This command displays a dialog box that provides you with more details about the join status.
Step 2: Evaluate the hybrid Azure AD join status
If the hybrid Azure AD join was not successful, the dialog box provides you with details about the issue that has
occurred.
The most common issues are:
A misconfigured AD FS or Azure AD
Next steps
For questions, see the device management FAQ
Managing Applications with Azure Active Directory
1/16/2018 • 6 min to read • Edit Online
Beyond the actual workflow or content, businesses have two basic requirements for all applications:
1. To increase productivity, applications should be easy to discover and access
2. To enable security and governance, the organization needs control and oversight on who can and actually is
accessing each application
In the world of cloud applications this can best be achieved using identity to control “WHO is allowed to do WHAT”.
In computing terminology:
Who is known as identity - the management of users and groups
What is known as access management – the management of access to protected resources
Both components together are known as Identity and Access Management (IAM), which is defined by the Gartner
group as “the security discipline that enables the right individuals to access the right resources at the right times for
the right reasons”.
Okay, so what’s the problem? If IAM is not managed in one place with an integrated solution:
Identity administrators have to individually create and update user accounts in all applications separately, a
redundant and time consuming activity.
Users have to memorize multiple credentials to access the applications they need to work with. As a result, users
tend to write down their passwords or use other password management solutions which introduces other data
security risks.
Redundant, time consuming activities reduce the amount of time users and administrators are working on
business activities that increase your business’s bottom line.
So, what generally prevents organizations from adopting integrated IAM solutions?
Most technical solutions are based on software platforms that need to be deployed and adapted by each
organization for their own applications.
Cloud applications are often adopted at a higher rate than IT organization can integrate with existing IAM
solutions.
Security and monitoring tooling require additional customization and integration to achieve comprehensive E2E
scenarios.
Access detection
In modern enterprises, IT departments are often not aware of all the cloud applications that are being used. In
conjunction with Cloud App Discovery, Azure AD provides you with a solution to detect these applications.
Account management
Traditionally, managing accounts in the various applications is a manual process performed by IT or support
personal in the organization. Azure AD fully automated account management across all service provider integrated
applications and those applications pre-integrated by Microsoft supporting automated user provisioning or SAML
JIT.
Access management
Using Azure AD you can manage access to applications using individual or rule driven assignments. You can also
delegate access management to the right people in the organization ensuring the best oversight and reducing the
burden on helpdesk.
On-premises applications
The built in application proxy enables you to publish your on-premises applications to your users resulting in both
consistent access experience with modern cloud application and the benefits from Azure AD monitoring, reporting,
and security capabilities.
Related capabilities
With Azure AD you can secure your applications with granular access policies and pre-integrated MFA. To learn
more about Azure MFA see Azure MFA.
Getting started
To get started integrating applications with Azure AD, take a look at the Integrating Azure Active Directory with
applications getting started guide.
See also
Article Index for Application Management in Azure Active Directory
Integrating Azure Active Directory with applications
getting started guide
1/16/2018 • 3 min to read • Edit Online
Overview
This topic is intended to give you a roadmap for integrating applications with Azure Active Directory (AD). Each of
the sections below contain a brief summary of a more detailed topic so you can identify which parts of this getting
started guide are relevant to you. Follow the links for a deeper dive on each subject.
See also
Article Index for Application Management in Azure Active Directory
SaaS application integration with Azure Active
Directory
1/10/2018 • 4 min to read • Edit Online
To help integrate your cloud-enabled (SaaS) applications with Azure Active Directory, we have developed a
collection of tutorials that walk you through configuration.
Where we have user provisioning guidance, we have included an application tutorial for user provisioning in the
right column, next to the application tutorial.
For the comprehensive list of SaaS apps that have been pre-integrated into Azure AD, see the Active Directory
Marketplace.
SaaS tutorials
APPLICATION TUTORIAL FOR SINGLE SIGN- APPLICATION TUTORIAL FOR USER
LOGO ON PROVISIONING
&frankly
@Task
10,000ft Plans
123ContactForm
15Five
23 Video
360 Online
Abintegro
Absorb LMS
Accredible
Achieve3000
Adaptive Suite
Adobe EchoSign
ADP eTime
ADP GlobalView
Agiloft
Aha!
AirWatch
APPLICATION TUTORIAL FOR SINGLE SIGN- APPLICATION TUTORIAL FOR USER
LOGO ON PROVISIONING
Allocadia
Anaplan
AnswerHub
Apex Portal
AppBlade
AppDynamics
Apptio
Aravo
ArcGIS
Ariba
Asana
APPLICATION TUTORIAL FOR SINGLE SIGN- APPLICATION TUTORIAL FOR USER
LOGO ON PROVISIONING
ASC Contracts
Asset Bank
Atlassian Cloud
Atomic Learning
Autotask
Bamboo HR
BC in the Cloud
BeeLine
BenefitHub
Benefitsolver
BenSelect
BetterWorks
APPLICATION TUTORIAL FOR SINGLE SIGN- APPLICATION TUTORIAL FOR USER
LOGO ON PROVISIONING
BGS Online
Bime
Blackboard Learn
BlueJeans
Bonus.ly
Boomi
Bpm’online
Bridge
Brightspace by Desire2Learn
BritaBIZ
APPLICATION TUTORIAL FOR SINGLE SIGN- APPLICATION TUTORIAL FOR USER
LOGO ON PROVISIONING
Bynder
CA PPM
Canvas LMS
Capriza
Central Desktop
Certify
Cezanne HR Software
Cherwell
Chromeriver
Cimpl
Cisco Spark
APPLICATION TUTORIAL FOR SINGLE SIGN- APPLICATION TUTORIAL FOR USER
LOGO ON PROVISIONING
Cisco Webex
Citrix ShareFile
Clarizen
ClearCompany
Clear Review
Clever
ClickTime
CloudPassage
Collaborative Innovation
Communifire
Competency IQ
Compliance ELF
APPLICATION TUTORIAL FOR SINGLE SIGN- APPLICATION TUTORIAL FOR USER
LOGO ON PROVISIONING
Condeco
Convercent
Cornerstone OnDemand
Coupa
CS Stars
DATABASICS
Datahug
Dealpath
Degreed
Deputy
DigiCert
Direct
APPLICATION TUTORIAL FOR SINGLE SIGN- APPLICATION TUTORIAL FOR USER
LOGO ON PROVISIONING
Directions on Microsoft
Domo
Druva
EasyTerritory
Edcor
eDigitalResearch
Egnyte
eKincare
EmpCenter
APPLICATION TUTORIAL FOR SINGLE SIGN- APPLICATION TUTORIAL FOR USER
LOGO ON PROVISIONING
Encompass
Envoy
eTouches
EverBridge
Evernote
Evidence.com
Expensify
FactSet
Fieldglass
FileCloud
FilesAnywhere
Flatter Files
FM:Systems
Form.com
FreshDesk
FreshGrade
FreshService
Front
Fuse
Fuze
GaggleAMP
Gigya
GitHub
APPLICATION TUTORIAL FOR SINGLE SIGN- APPLICATION TUTORIAL FOR USER
LOGO ON PROVISIONING
Getabstract
Greenhouse
Grovo
HackerOne
Halogen Software
Halosys
HappyFox
Help Scout
Heroku
Hightail
HireVue
Hosted Graphite
APPLICATION TUTORIAL FOR SINGLE SIGN- APPLICATION TUTORIAL FOR USER
LOGO ON PROVISIONING
HPE SaaS
HR2day by Merces
Huddle
IBM OpenPages
ICIMS
IdeaScale
Igloo Software
iLMS
Image Relay
IMAGE WORKS
Inkling
Innotas
InsideView
Insperity ExpensAble
Intacct
InTime
Intralinks
IQNavigator VMS
iQualify LMS
IriusRisk
itslearning
APPLICATION TUTORIAL FOR SINGLE SIGN- APPLICATION TUTORIAL FOR USER
LOGO ON PROVISIONING
ITRP
Jitbit Helpdesk
Jobbadmin
Jobscience
JobScore
Jostle
Keylight
Kindling
Kintone
Kiteworks
Klue
KnowBe4
Kontiki
Kronos
Kudos
LCVista
Learning at Work
Learningpool
APPLICATION TUTORIAL FOR SINGLE SIGN- APPLICATION TUTORIAL FOR USER
LOGO ON PROVISIONING
LearnUpon
Lecorpio
Lesson.ly
Lifesize Cloud
LiquidFiles
Litmos
LogicMonitor
Lucidchart
Lynda.com
Marketo
APPLICATION TUTORIAL FOR SINGLE SIGN- APPLICATION TUTORIAL FOR USER
LOGO ON PROVISIONING
MaxxPoint
MCM
Menlo Security
Mercer BenefitsCentral
MerchLogix
M-Files
Mindflash
Mixpanel
MOBI
MobileIron
MobileXpense
APPLICATION TUTORIAL FOR SINGLE SIGN- APPLICATION TUTORIAL FOR USER
LOGO ON PROVISIONING
MOVEit Transfer
Moxi Engage
Moxtra
Mozy Enterprise
myPolicies
Namely
NetDocuments
New Relic
Nexonia
Nomadesk
APPLICATION TUTORIAL FOR SINGLE SIGN- APPLICATION TUTORIAL FOR USER
LOGO ON PROVISIONING
Nomadic
Novatus
O. C. Tanner - AppreciateHub
OfficeSpace Software
Oneteam
Onit
OnTrack
OpenAthens
OpsGenie
Optimizely
Origami
Overdrive Books
APPLICATION TUTORIAL FOR SINGLE SIGN- APPLICATION TUTORIAL FOR USER
LOGO ON PROVISIONING
Pacific Timesheet
Pagerduty
Panopto
Panorama9
Pantheon
Pega Systems
People
Peoplecart
PerformanceCentre
Picturepark
Pingboard
PlanMyLeave
APPLICATION TUTORIAL FOR SINGLE SIGN- APPLICATION TUTORIAL FOR USER
LOGO ON PROVISIONING
Pluralsight
PolicyStat
PostBeyond
Predictix Ordering
Printix
Procore SSO
Projectplace
Promapp
Proofpoint on Demand
PurelyHR
QPrism
Qualtrics
QuickHelp
Rally Software
RealtimeBoard
Recognize
RedVector
Reflektive
Replicon
Reward Gateway
RFPIO
RightAnswers
APPLICATION TUTORIAL FOR SINGLE SIGN- APPLICATION TUTORIAL FOR USER
LOGO ON PROVISIONING
RightScale
RolePoint
Rollbar
RunMyProcess
Samanage
SanSan
SAP HANA
SAP NetWeaver
ScaleX Enterprise
SCC LifeCycle
Schoox
Sciforma
ScreenSteps
SD Elements
SECURE DELIVER
ServiceChannel
ServiceNow
ShiftPlanning
Showpad
SimpleNexus
Skilljar
Skillport
Skills Manager
SkyDesk Email
Small Improvements
APPLICATION TUTORIAL FOR SINGLE SIGN- APPLICATION TUTORIAL FOR USER
LOGO ON PROVISIONING
SmartRecruiters
SmarterU
Softeon WMS
Soonr Workplace
SpaceIQ
SpringCM
Springer Link
Sprinklr
StatusPage
SuccessFactors
SugarCRM
SumoLogic
APPLICATION TUTORIAL FOR SINGLE SIGN- APPLICATION TUTORIAL FOR USER
LOGO ON PROVISIONING
SumTotalCentral
Syncplicity
Synergi
T&E Express
Tableau Online
Tableau Server
TalentLMS
Tango Analytics
TargetProcess
Teamphoria
TeamSeer
APPLICATION TUTORIAL FOR SINGLE SIGN- APPLICATION TUTORIAL FOR USER
LOGO ON PROVISIONING
Teamwork
TextMagic
ThirdLight
Thoughtworks Mingle
ThousandEyes
Tidemark
TimeLive
TimeOffManager
Tinfoil Security
TiViTz
TOPdesk - Public
APPLICATION TUTORIAL FOR SINGLE SIGN- APPLICATION TUTORIAL FOR USER
LOGO ON PROVISIONING
TOPdesk - Secure
Trakopolis
Trakstar
Trello
TurboRater
UltiPro
UNIFI
UserEcho
UserVoice
Velpic SAML
Veracode
Versal
APPLICATION TUTORIAL FOR SINGLE SIGN- APPLICATION TUTORIAL FOR USER
LOGO ON PROVISIONING
Vodeclic
Voyance
vxMaintain
Wdesk
Weekdone
Wikispaces
Wingspan eTMF
Work.com
Workfront
Workpath
APPLICATION TUTORIAL FOR SINGLE SIGN- APPLICATION TUTORIAL FOR USER
LOGO ON PROVISIONING
Workrite
WORKS MOBILE
Workstars
XaitPorter
xMatters OnDemand
Yardi eLearning
YouEarnedIt
Zendesk
ZIVVER
Zoho Mail
Zoom
Zscaler Beta
APPLICATION TUTORIAL FOR SINGLE SIGN- APPLICATION TUTORIAL FOR USER
LOGO ON PROVISIONING
Zscaler One
Zscaler Two
Zscaler ZSCloud
Zscaler
Related articles
Article Index for Application Management in Azure Active Directory
List of Tutorials on How to Integrate SaaS Apps
Set up Cloud App Discovery in Azure AD
12/12/2017 • 4 min to read • Edit Online
Cloud App Discovery in Azure AD is now based on integration with data available from Microsoft Cloud App
Security. To provide ongoing information on cloud use and shadow IT, Cloud App Discovery compares your traffic
logs to the Cloud App Security catalog of over 15,000 cloud apps. This article describes the setup process and
contains links to the detailed information for each step. It also describes firewall and proxy information and log file
support.
Prerequisites
Your organization must have an Azure AD Premium P1 license to use the product. For more information, see
Azure Active Directory pricing.
To set up Cloud App Discovery, you must be a Global Administrator or a Security Reader in Azure Active
Directory.
Setup steps
1. Set up snapshot reports to check your log format make sure your logs provide usable information to Cloud
App Discovery. They can also provide ad-hoc visibility into traffic logs you manually upload from your
firewalls and proxy servers.
2. Set up continuous reporting to analyze all logs that are forwarded from your network using the Cloud App
Security log collector. You can use them to identify new apps and usage trends.
3. If your logs are not currently supported, set up a custom log parser so that Cloud App Discovery can analyze
them.
NOTE
Continuous report data is analyzed twice a day.
The log collector compresses data before it is uploaded. The outbound traffic on the log collector is around 10% of the
size of the received traffic logs.
NOTE
Cloud App Discovery supports both IPv4 and IPv6 addresses.
If your log is not supported, select Other as the Data source and specify the device and log you are trying to
upload. Your log is reviewed by the Cloud App Security cloud analyst team. When support for your log type is
added we notify you, but instead, you can define a custom parser that matches your log format. For more
information, see Use a custom log parser.
Next steps
Use the following links to continue to set up Cloud App Discovery in Azure AD.
Create snapshot reports
Configure continuous reporting
Use a custom log parser
Create Cloud App Discovery snapshot reports
12/11/2017 • 1 min to read • Edit Online
Before setting up the automatic log collector, upload a log manually and let Cloud App Security parse it. If you
don't have a log yet and you want to see a sample of what your log should look like, use the procedure below to
download a sample log file to see what your log is supposed to look like.
6. Choose the traffic logs that you want to upload. You can upload up to 20 files at once. Compressed and
zipped files are also supported.
7. Click Create. After upload completes, it might take some time for them to be parsed and analyzed. If it does,
Cloud App Discovery sends an email notification when they're ready.
8. Select Manage snapshot reports and the select your snapshot report.
Next steps
Get started using Cloud App Discovery in Azure AD
Configure automatic log upload for continuous reporting
Use a custom log parser
Find unmanaged cloud applications with Cloud App
Discovery
1/9/2018 • 1 min to read • Edit Online
Summary
Cloud App Discovery in Azure Active Directory now provides an enhanced agentless discovery experience
powered by Microsoft Cloud App Security. To use Cloud App Discovery, just sign in with your Azure AD Premium
P1 credentials. This update is available at no additional cost to all Azure AD Premium P1 customers. Get started
with the article Set up Cloud App Discovery in Azure AD, then try out Microsoft Cloud App Security.
IMPORTANT
The current Azure AD Cloud App Discovery experience with agent-based discovery is to be turned off on March 5, 2018,
after which the agents will be disabled and data deleted. Please take action before March 5th to get up and running on the
new experience to avoid disruption of service.
How it works
1. Application usage agents are installed on user's computers.
2. The application usage information captured by the agents is sent over a secure, encrypted channel to the cloud
app discovery service.
3. The Cloud App Discovery service evaluates the data and generates reports.
Next steps
Cloud App Discovery Security and Privacy Considerations
Cloud App Discovery Registry Settings for Proxy Servers with Custom Ports
Cloud App Discovery Agent Changelog
Article Index for Application Management in Azure Active Directory
Cloud App Discovery Registry Settings for Proxy
Services
1/16/2018 • 1 min to read • Edit Online
The purpose of this topic is to tell you how to perform to set the required port on the computers running the Cloud
App Discovery agent. By default, the Cloud App Discovery agent is configured to use only the ports 80 or 443. If
you are planning on installing Cloud App Discovery in an environment with a proxy server that is using a custom
port (neither 80 nor 443), you need to configure your agents to use this port. The configuration is based on a
registry key.
TIP
Check out the improvements to the now agentless Cloud App Discovery in Azure Active Directory (Azure AD), which are
enhanced by integration with Microsoft Cloud App Security.
Modify the port used by the computer running the Cloud App
Discovery agent
80
8080
8118
8888
81
12080
6999
30606
31595
4080
443
1110
Next steps
How can I discover unsanctioned cloud apps that are used within my organization
Cloud App Discovery Security and Privacy
Considerations
1/16/2018 • 10 min to read • Edit Online
This topic explains how data is collected, processed, and secured within Azure Active Directory Cloud App
Discovery. Microsoft is committed to protecting your privacy and securing your data. Microsoft adheres to secure
software development lifecycle practices for operating a service. Securing and protecting data is a top priority at
Microsoft.
TIP
Check out the new agentless Cloud App Discovery in Azure Active Directory (Azure AD), which are enhanced by integration
with Microsoft Cloud App Security.
Overview
Cloud App Discovery is a feature of Azure AD and is hosted in Microsoft Azure.
The Cloud App Discovery endpoint agent is used to collect application discovery data from IT managed machines.
The collected data is sent securely over an encrypted channel to the Azure AD Cloud App Discovery service. The
Cloud App Discovery data for an organization is then visible in the Azure portal.
The following sections follow the secure flow of information from your organization to the Cloud App Discovery
service and ultimately to the Cloud App Discovery portal.
NOTE
The HTTP information above is collected for all non-encrypted connections. For TLS connections, this information is only
captured when the ‘Deep Inspection’ setting is turned on in the portal. The setting is ‘ON’ by default. For more details, see
below, and Getting Started With Cloud App Discovery
In addition to the data that the agent collects about the network activity, it also collects anonymous data about
Software and hardware configuration
Error reports
Data on how the agent is being used.
How the agent works
The agent installation includes two components:
A user-mode component
A kernel-mode driver component (Windows Filtering Platform driver)
When the agent is first installed it stores a machine-specific trusted certificate on the machine which it then uses to
establish a secure connection with the Cloud App Discovery service. The agent periodically retrieves policy
configuration from the Cloud App Discovery service over this secure connection. The policy includes information
about which cloud applications to monitor and whether auto-updating should be enabled, among other things.
As Web traffic is sent and received on the machine from Internet Explorer and Chrome, the Cloud App Discovery
agent analyzes the traffic and extracts the relevant metadata (see the Data collected by the agent section above).
Every minute, the agent uploads the collected metadata to the Cloud App Discovery service over an encrypted
channel.
The driver component intercepts the encrypted traffic and inserts itself into the encrypted stream. More details in
the Intercepting data from encrypted connections (Deep inspection) section below.
Respecting user privacy
Our goal is to provide administrators the tools to set the balance between detailed optics into application usage
and user privacy as appropriate for their organization. To that end, we provide the following knobs in the settings
page in the Portal:
Data Collection: Administrators can choose to specify which applications or application categories they want
to get discovery data on.
Deep Inspection: Administrators can chose to specify if the agent collects HTTP traffic for SSL/TLS connections
(aka 'Deep Inspection'). More on this in the next section.
Consent Options: Administrators can use the Cloud App Discovery portal to choose whether to notify users of
the data collection by the agent, and whether to require user consent before the agent starts collecting user
data.
The Cloud App Discovery endpoint agent only collects the information described in the Data collected by the
agent section above.
Intercepting data from encrypted connections (Deep inspection)
As we mentioned earlier, administrators can configure the agent to monitor data from encrypted connections
('deep inspection'). TLS (Transport Layer Security) is one of the most common protocols in use on the Internet
today. By encrypting communication with TLS, a client can establish a secure and private communication channel
with a web server; TLS provides essential protection for passing authentication credentials and prevent the
disclosure of sensitive information.
While the end-to-end secure encrypted channel provided by TLS enables important security and privacy protection,
the protocol is often abused for malicious or nefarious purposes. So much so, in fact, that TLS is often referred to as
the “universal firewall-bypass protocol”. The root of the problem is that most firewalls are unable to inspect TLS
communication because the application-layer data is encrypted with SSL. Knowing this, attackers frequently
leverage TLS to deliver malicious payloads to a user confident that even the most intelligent application-layer
firewalls are completely blind to TLS and must simply relay TLS communication between hosts. End users
frequently leverage TLS to bypass access controls enforced by their corporate firewalls and proxy servers, using it
to connect to public proxies and for tunneling non-TLS protocols through the firewall that might otherwise be
blocked by policy.
Deep inspection allows the Cloud App Discovery agent to act as a trusted man-in-the-middle. When a client request
is made to access an HTTPS protected resource, the Endpoint Agent driver intercepts the connection and
establishes a new connection to the destination server to retrieves its SSL certificate on behalf of the client. The
agent then verifies that the certificate can be trusted (by checking that it was not revoked, and performing other
certificate checks), and if these pass, the Endpoint Agent then copies the information from the server certificate and
creates its own server certificate -- known as an interception certificate -- using that information. The interception
certificate is signed on-the-fly by the endpoint agent with a root certificate, which is installed in the Windows
trusted certificate store. This self-signed root certificate is marked non-exportable and is ACL’d to administrators. It
is intended to never leave the machine on which it was created. When the end-user’s client application receives the
interception certificate, it will trust it because it can successfully validate the certificate chain all the way to the root
certificate. This process is mostly transparent from an end-user’s point of view with a few caveats as described
below.
By enabling deep inspection, the Cloud App Discovery Endpoint Agent can decrypt and inspect TLS encrypted
communications, allowing the service to reduce noise and provide insights about the usage of the encrypted cloud
apps.
A word of caution
Before turning on deep inspection, it is strongly suggested that you communicate your intentions to your legal and
HR departments and obtain their consent. Inspecting end user’s private encrypted communications can be a
sensitive subject, for obvious reasons. Before a production roll-out of deep inspection, make certain that your
corporate security and acceptable use policies have been updated to indicate that encrypted communication will be
inspected. User notification and exemption of sites deemed sensitive (e.g. banking and medical sites) may also be
necessary if you configure Cloud App Discovery to monitor them. As mentioned above, administrators can use the
Cloud App Discovery portal to choose whether to notify users of the data collection by the agent, and whether to
require user consent before the agent starts collecting user data.
Known issues and drawbacks
There are a few cases where TLS interception may impact the end user experience:
Extended Validation (EV) certificates render the address bar of the web browser green to act as a visual clue that
you are visiting a trusted web site. TLS inspection cannot duplicate EV in the certificate it issues to the client, so
web sites that use EV certificates will work normally but the address bar will not display green.
Public key pinning (also known as certificate pinning) are designed to help protect users from man-in-the-
middle attacks and rogue certificate authorities. When the root certificate for a pinned site does not match one
of the known good CA's, the browser rejects the connection with an error. Since TLS interception is, in fact, a
man-in-the-middle, these connections will fail.
If users click the lock icon in the browser address bar browser to inspect the site information, they will not see a
chain ending in the certificate authority used to sign the website certificate, but instead a certificate chain ending
with the Windows trusted certificate store.
To reduce the occurrences of these issues, we keep track of cloud services and client applications known to use
extended validation or public key pinning and instruct the Endpoint Agent to avoid intercepting impacted
connections. Even in these cases, however, you will still receive reports of the use of these cloud apps and the
volume of data being transferred, but since they are not deep inspected, no details about how the apps were used
will be available.
NOTE
For more details, see Getting Started With Cloud App Discovery
Any user accessing the data in the portal, must be licensed with an Azure AD Premium license.
Additional Resources
How can I discover unsanctioned cloud apps that are used within my organization
Article Index for Application Management in Azure Active Directory
How to provide secure remote access to on-premises
applications
1/4/2018 • 5 min to read • Edit Online
Employees today want to be productive at any place, at any time, and from any device. They want to work on their
own devices, whether they be tablets, phones, or laptops. And they expect to be able to access all their
applications, both SaaS apps in the cloud and corporate apps on-premises. Providing access to on-premises
applications has traditionally involved virtual private networks (VPNs) or demilitarized zones (DMZs). Not only are
these solutions complex and hard to make secure, but they are costly to set up and manage.
There is a better way!
A modern workforce in the mobile-first, cloud-first world needs a modern remote access solution. Azure AD
Application Proxy is a feature of Azure Active Directory that offers remote access as a service. That means it's easy
to deploy, use, and manage.
NOTE
To learn if specific features are supported by your license type, check the Azure Active Directory Pricing information page.
1. The user accesses the application through the Application Proxy service and is directed to the Azure AD sign-in
page to authenticate.
2. After a successful sign-in, a token is generated and sent to the client device.
3. The client sends the token to the Application Proxy service, which retrieves the user principal name (UPN) and
security principal name (SPN) from the token, then directs the request to the Application Proxy connector.
4. If you have configured single sign-on, the connector performs any additional authentication required on behalf
of the user.
5. The connector sends the request to the on-premises application.
6. The response is sent through Application Proxy service and connector to the user.
Single sign-on
Azure AD Application Proxy provides single sign-on (SSO) to applications that use Integrated Windows
Authentication (IWA), or claims-aware applications. If your application uses IWA, Application Proxy impersonates
the user using Kerberos Constrained Delegation to provide SSO. If you have a claims-aware application that trusts
Azure Active Directory, SSO works because the user was already authenticated by Azure AD.
For more information about Kerberos, see All you want to know about Kerberos Constrained Delegation (KCD).
Managing apps
Once your app is published with Application Proxy, you can manage it like any other enterprise app in the Azure
portal. You can use Azure Active Directory security features like conditional access and two-step verification,
control user permissions, and customize the branding for your app.
Get started
Before you configure Application Proxy, make sure you have a supported Azure Active Directory edition and an
Azure AD directory for which you are a global administrator.
Get started with Application Proxy in two steps:
1. Enable Application Proxy and configure the connector.
2. Publish applications - use the quick and easy wizard to get your on-premises apps published and accessible
remotely.
What's next?
Once you publish your first app, there's a lot more you can do with Application Proxy:
Enable single-sign on
Publish applications using your own domain name
Learn about Azure AD Application Proxy connectors
Working with existing on-premises Proxy servers
Set a custom home page
For the latest news and updates, check out the Application Proxy blog
Get started with Application Proxy and install the
connector
12/11/2017 • 4 min to read • Edit Online
This article walks you through the steps to enable Microsoft Azure AD Application Proxy for your cloud directory
in Azure AD.
If you're not yet aware of the security and productivity benefits Application Proxy brings to your organization,
learn more about How to provide secure remote access to on-premises applications.
If your firewall enforces traffic according to originating users, open these ports for traffic from Windows
services that run as a Network Service.
IMPORTANT
The table reflects the port requirements for connector versions 1.5.132.0 and newer. If you still have an older
connector version, you also need to enable the following ports in addition to 80 and 443: 5671, 8080, 9090-9091,
9350, 9352, 10100–10120.
For information about updating your connectors to the newest version, see Understand Azure AD Application
Proxy connectors.
2. If your firewall or proxy allows DNS whitelisting, you can whitelist connections to msappproxy.net and
servicebus.windows.net. If not, you need to allow access to the Azure DataCenter IP ranges, which are
updated each week.
3. Microsoft uses four addresses to verify certificates. Allow access to the following URLs if you haven't done
so for other products:
mscrl.microsoft.com:80
crl.microsoft.com:80
ocsp.msocsp.com:80
www.microsoft.com:80
4. Your connector needs access to login.windows.net and login.microsoftonline.com for the registration
process.
5. Use the Azure AD Application Proxy Connector Ports Test Tool to verify that your connector can reach the
Application Proxy service. At a minimum, make sure that the Central US region and the region closest to
you have all green checkmarks. Beyond that, more green checkmarks means greater resiliency.
For information about connectors and how they stay up to date, see Understand Azure AD Application Proxy
connectors.
Next steps
You are now ready to Publish applications with Application Proxy.
If you have applications that are on separate networks or different locations, use connector groups to organize
the different connectors into logical units. Learn more about Working with Application Proxy connectors.
Publish applications using Azure AD Application
Proxy
1/4/2018 • 3 min to read • Edit Online
Azure Active Directory (AD) Application Proxy helps you support remote workers by publishing on-premises
applications to be accessed over the internet. You can publish these applications through the Azure portal to
provide secure remote access from outside your network.
This article walks you through the steps to publish an on-premises app with Application Proxy. After you complete
this article, your users will be able to access your app remotely. And you'll be ready to configure extra features for
the application like single sign-on, personalized information, and security requirements.
If you're new to Application Proxy, learn more about this feature with the article How to provide secure remote
access to on-premises applications.
TIP
If you're testing out Application Proxy for the first time, choose an application that's set up for password-based
authentication. Application Proxy supports other types of authentication, but password-based apps are the easiest to get up
and running quickly.
External URL: The address your users will go to in order to access the app from outside your
network. If you don't want to use the default Application Proxy domain, read about custom domains
in Azure AD Application Proxy.
Pre Authentication: How Application Proxy verifies users before giving them access to your
application.
Azure Active Directory: Application Proxy redirects users to sign in with Azure AD, which
authenticates their permissions for the directory and application. We recommend keeping this
option as the default, so that you can take advantage of Azure AD security features like
conditional access and Multi-Factor Authentication.
Passthrough: Users don't have to authenticate against Azure Active Directory to access the
application. You can still set up authentication requirements on the backend.
Connector Group: Connectors process the remote access to your application, and connector groups
help you organize connectors and apps by region, network, or purpose. If you don't have any connector
groups created yet, your app is assigned to Default.
5. If necessary, configure additional settings. For most applications, you should keep these settings in their
default states.
Backend Application Timeout: Set this value to Long only if your application is slow to authenticate
and connect.
Translate URLs in Headers: Keep this value as Yes unless your application required the original host
header in the authentication request.
Translate URLs in Application Body: Keep this value as No unless you have hardcoded HTML links to
other on-premises applications, and don't use custom domains. For more information, see Link
translation with Application Proxy.
6. Select Add.
3. On the Add assignment blade, select Users and groups then choose the account you want to add.
4. Select Assign.
When you publish an application through Azure Active Directory Application Proxy, you create an external URL for
your users to go to when they're working remotely. This URL gets the default domain yourtenant.msappproxy.net.
For example, if you published an app named Expenses and your tenant is named Contoso, then the external URL
would be https://expenses-contoso.msappproxy.net. If you want to use your own domain name, configure a
custom domain for your application.
We recommend that you set up custom domains for your applications whenever possible. Some of the benefits of
custom domains include:
Your users can get to the application with the same URL, whether they are working inside or outside of your
network.
If all of your applications have the same internal and external URLs, then links in one application that point to
another continue to work even outside the corporate network.
You control your branding, and create the URLs you want.
If you already uploaded a certificate for this domain, the Certificate field displays the certificate information.
7. Upload the PFX certificate and enter the password for the certificate.
8. Select Save to save your changes.
9. Add a DNS record that redirects the new external URL to the msappproxy.net domain.
TIP
You only need to upload one certificate per custom domain. Once you upload a certificate, you can choose the custom
domain when you publish a new app and not have to do additional configuration except for the DNS record.
Manage certificates
Certificate format
There is no restriction on the certificate signature methods. Elliptic Curve Cryptography (ECC), Subject Alternative
Name (SAN), and other common certificate types are all supported.
You can use a wildcard certificate as long as the wildcard matches the desired external URL.
Changing the domain
All verified domains appear in the External URL dropdown list for your application. To change the domain, just
update that field for the application. If the domain you want isn't in the list, add it as a verified domain. If you
select a domain that doesn't have an associated certificate yet, follow steps 5-7 to add the certificate. Then, make
sure you update the DNS record to redirect from the new external URL.
Certificate management
You can use the same certificate for multiple applications unless the applications share an external host.
You get a warning when a certificate expires, telling you to upload another certificate through the portal. If the
certificate is revoked, your users may see a security warning when accessing the application. We don’t perform
revocation checks for certificates. To update the certificate for a given application, navigate to the application and
follow steps 5-7 for configuring custom domains on published applications to upload a new certificate. If the old
certificate is not being used by other applications, it is deleted automatically.
Currently all certificate management is through individual application pages so you need to manage certificates in
the context of the relevant applications.
Next steps
Enable single sign-on to your published apps with Azure AD authentication.
Enable conditional access to your published apps.
Add your custom domain name to Azure AD
How does Azure AD Application Proxy provide single
sign-on?
1/4/2018 • 3 min to read • Edit Online
Single sign-on is a key element of Azure AD Application Proxy. It provides the best user experience because your
users only have to sign in to Azure Active Directory in the cloud. Once they authenticate to Azure Active Directory,
the Application Proxy connector handles the authentication to the on-premises application. The backend
application can't tell the difference between a remote user signing in through Application Proxy and a regular use
on a domain-joined device.
To use Azure Active Directory for single sign-on to your applications, you need to select Azure Active Directory
as the pre-authentication method. If you select Passthrough then your users don't authenticate to Azure Active
Directory at all, but are directed straight to the application. You can configure this setting when you first publish an
application, or navigate to your application in the Azure portal and edit the Application Proxy settings.
To see your single sign-on options, follow these steps:
1. Sign in to the Azure portal.
2. Navigate to Azure Active Directory > Enterprise applications > All applications.
3. Select the app whose single sign-on options you want to manage.
4. Select Single sign-on.
The dropdown menu shows five options for single sign-on to your application:
Azure AD single sign-on disabled
Password-based sign-on
Linked sign-on
Integrated Windows Authentication
Header-based sign-on
Password-based sign-on
If you want to use Azure Active Directory as a password vault for your on-premises applications, choose
Password-based sign-on. This option is a good choice if your application authenticates with a
username/password combo instead of access tokens or headers. With password-based sign-on, your users need to
sign in to the application the first time they access it. After that, Azure Active Directory supplies the username and
password on behalf of the user.
For information about setting up password-based sign-on, see Password vaulting for single sign-on with
Application Proxy.
Linked sign-on
If you already have a single sign-on solution set up for your on-premises identities, choose Linked sign-on. This
option enables Azure Active Directory to leverage existing SSO solutions, but still gives your users remote access
to the application.
For information about linked sign-on (formally known as existing single sign-on), see What is application access
and single sign-on with Azure Active Directory?.
Header-based sign-on
If your applications use headers for authentication, choose Header-based sign-on. With this option, your users
only need to authentication the Azure Active Directory. Microsoft partners with a third-party authentication service
called PingAccess, which translated the Azure Active Directory access token into a header format for the
application.
For information about setting up header-based authentication, see Header-based authentication for single sign-on
with Application Proxy.
Next steps
Password vaulting for single sign-on with Application Proxy
Kerberos Constrained Delegation for single sign-on with Application Proxy
Header-based authentication for single sign-on with Application Proxy
Kerberos Constrained Delegation for single sign-on
to your apps with Application Proxy
1/4/2018 • 6 min to read • Edit Online
You can provide single sign-on for on-premises applications published through Application Proxy that are
secured with Integrated Windows Authentication. These applications require a Kerberos ticket for access.
Application Proxy uses Kerberos Constrained Delegation (KCD) to support these applications.
You can enable single sign-on to your applications using Integrated Windows Authentication (IWA) by giving
Application Proxy connectors permission in Active Directory to impersonate users. The connectors use this
permission to send and receive tokens on their behalf.
1. The user enters the URL to access the on-prem application through Application Proxy.
2. Application Proxy redirects the request to Azure AD authentication services to preauthenticate. At this point,
Azure AD applies any applicable authentication and authorization policies, such as multifactor authentication.
If the user is validated, Azure AD creates a token and sends it to the user.
3. The user passes the token to Application Proxy.
4. Application Proxy validates the token and retrieves the User Principal Name (UPN) from it, and then sends the
request, the UPN, and the Service Principal Name (SPN) to the Connector through a dually authenticated
secure channel.
5. The Connector performs Kerberos Constrained Delegation (KCD) negotiation with the on-prem AD,
impersonating the user to get a Kerberos token to the application.
6. Active Directory sends the Kerberos token for the application to the Connector.
7. The Connector sends the original request to the application server, using the Kerberos token it received from
AD.
8. The application sends the response to the Connector, which is then returned to the Application Proxy service
and finally to the user.
Prerequisites
Before you get started with single sign-on for IWA applications, make sure your environment is ready with the
following settings and configurations:
Your apps, like SharePoint Web apps, are set to use Integrated Windows Authentication. For more information,
see Enable Support for Kerberos Authentication, or for SharePoint see Plan for Kerberos authentication in
SharePoint 2013.
All your apps have Service Principal Names.
The server running the Connector and the server running the app are domain joined and part of the same
domain or trusting domains. For more information on domain join, see Join a Computer to a Domain.
The server running the Connector has access to read the TokenGroupsGlobalAndUniversal attribute for users.
This default setting might have been impacted by security hardening the environment.
Configure Active Directory
The Active Directory configuration varies, depending on whether your Application Proxy connector and the
application server are in the same domain or not.
Connector and application server in the same domain
1. In Active Directory, go to Tools > Users and Computers.
2. Select the server running the connector.
3. Right-click and select Properties > Delegation.
4. Select Trust this computer for delegation to specified services only.
5. Under Services to which this account can present delegated credentials add the value for the SPN
identity of the application server. This enables the Application Proxy Connector to impersonate users in AD
against the applications defined in the list.
Sharepointserviceaccount can be the SPS machine account or a service account under which the SPS app pool is
running.
If delegated login identity is used, the value might not be unique across all the domains or forests in your
organization. You can avoid this issue by publishing these applications twice using two different Connector
groups. Since each application has a different user audience, you can join its Connectors to a different domain.
Configure SSO for different identities
1. Configure Azure AD Connect settings so the main identity is the email address (mail). This is done as part of
the customize process, by changing the User Principal Name field in the sync settings. These settings also
determine how users log in to Office365, Windows10 devices, and other applications that use Azure AD as
their identity store.
2. In the Application Configuration settings for the application you would like to modify, select the
Delegated Login Identity to be used:
User Principal Name (for example, joe@contoso.com)
Alternate User Principal Name (for example, joed@contoso.local)
Username part of User Principal Name (for example, joe)
Username part of Alternate User Principal Name (for example, joed)
On-premises SAM account name (depends on the domain controller configuration)
Troubleshooting SSO for different identities
If there is an error in the SSO process, it appears in the connector machine event log as explained in
Troubleshooting. But, in some cases, the request is successfully sent to the backend application while this
application replies in various other HTTP responses. Troubleshooting these cases should start by examining event
number 24029 on the connector machine in the Application Proxy session event log. The user identity that was
used for delegation appears in the “user” field within the event details. To turn on session log, select Show
analytic and debug logs in the event viewer view menu.
Next steps
How to configure an Application Proxy application to use Kerberos Constrained Delegation
Troubleshoot issues you're having with Application Proxy
For the latest news and updates, check out the Application Proxy blog
Header-based authentication for single sign-on with
Application Proxy and PingAccess
1/4/2018 • 7 min to read • Edit Online
Azure Active Directory Application Proxy and PingAccess have partnered together to provide Azure Active
Directory customers with access to even more applications. PingAccess expands the existing Application Proxy
offerings to include single sign-on access to applications that use headers for authentication.
NOTE
Since this scenario is a partnership between Azure AD and PingAccess, some of the instructions exist on the Ping Identity
site.
4. Downloading the connector should automatically enable Application Proxy for your directory, but if not you
can select Enable Application Proxy.
Add your app to Azure AD with Application Proxy
There are two actions you need to take in the Azure portal. First, you need to publish your application with
Application Proxy. Then, you need to collect some information about the app that you can use during the
PingAccess steps.
Follow these steps to publish your app. For a more detailed walkthrough of steps 1-8, see Publish applications
using Azure AD Application Proxy.
1. If you didn't in the last section, sign in to the Azure portal as a global administrator.
2. Select Azure Active Directory > Enterprise applications.
3. Select Add at the top of the blade.
4. Select On-premises application.
5. Fill out the required fields with information about your new app. Use the following guidance for the settings:
Internal URL: Normally you provide the URL that takes you to the app’s sign in page when you’re on
the corporate network. For this scenario the connector needs to treat the PingAccess proxy as the
front page of the app. Use this format: https://<host name of your PA server>:<port> . The port is
3000 by default, but you can configure it in PingAccess.
WARNING
For this type of SSO, the internal URL must use https and cannot use http.
6. Select Add at the bottom of the blade. Your application is added, and the quick start menu opens.
7. In the quick start menu, select Assign a user for testing, and add at least one user to the application. Make
sure this test account has access to the on-premises application.
8. Select Assign to save the test user assignment.
9. On the app management blade, select Single sign-on.
10. Choose Header-based sign-on from the drop-down menu. Select Save.
TIP
If this is your first time using header-based single sign-on, you need to install PingAccess. To make sure your Azure
subscription is automatically associated with your PingAccess installation, use the link on this single sign-on page to
download PingAccess. You can open the download site now, or come back to this page later.
11. Close the Enterprise applications blade or scroll all the way to the left to return to the Azure Active Directory
menu.
12. Select App registrations.
13. Select the app you just added, then Reply URLs.
14. Check to see if the external URL that you assigned to your app in step 5 is in the Reply URLs list. If it’s not,
add it now.
15. On the app settings blade, select Required permissions.
16. Select Add. For the API, choose Windows Azure Active Directory, then Select. For the permissions,
choose Read and write all applications and Sign in and read user profile, then Select and Done.
4. Create a key by entering a key description and choosing an expiration date from the drop-down menu.
5. Select Save. A GUID appears in the Value field.
Save this value now, as you won’t be able to see it again after you close this window.
6. Close the App registrations blade or scroll all the way to the left to return to the Azure Active Directory
menu.
7. Select Properties.
8. Save the Directory ID GUID.
Optional - Update GraphAPI to send custom fields
For a list of security tokens that Azure AD sends for authentication, see Azure AD token reference. If you need a
custom claim that sends other tokens, use Graph Explorer or the manifest for the application in the Azure Portal to
set the app field acceptMappedClaims to True.
This example uses Graph Explorer:
PATCH https://graph.windows.net/myorganization/applications/<object_id_GUID_of_your_application>
{
"acceptMappedClaims":true
}
This example uses the Azure portal to udpate the acceptedMappedClaims field:
1. Sign in to the Azure portal as a global administrator.
2. Select Azure Active Directory > App registrations.
3. Select your application > Manifest.
4. Select Edit, search for the acceptedMappedClaims field and change the value to true.
5. Select Save.
NOTE
To use a custom claim, you must also have a custom policy defined and assigned to the application. This policy should
include all required custom attributes.
Policy definition and assignment can be done through PowerShell, Azure AD Graph Explorer, or MS Graph. If you are doing
this in PowerShell, you may need to first use New-AzureADPolicy and then assign it to the application with
Set-AzureADServicePrincipalPolicy . For more information see the Azure AD Policy documentation.
Next steps
Configure PingAccess for Azure AD
How does Azure AD Application Proxy provide single sign-on?
Troubleshoot Application Proxy
Password vaulting for single sign-on with Application
Proxy
1/4/2018 • 1 min to read • Edit Online
Azure Active Directory Application Proxy helps you improve productivity by publishing on-premises applications
so that remote employees can securely access them, too. In the Azure portal, you can also set up single sign-on
(SSO) to these apps. Your users only need to authenticate with Azure AD, and they can access your enterprise
application without having to sign in again.
Application Proxy supports several single sign-on modes. Password-based sign-on is intended for applications that
use a username/password combination for authentication. When you configure password-based sign-on for your
application, your users have to sign in to the on-premises application once. After that, Azure Active Directory stores
the sign-in information and automatically provides it to the application when your users access it remotely.
You should already have published and tested your app with Application Proxy. If not, follow the steps in Publish
applications using Azure AD Application Proxy then come back here.
Next steps
Read about other ways to implement Single sign-on with Application Proxy
Learn about Security considerations for accessing apps remotely with Azure AD Application Proxy
Understand Azure AD Application Proxy connectors
12/11/2017 • 10 min to read • Edit Online
Connectors are what make Azure AD Application Proxy possible. They are simple, easy to deploy and maintain,
and super powerful. This article discusses what connectors are, how they work, and some suggestions for how to
optimize your deployment.
Maintenance
The connectors and the service take care of all the high availability tasks. They can be added or removed
dynamically. Each time a new request arrives it is routed to one of the connectors that is currently available. If a
connector is temporarily not available, it doesn't respond to this traffic.
The connectors are stateless and have no configuration data on the machine. The only data they store is the
settings for connecting the service and its authentication certificate. When they connect to the service, they pull all
the required configuration data and refresh it every couple of minutes.
Connectors also poll the server to find out whether there is a newer version of the connector. If one is found, the
connectors update themselves.
You can monitor your connectors from the machine they are running on, using either the event log and
performance counters. Or you can view their status from the Application Proxy page of the Azure portal:
You don't have to manually delete connectors that are unused. When a connector is running, it remains active as
it connects to the service. Unused connectors are tagged as inactive and are removed after 10 days of inactivity. If
you do want to uninstall a connector, though, uninstall both the Connector service and the Updater service from
the server. Restart your computer to fully remove the service.
Automatic updates
Azure AD provides automatic updates for all the connectors that you deploy. As long as the Application Proxy
Connector Updater service is running, your connectors update automatically. If you don’t see the Connector
Updater service on your server, you need to reinstall your connector to get any updates.
If you don't want to wait for an automatic update to come to your connector, you can perform a manual upgrade.
Go to the connector download page on the server where your connector is located and select Download. This
process kicks off an upgrade for the local connector.
For tenants with multiple connectors, the automatic updates target one connector at a time in each group to
prevent downtime in your environment.
You may experience downtime when your connector updates if:
You only have one connector. To avoid this downtime and improve high availability, we recommend you
install a second connector and create a connector group.
A connector was in the middle of a transaction when the update began. Although the initial transaction is lost,
your browser should automatically retry the operation or you can refresh your page. When the request is
resent, the traffic is routed to a backup connector.
Capacity Planning
While connectors will automatically load balance within a connector group, it is also important to make sure you
have planned enough capacity between connectors to handle the expected traffic volume. In general, the more
users you have, the larger a machine you will need. Below is a table giving an outline of the volume different
machines can handle. Please note it is all based on expected Transactions Per Second (TPS) rather than by user
since usage patterns vary and cannot be used to predict load. Also note that there will be some differences based
on the size of the responses and the backend application response time - larger response sizes and slower
response times will result in a lower Max TPS.
2 8 325 586
4 16 320 1150
8 32 270 1190
CORES RAM EXPECTED LATENCY (MS)-P99 MAX TPS
16 64 245 1200*
* This machine had a connection limit of 800. For all other machines we used the default 200 connection limit.
NOTE
There is not much difference in the maximum TPS between 4, 8, and 16 core machines. The main difference between those
is in the expected latency.
Domain joining
Connectors can run on a machine that is not domain-joined. However, if you want single sign-on (SSO) to
applications that use Integrated Windows Authentication (IWA), you need a domain-joined machine. In this case,
the connector machines must be joined to a domain that can perform Kerberos Constrained Delegation on behalf
of the users for the published applications.
Connectors can also be joined to domains or forests that have a partial trust, or to read-only domain controllers.
Connector authentication
To provide a secure service, connectors have to authenticate toward the service, and the service has to
authenticate toward the connector. This authentication is done using client and server certificates when the
connectors initiate the connection. This way the administrator’s username and password are not stored on the
connector machine.
The certificates used are specific to the Application Proxy service. They get created during the initial registration
and are automatically renewed by the connectors every couple of months.
If a connector is not connected to the service for several months, its certificates may be outdated. In this case,
uninstall and reinstall the connector to trigger registration. You can run the following PowerShell commands:
Import-module AppProxyPSModule
Register-AppProxyConnector
Under the hood
Connectors are based on Windows Server Web Application Proxy, so they have most of the same management
tools including Windows Event Logs
The connectors have both admin and session logs. The admin logs include key events and their errors. The
session logs include all the transactions and their processing details.
To see the logs, go to the Event Viewer, open the View menu, and enable Show analytic and debug logs. Then,
enable them to start collecting events. These logs do not appear in Web Application Proxy in Windows Server
2012 R2, as the connectors are based on a more recent version.
You can examine the state of the service in the Services window. The connector comprises two Windows Services:
the actual connector, and the updater. Both of them must run all the time.
Next steps
Publish applications on separate networks and locations using connector groups
Work with existing on-premises proxy servers
Troubleshoot Application Proxy and connector errors
How to silently install the Azure AD Application Proxy Connector
Security considerations for accessing apps remotely
with Azure AD Application Proxy
1/4/2018 • 8 min to read • Edit Online
This article explains the components that work to keep your users and applications safe when you use Azure Active
Directory Application Proxy.
The following diagram shows how Azure AD enables secure remote access to your on-premises applications.
Security benefits
Azure AD Application Proxy offers the following security benefits:
Authenticated access
If you choose to use Azure Active Directory preauthentication, then only authenticated connections can access your
network.
Azure AD Application Proxy relies on the Azure AD security token service (STS) for all authentication.
Preauthentication, by its very nature, blocks a significant number of anonymous attacks, because only
authenticated identities can access the back-end application.
If you choose Passthrough as your preauthentication method, you don't get this benefit.
Conditional access
Apply richer policy controls before connections to your network are established.
With conditional access, you can define restrictions on what traffic is allowed to access your back-end applications.
You can create policies that restrict sign-ins based on location, strength of authentication, and user risk profile.
You can also use conditional access to configure Multi-Factor Authentication policies, adding another layer of
security to your user authentications.
Traffic termination
All traffic is terminated in the cloud.
Because Azure AD Application Proxy is a reverse-proxy, all traffic to back-end applications is terminated at the
service. The session can get reestablished only with the back-end server, which means that your back-end servers
are not exposed to direct HTTP traffic. This configuration means that you are better protected from targeted attacks.
All access is outbound
You don't need to open inbound connections to the corporate network.
Application Proxy connectors only use outbound connections to the Azure AD Application Proxy service, which
means that there is no need to open firewall ports for incoming connections. Traditional proxies required a
perimeter network (also known as DMZ, demilitarized zone, or screened subnet) and allowed access to
unauthenticated connections at the network edge. This scenario required investments in web application firewall
products to analyze traffic and protect the environment. With Application Proxy, you don't need a perimeter
network because all connections are outbound and take place over a secure channel.
For more information about connectors, see Understand Azure AD Application Proxy connectors.
Cloud-scale analytics and machine learning
Get cutting-edge security protection.
Because it's part of Azure Active Directory, Application Proxy can leverage Azure AD Identity Protection, with data
from the Microsoft Security Response Center and Digital Crimes Unit. Together we proactively identify
compromised accounts and offer protection from high-risk sign-ins. We take into account numerous factors to
determine which sign-in attemps are high risk. These factors include flagging infected devices, anonymizing
networks, and atypical or unlikely locations.
Many of these reports and events are already available through an API for integration with your security
information and event management (SIEM) systems.
Remote access as a service
You don’t have to worry about maintaining and patching on-premises servers.
Unpatched software still accounts for a large number of attacks. Azure AD Application Proxy is an Internet-scale
service that Microsoft owns, so you always get the latest security patches and upgrades.
To improve the security of applications published by Azure AD Application Proxy, we block web crawler robots
from indexing and archiving your applications. Each time a web crawler robot tries to retrieve the robot's settings
for a published app, Application Proxy replies with a robots.txt file that includes User-agent: * Disallow: / .
DDOS prevention
Applications published through Application Proxy are protected against Distributed Denial of Service (DDOS)
attacks.
The Application Proxy service monitors the amount of traffic attempting to reach your applications and network. If
the number of devices requesting remote access to your applications spikes, Microsoft throttles access to your
network.
Microsoft watches traffic patterns for individual applications and for your subscription as a whole. If one
application receives higher than normal requests, then requests to access that application are denied for a short
period of time. If you receive higher than normal requests across your whole subscription, then requests to access
any of your apps are denied. This preventative measure keeps your application servers from being overloaded by
remote access requests, so that your on-premises users can keep accessing their apps.
NOTE
All communications occur over SSL, and they always originate at the connector to the Application Proxy service. The service is
outbound only.
The connector uses a client certificate to authenticate to the Application Proxy service for nearly all calls. The only
exception to this process is the initial setup step, where the client certificate is established.
Installing the connector
When the connector is first set up, the following flow events take place:
1. The connector registration to the service happens as part of the installation of the connector. Users are
prompted to enter their Azure AD admin credentials. The token acquired from this authentication is then
presented to the Azure AD Application Proxy service.
2. The Application Proxy service evaluates the token. It checks whether the user is a company administrator in the
tenant. If the user is not an administrator, the process is terminated.
3. The connector generates a client certificate request and passes it, along with the token, to the Application Proxy
service. The service in turn verifies the token and signs the client certificate request.
4. The connector uses the client certificate for future communication with the Application Proxy service.
5. The connector performs an initial pull of the system configuration data from the service using its client
certificate, and it is now ready to take requests.
Updating the configuration settings
Whenever the Application Proxy service updates the configuration settings, the following flow events take place:
1. The connector connects to the configuration endpoint within the Application Proxy service by using its client
certificate.
2. After the client certificate is validated, the Application Proxy service returns configuration data to the connector
(for example, the connector group that the connector should be part of).
3. If the current certificate is more than 180 days old, the connector generates a new certificate request, which
effectively updates the client certificate every 180 days.
Accessing published applications
When users access a published application, the following events take place between the Application Proxy service
and the Application Proxy connector:
1. The service authenticates the user for the app
2. The service places a request in the connector queue
3. A connector processes the request from the queue
4. The connector waits for a response
5. The service streams data to the user
To learn more about what takes place in each of these steps, keep reading.
1. The service authenticates the user for the app
If you configured the app to use Passthrough as its preauthentication method, the steps in this section are skipped.
If you configured the app to preauthenticate with Azure AD, users are redirected to the Azure AD STS to
authenticate, and the following steps take place:
1. Application Proxy checks for any conditional access policy requirements for the specific application. This step
ensures that the user has been assigned to the application. If two-step verification is required, the
authentication sequence prompts the user for a second authentication method.
2. After all checks have passed, the Azure AD STS issues a signed token for the application and redirects the
user back to the Application Proxy service.
3. Application Proxy verifies that the token was issued to correct the application. It performs other checks also,
such as ensuring that the token was signed by Azure AD, and that it is still within the valid window.
4. Application Proxy sets an encrypted authentication cookie to indicate that authentication to the application
has occurred. The cookie includes an expiration timestamp that's based on the token from Azure AD and
other data, such as the user name that the authentication is based on. The cookie is encrypted with a private
key known only to the Application Proxy service.
5. Application Proxy redirects the user back to the originally requested URL.
If any part of the preauthentication steps fails, the user’s request is denied, and the user is shown a message
indicating the source of the problem.
2. The service places a request in the connector queue
Connectors keep an outbound connection open to the Application Proxy service. When a request comes in, the
service queues up the request on one of the open connections for the connector to pick up.
The request includes items from the application, such as the request headers, data from the encrypted cookie, the
user making the request, and the request ID. Although data from the encrypted cookie is sent with the request, the
authentication cookie itself is not.
3. The connector processes the request from the queue.
Based on the request, Application Proxy performs one of the following actions:
If the request is a simple operation (for example, there is no data within the body as is with a RESTful GET
request), the connector makes a connection to the target internal resource and then waits for a response.
If the request has data associated with it in the body (for example, a RESTful POST operation), the connector
makes an outbound connection by using the client certificate to the Application Proxy instance. It makes this
connection to request the data and open a connection to the internal resource. After it receives the request
from the connector, the Application Proxy service begins accepting content from the user and forwards data
to the connector. The connector, in turn, forwards the data to the internal resource.
4. The connector waits for a response.
After the request and transmission of all content to the back end is complete, the connector waits for a response.
After it receives a response, the connector makes an outbound connection to the Application Proxy service, to
return the header details and begin streaming the return data.
5. The service streams data to the user.
Some processing of the application may occur here. If you configured Application Proxy to translate headers or
URLs in your application, that processing happens as needed during this step.
Next steps
Network topology considerations when using Azure AD Application Proxy
Understand Azure AD Application Proxy connectors
Network topology considerations when using Azure
Active Directory Application Proxy
1/4/2018 • 7 min to read • Edit Online
This article explains network topology considerations when using Azure Active Directory (Azure AD) Application
Proxy for publishing and accessing your applications remotely.
Traffic flow
When an application is published through Azure AD Application Proxy, traffic from the users to the applications
flows through three connections:
1. The user connects to the Azure AD Application Proxy service public endpoint on Azure
2. The Application Proxy service connects to the Application Proxy connector
3. The Application Proxy connector connects to the target application
Use case 3
Scenario: The app is in an organization's network in the US. ExpressRoute with public peering exists between
Azure and the corporate network.
Recommendation: Follow patterns 1 and 2, explained in the previous section.
First, place the connector as close as possible to the app. Then, the system automatically uses ExpressRoute for hop
2.
If the ExpressRoute link is using public peering, the traffic between the proxy and the connector flows over that link.
Hop 2 has optimized latency.
Use case 4
Scenario: The app is in an organization's network in the US. ExpressRoute with private peering exists between
Azure and the corporate network.
Recommendation: Follow pattern 3, explained in the previous section.
Place the connector in the Azure datacenter that is connected to the corporate network through ExpressRoute
private peering.
The connector can be placed in the Azure datacenter. Since the connector still has a line of sight to the application
and the datacenter through the private network, hop 3 remains optimized. In addition, hop 2 is optimized further.
Use case 5
Scenario: The app is in an organization's network in the EU, with the Application Proxy instance and most users in
the US.
Recommendation: Place the connector near the app. Because US users are accessing an Application Proxy
instance that happens to be in the same region, hop 1 is not too expensive. Hop 3 is optimized. Consider using
ExpressRoute to optimize hop 2.
You can also consider using one other variant in this situation. If most users in the organization are in the US, then
chances are that your network extends to the US as well. Place the connector in the US, and use the dedicated
internal corporate network line to the application in the EU. This way hops 2 and 3 are optimized.
Next steps
Enable Application Proxy
Enable single-sign on
Enable conditional access
Troubleshoot issues you're having with Application Proxy
Compare remote access solutions
1/4/2018 • 1 min to read • Edit Online
Azure Active Directory Application Proxy is one of two remote access solutions that Microsoft offers. The other is
Web Application Proxy, the on-premises version. These two solutions replace earlier products that Microsoft
offered: Microsoft Forefront Threat Management Gateway (TMG) and Unified Access Gateway (UAG). Use this article
to understand how these four solutions compare to each other. For those of you still using the deprecated TMG or
UAG solutions, use this article to help plan your migration to one of the Application Proxy.
Feature comparison
Use this table to understand how Threat Management Gateway (TMG), Unified Access Gateway (UAG), Web
Application Proxy (WAP), and Azure AD Application Proxy (AP) compare to each other.
Rich protocol support - Yes Yes, if running over Yes, if running over
HTTP HTTP or through
Remote Desktop
Gateway
No components in - - - Yes
the demilitarized zone
(DMZ)
No inbound - - - Yes
connections
For most scenarios, we recommend Azure AD Application as the modern solution. Web Application Proxy is only
preferred in scenarios that require a proxy server for AD FS, and you can't use custom domains in Azure Active
Directory.
Azure AD Application Proxy offers unique benefits when compared to similar products, including:
Extending Azure AD to on-premises resources
Cloud-scale security and protection
Features like conditional access and Multi-Factor Authentication are easy to enable
No componenet in the demilitarized zone
No inbound connections required
One access panel that your users can go to for all their applications, including O365, Azure AD integrated SaaS
apps, and your on-premises web apps.
Next steps
Use Azure AD Application to provide secure remote access to on-premises applications
Transition from Forefront TMG and UAG to Application Proxy.
Publish applications on separate networks and
locations using connector groups
1/4/2018 • 6 min to read • Edit Online
Customers utilize Azure AD's Application Proxy for more and more scenarios and applications. So we've made
App Proxy even more flexible by enabling more topologies. You can create Application Proxy connector groups so
that you can assign specific connectors to serve specific applications. This capability gives you more control and
ways to optimize your Application Proxy deployment.
Each Application Proxy connector is assigned to a connector group. All the connectors that belong to the same
connector group act as a separate unit for high-availability and load balancing. All connectors belong to a
connector group. If you don't create groups, then all your connectors are in a default group. Your admin can
create new groups and assign connectors to them in the Azure portal.
All applications are assigned to a connector group. If you don't create groups, then all your applications are
assigned to a default group. But if you organize your connectors into groups, you can set each application to work
with a specific connector group. In this case, only the connectors in that group serve the application upon request.
This feature is useful if your applications are hosted in different locations. You can create connector groups based
on location, so that applications are always served by connectors that are physically close to them.
TIP
If you have a large Application Proxy deployment, don't assign any applications to the default connector group. That way,
new connectors don't receive any live traffic until you assign them to an active connector group. This configuration also
enables you to put connectors in an idle mode by moving them back to the default group, so that you can perform
maintenance without impacting your users.
Prerequisites
To group your connectors, you have to make sure you installed multiple connectors. When you install a new
connector, it automatically joins the Default connector group.
4. Give your new connector group a name, then use the dropdown menu to select which connectors belong
in this group.
5. Select Save.
Assign applications to your connector groups
Use these steps for each application that you've published with Application Proxy. You can assign an application
to a connector group when you first publish it, or you can use these steps to change the assignment whenever
you want.
1. From the management dashboard for your directory, select Enterprise applications > All applications >
the application you want to assign to a connector group > Application Proxy.
2. Use the Connector Group dropdown menu to select the group you want the application to use.
3. Select Save to apply the change.
Sample configurations
Some examples that you can implement, include the following connector groups.
Default configuration – no use for connector groups
If you don’t use connector groups, your configuration would look like this:
This configuration is sufficient for small deployments and tests. It will also work well if your organization has a flat
network topology.
Default configuration and an isolated network
This configuration is an evolution of the default one, in which there is a specific app that runs in an isolated
network such as IaaS virtual network:
Recommended configuration – several specific groups and a default group for idle
The recommended configuration for large and complex organizations is to have the default connector group as a
group that doesn’t serve any applications and is used for idle or newly installed connectors. All applications are
served using customized connector groups. This enables all the complexity of the scenarios described above.
In the example below, the company has two datacenters, A and B, with two connectors that serve each site. Each
site has different applications that run on it.
Next steps
Understand Azure AD Application Proxy connectors
Enable single-sign on
Work with existing on-premises proxy servers
1/4/2018 • 6 min to read • Edit Online
This article explains how to configure Azure Active Directory (Azure AD) Application Proxy connectors to work with
outbound proxy servers. It is intended for customers with network environments that have existing proxies.
We start by looking at these main deployment scenarios:
Configure connectors to bypass your on-premises outbound proxies.
Configure connectors to use an outbound proxy to access Azure AD Application Proxy.
For more information about how connectors work, see Understand Azure AD Application Proxy connectors.
To ensure that the Connector Updater service also bypasses the proxy, make a similar change to the
ApplicationProxyConnectorUpdaterService.exe.config file. This file is located at C:\Program Files\Microsoft AAD
App Proxy Connector Updater.
Be sure to make copies of the original files, in case you need to revert to the default .config files.
As a result of having only outbound traffic, there's no need to configure inbound access through your firewalls.
NOTE
Application Proxy does not support authentication to other proxies. The connector/updater network service accounts should
be able to connect to the proxy without being challenged for authentication.
Step 1: Configure the connector and related services to go through the outbound proxy
If WPAD is enabled in the environment and configured appropriately, the connector automatically discovers the
outbound proxy server and attempt to use it. However, you can explicitly configure the connector to go through an
outbound proxy.
To do so, edit the C:\Program Files\Microsoft AAD App Proxy
Connector\ApplicationProxyConnectorService.exe.config file and add the system.net section shown in this code
sample. Change proxyserver:8080 to reflect your local proxy server name or IP address, and the port that it's
listening on.
Next, configure the Connector Updater service to use the proxy by making a similar change to the C:\Program
Files\Microsoft AAD App Proxy Connector Updater\ApplicationProxyConnectorUpdaterService.exe.config file.
Step 2: Configure the proxy to allow traffic from the connector and related services to flow through
There are four aspects to consider at the outbound proxy:
Proxy outbound rules
Proxy authentication
Proxy ports
SSL inspection
Proxy outbound rules
Allow access to the following endpoints for connector service access:
*.msappproxy.net
*.servicebus.windows.net
For initial registration, allow access to the following endpoints:
login.windows.net
login.microsoftonline.com
If you can't allow connectivity by FQDN and need to specify IP ranges instead, use these options:
Allow the connector outbound access to all destinations.
Allow the connector outbound access to all of the Azure datacenter IP ranges. The challenge with using the list
of Azure datacenter IP ranges is that it's updated weekly. You need to put a process in place to ensure that your
access rules are updated accordingly. Only using a subset of the IP addresses may cause your configuration to
break.
Proxy authentication
Proxy authentication is not currently supported. Our current recommendation is to allow the connector
anonymous access to the Internet destinations.
Proxy ports
The connector makes outbound SSL-based connections by using the CONNECT method. This method essentially
sets up a tunnel through the outbound proxy. Configure the proxy server to allow tunneling to ports 443 and 80.
NOTE
When Service Bus runs over HTTPS, it uses port 443. However, by default, Service Bus attempts direct TCP connections and
falls back to HTTPS only if direct connectivity fails.
SSL inspection
Do not use SSL inspection for the connector traffic, because it causes problems for the connector traffic. The
connector uses a certificate to authenticate to the Application Proxy service, and that certificate can be lost during
SSL inspection.
Next steps
Understand Azure AD Application Proxy connectors
If you have problems with connector connectivity issues, ask your question in the Azure Active Directory
forum or create a ticket with our support team.
Working with claims-aware apps in Application Proxy
1/4/2018 • 1 min to read • Edit Online
Claims-aware apps perform a redirection to the Security Token Service (STS). The STS requests credentials from the
user in exchange for a token and then redirects the user to the application. There are a few ways to enable
Application Proxy to work with these redirects. Use this article to configure your deployment for claims-aware apps.
Prerequisites
Make sure that the STS that the claims-aware app redirects to is available outside of your on-premises network.
You can make the STS available by exposing it through a proxy or by allowing outside connections.
Configure ADFS
You can configure ADFS for claims-aware apps in one of two ways. The first is by using custom domains. The
second is with WS-Federation.
Option 1: Custom domains
If all the internal URLs for your applications are fully qualified domain names (FQDNs), then you can configure
custom domains for your applications. Use the custom domains to create external URLs that are the same as the
internal URLs. When your external URLs match your internal URLs, then the STS redirections work whether your
users are on-premises or remote.
Option 2: WS -Federation
1. Open ADFS Management.
2. Go to Relying Party Trusts, right-click on the app you are publishing with Application Proxy, and choose
Properties.
In addition to web applications, Azure Active Directory Application Proxy can also be used to publish native client
apps that are configured with the Azure AD Authentication Library (ADAL). Native client apps differ from web apps
because they are installed on a device, while web apps are accessed through a browser.
Application Proxy supports native client apps by accepting Azure AD issued tokens sent in the header. The
Application Proxy service performs authentication on behalf of the users. This solution does not use application
tokens for authentication.
Use the Azure AD Authentication Library, which takes care of authentication and supports many client
environments, to publish native applications. Application Proxy fits into the Native Application to Web API scenario.
This article walks you through the four steps to publish a native application with Application Proxy and the Azure
AD Authentication Library.
8. Select Done.
Next steps
For more information about the native application flow, see Native application to web API
Learn about setting up Single sign-on for Application Proxy
Create an unattended installation script for the Azure
AD Application Proxy connector
1/4/2018 • 2 min to read • Edit Online
This topic helps you create a Windows PowerShell script that enables unattended installation and registration for
your Azure AD Application Proxy connector.
This capability is useful when you want to:
Install the connector on Windows servers that don't have user interface enabled, or that you can't access with
Remote Desktop.
Install and register many connectors at once.
Integrate the connector installation and registration as part of another procedure.
Create a standard server image that contains the connector bits but is not registered.
For the Application Proxy connector to work, it has to be registered with your Azure AD directory using a global
administrator and password. Ordinarily this information is entered during Connector installation in a pop-up dialog
box, but you can use PowerShell to automate this process instead.
There are two steps for an unattended installation. First, install the connector. Second, register the connector with
Azure AD.
AADApplicationProxyConnectorInstaller.exe REGISTERCONNECTOR="false" /q
$User = "<username>"
$PlainPassword = '<password>'
$SecurePassword = $PlainPassword | ConvertTo-SecureString -AsPlainText -Force
$cred = New-Object –TypeName System.Management.Automation.PSCredential –ArgumentList $User,
$SecurePassword
2. Go to C:\Program Files\Microsoft AAD App Proxy Connector and run the following script using the
$cred object that you created:
class Program
{
#region constants
/// <summary>
/// The AAD authentication endpoint uri
/// </summary>
static readonly Uri AadAuthenticationEndpoint = new
Uri("https://login.microsoftonline.com/common/oauth2/token?api-version=1.0");
/// <summary>
/// The application ID of the connector in AAD
/// </summary>
static readonly string ConnectorAppId = "55747057-9b5d-4bd4-b387-abf52a8bd489";
/// <summary>
/// The reply address of the connector application in AAD
/// </summary>
static readonly Uri ConnectorRedirectAddress = new Uri("urn:ietf:wg:oauth:2.0:oob");
/// <summary>
/// The AppIdUri of the registration service in AAD
/// </summary>
static readonly Uri RegistrationServiceAppIdUri = new
Uri("https://proxy.cloudwebappproxy.net/registerapp");
#endregion
token = authResult.AccessToken;
tenantID = authResult.TenantId;
}
2. Once you have the token, create a SecureString using the token:
$SecureToken = $Token | ConvertTo-SecureString -AsPlainText -Force
3. Run the following Windows PowerShell command, replacing <tenant GUID> with your directory ID:
RegisterConnector.ps1 -modulePath "C:\Program Files\Microsoft AAD App Proxy Connector\Modules\" -
moduleName "AppProxyPSModule" -Authenticationmode Token -Token $SecureToken -TenantId <tenant GUID>
Next steps
Publish applications using your own domain name
Enable single-sign on
Troubleshoot issues you're having with Application Proxy
Set a custom home page for published apps by using
Azure AD Application Proxy
1/4/2018 • 4 min to read • Edit Online
This article discusses how to configure apps to direct users to a custom home page. When you publish an
application with Application Proxy, you set an internal URL but sometimes that's not the page your users should
see first. Set a custom home page so that your users go to the right page when they access the apps. Your users
will see the custom home page that you set, whether they access the app from the Azure Active Directory Access
Panel or the Office 365 app launcher.
When users launch the app, they're directed by default to the root domain URL for the published app. The landing
page is typically set as the home page URL. Use the Azure AD PowerShell module to define custom home page
URLs when you want app users to land on a specific page within the app.
Here's one example of why a company would set a custom home page:
Inside your corporate network, users go to https://ExpenseApp/login/login.aspx to sign in and access your app.
Because you have other assets like images that Application Proxy needs to access at the top level of the folder
structure, you publish the app with https://ExpenseApp as the internal URL.
The default external URL is https://ExpenseApp-contoso.msappproxy.net, which doesn't take your users to the
sign-in page.
Set https://ExpenseApp-contoso.msappproxy.net/login/login.aspx as the home page URL.
NOTE
When you give users access to published apps, the apps are displayed in the Azure AD Access Panel and the Office 365 app
launcher.
If you're running the command as a non-admin, use the -scope currentuser option.
2. During the installation, select Y to install two packages from Nuget.org. Both packages are required.
Find the ObjectID of the app
Obtain the ObjectID of the app, and then search for the app by its home page.
1. In the same PowerShell window, import the Azure AD module.
Import-Module AzureAD
Connect-AzureAD
3. Find the app based on its home page URL. You can find the URL in the portal by going to Azure Active
Directory > Enterprise applications > All applications. This example uses sharepoint-iddemo.
4. You should get a result that's similar to the one shown here. Copy the ObjectID GUID to use in the next
section.
DisplayName : SharePoint
Homepage : https://sharepoint-iddemo.msappproxy.net/
ObjectId : 8af89bfa-eac6-40b0-8a13-c2c4e3ee22a4
Now that you've confirmed the app, you're ready to update the home page, as follows.
2. Create a blank application object to hold the changes that you want to make. This variable holds the values
that you want to update. Nothing is created in this step.
3. Set the home page URL to the value that you want. The value must be a subdomain path of the published
app. For example, if you change the home page URL from https://sharepoint-iddemo.msappproxy.net/ to
https://sharepoint-iddemo.msappproxy.net/hybrid/, app users go directly to the custom home page.
$homepage = “https://sharepoint-iddemo.msappproxy.net/hybrid/”
4. Make the update by using the GUID (ObjectID) that you copied in "Step 1: Find the ObjectID of the app."
NOTE
Any changes that you make to the app might reset the home page URL. If your home page URL resets, repeat the steps in
this section to set it back.
Next steps
Enable remote access to SharePoint with Azure AD Application Proxy
Enable Application Proxy in the Azure portal
Redirect hardcoded links for apps published with
Azure AD Application Proxy
1/4/2018 • 4 min to read • Edit Online
Azure AD Application Proxy makes your on-premises apps available to users who are remote or on their own
devices. Some apps, however, were developed with local links embedded in the HTML. These links don't work
correctly when the app is used remotely. When you have several on-premises applications point to each other, your
users expect the links to keep working when they're not at the office.
The best way to make sure that links work the same both inside and outside of your corporate network is to
configure the external URLs of your apps to be the same as their internal URLs. Use custom domains to configure
your external URLs to have your corporate domain name instead of the default application proxy domain.
If you can't use custom domains in your tenant, then the link translation feature of Application Proxy keeps your
links working no matter where your users are. When you have apps that point directly to internal endpoints or
ports, you can map these internal URLs to the published external Application Proxy URLs. When link translation is
enabled, and Application Proxy searches through HTML, CSS, and select JavaScript tags for published internal links.
Then the Application Proxy service translates them so that your users get an uninterrupted experience.
NOTE
The link translation feature is for tenants that, for whatever reason, can't use custom domains to have the same internal and
external URLs for their apps. Before you enable this feature, see if custom domains in Azure AD Application Proxy can work
for you.
Or, if the application you need to configure with link translation is SharePoint, see Configure alternate access mappings for
SharePoint 2013 for another approach to mapping links.
.
4. Select Save to apply your changes.
Now, when your users access this application, the proxy will automatically scan for internal URLs that have been
published through Application Proxy on your tenant.
Send feedback
We want your help to make this feature work for all your apps. We search over 30 tags in HTML and CSS, and are
considering which JavaScript cases to support. If you have an example of generated links that aren't being
translated, send a code snippet to Application Proxy Feedback.
Next steps
Use custom domains with Azure AD Application Proxy to have the same internal and external URL
Configure alternate access mappings for SharePoint 2013
Publish Remote Desktop with Azure AD Application
Proxy
1/4/2018 • 5 min to read • Edit Online
Remote Desktop Service and Azure AD Application Proxy work together to improve the productivity of workers
who are away from the corporate network.
The intended audience for this article is:
Current Application Proxy customers who want to offer more applications to their end users by publishing on-
premises applications through Remote Desktop Services.
Current Remote Desktop Services customers who want to reduce the attack surface of their deployment by
using Azure AD Application Proxy. This scenario gives a limited set of two-step verification and conditional
access controls to RDS.
In an RDS deployment, the RD Web role and the RD Gateway role run on Internet-facing machines. These
endpoints are exposed for the following reasons:
RD Web provides the user a public endpoint to sign in and view the various on-premises applications and
desktops they can access. Upon selecting a resource, an RDP connection is created using the native app on the
OS.
RD Gateway comes into the picture once a user launches the RDP connection. The RD Gateway handles
encrypted RDP traffic coming over the internet and translates it to the on-premises server that the user is
connecting to. In this scenario, the traffic the RD Gateway is receiving comes from the Azure AD Application
Proxy.
TIP
If you haven't deployed RDS before, or want more information before you begin, learn how to seamlessly deploy RDS with
Azure Resource Manager and Azure Marketplace.
Requirements
Both the RD Web and RD Gateway endpoints must be located on the same machine, and with a common
root. RD Web and RD Gateway are published as a single application with Application Proxy so that you can
have a single sign-on experience between the two applications.
You should already have deployed RDS, and enabled Application Proxy.
This scenario assumes that your end users go through Internet Explorer on Windows 7 or Windows 10
desktops that connect through the RD Web page. If you need to support other operating systems, see
Support for other client configurations.
On Internet Explorer, enable the RDS ActiveX add-on.
8. Run this command for each collection. Replace <yourcollectionname> and <proxyfrontendurl> with your
own information. This command enables single sign-on between RD Web and RD Gateway, and optimizes
performance:
For example:
9. To verify the modification of the custom RDP properties as well as view the RDP file contents that will be
downloaded from RDWeb for this collection, run the following command:
(get-wmiobject -Namespace root\cimv2\terminalservices -Class
Win32_RDCentralPublishedRemoteDesktop).RDPFileContents
Now that you've configured Remote Desktop, Azure AD Application Proxy has taken over as the internet-facing
component of RDS. You can remove the other public internet-facing endpoints on your RD Web and RD Gateway
machines.
The pre-authentication flow offers more security benefits than the passthrough flow. With pre-authentication you
can use Azure AD authentication features like single sign-on, conditional access, and two-step verification for your
on-premises resources. You also ensure that only authenticated traffic reaches your network.
To use passthrough authentication, there are just two modifications to the steps listed in this article:
1. In Publish the RD host endpoint step 1, set the Preauthentication method to Passthrough.
2. In Direct RDS traffic to Application Proxy, skip step 8 entirely.
Next steps
Enable remote access to SharePoint with Azure AD Application Proxy
Security considerations for accessing apps remotely by using Azure AD Application Proxy
Enable remote access to SharePoint with Azure AD
Application Proxy
1/4/2018 • 8 min to read • Edit Online
This article discusses how to integrate an on-premises SharePoint server with Azure Active Directory (Azure AD)
Application Proxy.
To enable remote access to SharePoint with Azure AD Application Proxy, follow the sections in this article step by
step.
Prerequisites
This article assumes that you already have SharePoint 2013 or newer in your environment. In addition, consider
the following prerequisites:
SharePoint includes native Kerberos support. Therefore, users who are accessing internal sites remotely
through Azure AD Application Proxy can assume to have a single sign-on (SSO) experience.
This scenario includes configuration changes to your SharePoint server. We recommend using a staging
environment. This way, you can make updates to your staging server first, and then facilitate a testing cycle
before going into production.
We require SSL on the published URL. You need to have SSL enabled on your internal site to ensure that
links are sent/mapped correctly. If you haven't configured SSL, see Configure SSL for SharePoint 2013 for
instructions. Also, make sure that the connector machine trusts the certificate that you issue. (The certificate
does not need to be publicly issued.)
NOTE
You need to have a previously created Azure AD account for the service. We suggest that you allow for an automatic
password change. For more information about the full set of steps and troubleshooting issues, see Configure automatic
password change in SharePoint 2013.
To ensure that your sites are running under a defined service account, perform the following steps:
1. Open the SharePoint 2013 Central Administration site.
2. Go to Security and select Configure service accounts.
3. Select Web Application Pool - SharePoint - 80. The options may be slightly different based on the name
of your web pool, or if the web pool uses SSL by default.
4. If Select an account for this component field is set to Local Service or Network Service, you need to
create an account. If not, you're finished and can move to the next section.
5. Select Register new managed account. After your account is created, you must set Web Application Pool
before you can use the account.
Configure SharePoint for Kerberos
You use KCD to perform single sign-on to the SharePoint server.
To configure your SharePoint site for Kerberos authentication:
1. Open the SharePoint 2013 Central Administration site.
2. Go to Application Management, select Manage web applications, and select your SharePoint site. In
this example, it is SharePoint - 80.
<service class>/<host>:<port>
sharepoint.demo.o365identity.us
HTTP/sharepoint.demo.o365identity.us demo
You might also need to set SPNs for specific sites on your server. For more information, see Configure Kerberos
authentication. Pay close attention to the "Create Service Principal Names for your Web applications using
Kerberos authentication" section.
The easiest way for you to set SPNs is to follow the SPN formats that may already be present for your sites. Copy
those SPNs to register against the service account. To do this:
1. Browse to the site with the SPN from another machine. When you do, the relevant set of Kerberos tickets is
cached on the machine. These tickets contain the SPN of the target site that you browsed to.
2. You can pull the SPN for that site by using a tool called Klist. In a command window that's running in the
same context as the user who accessed the site in the browser, run the following command:
Klist
Klist then returns the set of target SPNs. In this example, the highlighted value is the SPN that's needed:
3. Now that you have the SPN, make sure that it's configured correctly on the service account that you set up
for the web application earlier. Run the following command from the command prompt as an
administrator of the domain:
This command sets the SPN for the SharePoint service account running as demo\sp_svc.
Replace http/sharepoint.demo.o365identity.us with the SPN for your server and demo\sp_svc with the
service account in your environment. The Setspn command searches for the SPN before it adds it. In this
case, you might see a Duplicate SPN Value error. If you see this error, make sure that the value is
associated with the service account.
You can verify that the SPN was added by running the Setspn command with the -l option. To learn more about
this command, see Setspn.
Ensure that the connector is set as a trusted delegate to SharePoint
Configure the KCD so that the Azure AD Application Proxy service can delegate user identities to the SharePoint
service. Configure KCD by enabling the Application Proxy connector to retrieve Kerberos tickets for your users
who have been authenticated in Azure AD. Then that server passes the context to the target application, or
SharePoint in this case.
To configure the KCD, repeat the following steps for each connector machine:
1. Log in as a domain administrator to a DC, and then open Active Directory Users and Computers.
2. Find the computer that the connector is running on. In this example, it's the same SharePoint server.
3. Double-click the computer, and then click the Delegation tab.
4. Ensure that the delegation settings are set to Trust this computer for delegation to the specified
services only. Then, select Use any authentication protocol.
5. Click the Add button, click Users or Computers, and locate the service account.
6. In the list of SPNs, select the one that you created earlier for the service account.
7. Click OK. Click OK again to save the changes.
TIP
SharePoint uses the Host Header value to look up the site. It also generates links based on this value. The net effect
is that any link that SharePoint generates is a published URL that is correctly set to use the external URL. Setting the
value to YES also enables the connector to forward the request to the back-end application. However, setting the
value to NO means that the connector will not send the internal host name. Instead, the connector sends the host
header as the published URL to the back-end application.
2. Once your app is published, configure the single sign-on settings with the following steps:
a. On the application page in the portal, select Single sign-on.
b. For Single Sign-on Mode, select Integrated Windows Authentication.
c. Set Internal Application SPN to the value that you set earlier. For this example, that would be
http/sharepoint.demo.o365identity.us.
3. To finish setting up your application, go to the Users and groups section and assign users to access this
application.
Step 3: Ensure that SharePoint knows about the external URL
Your last step is to ensure that SharePoint can find the site based on the external URL, so that it renders links
based on that external URL. You do this by configuring alternate access mappings for the SharePoint site.
1. Open the SharePoint 2013 Central Administration site.
2. Under System Settings, select Configure Alternate Access Mappings. The Alternate Access Mappings
box opens.
3. In the drop-down list beside Alternate Access Mapping Collection, select Change Alternate Access
Mapping Collection.
4. Select your site--for example, SharePoint - 80.
5. You can choose to add the published URL as either an internal URL or a public URL. This example uses a public
URL as the extranet.
6. Click Edit Public URLs in the Extranet path, and then enter the External URL that was created when you
published the application. For example, enter https://sharepoint-iddemo.msappproxy.net.
7. Click Save.
You can now access the SharePoint site externally via Azure AD Application Proxy.
Next steps
Working with custom domains in Azure AD Application Proxy
Understand Azure AD Application Proxy connectors
Access your on-premises applications through
Microsoft Teams
1/4/2018 • 1 min to read • Edit Online
Azure Active Directory Application Proxy gives you single sign-on to on-premises applications no matter where you
are. Microsoft Teams streamlines your collaborative efforts in one place. Integrating the two together means that
your users can be productive with their teammates in any situation.
Your users can add cloud apps to their Teams channels using tabs, but what about the SharePoint sites or planning
tool that are hosted on-premises? Application Proxy is the solution. They can add apps published through
Application Proxy to their channels using the same external URLs they always use to access their apps remotely.
And because Application Proxy authenticates through Azure Active Directory, your users get a single sign-on
experience.
Once one member of a team adds the tab, it shows up for everyone in the channel. Any users who have access to
the app get single sign-on access with the credentials they use for Microsoft Teams. Any users who don't have
access to the app can see the tab in Teams, but are blocked until you give them permissions to the on-premises app
and the Azure portal published version of the app.
Next steps
Learn how to publish on-premises SharePoint sites with Application Proxy.
Configure your apps to use custom domains for their external URL.
Troubleshoot Application Proxy problems and error
messages
1/4/2018 • 10 min to read • Edit Online
If errors occur in accessing a published application or in publishing applications, check the following options to
see if Microsoft Azure AD Application Proxy is working correctly:
Open the Windows Services console and verify that the Microsoft AAD Application Proxy Connector
service is enabled and running. You may also want to look at the Application Proxy service properties page, as
shown in the following image:
Open Event Viewer and look for Application Proxy connector events in Applications and Services Logs >
Microsoft > AadApplicationProxy > Connector > Admin.
If needed, more detailed logs are available by turning on the Application Proxy connector session logs.
For more information about the Azure AD Troubleshooting tool, see Troubleshooting tool to validate connector
networking prerequisites.
Get-EventLog application –source “Microsoft AAD Application Proxy Connector” –EntryType “Error” –Newest 1
Once you find the Connector error from the event log, use this table of common errors to resolve the problem:
Connector registration failed: Make sure you enabled If you closed the registration window without signing in to
Application Proxy in the Azure Management Portal and that Azure AD, run the Connector wizard again and register the
you entered your Active Directory user name and password Connector.
correctly. Error: 'One or more errors occurred.'
If the registration window opens and then immediately closes
without allowing you to log in, you will probably get this
error. This error occurs when there is a networking error on
your system. Make sure that it is possible to connect from a
browser to a public website and that the ports are open as
specified in Application Proxy prerequisites.
Clear error is presented in the registration window. Cannot If you see this error and then the window closes, you entered
proceed the wrong username or password. Try again.
Connector registration failed: Make sure you enabled You are trying to sign in using a Microsoft Account and not a
Application Proxy in the Azure Management Portal and that domain that is part of the organization ID of the directory
you entered your Active Directory user name and password you are trying to access. Make sure that the admin is part of
correctly. Error: 'AADSTS50059: No tenant-identifying the same domain name as the tenant domain, for example, if
information found in either the request or implied by any the Azure AD domain is contoso.com, the admin should be
provided credentials and search by service principal URI has admin@contoso.com.
failed.
Failed to retrieve the current execution policy for running If the Connector installation fails, check to make sure that
PowerShell scripts. PowerShell execution policy is not disabled.
Connector failed to download the configuration. The Connector’s client certificate, which is used for
authentication, expired. This may also occur if you have the
Connector installed behind a proxy. In this case, the
Connector cannot access the Internet and will not be able to
provide applications to remote users. Renew trust manually
using the Register-AppProxyConnector cmdlet in Windows
PowerShell. If your Connector is behind a proxy, it is
necessary to grant Internet access to the Connector accounts
“network services” and “local system.” This can be
accomplished either by granting them access to the Proxy or
by setting them to bypass the proxy.
Connector registration failed: Make sure you are a Global The alias you're trying to log in with isn't an admin on this
Administrator of your Active Directory to register the domain. Your Connector is always installed for the directory
Connector. Error: 'The registration request was denied.' that owns the user’s domain. Make sure that the admin
account you are trying to sign in with has global permissions
to the Azure AD tenant.
Kerberos errors
This table covers the more common errors that come from Kerberos setup and configuration, and includes
suggestions for resolution.
Failed to retrieve the current execution policy for running If the Connector installation fails, check to make sure that
PowerShell scripts. PowerShell execution policy is not disabled.
12008 - Azure AD exceeded the maximum number of This error may indicate incorrect configuration between Azure
permitted Kerberos authentication attempts to the backend AD and the backend application server, or a problem in time
server. and date configuration on both machines. The backend server
declined the Kerberos ticket created by Azure AD. Verify that
Azure AD and the backend application server are configured
correctly. Make sure that the time and date configuration on
the Azure AD and the backend application server are
synchronized.
13016 - Azure AD cannot retrieve a Kerberos ticket on behalf There is a problem with the STS configuration. Fix the UPN
of the user because there is no UPN in the edge token or in claim configuration in the STS.
the access cookie.
ERROR RECOMMENDED STEPS
13019 - Azure AD cannot retrieve a Kerberos ticket on behalf This event may indicate incorrect configuration between
of the user because of the following general API error. Azure AD and the domain controller server, or a problem in
time and date configuration on both machines. The domain
controller declined the Kerberos ticket created by Azure AD.
Verify that Azure AD and the backend application server are
configured correctly, especially the SPN configuration. Make
sure the Azure AD is domain joined to the same domain as
the domain controller to ensure that the domain controller
establishes trust with Azure AD. Make sure that the time and
date configuration on the Azure AD and the domain
controller are synchronized.
13020 - Azure AD cannot retrieve a Kerberos ticket on behalf This event may indicate incorrect configuration between
of the user because the backend server SPN is not defined. Azure AD and the domain controller server, or a problem in
time and date configuration on both machines. The domain
controller declined the Kerberos ticket created by Azure AD.
Verify that Azure AD and the backend application server are
configured correctly, especially the SPN configuration. Make
sure the Azure AD is domain joined to the same domain as
the domain controller to ensure that the domain controller
establishes trust with Azure AD. Make sure that the time and
date configuration on the Azure AD and the domain
controller are synchronized.
13022 - Azure AD cannot authenticate the user because the This event may indicate incorrect configuration between
backend server responds to Kerberos authentication attempts Azure AD and the backend application server, or a problem in
with an HTTP 401 error. time and date configuration on both machines. The backend
server declined the Kerberos ticket created by Azure AD.
Verify that Azure AD and the backend application server are
configured correctly. Make sure that the time and date
configuration on the Azure AD and the backend application
server are synchronized.
End-user errors
This list covers errors that your end users might encounter when they try to access the app and fail.
The website cannot display the page. Your user may get this error when trying to access the app
you published if the application is an IWA application. The
defined SPN for this application may be incorrect. For IWA
apps, make sure that the SPN configured for this application
is correct.
ERROR RECOMMENDED STEPS
The website cannot display the page. Your user may get this error when trying to access the app
you published if the application is an OWA application. This
could be caused by one of the following:
The defined SPN for this application is incorrect. Make sure
that the SPN configured for this application is correct.
The user who tried to access the application is using a
Microsoft account rather than the proper corporate account
to sign in, or the user is a guest user. Make sure the user
signs in using their corporate account that matches the
domain of the published application. Microsoft Account users
and guest cannot access IWA applications.
The user who tried to access the application is not properly
defined for this application on the on-prem side. Make sure
that this user has the proper permissions as defined for this
backend application on the on-prem machine.
This corporate app can’t be accessed. You are not authorized Your users may get this error when trying to access the app
to access this application. Authorization failed. Make sure to you published if they use Microsoft accounts instead of their
assign the user with access to this application. corporate account to sign in. Guest users may also get this
error. Microsoft Account users and guests cannot access IWA
applications. Make sure the user signs in using their corporate
account that matches the domain of the published
application.
You may not have assigned the user for this application. Go
to the Application tab, and under Users and Groups, assign
this user or user group to this application.
This corporate app can’t be accessed right now. Please try Your users may get this error when trying to access the app
again later…The connector timed out. you published if they are not properly defined for this
application on the on-prem side. Make sure that your users
have the proper permissions as defined for this backend
application on the on-prem machine.
This corporate app can’t be accessed. You are not authorized Your users may get this error when trying to access the app
to access this application. Authorization failed. Make sure that you published if they weren't explicitly assigned with a
the user has a license for Azure Active Directory Premium or Premium/Basic license by the subscriber’s administrator. Go
Basic. to the subscriber’s Active Directory Licenses tab and make
sure that this user or user group is assigned a Premium or
Basic license.
See also
Enable Application Proxy for Azure Active Directory
Publish applications with Application Proxy
Enable single sign-on
Enable conditional access
Assign a user or group to an enterprise app in Azure
Active Directory
12/7/2017 • 3 min to read • Edit Online
To assign a user or group to an enterprise app, you must have the appropriate permissions to manage the
enterprise app, and you must be global admin for the directory.
NOTE
For Microsoft Applications (such as Office 365 apps), use PowerShell to assign users to an enterprise app.
4. On the Enterprise applications blade, select All applications. This lists the apps you can manage.
5. On the Enterprise applications - All applications blade, select an app.
6. On the appname blade (that is, the blade with the name of the selected app in the title), select Users &
Groups.
7. On the appname - User & Group Assignment blade, select the Add command.
8. On the Add Assignment blade, select Users and groups.
9. On the Users and groups blade, select one or more users or groups from the list and then select the Select
button at the bottom of the blade.
10. On the Add Assignment blade, select Role. Then, on the Select Role blade, select a role to apply to the
selected users or groups, and then select the OK button at the bottom of the blade.
11. On the Add Assignment blade, select the Assign button at the bottom of the blade. The assigned users or
groups have the permissions defined by the selected role for this enterprise app.
How do I assign a user to an enterprise app using PowerShell?
1. Open an elevated Windows PowerShell command prompt.
NOTE
You need to install the AzureAD module (use the command Install-Module -Name AzureAD ). If prompted to
install a NuGet module or the new Azure Active Directory V2 PowerShell module, type Y and press ENTER.
# Get the user to assign, and the service principal for the app to assign to
$user = Get-AzureADUser -ObjectId "$username"
$sp = Get-AzureADServicePrincipal -Filter "displayName eq '$app_name'"
$appRole = $sp.AppRoles | Where-Object { $_.DisplayName -eq $app_role_name }
For more information about how to assign a user to an application role visit the documentation for New-
AzureADUserAppRoleAssignment
Example
This example assigns the user Britta Simon to the Microsoft Workplace Analytics application using PowerShell.
1. In PowerShell, assign the corresponding values to the variables $username, $app_name and
$app_role_name.
2. In this example, we don't know what is the exact name of the application role we want to assign to Britta
Simon. Run the following commands to get the user ($user) and the service principal ($sp) using the user
UPN and the service principal display names.
# Get the user to assign, and the service principal for the app to assign to
$user = Get-AzureADUser -ObjectId "$username"
$sp = Get-AzureADServicePrincipal -Filter "displayName eq '$app_name'"
3. Run the command $sp.AppRoles to display the roles available for the Workplace Analytics application. In
this example, we want to assign Britta Simon the Analyst (Limited access) Role.
4. Assign the role name to the $app_role_name variable.
5. Run the following command to assign the user to the app role:
Next steps
See all of my groups
Remove a user or group assignment from an enterprise app
Disable user sign-ins for an enterprise app
Change the name or logo of an enterprise app
Change the name or logo of an enterprise app in
Azure Active Directory
12/11/2017 • 1 min to read • Edit Online
It's easy to change the name or logo for a custom enterprise application in Azure Active Directory (Azure AD). You
must have the appropriate permissions to make these changes, and you must be the creator of the custom app.
4. On the Enterprise applications blade, select All applications. You'll see a list of the apps you can manage.
5. On the Enterprise applications - All applications blade, select an app.
6. On the appname blade (that is, the blade with the name of the selected app in the title), select Properties.
7. On the appname - Properties blade, browse for a file to use as a new logo, or edit the app name, or both.
Next steps
See all of my groups
Assign a user or group to an enterprise app
Remove a user or group assignment from an enterprise app
Disable user sign-ins for an enterprise app
Disable user sign-ins for an enterprise app in Azure
Active Directory
12/11/2017 • 1 min to read • Edit Online
It's easy to disable an enterprise application so that no users may sign in to it in Azure Active Directory (Azure AD).
You must have the appropriate permissions to manage the enterprise app, and you must be global admin for the
directory.
4. On the Enterprise applications blade, select All applications. You see a list of the apps you can manage.
5. On the Enterprise applications - All applications blade, select an app.
6. On the appname blade (that is, the blade with the name of the selected app in the title), select Properties.
7. On the appname - Properties blade, select No for Enabled for users to sign-in?.
8. Select the Save command.
Next steps
See all my groups
Assign a user or group to an enterprise app
Remove a user or group assignment from an enterprise app
Change the name or logo of an enterprise app
Remove a user or group assignment from an
enterprise app in Azure Active Directory
12/11/2017 • 1 min to read • Edit Online
It's easy to remove a user or a group from being assigned access to one of your enterprise applications in Azure
Active Directory (Azure AD). You must have the appropriate permissions to manage the enterprise app, and you
must be global admin for the directory.
4. On the Enterprise applications blade, select All applications. You'll see a list of the apps you can manage.
5. On the Enterprise applications - All applications blade, select an app.
6. On the appname blade (that is, the blade with the name of the selected app in the title), select Users &
Groups.
7. On the appname - User & Group Assignment blade, select one of more users or groups and then select
the Remove command. Confirm your decision at the prompt.
Next steps
See all of my groups
Assign a user or group to an enterprise app
Disable user sign-ins for an enterprise app
Change the name or logo of an enterprise app
View all the enterprise apps that I can manage in
Azure Active Directory
12/11/2017 • 1 min to read • Edit Online
You can manage your enterprise applications in the Azure Active Directory (Azure AD). This includes viewing the
apps you can manage, assigning users or groups to an app, maintaining properties for the app such as the
application name/logo, and even disabling an application so that no users can sign in to it.
4. On the Enterprise applications blade, select All applications. From this blade you can select apps to manage,
change the displayed columns, or filter the list to find that app you want (for example, to view only disabled
apps).
Next steps
Assign a user or group to an enterprise app
Remove a user or group assignment from an enterprise app
Disable user sign-ins for an enterprise app
Change the name or logo of an enterprise app
Managing user account provisioning for enterprise
apps in the Azure portal
12/11/2017 • 5 min to read • Edit Online
This article describes how to use the Azure portal to manage automatic user account provisioning and de-
provisioning for applications that support it, particularly ones that have been added from the "featured" category of
the Azure Active Directory application gallery. To learn more about automatic user account provisioning and how it
works, see Automate User Provisioning and Deprovisioning to SaaS Applications with Azure Active Directory.
Selecting the All applications link on the left shows a list of all apps that have been configured, including apps that
had been added from the gallery. Selecting an app loads the resource blade for that app, where reports can be
viewed for that app and a variety of settings can be managed.
User account provisioning settings can be managed by selecting Provisioning on the left.
Provisioning modes
The Provisioning blade begins with a Mode menu, which shows what provisioning modes are supported for an
enterprise application, and allows them to be configured. The available options include:
Automatic - This option appears if Azure AD supports automatic API-based provisioning and/or de-
provisioning of user accounts to this application. Selecting this mode displays an interface that guides
administrators through configuring Azure AD to connect to the application's user management API, creating
account mappings and workflows that define how user account data should flow between Azure AD and the
app, and managing the Azure AD provisioning service.
Manual - This option is shown if Azure AD does not support automatic provisioning of user accounts to this
application. This option means that user account records stored in the application must be managed using an
external process, based on the user management and provisioning capabilities provided by that application
(which can include SAML Just-In-Time provisioning).
Feedback
We hope you like your Azure AD experience. Please keep the feedback coming! Post your feedback and ideas for
improvement in the Admin Portal section of our feedback forum. We’re excited about building cool new stuff
every day, and do use your guidance to shape and define what we build next.
Managing single sign-on for enterprise apps
12/11/2017 • 4 min to read • Edit Online
This article describes how to use the Azure portal to manage single sign-on settings for enterprise applications.
Enterprise apps are apps that are deployed and used within your organization. This article applies particularly to
apps that were added from the Azure Active Directory application gallery.
Select All applications to view a list of all apps that have been configured. Selecting an app displays the resources
for that app, where reports can be viewed for that app and a variety of settings can be managed.
To manage single sign-on settings, select Single sign-on.
Single sign-on modes
Single sign-on begins with a Mode menu, which allows the single sign-on mode to be configured. The available
options include:
SAML-based sign-on - This option is available if the application supports full federated single sign-on with
Azure Active Directory using the SAML 2.0 protocol, WS-Federation, or OpenID connect protocols.
Password-based sign-on - This option is available if Azure AD supports password form filling for this
application.
Linked sign-on - Formerly known as "Existing single sign-on", this option allows administrators to place a link
to this application in their user's Azure AD Access Panel or Office 365 application launcher.
For more information about these modes, see How does single sign-on with Azure Active Directory work.
SAML-based sign-on
The SAML-based sign-on option is divided in four sections:
Domains and URLs
This is where all details about the application's domain and URLs are added to your Azure AD directory. All inputs
required to make single sign-on work app are displayed directly on the screen, whereas all optional inputs can be
viewed by selecting the Show advanced URL settings checkbox. The full list of supported inputs includes:
sign-on URL – Where the user goes to sign in to the application. If the application is configured to perform
service-provider-initiated single sign-on, when a user opens this URL, the service provider redirects to Azure AD
to authenticate and sign the user in.
If this field is populated, then Azure AD uses the URL to start the application from Office 365 and the
Azure AD Access Panel.
If this field is omitted, then Azure AD instead performs identity-provider-initiated sign-on when the app
is launched from Office 365, the Azure AD Access Panel, or from the Azure AD single sign-on URL.
Identifier - This URI should uniquely identify the application for which single sign-on is being configured. This
is the value that Azure AD sends back to application as the Audience parameter of the SAML token, and the
application is expected to validate it. This value also appears as the Entity ID in any SAML metadata provided by
the application.
Reply URL - The reply URL is where the application expects to receive the SAML token. This is also referred to
as the Assertion Consumer Service (ACS) URL. After these have been entered, click Next to proceed to the next
screen. This screen provides information about what needs to be configured on the application side to enable it
to accept a SAML token from Azure AD.
Relay State - The relay state is an optional parameter that can help tell the application where to redirect the
user after authentication is completed. Typically the value is a valid URL at the application, however some
applications use this field differently (see the app's single sign-on documentation for details). The ability to set
the relay state is a new feature that is unique to the new Azure portal.
User Attributes
This is where admins can view and edit the attributes that are sent in the SAML token that Azure AD issues to the
application each time users sign in.
The only editable attribute supported is the User Identifier attribute. The value of this attribute is the field in Azure
AD that uniquely identifies each user within the application. For example, if the app was deployed using the "Email
address" as the username and unique identifier, then the value would be set to the "user.mail" field in Azure AD.
SAML Signing Certificate
This section shows the details of the certificate that Azure AD uses to sign the SAML tokens that are issued to the
application each time the user authenticates. It allows the properties of the current certificate to be inspected,
including the expiration date.
Application Configuration
The final section provides the documentation and/or controls required to configure the application itself to use
Azure Active Directory as an identity provider.
The Configure Application fly-out menu provides new concise, embedded instructions for configuring the
application. This is another new feature unique to the new Azure portal.
NOTE
For a complete example of embedded documentation, see the Salesforce.com application. Documentation for additional apps
is being continually added.
Password-based sign-on
If supported for the application, selecting the password-based SSO mode and selecting Save instantly configures it
to do password-based SSO. For more information about deploying password-based SSO, see How does single
sign-on with Azure Active Directory work.
Linked sign-on
If supported for the application, selecting the linked SSO mode allows you to enter the URL that you want the
Azure AD Access Panel or Office 365 to redirect to when users click on this app. For more information about linked
SSO (formerly known as "existing SSO"), see How does single sign-on with Azure Active Directory work.
Feedback
We hope you like using the improved Azure AD experience. Please keep the feedback coming! Post your feedback
and ideas for improvement in the Admin Portal section of our feedback forum. We’re excited about building cool
new stuff every day, and use your guidance to shape and define what we build next.
Advanced certificate signing options in the SAML
token for gallery apps in Azure Active Directory
12/11/2017 • 2 min to read • Edit Online
Today Azure Active Directory (Azure AD) supports thousands of pre-integrated applications in the Azure Active
Directory App Gallery. This number includes more than 500 applications that support single sign-on by using the
SAML 2.0 protocol. When a user authenticates to an application through Azure AD by using SAML, Azure AD sends
a token to the application (via an HTTP POST). Then, the application validates and uses the token to log in the user
instead of prompting for a username and password. These SAML tokens are signed with the unique certificate that's
generated in Azure AD and by specific standard algorithms.
Azure AD uses some of the default settings for the gallery applications. The default values are set up based on the
application's requirements.
Azure AD supports advanced certificate signing settings. To select these options, first select the Show advanced
certificate signing settings check box:
After you select this check box, you can set up certificate signing options and the certificate signing algorithm.
SHA-1. This is the older algorithm, and it's treated as less secure than SH-256. If an application supports only
this signing algorithm, you can select this option in the Signing Algorithm drop-down list. Azure AD then
signs the SAML response with the SHA-1 algorithm.
Next steps
Article index for application management in Azure Active Directory
Configure single sign-on to applications that are not in the Azure Active Directory App Gallery
Troubleshoot SAML-based single sign-on
Hide an application from user's experience in Azure
Active Directory
1/10/2018 • 2 min to read • Edit Online
If you have an application that you do not want to show on users’ access panels or Office 365 launchers, there are
options to hide this app tile. The following two options are available for hiding applications from user's app
launchers.
Hide a third-party application from users access panels and Office 365 app launchers
Hide all Office 365 applications from users access panels
By hiding the app users still have permissions to the app but will not see them appear on their app launchers. You
must have the appropriate permissions to manage the enterprise app, and you must be a global admin for the
directory.
4. On the Enterprise applications screen, select All applications. You see a list of the apps you can manage.
5. On the Enterprise applications - All applications screen, select an app.
6. On the appname screen (that is, the screen with the name of the selected app in the title), select Properties.
7. On the appname - Properties screen, select Yes for Visible to users?.
Next steps
See all my groups
Assign a user or group to an enterprise app
Remove a user or group assignment from an enterprise app
Change the name or logo of an enterprise app
Configure sign-in auto-acceleration for an application
by using a Home Realm Discovery policy
12/11/2017 • 8 min to read • Edit Online
The following document provides an introduction to Home Realm Discovery and auto-acceleration.
Auto-acceleration
Some organizations configure their Azure Active Directory tenant to federate with another IdP, such as AD FS for
user authentication.
In these cases, when a user signs into an application, they are first first presented with an Azure AD sign-in page.
After they have typed their UPN, they are then taken to the IdP sign-in page. Under certain circumstances,
administrators might want to direct users to the sign-in page when they're signing in to specific applications.
This means users can skip the initial Azure Active Directory page. This process is referred to as “sign-in auto-
acceleration.”
In cases where the tenant is federated to another IdP for sign-in, auto-acceleration makes user sign-in more
streamlined. You can configure auto-acceleration for individual applications.
NOTE
If you configure an application for auto-acceleration, guest users cannot sign in. If you take a user straight to a federated IdP
for authentication, there is no way to for them to get back to the Azure Active Directory sign-in page. Guest users, who
might need to be directed to other tenants or an external IdP such as a Microsoft account, can't sign in to that application
because they're skipping the Home Realm Discovery step.
Domain hints
Domain hints are directives that are included in the authentication request from an application. They can be used to
accelerate the user to their federated IdP sign-in page. Or they can be used by a multi-tenant application to
accelerate the user straight to the branded Azure AD sign-in page for their tenant.
For example, the application "largeapp.com" might enable their customers to access the application at a custom
URL "contoso.largeapp.com." The app might also include a domain hint to contoso.com in the authentication
request.
Domain hint syntax varies depending on the protocol that's used, and it's typically configured in the application.
WS-Federation: whr=contoso.com in the query string.
SAML: Either a SAML authentication request that contains a domain hint or a query string whr=contoso.com.
Open ID Connect: A query string domain_hint=contoso.com.
If a domain hint is included in the authentication request from the application, and the tenant is federated with that
domain, Azure AD attempts to redirect sign-in to the IdP that's configured for that domain.
If the domain hint doesn’t refer to a verified federated domain, it is ignored and normal Home Realm Discovery is
invoked.
For more information about auto-acceleration using the domain hints that are supported by Azure Active Directory,
see the Enterprise Mobility + Security blog.
NOTE
If a domain hint is included in an authentication request, its presence overrides any HRD policy that is set for the application.
Connect-AzureAD -Confirm
3. Run the following command to see all the policies in your organization:
Get-AzureADPolicy
If nothing is returned, it means you have no policies created in your tenant.
Example: Set auto -acceleration for an application
In this example, you create a policy that auto-accelerates users to an AD FS sign-in screen when they are signing in
to an application. Users can sign in to AD FS without having to enter a username on the Azure AD sign-in page first.
Step 1: Create an HRD policy
If you have a single federated domain that authenticates users for applications, you need to create only one HRD
policy.
To see your new policy and get its ObjectID, run the following command:
Get-AzureADPolicy
To enable auto-acceleration after you have an HRD policy, you can assign it to multiple application service
principles.
Step 2: Locate the service principal to which to assign the policy
You need the ObjectID of the service principals to which you want to assign the policy. There are several ways to
find the ObjectID of service principals.
You can use the portal, or you can query Microsoft Graph. You can also go to the Graph Explorer Tool and sign in to
your Azure AD account to see all your organization's service principals. Because you are using PowerShell, you can
use the get-AzureADServicePrincipal cmdlet to list the service principles and their IDs.
Step 3: Assign the policy to your service principal
After you have the ObjectID of the service principal of the application for which you want to configure auto-
acceleration, run the following command. This command associates the HRD policy that you created in step 1 with
the service principal that you located in step 2.
Add-AzureADServicePrincipalPolicy -Id <ObjectID of the Service Principal> -RefObjectId <ObjectId of the Policy>
You can repeat this command for each service principal to which you want to add the policy.
Step 4: Check which application service principals your auto-acceleration policy is assigned to
To check which applications have auto-acceleration policy configured, use the Get-AzureADPolicyAppliedObject
cmdlet. Pass it the ObjectID of the policy that you want to check on.
Get-AzureADPolicy
Note the ObjectID of the policy that you want to list assignments for.
Step 2: List the service principals to which the policy is assigned
Get-AzureADPolicyAppliedObject -ObjectId <ObjectId of the Policy>
Step 3: Check removal by listing the service principals to which the policy is assigned
Next steps
For more information about how authentication works in Azure AD, see Authentication scenarios for Azure AD.
For more information about user single sign-on, see Application access and single sign-on with Azure Active
Directory.
Visit the Active Directory developer's guide for an overview of all developer-related content.
Managing access to apps
12/11/2017 • 4 min to read • Edit Online
Ongoing access management, usage evaluation, and reporting continue to be a challenge after an app is
integrated into your organization's identity system. In many cases, IT Administrators or helpdesk have to take an
ongoing active role in managing access to your apps. Sometimes, assignment is performed by a general or
divisional IT team. Often, the assignment decision is intended to be delegated to the business decision maker,
requiring their approval before IT makes the assignment. Other organizations invest in integration with an existing
automated identity and access management system, like Role-Based Access Control (RBAC) or Attribute-Based
Access Control (ABAC). Both the integration and rule development tend to be specialized and expensive.
Monitoring or reporting on either management approach is its own separate, costly, and complex investment.
Single sign-on means being able to access all of the applications and resources that you need to do business, by
signing in only once using a single user account. Once signed in, you can access all of the applications you need
without being required to authenticate (for example, type a password) a second time.
Many organizations rely upon software as a service (SaaS) applications such as Office 365, Box and Salesforce for
end-user productivity. Historically, IT staff needs to individually create and update user accounts in each SaaS
application, and users have to remember a password for each SaaS application.
Azure Active Directory extends on-premises Active Directory into the cloud, enabling users to use their primary
organizational account to not only sign in to their domain-joined devices and company resources, but also all of
the web and SaaS applications needed for their job.
So not only do users not have to manage multiple sets of usernames and passwords, their applications access can
be automatically provisioned or de-provisioned based on their organization group members, and also their status
as an employee. Azure Active Directory introduces security and access governance controls that enable you to
centrally manage users' access across SaaS applications.
Azure AD enables easy integration to many of today’s popular SaaS applications; it provides identity and access
management, and enables users to single sign-on to applications directly, or discover and launch them from a
portal such as Office 365 or the Azure AD access panel.
The architecture of the integration consists of the following four main building blocks:
Single sign-on enables users to access their SaaS applications based on their organizational account in Azure
AD. Single sign-on is what enables users to authenticate to an application using their single organizational
account.
User provisioning enables user provisioning and de-provisioning into target SaaS based on changes made in
Windows Server Active Directory and/or Azure AD. A provisioned account is what enables a user to be
authorized to use an application, after they have authenticated through single sign-on.
Centralized application access management in the Azure portal enables single point of SaaS application access
and management, with the ability to delegate application access decision making and approvals to anyone in
the organization
Unified reporting and monitoring of user activity in Azure AD
For more information about the Office 365 application launcher, see Have your app appear in the Office 365 app
launcher.
Direct sign-on to federated apps
Most federated applications that support SAML 2.0, WS-Federation, or OpenID connect also support the ability for
users to start at the application, and then get signed in through Azure AD either by automatic redirection or by
clicking on a link to sign in. This is known as service provider -initiated sign-on, and most federated applications in
the Azure AD application gallery support this (see the documentation linked from the app’s single sign-on
configuration wizard in the Azure management portal for details).
Similar to organization-specific URLs for the access panel, you can further customize this URL by adding one of the
active or verified domains for your directory after the myapps.microsoft.com domain. This ensures any
organizational branding is loaded immediately on the sign-in page without the user needing to enter their user ID
first:
https://myapps.microsoft.com/contosobuild.com/signin/Twitter/230848d52c8745d4b05a60d29a40fced
When an authorized user clicks on one of these application-specific links, they first see their organizational sign-in
page (assuming they are not already signed in), and after sign-in are redirected to their app without stopping at
the access panel first. If the user is missing pre-requisites to access the application, such as the password-based
single sign browser extension, then the link will prompt the user to install the missing extension. The link URL also
remains constant if the single sign-on configuration for the application changes.
These links use the same access control mechanisms as the access panel and Office 365, and only those users or
groups who have been assigned to the application in the Azure management portal will be able to successfully
authenticate. However, any user who is unauthorized will see a message explaining that they have not been
granted access, and are given a link to load the access panel to view available applications for which they do have
access.
Related articles
Article Index for Application Management in Azure Active Directory
List of Tutorials on How to Integrate SaaS Apps with Azure Active Directory
Finding unsanctioned cloud applications with Cloud App Discovery
Introduction to Managing Access to Apps
Comparing Capabilities for Managing External Identities in Azure AD
Manage certificates for federated single sign-on in
Azure Active Directory
12/11/2017 • 3 min to read • Edit Online
This article covers common questions and information related to the certificates that Azure Active Directory (Azure
AD) creates to establish federated single sign-on (SSO) to your SaaS applications. Add applications from the Azure
AD app gallery or by using a non-gallery application template. Configure the application by using the federated
SSO option.
This article is relevant only to apps that are configured to use Azure AD SSO through SAML federation, as shown in
the following example:
Customize the expiration date for your federation certificate and roll it
over to a new certificate
By default, certificates are set to expire after three years. You can choose a different expiration date for your
certificate by completing the following steps. The screenshots use Salesforce for the sake of example, but these
steps can apply to any federated SaaS app.
1. In the Azure portal, click Enterprise application in the left pane and then click New application on the
Overview page:
2. Search for the gallery application and then select the application that you want to add. If you cannot find the
required application, add the application by using the Non-gallery application option. This feature is
available only in the Azure AD Premium (P1 and P2) SKU.
3. Click the Single sign-on link in the left pane and change Single Sign-on Mode to SAML-based Sign-on.
This step generates a three-year certificate for your application.
4. To create a new certificate, click the Create new certificate link in the SAML Signing Certificate section.
5. The Create a new certificate link opens the calendar control. You can set any date and time up to three
years from the current date. The selected date and time is the new expiration date and time of your new
certificate. Click Save.
6. Now the new certificate is available to download. Click the Certificate link to download it. At this point, your
certificate is not active. When you want to roll over to this certificate, select the Make new certificate
active check box and click Save. From that point, Azure AD starts using the new certificate for signing the
response.
7. To learn how to upload the certificate to your particular SaaS application, click the View application
configuration tutorial link.
2. Select the desired expiration date and time for your new certificate and click Save.
3. Download the certificate in the SAML Signing certificate option. Upload the new certificate to the SaaS
application's single sign-on configuration screen. To learn how to do this for your particular SaaS
application, click the View application configuration tutorial link.
4. To activate the new certificate in Azure AD, select the Make new certificate active check box and click the
Save button at the top of the page. This rolls over the new certificate on the Azure AD side. The status of the
certificate changes from New to Active. From that point, Azure AD starts using the new certificate for
signing the response.
Related articles
List of tutorials on how to integrate SaaS apps with Azure Active Directory
Article index for application management in Azure Active Directory
Application access and single sign-on with Azure Active Directory
Troubleshooting SAML-based single sign-on
Use Tenant Restrictions to manage access to SaaS
cloud applications
12/11/2017 • 7 min to read • Edit Online
Large organizations that emphasize security want to move to cloud services like Office 365, but need to know that
their users only can access approved resources. Traditionally, companies restrict domain names or IP addresses
when they want to manage access. This approach fails in a world where SaaS apps are hosted in a public cloud,
running on shared domain names like outlook.office.com and login.microsoftonline.com. Blocking these addresses
would keep users from accessing Outlook on the web entirely, instead of merely restricting them to approved
identities and resources.
Azure Active Directory's solution to this challenge is a feature called Tenant Restrictions. Tenant Restrictions enables
organizations to control access to SaaS cloud applications, based on the Azure AD tenant the applications use for
single sign-on. For example, you may want to allow access to your organization’s Office 365 applications, while
preventing access to other organizations’ instances of these same applications.
Tenant Restrictions gives organizations the ability to specify the list of tenants that their users are permitted to
access. Azure AD then only grants access to these permitted tenants.
This article focuses on Tenant Restrictions for Office 365, but the feature should work with any SaaS cloud app that
uses modern authentication protocols with Azure AD for single sign-on. If you use SaaS apps with a different Azure
AD tenant from the tenant used by Office 365, make sure that all required tenants are permitted. For more
information about SaaS cloud apps, see the Active Directory Marketplace.
How it works
The overall solution comprises the following components:
1. Azure AD – If the Restrict-Access-To-Tenants: <permitted tenant list> is present, Azure AD only issues
security tokens for the permitted tenants.
2. On-premises proxy server infrastructure – a proxy device capable of SSL inspection, configured to insert
the header containing the list of permitted tenants into traffic destined for Azure AD.
3. Client software – to support Tenant Restrictions, client software must request tokens directly from Azure
AD, so that traffic can be intercepted by the proxy infrastructure. Tenant Restrictions is currently supported
by browser-based Office 365 applications and by Office clients when modern authentication (like OAuth 2.0)
is used.
4. Modern Authentication – cloud services must use modern authentication to use Tenant Restrictions and
block access to all non-permitted tenants. Office 365 cloud services must be configured to use modern
authentication protocols by default. For the latest information on Office 365 support for modern
authentication, read Updated Office 365 modern authentication.
The following diagram illustrates the high-level traffic flow. SSL inspection is only required on traffic to Azure AD,
not to the Office 365 cloud services. This distinction is important because the traffic volume for authentication to
Azure AD is typically much lower than traffic volume to SaaS applications like Exchange Online and SharePoint
Online.
Set up Tenant Restrictions
There are two steps to get started with Tenant Restrictions. The first step is to make sure that your clients can
connect to the right addresses. The second is to configure your proxy infrastructure.
URLs and IP addresses
To use Tenant Restrictions, your clients must be able to connect to the following Azure AD URLs to authenticate:
login.microsoftonline.com, login.microsoft.com, and login.windows.net. Additionally, to access Office 365, your
clients must also be able to connect to the FQDNs/URLs and IP addresses defined in Office 365 URLs and IP address
ranges.
Proxy configuration and requirements
The following configuration is required to enable Tenant Restrictions through your proxy infrastructure. This
guidance is generic, so you should refer to your proxy vendor’s documentation for specific implementation steps.
Prerequisites
The proxy must be able to perform SSL interception, HTTP header insertion, and filter destinations using
FQDNs/URLs.
Clients must trust the certificate chain presented by the proxy for SSL communications. For example, if
certificates from an internal PKI are used, the internal issuing root certificate authority certificate must be
trusted.
This feature is included in Office 365 subscriptions, but if you want to use Tenant Restrictions to control
access to other SaaS apps then Azure AD Premium 1 licenses are required.
Configuration
For each incoming request to login.microsoftonline.com, login.microsoft.com, and login.windows.net, insert two
HTTP headers: Restrict-Access-To-Tenants and Restrict-Access-Context.
The headers should include the following elements:
For Restrict-Access-To-Tenants, a value of <permitted tenant list>, which is a comma-separated list of tenants
you want to allow users to access. Any domain that is registered with a tenant can be used to identify the tenant
in this list. For example, to permit access to both Contoso and Fabrikam tenants, the name/value pair looks like:
Restrict-Access-To-Tenants: contoso.onmicrosoft.com,fabrikam.onmicrosoft.com
For Restrict-Access-Context, a value of a single directory ID, declaring which tenant is setting the Tenant
Restrictions. For example, to declare Contoso as the tenant that set the Tenant Restrictions policy, the
name/value pair looks like: Restrict-Access-Context: 456ff232-35l2-5h23-b3b3-3236w0826f3d
TIP
You can find your directory ID in the Azure portal. Sign in as an administrator, select Azure Active Directory, then select
Properties.
To prevent users from inserting their own HTTP header with non-approved tenants, the proxy needs to replace the
Restrict-Access-To-Tenants header if it is already present in the incoming request.
Clients must be forced to use the proxy for all requests to login.microsoftonline.com, login.microsoft.com, and
login.windows.net. For example, if PAC files are used to direct clients to use the proxy, end users should not be able
to edit or disable the PAC files.
Admin experience
While configuration of Tenant Restrictions is done on the corporate proxy infrastructure, admins can access the
Tenant Restrictions reports in the Azure portal directly. To view the reports, go to the Azure Active Directory
Overview page, then look under ‘Other capabilities’.
The admin for the tenant specified as the Restricted-Access-Context tenant can use this report to see all sign-ins
blocked because of the Tenant Restrictions policy, including the identity used and the target directory ID.
Like other reports in the Azure portal, you can use filters to specify the scope of your report. You can filter on a
specific user, application, client, or time interval.
Testing
If you want to try out Tenant Restrictions before implementing it for your whole organization, there are two options:
a host-based approach using a tool like Fiddler, or a staged rollout of proxy settings.
Fiddler for a host-based approach
Fiddler is a free web debugging proxy that can be used to capture and modify HTTP/HTTPS traffic, including
inserting HTTP headers. To configure Fiddler to test Tenant Restrictions, perform the following steps:
1. Download and install Fiddler.
2. Configure Fiddler to decrypt HTTPS traffic, per Fiddler’s help documentation.
3. Configure Fiddler to insert the Restrict-Access-To-Tenants and Restrict-Access-Context headers using custom
rules:
a. In the Fiddler Web Debugger tool, select the Rules menu and select Customize Rules… to open the
CustomRules file.
b. Add the following lines at the beginning of the OnBeforeRequest function. Replace <tenant domain> with
a domain registered with your tenant, for example, contoso.onmicrosoft.com. Replace <directory ID> with
your tenant's Azure AD GUID identifier.
if (oSession.HostnameIs("login.microsoftonline.com") || oSession.HostnameIs("login.microsoft.com") ||
oSession.HostnameIs("login.windows.net")){ oSession.oRequest["Restrict-Access-To-Tenants"] = "
<tenant domain>"; oSession.oRequest["Restrict-Access-Context"] = "<directory ID>";}
If you need to allow multiple tenants, use a comma to separate the tenant names. For example:
oSession.oRequest["Restrict-Access-To-Tenants"] = "contoso.onmicrosoft.com,fabrikam.onmicrosoft.com";
Next steps
Read about Updated Office 365 modern authentication
Review the Office 365 URLs and IP address ranges
Using System for Cross-Domain Identity
Management to automatically provision users and
groups from Azure Active Directory to applications
1/17/2018 • 22 min to read • Edit Online
Overview
Azure Active Directory (Azure AD) can automatically provision users and groups to any application or identity store
that is fronted by a web service with the interface defined in the System for Cross-Domain Identity Management
(SCIM) 2.0 protocol specification. Azure Active Directory can send requests to create, modify, or delete assigned
users and groups to the web service. The web service can then translate those requests into operations on the
target identity store.
Figure 1: Provisioning from Azure Active Directory to an identity store via a web service
This capability can be used in conjunction with the “bring your own app” capability in Azure AD to enable single
sign-on and automatic user provisioning for applications that provide or are fronted by a SCIM web service.
There are two use cases for using SCIM in Azure Active Directory:
Provisioning users and groups to applications that support SCIM Applications that support SCIM 2.0 and
use OAuth bearer tokens for authentication works with Azure AD without configuration.
Build your own provisioning solution for applications that support other API-based provisioning For
non-SCIM applications, you can create a SCIM endpoint to translate between the Azure AD SCIM endpoint and
any API the application supports for user provisioning. To help you develop a SCIM endpoint, we provide
Common Language Infrastructure (CLI) libraries along with code samples that show you how to do provide a
SCIM endpoint and translate SCIM messages.
NOTE
You can optionally disable syncing of group objects by disabling the "groups" mapping.
11. Under Settings, the Scope field defines which users and or groups are synchronized. Selecting "Sync only
assigned users and groups" (recommended) will only sync users and groups assigned in the Users and
groups tab.
12. Once your configuration is complete, change the Provisioning Status to On.
13. Click Save to start the Azure AD provisioning service.
14. If syncing only assigned users and groups (recommended), be sure to select the Users and groups tab and
assign the users and/or groups you wish to sync.
Once the initial synchronization has started, you can use the Audit logs tab to monitor progress, which shows all
actions performed by the provisioning service on your app. For more information on how to read the Azure AD
provisioning logs, see Reporting on automatic user account provisioning.
NOTE
The initial sync takes longer to perform than subsequent syncs, which occur approximately every 20 minutes as long as the
service is running.
2. Express route handlers are available for parsing node.js request objects representing calls (as defined by the
SCIM specification), made to a node.js web service.
Building a Custom SCIM Endpoint
Using the CLI libraries, developers using those libraries can host their services within any executable Common
Language Infrastructure assembly, or within Internet Information Services. Here is sample code for hosting a
service within an executable assembly, at the address http://localhost:9000:
Microsoft.SystemForCrossDomainIdentityManagement.IMonitor monitor =
new DevelopersMonitor();
Microsoft.SystemForCrossDomainIdentityManagement.IProvider provider =
new DevelopersProvider(arguments[1]);
Microsoft.SystemForCrossDomainIdentityManagement.Service webService = null;
try
{
webService = new WebService(monitor, provider);
webService.Start("http://localhost:9000");
Console.ReadKey(true);
}
finally
{
if (webService != null)
{
{
webService.Dispose();
webService = null;
}
}
}
public WebService(
Microsoft.SystemForCrossDomainIdentityManagement.IMonitor monitoringBehavior,
Microsoft.SystemForCrossDomainIdentityManagement.IProvider providerBehavior)
{
this.monitor = monitoringBehavior;
this.provider = providerBehavior;
}
set
{
this.monitor = value;
}
}
set
{
this.provider = value;
}
}
}
This service must have an HTTP address and server authentication certificate of which the root certification
authority is one of the following:
CNNIC
Comodo
CyberTrust
DigiCert
GeoTrust
GlobalSign
Go Daddy
Verisign
WoSign
A server authentication certificate can be bound to a port on a Windows host using the network shell utility:
netsh http add sslcert ipport=0.0.0.0:443 certhash=0000000000003ed9cd0c315bbb6dc1c08da5e6 appid={00112233-4455-
6677-8899-AABBCCDDEEFF}
Here, the value provided for the certhash argument is the thumbprint of the certificate, while the value provided for
the appid argument is an arbitrary globally unique identifier.
To host the service within Internet Information Services, a developer would build a CLA code library assembly with
a class named Startup in the default namespace of the assembly. Here is a sample of such a class:
Microsoft.SystemForCrossDomainIdentityManagement.IWebApplicationStarter starter;
public Startup()
{
Microsoft.SystemForCrossDomainIdentityManagement.IMonitor monitor =
new DevelopersMonitor();
Microsoft.SystemForCrossDomainIdentityManagement.IProvider provider =
new DevelopersProvider();
this.starter =
new Microsoft.SystemForCrossDomainIdentityManagement.WebApplicationStarter(
provider,
monitor);
}
2. Add the following code to that method to have any request to any of the service’s endpoints authenticated
as bearing a token issued by Azure Active Directory on behalf of a specified tenant, for access to the Azure
AD Graph web service:
// SystemIdentityModel.Tokens.TokenValidationParameters is defined in
// System.IdentityModel.Token.Jwt.dll.
SystemIdentityModel.Tokens.TokenValidationParameters tokenValidationParameters =
new TokenValidationParameters()
{
ValidAudience = "00000002-0000-0000-c000-000000000000"
};
// WindowsAzureActiveDirectoryBearerAuthenticationOptions is defined in
// Microsoft.Owin.Security.ActiveDirectory.dll
Microsoft.Owin.Security.ActiveDirectory.
WindowsAzureActiveDirectoryBearerAuthenticationOptions authenticationOptions =
new WindowsAzureActiveDirectoryBearerAuthenticationOptions() {
TokenValidationParameters = tokenValidationParameters,
Tenant = "03F9FCBC-EA7B-46C2-8466-F81917F3C15E" // Substitute the appropriate tenant’s
// identifier for this one.
};
applicationBuilder.UseWindowsAzureActiveDirectoryBearerAuthentication(authenticationOptions);
}
IsSoftDeleted active
displayName displayName
givenName name.givenName
jobTitle title
mailNickname externalId
manager manager
objectId id
surname name.familyName
user-PrincipalName userName
displayName externalId
mailNickname displayName
members members
HTTP://SCHEMAS.MICROSOFT.COM/2006/11/RESOURCEMANAGEM
AZURE ACTIVE DIRECTORY GROUP ENT/ADSCIM/GROUP
objectId id
If the service was built using the Common Language Infrastructure libraries provided by Microsoft for
implementing SCIM services, then the request is translated into a call to the Query method of the service’s
provider. Here is the signature of that method:
// System.Threading.Tasks.Tasks is defined in mscorlib.dll.
// Microsoft.SystemForCrossDomainIdentityManagement.Resource is defined in
// Microsoft.SystemForCrossDomainIdentityManagement.Schemas.
// Microsoft.SystemForCrossDomainIdentityManagement.IQueryParameters is defined in
// Microsoft.SystemForCrossDomainIdentityManagement.Protocol.
System.Threading.Tasks.Task<Microsoft.SystemForCrossDomainIdentityManagement.Resource[]> Query(
Microsoft.SystemForCrossDomainIdentityManagement.IQueryParameters parameters,
string correlationIdentifier);
In the following sample of a query for a user with a given value for the externalId attribute, values of the
arguments passed to the Query method are:
parameters.AlternateFilters.Count: 1
parameters.AlternateFilters.ElementAt(0).AttributePath: "externalId"
parameters.AlternateFilters.ElementAt(0).ComparisonOperator: ComparisonOperator.Equals
parameters.AlternateFilter.ElementAt(0).ComparisonValue: "jyoung"
correlationIdentifier: System.Net.Http.HttpRequestMessage.GetOwinEnvironment["owin.RequestId"]
2. If the response to a query to the web service for a user with an externalId attribute value that matches the
mailNickname attribute value of a user does not return any users, then Azure Active Directory requests that
the service provision a user corresponding to the one in Azure Active Directory. Here is an example of such a
request:
POST https://.../scim/Users HTTP/1.1
Authorization: Bearer ...
Content-type: application/json
{
"schemas":
[
"urn:ietf:params:scim:schemas:core:2.0:User",
"urn:ietf:params:scim:schemas:extension:enterprise:2.0User"],
"externalId":"jyoung",
"userName":"jyoung",
"active":true,
"addresses":null,
"displayName":"Joy Young",
"emails": [
{
"type":"work",
"value":"jyoung@Contoso.com",
"primary":true}],
"meta": {
"resourceType":"User"},
"name":{
"familyName":"Young",
"givenName":"Joy"},
"phoneNumbers":null,
"preferredLanguage":null,
"title":null,
"department":null,
"manager":null}
The Common Language Infrastructure libraries provided by Microsoft for implementing SCIM services
would translate that request into a call to the Create method of the service’s provider. The Create method
has this signature:
System.Threading.Tasks.Task<Microsoft.SystemForCrossDomainIdentityManagement.Resource> Create(
Microsoft.SystemForCrossDomainIdentityManagement.Resource resource,
string correlationIdentifier);
In a request to provision a user, the value of the resource argument is an instance of the
Microsoft.SystemForCrossDomainIdentityManagement. Core2EnterpriseUser class, defined in the
Microsoft.SystemForCrossDomainIdentityManagement.Schemas library. If the request to provision the user
succeeds, then the implementation of the method is expected to return an instance of the
Microsoft.SystemForCrossDomainIdentityManagement. Core2EnterpriseUser class, with the value of the
Identifier property set to the unique identifier of the newly provisioned user.
3. To update a user known to exist in an identity store fronted by an SCIM, Azure Active Directory proceeds by
requesting the current state of that user from the service with a request such as:
In a service built using the Common Language Infrastructure libraries provided by Microsoft for
implementing SCIM services, the request is translated into a call to the Retrieve method of the service’s
provider. Here is the signature of the Retrieve method:
// System.Threading.Tasks.Tasks is defined in mscorlib.dll.
// Microsoft.SystemForCrossDomainIdentityManagement.Resource and
// Microsoft.SystemForCrossDomainIdentityManagement.IResourceRetrievalParameters
// are defined in Microsoft.SystemForCrossDomainIdentityManagement.Schemas.
System.Threading.Tasks.Task<Microsoft.SystemForCrossDomainIdentityManagement.Resource>
Retrieve(
Microsoft.SystemForCrossDomainIdentityManagement.IResourceRetrievalParameters
parameters,
string correlationIdentifier);
public interface
Microsoft.SystemForCrossDomainIdentityManagement.IResourceRetrievalParameters:
IRetrievalParameters
{
Microsoft.SystemForCrossDomainIdentityManagement.IResourceIdentifier
ResourceIdentifier
{ get; }
}
public interface Microsoft.SystemForCrossDomainIdentityManagement.IResourceIdentifier
{
string Identifier
{ get; set; }
string Microsoft.SystemForCrossDomainIdentityManagement.SchemaIdentifier
{ get; set; }
}
In the example of a request to retrieve the current state of a user, the values of the properties of the object
provided as the value of the parameters argument are as follows:
Identifier: "54D382A4-2050-4C03-94D1-E769F1D15682"
SchemaIdentifier: "urn:ietf:params:scim:schemas:extension:enterprise:2.0:User"
4. If a reference attribute is to be updated, then Azure Active Directory queries the service to determine
whether or not the current value of the reference attribute in the identity store fronted by the service already
matches the value of that attribute in Azure Active Directory. For users, the only attribute of which the
current value is queried in this way is the manager attribute. Here is an example of a request to determine
whether the manager attribute of a particular user object currently has a certain value:
The value of the attributes query parameter, id, signifies that if a user object exists that satisfies the
expression provided as the value of the filter query parameter, then the service is expected to respond with a
urn:ietf:params:scim:schemas:core:2.0:User or urn:ietf:params:scim:schemas:extension:enterprise:2.0:User
resource, including only the value of that resource’s id attribute. The value of the id attribute is known to the
requestor. It is included in the value of the filter query parameter; the purpose of asking for it is actually to
request a minimal representation of a resource that satisfying the filter expression as an indication of
whether or not any such object exists.
If the service was built using the Common Language Infrastructure libraries provided by Microsoft for
implementing SCIM services, then the request is translated into a call to the Query method of the service’s
provider. The value of the properties of the object provided as the value of the parameters argument are as
follows:
parameters.AlternateFilters.Count: 2
parameters.AlternateFilters.ElementAt(x).AttributePath: "id"
parameters.AlternateFilters.ElementAt(x).ComparisonOperator: ComparisonOperator.Equals
parameters.AlternateFilter.ElementAt(x).ComparisonValue: "54D382A4-2050-4C03-94D1-
E769F1D15682"
parameters.AlternateFilters.ElementAt(y).AttributePath: "manager"
parameters.AlternateFilters.ElementAt(y).ComparisonOperator: ComparisonOperator.Equals
parameters.AlternateFilter.ElementAt(y).ComparisonValue: "2819c223-7f76-453a-919d-413861904646"
parameters.RequestedAttributePaths.ElementAt(0): "id"
parameters.SchemaIdentifier: "urn:ietf:params:scim:schemas:extension:enterprise:2.0:User"
Here, the value of the index x may be 0 and the value of the index y may be 1, or the value of x may be 1 and
the value of y may be 0, depending on the order of the expressions of the filter query parameter.
5. Here is an example of a request from Azure Active Directory to an SCIM service to update a user:
The Microsoft Common Language Infrastructure libraries for implementing SCIM services would translate
the request into a call to the Update method of the service’s provider. Here is the signature of the Update
method:
// System.Threading.Tasks.Tasks and
// System.Collections.Generic.IReadOnlyCollection<T>
// are defined in mscorlib.dll.
// Microsoft.SystemForCrossDomainIdentityManagement.IPatch,
// Microsoft.SystemForCrossDomainIdentityManagement.PatchRequestBase,
// Microsoft.SystemForCrossDomainIdentityManagement.IResourceIdentifier,
// Microsoft.SystemForCrossDomainIdentityManagement.PatchOperation,
// Microsoft.SystemForCrossDomainIdentityManagement.OperationName,
// Microsoft.SystemForCrossDomainIdentityManagement.IPath and
// Microsoft.SystemForCrossDomainIdentityManagement.OperationValue
// are all defined in Microsoft.SystemForCrossDomainIdentityManagement.Protocol.
System.Threading.Tasks.Task Update(
Microsoft.SystemForCrossDomainIdentityManagement.IPatch patch,
string correlationIdentifier);
public Microsoft.SystemForCrossDomainIdentityManagement.IPath
Path
{ get; set; }
public System.Collections.Generic.IReadOnlyCollection
<Microsoft.SystemForCrossDomainIdentityManagement.OperationValue> Value
{ get; }
In the example of a request to update a user, the object provided as the value of the patch argument has
these property values:
ResourceIdentifier.Identifier: "54D382A4-2050-4C03-94D1-E769F1D15682"
ResourceIdentifier.SchemaIdentifier: "urn:ietf:params:scim:schemas:extension:enterprise:2.0:User"
(PatchRequest as PatchRequest2).Operations.Count: 1
(PatchRequest as PatchRequest2).Operations.ElementAt(0).OperationName: OperationName.Add
(PatchRequest as PatchRequest2).Operations.ElementAt(0).Path.AttributePath: "manager"
(PatchRequest as PatchRequest2).Operations.ElementAt(0).Value.Count: 1
(PatchRequest as PatchRequest2).Operations.ElementAt(0).Value.ElementAt(0).Reference:
http://.../scim/Users/2819c223-7f76-453a-919d-413861904646
(PatchRequest as PatchRequest2).Operations.ElementAt(0).Value.ElementAt(0).Value: 2819c223-7f76-
453a-919d-413861904646
6. To de-provision a user from an identity store fronted by an SCIM service, Azure AD sends a request such as:
If the service was built using the Common Language Infrastructure libraries provided by Microsoft for
implementing SCIM services, then the request is translated into a call to the Delete method of the service’s
provider. That method has this signature:
The object provided as the value of the resourceIdentifier argument has these property values in the
example of a request to de-provision a user:
ResourceIdentifier.Identifier: "54D382A4-2050-4C03-94D1-E769F1D15682"
ResourceIdentifier.SchemaIdentifier: "urn:ietf:params:scim:schemas:extension:enterprise:2.0:User"
Related articles
Article Index for Application Management in Azure Active Directory
Automate User Provisioning/Deprovisioning to SaaS Apps
Customizing Attribute Mappings for User Provisioning
Writing Expressions for Attribute Mappings
Scoping Filters for User Provisioning
Account Provisioning Notifications
List of Tutorials on How to Integrate SaaS Apps
Troubleshoot Azure Active Directory Application
Management and Development
12/22/2017 • 1 min to read • Edit Online
This article will help you to find helpful documents related to troubleshooting some of the most common issues
related to managing Enterprise Applications and developing new applications with the Application Registry.
The following links will bring you to a content map which will help you to resolve some of the most common issues
with application development with the Application Registry in Azure Active Directory.
Problems with Application Configuration and Registration
Problems with Application Development
Problems configuring or registering my application
12/11/2017 • 1 min to read • Edit Online
The following links will bring you to a content map which will help you to resolve some of the most common issues
faced when managing Enterprise Applications in Azure Active Directory.
Problems with Application Configuration
Problems with Sign-in
Problems with Provisioning
Problems Managing Access
Problems with the Access Panel
Problems with the Application Proxy
Problems with Conditional Access
Problems adding or configuring applications
12/11/2017 • 1 min to read • Edit Online
I can complete Azure AD sign in, but I'm seeing a prompt that I don't
expect
The following documents can help you to resolve some of the most common issues in this category.
A user sees an unexpected consent prompt when signing in to an application
A user sees an unexpected error when performing consent to an application
This guide provides an overview of developing line-of-business (LoB) applications for Azure Active Directory
(AD).The intended audience is Active Directory/Office 365 global administrators.
Overview
Building applications integrated with Azure AD gives users in your organization single sign-on with Office 365.
Having the application in Azure AD gives you control over the authentication policy for the application. To learn
more about conditional access and how to protect apps with multi-factor authentication (MFA) see Configuring
access rules.
Register your application to use Azure Active Directory. Registering the application means that your developers can
use Azure AD to authenticate users and request access to user resources such as email, calendar, and documents.
Any member of your directory (not guests) can register an application, otherwise known as creating an application
object.
Registering an application allows any user to do the following:
Get an identity for their application that Azure AD recognizes
Get one or more secrets/keys that the application can use to authenticate itself to AD
Brand the application in the Azure portal with a custom name, logo, etc.
Apply Azure AD authorization features to their app, including:
Role-Based Access Control (RBAC)
Azure Active Directory as oAuth authorization server (secure an API exposed by the application)
Declare required permissions necessary for the application to function as expected, including:
- App permissions (global administrators only). For example: Role membership in another Azure AD
application or role membership relative to an Azure Resource, Resource Group, or Subscription
- Delegated permissions (any user). For example: Azure AD, Sign-in, and Read Profile
NOTE
By default, any member can register an application. To learn how to restrict permissions for registering applications to specific
members, see How applications are added to Azure AD.
Here’s what you, the global administrator, need to do to help developers make their application ready for
production:
Configure access rules (access policy/MFA)
Configure the app to require user assignment and assign users
Suppress the default user consent experience
Related Articles
Enable secure remote access to on-premises applications with Azure AD Application Proxy
Azure Conditional Access Preview for SaaS Apps
Managing access to apps with Azure AD
Article Index for Application Management in Azure Active Directory
Article Index for Application Management in
Azure Active Directory
1/16/2018 • 13 min to read • Edit Online
This page provides a comprehensive list of every document written about the various application-related
features in Azure Active Directory (Azure AD).
There is a brief introduction to each major feature area, as well as guidance on which articles to read
depending on what information you're looking for.
Overview Articles
The articles below are good starting points for those who simply want a brief explanation of Azure AD
application management features.
ARTICLE GUIDE
An introduction to the application management problems Managing Applications with Azure Active Directory (AD)
that Azure AD solves
An overview of the various features in Azure AD related to Application Access and Single Sign-on in Azure Active
enabling single sign-on, defining who has access to apps, Directory
and how users launch apps
A look at the different steps involved when integrating Integrating Azure Active Directory with Applications
apps into your Azure AD
Enabling Single Sign-On to SaaS Apps
A technical explanation of how apps are represented in How and Why Applications are Added to Azure AD
Azure AD
Troubleshooting Articles
This section provides quick access to relevant troubleshooting guides. More information about each feature
area can be found on the rest of this page.
FEATURE AREA
Password-Based Single Sign-On Troubleshooting the Access Panel Extension for Internet
Explorer
ARTICLE GUIDE
An introduction to federation and other types of sign-on Single Sign-On with Azure AD
Thousands of SaaS apps that are pre-integrated with Getting started with the Azure AD application gallery
Azure AD with simplified single sign-on configuration
steps Full List of Pre-Integrated Apps that Support Federation
More than 150 app tutorials on how to configure single List of Tutorials on How to Integrate SaaS Apps with
sign-on for apps such as Salesforce, ServiceNow, Google Azure Active Directory
Apps, Workday, and many more
How to manually set up and customize your single sign- How to Configure Federated Single Sign-On to Apps that
on configuration are not in the Azure Active Directory Application Gallery
Troubleshooting guide for federated apps that use the Troubleshooting SAML-Based Single Sign-On
SAML protocol
How to configure your app's certificate's expiration date, Managing Certificates for Federated Single Sign-On in
and how to renew your certificates Azure Active Directory
Federated single sign-on is available for all editions of Azure AD for up to ten apps per user. Azure AD
Premium supports unlimited applications. If your organization has Azure AD Basic or Azure AD Premium,
then you can use groups to assign access to federated applications.
Password-Based Single Sign-On: Account sharing and SSO for non-federated apps
To enable single sign-on to applications that don't support federation, Azure AD offers password
management features that can securely store passwords to SaaS apps and automatically sign users into
those apps. You can easily distribute credentials for newly created accounts and share team accounts with
multiple people. Users don't necessarily need to know the credentials to the accounts that they're given
access to.
ARTICLE GUIDE
An introduction to how password-based SSO works and a Password-Based Single Sign-On with Azure AD
brief technical overview
ARTICLE GUIDE
A summary of the scenarios related to account sharing Sharing accounts with Azure AD
and how these problems are solved by Azure AD
Automatically change the password for certain apps at a Automated Password Rollover (preview)
regular interval
Deployment and troubleshooting guides for the Internet How to Deploy the Access Panel Extension for Internet
Explorer version of the Azure AD password management Explorer using Group Policy
extension
Troubleshooting the Access Panel Extension for Internet
Explorer
Password-based single sign-on is available for all editions of Azure AD for up to ten apps per user. Azure
AD Premium supports unlimited applications. If your organization has Azure AD Basic or Azure AD
Premium, then you can use groups to assign access to applications. Automated password rollover is an
Azure AD Premium feature.
App Proxy: Single sign-on and remote access to on-premises applications
If you have applications in your private network that need to be accessed by users and devices outside the
network, then you can use Azure AD Application Proxy to enable secure, remote access to those apps.
ARTICLE GUIDE
Overview of Azure AD Application Proxy and how it works Providing secure remote access to on-premises
applications
Tutorials on how to configure Application Proxy and how How to Set Up Azure AD App Proxy
to publish your first app
How to Silently Install the App Proxy Connector
How to enable single sign-on and conditional access for Single-sign-on with Application Proxy
apps published with App Proxy
Conditional Access and Application Proxy
Guidance on how to use Application Proxy for the How to Support Native Client Applications
following scenarios
How to Support Claims-Aware Applications
Application Proxy is available for all editions of Azure AD for up to ten apps per user. Azure AD Premium
supports unlimited applications. If your organization has Azure AD Basic or Azure AD Premium, then you
can use groups to assign access to applications.
You may also be interested in Azure AD Domain Services, which allows you to migrate your on-premises
applications to Azure while still satisfying the identity needs of those applications.
Enabling single sign-on between Azure AD and on-premises AD
If your organization maintains a Windows Server Active Directory on premises along with your Azure Active
Directory in the cloud, then you will likely want to enable single sign-on between these two systems. Azure
AD Connect (the tool that integrates these two systems together) provides multiple options for setting up
single sign-on: establish federation with ADFS or another federation provider, or enable password
synchronization.
ARTICLE GUIDE
An overview on the single sign-on options offered in User Sign On Options in Azure AD Connect
Azure AD Connect, as well as information on managing
hybrid environments
General guidance for managing environments with both Azure AD Hybrid Identity Design Considerations
on-premises Active Directory and Azure Active Directory
Integrating your On-Premises Identities with Azure Active
Directory
Guidance on using Password Sync to enable SSO Implement Password Synchronization with Azure AD
Connect
Guidance on using Password Writeback to enable SSO Getting Started with Password Management in Azure AD
Guidance on using third party identity providers to enable List of Compatible Third-Party Identity Providers That Can
SSO Be Used to Enable Single Sign-On
How Windows 10 users can enjoy the benefits of single Extending Cloud Capabilities to Windows 10 Devices
sign-on via Azure AD Join through Azure Active Directory Join
Azure AD Connect is available for all editions of Azure Active Directory. Azure AD Self-Service Password
Reset is available for Azure AD Basic and Azure AD Premium. Password Writeback to on-prem AD is an
Azure AD Premium feature.
Conditional Access: Enforce additional security requirements for high-risk apps
Once you set up single sign-on to your apps and resources, you can then further secure sensitive
applications by enforcing specific security requirements on every sign-in to that app. For instance, you can
use Azure AD to demand that all access to a particular app always require multi-factor authentication,
regardless of whether or not that app innately supports that functionality. Another common example of
conditional access is to require that users be connected to the organization's trusted network in order to
access a particularly sensitive application.
ARTICLE GUIDE
An introduction to the conditional access capabilities Managing Risk With Conditional Access
offered across Azure AD, Office365, and Intune
ARTICLE GUIDE
How to enable conditional access for the following types Conditional Access for SaaS Apps
of resources
Conditional Access for Office 365 services
How to register devices with Azure Active Directory in Overview of Azure Active Directory Device Registration
order to enable device-based conditional access policies
How to Enable Automatic Device Registration for Domain
Joined Windows Devices
— Steps for Windows 8.1 devices
— Steps for Windows 7 devices
| How to use the Microsoft Authenticator app for two-step verification |Microsoft Authenticator |
Conditional Access is an Azure AD Premium feature.
ARTICLE GUIDE
A general overview of how it works Finding unsanctioned cloud applications with Cloud App
Discovery
A deeper dive into how it works, with answers to Security and Privacy Considerations
questions on privacy
Tutorials for deploying Cloud App Discovery Group Policy Deployment Guide
The change log for updates to the Cloud App Discovery Change log
agent
Learn about how it works and find answers to common Automate User Provisioning & Deprovisioning to SaaS
questions Apps
How to enable automated provisioning to any app that Set up Automated User Provisioning to any SCIM-Enabled
supports the SCIM protocol App
How to report on and troubleshoot user provisioning Reporting on automatic user provisioning
Provisioning notifications
Automated user provisioning is available for all editions of Azure AD for up to ten apps per user. Azure AD
Premium supports unlimited applications. If your organization has Azure AD Basic or Azure AD Premium,
then you can use groups to manage which users get provisioned.
Building applications that integrate with Azure AD
If your organization is developing or maintaining line-of-business (LoB) applications, or if you're an app
developer with customers who use Azure Active Directory, the following tutorials will help you integrate
your applications with Azure AD.
ARTICLE GUIDE
Guidance for both IT professionals and application The IT Pro's Guide for Developing Applications for Azure
developers on integrating apps with Azure AD AD
How to application vendors can add their apps to the Listing your Application in the Azure Active Directory
Azure AD App Gallery Application Gallery
How to manage access to developed applications using How to Enable User Assignment for Developed
Azure Active Directory Applications
If you're developing consumer-facing applications, you may be interested in using Azure Active Directory
B2C so that you don't have to develop your own identity system to manage your users. Learn more.
Instructions for setting up your groups in Azure AD How to Create Security Groups
Use dynamic groups to automatically populate group Dynamic Group Membership: Advanced Rules
membership using attribute-based membership rules
Troubleshooting Dynamic Group Memberships
Group-based application access management is available for Azure AD Basic and Azure AD Premium. Self-
service group management, self-service application management, and dynamic groups are Azure AD
Premium features.
B2B Collaboration: Enable partner access to applications
If your business has partnered with other companies, it's likely that you need to manage partner access to
your corporate applications. Azure Active Directory B2B Collaboration provides an easy and secure way to
share your apps with partners.
ARTICLE GUIDE
An overview of different Azure AD features that can help Comparing Capabilities for Managing External Identities in
you manage external users such as partners, customers, Azure AD
etc.
An introduction to B2B Collaboration and how to get Simple, Secure, Cloud Partner Integration with Azure AD
started
Azure Active Directory B2B Collaboration
A deeper dive into Azure AD B2B Collaboration and how B2B Collaboration: How it works
to use it
Current Limitations of Azure AD B2B Collaboration
Reference articles with technical details on how Azure AD CSV File Format for Adding Partner Users
B2B Collaboration works
User Attributes Affected by Azure AD B2B Collaboration
B2B Collaboration is currently available for all editions of Azure Active Directory.
Access Panel: A portal for accessing apps and self-service features
The Azure AD Access Panel is where end-users can launch their apps and access the self-service features
that allow them to manage their apps and group memberships. In addition to the Access Panel, other
options for accessing SSO-enabled apps are included in the list below.
ARTICLE GUIDE
A comparison of the different options available for Deploying Azure AD Integrated Applications to Users
deploying single sign-on apps to users
An overview of the Access Panel and its mobile equivalent Introduction to Access Panel and MyApps
MyApps — iOS
— Android
How to access Azure AD apps from the Office 365 website Using the Office 365 App Launcher
How to access Azure AD apps from the Intune Managed Intune Managed Browser
Browser mobile app — iOS
— Android
How to access Azure AD apps using deep links to initiate Getting Direct Sign-On Links to Your Apps
single sign-on
ARTICLE GUIDE
An overview of the reporting features in Azure Active Getting Started with Azure AD Reporting
Directory
How to monitor the sign-ins and app-usage of your users View Your Access and Usage Reports
Track changes made to who can access a particular Azure Active Directory Audit Report Events
application
Export the data of these reports to your preferred tools Getting Started with the Azure AD Reporting API
using the Reporting API
To see which reports are included with different editions of Azure Active Directory, click here.
See also
What is Azure Active Directory?
Azure Active Directory B2C
Azure Active Directory Domain Services
Azure Multi-Factor Authentication
Integrate your on-premises directories with Azure
Active Directory
1/3/2018 • 7 min to read • Edit Online
Azure AD Connect will integrate your on-premises directories with Azure Active Directory. This allows you to
provide a common identity for your users for Office 365, Azure, and SaaS applications integrated with Azure AD.
This topic will guide you through the planning, deployment, and operation steps. It is a collection of links to the
topics related to this area.
IMPORTANT
Azure AD Connect is the best way to connect your on-premises directory with Azure AD and Office 365. This is a great time
to upgrade to Azure AD Connect from Windows Azure Active Directory Sync (DirSync) or Azure AD Sync as these tools are
now deprecated are no longer supported as of April 13, 2017.
SOLUTION SCENARIO
Before you start - Hardware and prerequisites Steps to complete before you start to install Azure AD
Connect.
Express settings If you have a single forest AD then this is the recommended
option to use.
User sign in with the same password using password
synchronization.
Customized settings Used when you have multiple forests. Supports many on-
premises topologies.
Customize your sign-in option, such as ADFS for federation
or use a 3rd party identity provider.
Customize synchronization features, such as filtering and
writeback.
Upgrade from DirSync Used when you have an existing DirSync server already
running.
Upgrade from Azure AD Sync or Azure AD Connect There are several different methods depending on your
preference.
After installation you should verify it is working as expected and assign licenses to the users.
Next steps to Install Azure AD Connect
TOPIC LINK
TOPIC LINK
Accounts used for installation More about Azure AD Connect credentials and permissions
Understanding the default configuration Azure AD Connect sync: Understanding the default
configuration
Understanding users and contacts Azure AD Connect sync: Understanding Users and Contacts
Change the default configuration Best practices for changing the default configuration
Configure federation features
Azure AD Connect provides several features that simplify federating with Azure AD using AD FS and managing your
federation trust. Azure AD Connect supports AD FS on Windows Server 2012R2 or later.
Update SSL certificate of AD FS farm even if you are not using Azure AD Connect to manage your federation trust.
Add an AD FS server to your farm to expand the farm as required.
Repair the trust with Azure AD in a few simple clicks.
ADFS can be configured to support multiple domains. For example you might have multiple top domains you need
to use for federation.
if your ADFS server has not been configured to automatically update certificates from Azure AD or if you use a non-
ADFS solution, then you will be notified when you have to update certificates.
Next steps to configure federation features
TOPIC LINK
Configure ADFS with subdomains Multiple Domain Support for Federating with Azure AD
Manually updating federation certificates Renewing Federation Certificates for Office 365 and Azure AD
Compare DirSync, Azure ADSync, and Azure AD Connect Directory integration tools comparison
Configuring a SAML 2.0 Idp Using a SAML 2.0 Identity Provider (IdP) for Single Sign On
Additional Resources
Ignite 2015 presentation on extending your on-premises directories to the cloud.
Quickstart: Add a custom domain name to Azure
Active Directory
12/11/2017 • 4 min to read • Edit Online
Every Azure AD directory comes with an initial domain name in the form of domainname.onmicrosoft.com. The
initial domain name cannot be changed or deleted, but you can add your corporate domain name to Azure AD as
well. For example, your organization probably has other domain names used to do business and users who sign
in using your corporate domain name. Adding custom domain names to Azure AD allows you to assign user
names in the directory that are familiar to your users, such as ‘alice@contoso.com.’ instead of 'alice@domain
name.onmicrosoft.com'. The process is simple:
1. Add the custom domain name to your directory
2. Add a DNS entry for the domain name at the domain name registrar
3. Verify the custom domain name in Azure AD
4. On Custom domain names, enter the name of your custom domain in the box, such as 'contoso.com', and
then select Add Domain. Be sure to include the .com, .net, or other top-level extension.
5. On domainname (that is, your new domain name is the title), gather the DNS entry information to use
later to verify the custom domain name in Azure AD.
TIP
If you plan to federate your on-premises Windows Server AD with Azure AD, then you need to select the I plan to
configure this domain for single sign-on with my local Active Directory checkbox when you run the Azure AD
Connect tool to synchronize your directories. You also need to register the same domain name you select for federating
with your on-premises directory in the Azure AD Domain step in the wizard. You can see what that step in the wizard
looks like in these instructions. If you do not have the Azure AD Connect tool, you can download it here.
Add a DNS entry for the domain name at the domain name registrar
The next step to use your custom domain name with Azure AD is to update the DNS zone file for the domain.
Azure AD can then verify that your organization owns the custom domain name. You can use Azure DNS for your
Azure/Office 365/external DNS records within Azure, or add the DNS entry at a different DNS registrar.
1. Sign in to the domain name registrar for the domain. If you don't have access to update the DNS entry, ask the
person or team who has this access to complete step 2 and to let you know when it is completed.
2. Update the DNS zone file for the domain by adding the DNS entry provided to you by Azure AD. The DNS
entry doesn't change any behaviors such as mail routing or web hosting.
Troubleshooting
If you can't verify a custom domain name, try the following troubleshooting steps:
1. Wait an hour. DNS records must propagate before Azure AD can verify the domain. This process can take an
hour or more.
2. Ensure the DNS record was entered, and that it is correct. Complete this step at the website for the
domain name registrar for the domain. Azure AD can't verify the domain name if
The DNS entry is not present in the DNS zone file
It is not an exact match with the DNS entry that Azure AD provided you.
If you do not have access to update DNS records for the domain at the domain name registrar, share the
DNS entry with the person or team at your organization who has this access, and ask them to add the DNS
entry.
3. Delete the domain name from another directory in Azure AD. A domain name can be verified in only a
single directory. If a domain name is currently verified in a different directory, it can't be verified in your new
directory until it is deleted on the other one. To learn about deleting domain names, read Manage custom
domain names.
Repeat the steps in this article to add each of your domain names.
Learn more
Conceptual overview of custom domain names in Azure AD
Manage custom domain names
Next steps
In this quickstart, you’ve learned how to add a custom domain to Azure AD.
You can use the following link to add a new custom domain in Azure AD from the Azure portal.
Add a custom domain
Managing custom domain names in your Azure
Active Directory
12/11/2017 • 3 min to read • Edit Online
A domain name is an important part of the identifier for many directory resources: it is part of a user name or
email address for a user, part of the address for a group, and can be part of the app ID URI for an application. A
resource in Azure Active Directory (Azure AD) can include a domain name that is already verified as owned by the
directory that contains the resource. Only a global administrator can perform domain management tasks in Azure
AD.
4. Select the name of the domain that you want to be the primary domain.
5. Select the Make primary command. Confirm your choice when prompted.
You can change the primary domain name for your directory to be any verified custom domain that is not
federated. Changing the primary domain for your directory will not change the user names for any existing users.
What to do if you change the DNS registrar for your custom domain
name
If you change the DNS registrar for your custom domain name, you can continue to use your custom domain
name with Azure AD itself without interruption and without additional configuration tasks. If you use your custom
domain name with Office 365, Intune, or other services that rely on custom domain names in Azure AD, refer to
the documentation for those services.
Next steps
Add custom domain names
Manage your Azure AD directory
1/2/2018 • 7 min to read • Edit Online
NOTE
If the user is signed in with a work or school account, the user must not be attempting to delete their home directory. For
example, if the user is signed in as joe@contoso.onmicrosoft.com, that user cannot delete the directory that has
contoso.onmicrosoft.com as its default domain.
Azure AD requires that certain conditions are met to delete a directory. This reduces risk that deleting a directory
negatively impacts users or applications, such as the ability of users to sign in to Office 365 or access resources in
Azure. For example, if a directory for a subscription is unintentionally deleted, then users can't access the Azure
resources for that subscription.
The following conditions are checked:
The only user in the directory should be the global administrator who is to delete the directory. Any other users
must be deleted before the directory can be deleted. If users are synchronized from on-premises, then sync
must be turned off, and the users must be deleted in the cloud directory by using the Azure portal or Azure
PowerShell cmdlets. There is no requirement to delete groups or contacts, such as contacts added from the
Office 365 Admin Center.
There can be no applications in the directory. Any applications must be deleted before the directory can be
deleted.
No multi-factor authentication providers can be linked to the directory.
There can be no subscriptions for any Microsoft Online Services such as Microsoft Azure, Office 365, or Azure
AD Premium associated with the directory. For example, if a default directory was created for you in Azure, you
cannot delete this directory if your Azure subscription still relies on this directory for authentication. Similarly,
you can't delete a directory if another user has associated a subscription with it.
Next steps
Azure AD Forum
Azure Multi-Factor Authentication Forum
StackOverflow for Azure questions
Azure Active Directory PowerShell
Assigning administrator roles in Azure AD
Understand how multiple Azure Active Directory
tenants interact
1/3/2018 • 1 min to read • Edit Online
In Azure Active Directory (Azure AD), each tenant is a fully independent resource: a peer that is logically
independent from the other tenants that you manage. There is no parent-child relationship between tenants. This
independence between tenants includes resource independence, administrative independence, and synchronization
independence.
Resource independence
If you create or delete a resource in one tenant, it has no impact on any resource in another tenant, with the
partial exception of external users.
If you use one of your domain names with one tenant, it cannot be used with any other tenant.
Administrative independence
If a non-administrative user of tenant 'Contoso' creates a test tenant 'Test,' then:
By default, the user who creates a tenant is added as an external user in that new tenant, and assigned the global
administrator role in that tenant.
The administrators of tenant 'Contoso' have no direct administrative privileges to tenant 'Test,' unless an
administrator of 'Test' specifically grants them these privileges. However, administrators of 'Contoso' can
control access to tenant 'Test' if they control the user account that created 'Test.'
If you add/remove an administrator role for a user in one tenant, the change does not affect the administrator
roles that the user has in another tenant.
Synchronization independence
You can configure each Azure AD tenant independently to get data synchronized from a single instance of either:
The Azure AD Connect tool, to synchronize data with a single AD forest.
The Azure Active tenant Connector for Forefront Identity Manager, to synchronize data with one or more on-
premises forests, and/or non-Azure AD data sources.
NOTE
Unlike other Azure resources, your tenants are not child resources of an Azure subscription. If your Azure subscription is
canceled or expired, you can still access your tenant data using Azure PowerShell, the Azure Graph API, or the Office 365
Admin Center. You can also associate another subscription with the tenant.
Next steps
For a broad overview of Azure AD licensing issues and best practices, see What is Azure Active tenant licensing?.
What is self-service signup for Azure Active
Directory?
12/11/2017 • 2 min to read • Edit Online
This article explains self-service signup and how to support it in Azure Active Directory (Azure AD). If you want to
take over a domain name from an unmanaged Azure AD tenant, see Take over an unmanaged directory as
administrator.
The following flowchart explains the different combinations for these parameters and the resulting conditions for
the directory and self-service signup.
For more information and examples of how to use these parameters, see Set-MsolCompanySettings.
Next steps
Add a custom domain name to Azure AD
How to install and configure Azure PowerShell
Azure PowerShell
Azure Cmdlet Reference
Set-MsolCompanySettings
Take over an unmanaged directory as administrator
in Azure Active Directory
12/11/2017 • 6 min to read • Edit Online
This article describes two ways to take over a DNS domain name in an unmanaged directory in Azure Active
Directory (Azure AD). When a self-service user signs up for a cloud service that uses Azure AD, they are added to an
unmanaged Azure AD directory based on their email domain. For more about self-service or "viral" signup for a
service, see
What is self -service signup f or Azure Active Dir ectory?
When the DNS TXT records are verified at your domain name registrar, you can manage the Azure AD tenant.
When you complete the preceding steps, you are now the global administrator of the Fourth Coffee tenant in Office
365. To integrate the domain name with your other Azure services, you can remove it from Office 365 and add it to
a different managed tenant in Azure.
Adding the domain name to a managed tenant in Azure AD
1. Open the Office 365 Admin center.
2. Select Users tab, and create a new user account with a name like user@fourthcoffeexyz.onmicrosoft.com that
does not use the custom domain name.
3. Ensure that the new user account has global admin privileges for the Azure AD tenant.
4. Open Domains tab in the Office 365 Admin center, select the domain name and select Remove.
5. If you have any users or groups in Office 365 that reference the removed domain name, they must be
renamed to the .onmicrosoft.com domain. If you force delete the domain name, all users are automatically
renamed, in this example to user@fourthcoffeexyz.onmicrosoft.com.
6. Sign in to the Azure AD admin center with an account that is the global admin for the Azure AD tenant.
7. Select Custom domain names, then add the domain name. You'll have to enter the DNS TXT records to
verify ownership of the domain name.
NOTE
Any users of Power BI or Azure Rights Management service who have licenses assigned in the Office 365 tenant must save
their dashboards if the domain name is removed. They must sign in with a user name like
user@fourthcoffeexyz.onmicrosoft.com rather than user@fourthcoffee.xyz.
CMDLET USAGE
get-msoldomain Shows your domain names associated with the current tenant.
new-msoldomain –name <domainname> Adds the domain name to tenant as Unverified (no DNS
verification has been performed yet).
get-msoldomain The domain name is now included in the list of domain names
associated with your managed tenant, but is listed as
Unverified.
get-msoldomainverificationdns –Domainname Provides the information to put into new DNS TXT record for
<domainname> –Mode DnsTxtRecord the domain (MS=xxxxx). Verification might not happen
immediately because it takes some time for the TXT record to
propagate, so wait a few minutes before considering the -
ForceTakeover option.
confirm-msoldomain –Domainname <domainname> – If your domain name is still not verified, you can proceed
ForceTakeover Force with the -ForceTakeover option. It verifies that the TXT
record was created and kicks off the takeover process.
The -ForceTakeover option should be added to the
cmdlet only when forcing an external admin takeover, such as
when the unmanaged tenant has Office 365 services blocking
the takeover.
get-msoldomain The domain list now shows the the domain name as Verified.
PowerShell example
1. Connect to Azure AD using the credentials that were used to respond to the self-service offering:
import-module MSOnline
$msolcred = get-credential
For example:
4. Copy the value (the challenge) that is returned from this command. For example:
MS=32DD01B82C05D27151EA9AE93C5890787F0E65D9
5. In your public DNS namespace, create a DNS txt record that contains the value that you copied in the previous
step. The name for this record is the name of the parent domain, so if you create this resource record by using
the DNS role from Windows Server, leave the Record name blank and just paste the value into the Text box.
6. Run the Confirm-MsolDomain cmdlet to verify the challenge:
For example:
Next steps
Add a custom domain name to Azure AD
How to install and configure Azure PowerShell
Azure PowerShell
Azure Cmdlet Reference
Set-MsolCompanySettings
Enterprise State Roaming overview
12/11/2017 • 1 min to read • Edit Online
With Windows 10, Azure Active Directory (Azure AD) users gain the ability to securely synchronize their user
settings and application settings data to the cloud. Enterprise State Roaming provides users with a unified
experience across their Windows devices and reduces the time needed for configuring a new device. Enterprise
State Roaming operates similar to the standard consumer settings sync that was first introduced in Windows 8.
Additionally, Enterprise State Roaming offers:
Separation of corporate and consumer data – Organizations are in control of their data, and there is no
mixing of corporate data in a consumer cloud account or consumer data in an enterprise cloud account.
Enhanced security – Data is automatically encrypted before leaving the user’s Windows 10 device by using
Azure Rights Management (Azure RMS), and data stays encrypted at rest in the cloud. All content stays
encrypted at rest in the cloud, except for the namespaces, like settings names and Windows app names.
Better management and monitoring – Provides control and visibility over who syncs settings in your
organization and on which devices through the Azure AD portal integration.
Enterprise State Roaming is available in multiple Azure regions. You can find the updated list of available regions
on the Azure Services by Regions page under Azure Active Directory.
ARTICLE DESCRIPTION
Enable Enterprise State Roaming in Azure Active Directory Enterprise State Roaming is available to any organization with
a Premium Azure Active Directory (Azure AD) subscription.
For more details on how to get an Azure AD subscription, see
the Azure AD product page.
Settings and data roaming FAQ This topic answers some questions IT administrators might
have about settings and app data sync.
Group policy and MDM settings for settings sync Windows 10 provides Group Policy and mobile device
management (MDM) policy settings to limit settings sync.
Windows 10 roaming settings reference The following is a complete list of all the settings that will be
roamed and/or backed-up in Windows 10.
Troubleshooting This topic goes through some basic steps for troubleshooting,
and contains a list of known issues.
Enable Enterprise State Roaming in Azure Active
Directory
12/11/2017 • 4 min to read • Edit Online
Enterprise State Roaming is available to any organization with an Azure AD Premium or Enterprise Mobility +
Security (EMS) license. For more information on how to get an Azure AD subscription, see the Azure AD product
page.
When you enable Enterprise State Roaming, your organization is automatically granted a free, limited-use license
for Azure Rights Management. This free subscription is limited to encrypting and decrypting enterprise settings
and application data synced by Enterprise State Roaming. You must have a paid subscription to use the full
capabilities of Azure Rights Management.
For a Windows 10 device to use the Enterprise State Roaming service, the device must authenticate using an Azure
AD identity. For devices that are joined to Azure AD, the user’s primary sign-in identity is their Azure AD identity,
so no additional configuration is required. For devices that use on-premises Active Directory, the IT admin must
connect the domain-joined devices to Azure AD for Windows 10 experiences.
Data storage
Enterprise State Roaming data is hosted in one or more Azure regions that best align with the country/region
value set in the Azure Active Directory instance. Enterprise State Roaming data is partitioned based on three major
geographic regions: North America, EMEA, and APAC. Enterprise State Roaming data for the tenant is locally
located with the geographical region, and is not replicated across regions. For example::
An EMEA country such as “France” or “Zambia" one or of the Azure regions within Europe
A North American country such as “United States” or one or more of the Azure regions within the US
“Canada”
An APAC country such as “Australia” or “New Zealand” one or more of the Azure regions within Asia
South American and Antarctica regions one or more Azure regions within the US
The country/region value is set as part of the Azure AD directory creation process and cannot be subsequently
modified. If you need more details on your data storage location, file a ticket with Azure support.
5. If there are devices syncing for this user, you see the devices as shown here.
Data retention
Data synced to Azure using Enterprise State Roaming is retained until it is manually deleted or until the data in
question is determined to be stale.
Explicit deletion
Explicit deletion is when an Azure admin deletes a user or a directory or otherwise requests explicitly that data is to
be deleted.
User deletion: When a user is deleted in Azure AD, the user account roaming data is deleted after 90 to 180
days.
Directory deletion: Deleting an entire directory in Azure AD is an immediate operation. All the settings data
associated with that directory is deleted after 90 to 180 days.
On request deletion: If the Azure AD admin wants to manually delete a specific user’s data or settings data,
the admin can file a ticket with Azure support.
Stale data deletion
Data that has not been accessed for one year (“the retention period”) will be treated as stale and may be deleted
from Azure. The retention period is subject to change but will not be less than 90 days. The stale data may be a
specific set of Windows/application settings or all settings for a user. For example:
If no devices access a particular settings collection (for example, an application is removed from the device, or a
settings group such as “Theme” is disabled for all of a user’s devices), then that collection becomes stale after
the retention period and may be deleted.
If a user has turned off settings sync on all his/her devices, then none of the settings data will be accessed, and
all the settings data for that user will become stale and may be deleted after the retention period.
If the Azure AD directory admin turns off Enterprise State Roaming for the entire directory, then all users in that
directory will stop syncing settings, and all settings data for all users will become stale and may be deleted after
the retention period.
Deleted data recovery
The data retention policy is not configurable. Once the data is permanently deleted, it is not recoverable. However,
The settings data is deleted only from Azure, not from the end-user device. If any device later reconnects to the
Enterprise State Roaming service, the settings are again synced and stored in Azure.
Related topics
Enterprise State Roaming overview
Settings and data roaming FAQ
Group Policy and MDM settings for settings sync
Windows 10 roaming settings reference
Troubleshooting
Group Policy and MDM settings
12/11/2017 • 1 min to read • Edit Online
Use these group policy and mobile device management (MDM) settings only on corporate-owned devices because
these policies are applied to the user’s entire device. Applying an MDM policy to disable settings sync for a
personal, user-owned device will negatively impact the use of that device. Additionally, other user accounts on the
device will also be affected by the policy.
Enterprises that want to manage roaming for personal (unmanaged) devices can use the Azure portal to enable or
disable roaming, rather than using Group Policy or MDM. The following tables describe the policy settings
available.
MDM settings
The MDM policy settings apply to both Windows 10 and Windows 10 Mobile. Windows 10 Mobile support exists
only for Microsoft account based roaming via user’s OneDrive account. Please refer to “Devices and endpoints”
section for details on what devices are supported for Azure AD based syncing.
NAME DESCRIPTION
Allow Microsoft Account Connection Allows users to authenticate using a Microsoft account on the
device
Allow Sync My Settings Allows users to roam Windows settings and app data;
Disabling this policy will disable sync as well as backups on
mobile devices
NAME DESCRIPTION
Accounts: Block Microsoft Accounts This policy setting prevents users from adding new Microsoft
accounts on this computer
Do not sync Prevents users to roam Windows settings and app data
Do not sync browser settings Disables syncing of the Internet Explorer group
Do not sync other Windows settings Disables syncing of Other Windows settings group
Do not sync on metered connections Disables roaming on metered connections, such as cellular 3G
Related topics
Enterprise State Roaming overview
Enable enterprise state roaming in Azure Active Directory
Settings and data roaming FAQ
Windows 10 roaming settings reference
Troubleshooting
Windows 10 roaming settings reference
12/11/2017 • 7 min to read • Edit Online
The following is a complete list of all the settings that will be roamed or backed up in Windows 10.
What is backup?
Windows settings generally sync by default, but some settings are only backed up, such as the list of installed
applications on a device. Backup is for mobile devices only and currently not available for Enterprise State
Roaming users. Backup uses a Microsoft account and stores the settings and application data into OneDrive. If a
user disables sync on the device using the Settings app, application data that normally syncs becomes backup
only. Backup data can only be accessed through the restore operation during the first run experience of a new
device. Backups can be disabled via the device settings, and can be managed and deleted through the user’s
OneDrive account.
Related topics
Enterprise state roaming overview
Enable enterprise state roaming in Azure Active Directory
Settings and data roaming FAQ
Group policy and MDM settings for settings sync
Troubleshooting
Settings and data roaming FAQ
1/9/2018 • 10 min to read • Edit Online
This topic answers some questions IT administrators might have about settings and app data sync.
NOTE
Windows 10 devices that are enterprise-owned and are connected to Azure AD can no longer connect their Microsoft
accounts to a domain account. The ability to connect a Microsoft account to a domain account and have all the user's data
sync to the Microsoft account (that is, the Microsoft account roaming via the connected Microsoft account and Active
Directory functionality) is removed from Windows 10 devices that are joined to a connected Active Directory or Azure AD
environment.
What are the roaming settings options for existing Windows desktop
applications?
Roaming only works for Universal Windows apps. There are two options available for enabling roaming on an
existing Windows desktop application:
The Desktop Bridge helps you bring your existing Windows desktop apps to the Universal Windows Platform.
From here, minimal code changes will be required to take advantage of Azure AD app data roaming. The
Desktop Bridge provides your apps with an app identity, which is needed to enable app data roaming for
existing desktop apps.
User Experience Virtualization (UE-V) helps you create a custom settings template for existing Windows
desktop apps and enable roaming for Win32 apps. This option does not require the app developer to change
code of the app. UE-V is limited to on-premises Active Directory roaming for customers who have purchased
the Microsoft Desktop Optimization Pack.
Administrators can configure UE-V to roam Windows desktop app data by changing roaming of Windows OS
settings and Universal app data through UE-V group policies, including:
Roam Windows settings group policy
Do not synchronize Windows Apps group policy
Internet Explorer roaming in the applications section
In the future, Microsoft may investigate ways to make UE-V deeply integrated into Windows and extend UE-V to
roam settings through the Azure AD cloud.
Known issues
Please see the documentation in the troubleshooting section for a list of known issues.
Related topics
Enterprise state roaming overview
Enable enterprise state roaming in Azure Active Directory
Group policy and MDM settings for settings sync
Windows 10 roaming settings reference
Troubleshooting
Troubleshooting Enterprise State Roaming settings in
Azure Active Directory
1/16/2018 • 9 min to read • Edit Online
This topic provides information on how to troubleshoot and diagnose issues with Enterprise State Roaming, and
provides a list of known issues.
Known issues
Sync does not work on devices that have apps side -loaded using MDM software
Affects devices running the Windows 10 Anniversary Update (Version 1607). In Event Viewer under the
SettingSync-Azure logs, the Event ID 6013 with error 80070259 is frequently seen.
Recommended action
Make sure the Windows 10 v1607 client has the August 23, 2016 Cumulative Update (KB3176934 OS Build
14393.82).
Theme is not syncing, as well as data protected with Windows Information Protection
To prevent data leakage, data that is protected with Windows Information Protection will not sync through
Enterprise State Roaming for devices using the Windows 10 Anniversary Update.
Recommended action
None. Future updates to Windows may resolve this issue.
Sync does not work on devices that use smart card for login
If you attempt to sign in to your Windows device using a smart card or virtual smart card, settings sync will stop
working.
Recommended action
None. Future updates to Windows may resolve this issue.
Azure AD Joined device is not syncing and the user has a mixed case User Principal Name.
If the user has a mixed case UPN (e.g. UserName instead of username) and the user is on an Azure AD Joined
device which has upgraded from Windows 10 Build 10586 to 14393, the user's device may fail to sync.
Recommended action
The user will need to unjoin and rejoin the device to the cloud. To do this, login as the Local Administrator user
and unjoin the device by going to Settings > System > About and select "Manage or disconnect from work or
school". Clean up the files below, and then Azure AD Join the device again in Settings > System > About and
selecting "Connect to Work or School". Continue to join the device to Azure Active Directory and complete the
flow.
In the cleanup step, cleanup the following files:
Settings.dat in C:\Users\<Username>\AppData\Local\Packages\Microsoft.AAD.BrokerPlugin_cw5n1h2txyewy\Settings\
All the files under the folder
C:\Users\<Username>\AppData\Local\Packages\Microsoft.AAD.BrokerPlugin_cw5n1h2txyewy\AC\TokenBroker\Account
Event ID 6065: 80070533 This user can’t sign in because this account is currently disabled
In Event Viewer under the SettingSync/Debug logs, this error can be seen when the user's credentials have
expired. In addition, it can occur when the tenant did not automatically have AzureRMS provisioned.
Recommended action
In the first case, have the user update their credentials and login to the device with the new credentials. To solve
the AzureRMS issue, proceed with the steps listed in KB3193791.
Next steps
Use the User Voice forum to provide feedback and make suggestions on how to improve Enterprise State
Roaming.
For more information, see the Enterprise State Roaming overview.
Related topics
Enterprise state roaming overview
Enable enterprise state roaming in Azure Active Directory
Settings and data roaming FAQ
Group policy and MDM settings for settings sync
Windows 10 roaming settings reference
Integrate your on-premises directories with Azure
Active Directory
1/3/2018 • 7 min to read • Edit Online
Azure AD Connect will integrate your on-premises directories with Azure Active Directory. This allows you to
provide a common identity for your users for Office 365, Azure, and SaaS applications integrated with Azure AD.
This topic will guide you through the planning, deployment, and operation steps. It is a collection of links to the
topics related to this area.
IMPORTANT
Azure AD Connect is the best way to connect your on-premises directory with Azure AD and Office 365. This is a great time
to upgrade to Azure AD Connect from Windows Azure Active Directory Sync (DirSync) or Azure AD Sync as these tools are
now deprecated are no longer supported as of April 13, 2017.
SOLUTION SCENARIO
Before you start - Hardware and prerequisites Steps to complete before you start to install Azure AD
Connect.
Express settings If you have a single forest AD then this is the recommended
option to use.
User sign in with the same password using password
synchronization.
Customized settings Used when you have multiple forests. Supports many on-
premises topologies.
Customize your sign-in option, such as ADFS for federation
or use a 3rd party identity provider.
Customize synchronization features, such as filtering and
writeback.
Upgrade from DirSync Used when you have an existing DirSync server already
running.
Upgrade from Azure AD Sync or Azure AD Connect There are several different methods depending on your
preference.
After installation you should verify it is working as expected and assign licenses to the users.
Next steps to Install Azure AD Connect
TOPIC LINK
TOPIC LINK
Accounts used for installation More about Azure AD Connect credentials and permissions
Understanding the default configuration Azure AD Connect sync: Understanding the default
configuration
Understanding users and contacts Azure AD Connect sync: Understanding Users and Contacts
Change the default configuration Best practices for changing the default configuration
Configure federation features
Azure AD Connect provides several features that simplify federating with Azure AD using AD FS and managing your
federation trust. Azure AD Connect supports AD FS on Windows Server 2012R2 or later.
Update SSL certificate of AD FS farm even if you are not using Azure AD Connect to manage your federation trust.
Add an AD FS server to your farm to expand the farm as required.
Repair the trust with Azure AD in a few simple clicks.
ADFS can be configured to support multiple domains. For example you might have multiple top domains you need
to use for federation.
if your ADFS server has not been configured to automatically update certificates from Azure AD or if you use a non-
ADFS solution, then you will be notified when you have to update certificates.
Next steps to configure federation features
TOPIC LINK
Configure ADFS with subdomains Multiple Domain Support for Federating with Azure AD
Manually updating federation certificates Renewing Federation Certificates for Office 365 and Azure AD
Compare DirSync, Azure ADSync, and Azure AD Connect Directory integration tools comparison
Configuring a SAML 2.0 Idp Using a SAML 2.0 Identity Provider (IdP) for Single Sign On
Additional Resources
Ignite 2015 presentation on extending your on-premises directories to the cloud.
Manage access to Azure resources with Azure Active
Directory
12/11/2017 • 1 min to read • Edit Online
Identity and access management for cloud resources is a critical function for any organization that is using the
cloud. Azure Active Directory (Azure AD) is the identity and access system for Microsoft Azure.
Before exploring the supporting feature areas of Azure AD, check out the following video: "Locking down access to
the Azure Cloud using SSO, Roles Based Access Control, and Conditional." In it, you learn about:
Best practices for configuring single sign-on to the Azure portal, with on-premises Active Directory.
Using Azure RBAC for fine-grained access control to resources in subscriptions.
Enforcing strong authentication rules using Azure AD Conditional Access.
The concept of Managed Service Identity, where Azure resources can automatically authenticate to Azure
services, and developers don’t need to handle API keys or secrets.
Feature areas
Azure AD provides the following capabilities for managing access to Azure resources:
Relationship between Azure AD tenants and subscriptions Learn about how Azure AD is the trusted source of users and
groups for an Azure subscription.
Role-Based Access Control (RBAC) Offer fine-grained access management through roles assigned
to users, groups, or service principals.
Privileged Identity Management with RBAC Control highly privileged access by assigning privileged roles
just-in-time.
Conditional Access for Azure management Set up conditional access policies to allow or block access to
Azure management endpoints.
Managed Service Identity (MSI) Give Azure resources like Virtual Machines their own identity
so that you don’t have to put credentials in your code.
Understanding resource access in Azure
12/11/2017 • 2 min to read • Edit Online
Access control in Azure starts from a billing perspective. The owner of an Azure account, accessed by visiting the
Azure Accounts Center, is the Account Administrator (AA). Subscriptions are a container for billing, but they also
act as a security boundary: each subscription has a Service Administrator (SA) who can add, remove, and modify
Azure resources in that subscription by using the Azure portal. The default SA of a new subscription is the AA, but
the AA can change the SA in the Azure Accounts Center.
Subscriptions also have an association with a directory. The directory defines a set of users. These can be users
from the work or school that created the directory or they can be external guest users. Subscriptions are accessible
by a subset of those directory users who have been assigned as either Service Administrator (SA) or Co-
Administrator (CA); the only exception is that, for legacy reasons, Microsoft accounts (formerly Windows Live ID)
can be assigned as SA or CA without being present in the directory.
Functionality within the Azure portal enables SAs that are signed in using a Microsoft Account to change the
directory with which a subscription is associated. This operation has implications on the access control of that
subscription.
In the simple case, an organization (such as Contoso) will enforce billing and access control across the same set of
subscriptions. That is, the directory is associated to subscriptions that are owned by a single Azure Account. Upon
successful login to the Azure portal, users see two collections of resources (depicted in orange in the previous
illustration):
Directories where their user account exists (sourced or added as a foreign principal). Note that the directory
used for login isn’t relevant to this computation, so your directories will always be shown regardless of where
you logged in.
Resources that are part of subscriptions that are associated with the directory used for login AND which the
user can access (where they are an SA or CA).
Users with subscriptions across multiple directories have the ability to switch the current context of the Azure
portal by using the subscription filter. Under the covers, this results in a separate login to a different directory, but
this is accomplished seamlessly using single sign-on (SSO).
Operations such as moving resources between subscriptions can be more difficult as a result of this single
directory view of subscriptions. To perform the resource transfer, it may be necessary to first use the Edit
Directory command on the Subscriptions page in Settings to associate the subscriptions to the same directory.
Next Steps
To learn more about how to change administrators for an Azure subscription, see How to add or change Azure
administrator roles
For more information on how Azure Active Directory relates to your Azure subscription, see How Azure
subscriptions are associated with Azure Active Directory
For more information on how to assign roles in Azure AD, see Assigning administrator roles in Azure Active
Directory
Get started with Role-Based Access Control in the
Azure portal
1/4/2018 • 3 min to read • Edit Online
Security-oriented companies should focus on giving employees the exact permissions they need. Too many
permissions can expose an account to attackers. Too few permissions means that employees can't get their work
done efficiently. Azure Role-Based Access Control (RBAC) helps address this problem by offering fine-grained
access management for Azure.
Using RBAC, you can segregate duties within your team and grant only the amount of access to users that they
need to perform their jobs. Instead of giving everybody unrestricted permissions in your Azure subscription or
resources, you can allow only certain actions. For example, use RBAC to let one employee manage virtual machines
in a subscription, while another can manage SQL databases within the same subscription.
The RBAC role that you assign dictates what resources the user, group, or application can manage within that
scope.
Built-in roles
Azure RBAC has three basic roles that apply to all resource types:
Owner has full access to all resources including the right to delegate access to others.
Contributor can create and manage all types of Azure resources but can’t grant access to others.
Reader can view existing Azure resources.
The rest of the RBAC roles in Azure allow management of specific Azure resources. For example, the Virtual
Machine Contributor role allows the user to create and manage virtual machines. It does not give them access to
the virtual network or the subnet that the virtual machine connects to.
RBAC built-in roles lists the roles available in Azure. It specifies the operations and scope that each built-in role
grants to users. If you're looking to define your own roles for even more control, see how to build Custom roles in
Azure RBAC.
Next Steps
Get started with Role-Based Access Control in the Azure portal.
See the RBAC built-in roles
Define your own Custom roles in Azure RBAC
View access assignments for users and groups in the
Azure portal
12/11/2017 • 2 min to read • Edit Online
With role-based access control (RBAC) in the Azure Active Directory (Azure AD), you can manage access to your
Azure resources.
Access assigned with RBAC is fine-grained because there are two ways you can restrict the permissions:
Scope: RBAC role assignments are scoped to a specific subscription, resource group, or resource. A user given
access to a single resource cannot access any other resources in the same subscription.
Role: Within the scope of the assignment, access is narrowed even further by assigning a role. Roles can be
high-level, like owner, or specific, like virtual machine reader.
Roles can only be assigned from within the subscription, resource group, or resource that is the scope for the
assignment. But you can view all the access assignments for a given user or group in a single place. You can have
up to 2000 role assignments in each subscription.
Get more information about how to Use role assignments to manage access to your Azure subscription resources.
Next steps
Get started with Role-Based Access Control to Use role assignments to manage access to your Azure
subscription resources
See the RBAC built-in roles
Use Role-Based Access Control to manage access
to your Azure subscription resources
12/11/2017 • 2 min to read • Edit Online
Azure Role-Based Access Control (RBAC) enables fine-grained access management for Azure. Using RBAC,
you can grant only the amount of access that users need to perform their jobs. This article helps you get up
and running with RBAC in the Azure portal. If you want more details about how RBAC helps you manage
access, see What is Role-Based Access Control.
Within each subscription, you can grant up to 2000 role assignments.
View access
You can see who has access to a resource, resource group, or subscription from its main blade in the Azure
portal. For example, we want to see who has access to one of our resource groups:
1. Select Resource groups in the navigation bar on the left.
2. Select the name of the resource group from the Resource groups blade.
3. Select Access control (IAM) from the left menu.
4. The Access control blade lists all users, groups, and applications that have been granted access to the
resource group.
Notice that some roles are scoped to This resource while others are Inherited it from another scope. Access
is either assigned specifically to the resource group or inherited from an assignment to the parent
subscription.
NOTE
Classic subscription admins and co-admins are considered owners of the subscription in the new RBAC model.
Add Access
You grant access from within the resource, resource group, or subscription that is the scope of the role
assignment.
1. Select Add on the Access control blade.
2. Select the role that you wish to assign from the Select a role blade.
3. Select the user, group, or application in your directory that you wish to grant access to. You can search
the directory with display names, email addresses, and object identifiers.
4. Select OK to create the assignment. The Adding user popup tracks the progress.
After successfully adding a role assignment, it will appear on the Users blade.
Remove Access
1. Hover your cursor over the name of the assignment that you want to remove. A check box appears next to
the name.
2. Use the check boxes to select one or more role assignments.
3. Select Remove.
4. Select Yes to confirm the removal.
Inherited assignments cannot be removed. If you need to remove an inherited assignment, you need to do it
at the scope where the role assignment was created. In the Scope column, next to Inherited there is a link
that takes you to the resources where this role was assigned. Go to the resource listed there to remove the
role assignment.
Next Steps
Create an access change history report
See the RBAC built-in roles
Define your own Custom roles in Azure RBAC
Built-in roles for Azure role-based access control
1/2/2018 • 23 min to read • Edit Online
Azure Role-Based Access Control (RBAC) comes with the following built-in roles that can be assigned to users,
groups, and services. You can’t modify the definitions of built-in roles. However, you can create Custom roles in
Azure RBAC to fit the specific needs of your organization.
Roles in Azure
The following table provides brief descriptions of the built-in roles. Click the role name to see the detailed list of
actions and notactions for the role. The actions property specifies the allowed actions on Azure resources.
Action strings can use wildcard characters. The notactions property specifies the actions that are excluded from
the allowed actions.
The action defines what type of operations you can perform on a given resource type. For example:
Write enables you to perform PUT, POST, PATCH, and DELETE operations.
Read enables you to perform GET operations.
This article only addresses the different roles that exist today. When you assign a role to a user, though, you can
limit the allowed actions further by defining a scope. This is helpful if you want to make someone a Website
Contributor, but only for one resource group.
NOTE
The Azure role definitions are constantly evolving. This article is kept as up to date as possible, but you can always find the
latest roles definitions in Azure PowerShell. Use the Get-AzureRmRoleDefinition cmdlet to list all current roles. You can dive
in to a specific role using (get-azurermroledefinition "<role name>").actions or
(get-azurermroledefinition "<role name>").notactions as applicable. Use Get-AzureRmProviderOperation to list
operations of specific Azure resource providers.
API Management Service Contributor Can manage API Management service and the APIs
API Management Service Operator Role Can manage API Management service, but not the APIs
themselves
API Management Service Reader Role Read-only access to API Management service and APIs
Data Factory Contributor Can create and manage data factories, and child resources
within them.
DevTest Labs User Can view everything and connect, start, restart, and
shutdown virtual machines
Logic App Contributor Can manage all aspects of a Logic App, but not create a new
one.
Logic App Operator Can start and stop workflows defined within a Logic App.
Monitoring Contributor Can read monitoring data and edit monitoring settings
New Relic APM Account Contributor Can manage New Relic Application Performance Management
accounts and applications
Site Recovery Contributor Can manage Site Recovery in Recovery Services vault
Site Recovery Operator Can manage failover and failback operations Site Recovery in
Recovery Services vault
ROLE NAME DESCRIPTION
Site Recovery Reader Can view all Site Recovery management operations
SQL DB Contributor Can manage SQL databases, but not their security-related
policies
SQL Security Manager Can manage the security-related policies of SQL servers and
databases
SQL Server Contributor Can manage SQL servers and databases, but not their
security-related policies
Classic Virtual Machine Contributor Can manage classic virtual machines, but not the virtual
network or storage account to which they are connected
Virtual Machine Contributor Can manage virtual machines, but not the virtual network or
storage account to which they are connected
Classic Network Contributor Can manage classic virtual networks and reserved IPs
Website Contributor Can manage websites, but not the web plans to which they
are connected
Role permissions
The following tables describe the specific permissions given to each role. This can include Actions, which give
permissions, and NotActions, which restrict them.
API Management Service Contributor
Can manage API Management services
ACTIONS
ACTIONS
Microsoft.ApiManagement/Service/updatehostname/action Set up, update, or remove custom domain names for an API
Management Service
ACTIONS
ACTIONS
Automation Operator
Able to start, stop, suspend, and resume jobs
ACTIONS
Backup Contributor
Can manage all backup management actions, except creating Recovery Services vault and giving access to others
ACTIONS
Backup Operator
Can manage all backup management actions except creating vaults, removing backup and giving access to others
ACTIONS
Backup Reader
Can monitor backup management in Recovery Services vault
ACTIONS
Billing Reader
Can view all Billing information
ACTIONS
BizTalk Contributor
Can manage BizTalk services
ACTIONS
ACTIONS
Contributor
Can manage everything except access
ACTIONS
NOTACTIONS
ACTIONS
Microsoft.DataFactory/dataFactories/* Create and manage data factories, and child resources within
them.
ACTIONS
ACTIONS
ACTIONS
ACTIONS
Monitoring Reader
Can read all monitoring data (metrics, logs, etc.). See also Get started with roles, permissions, and security with
Azure Monitor.
ACTIONS
Monitoring Contributor
Can read all monitoring data and edit monitoring settings. See also Get started with roles, permissions, and
security with Azure Monitor.
ACTIONS
Network Contributor
Can manage all network resources
ACTIONS
Owner
Can manage everything, including access
ACTIONS
Reader
Can view everything, but can't make changes
ACTIONS
ACTIONS
ACTIONS
Security Manager
Can manage security components, security policies, and virtual machines
ACTIONS
ACTIONS
ACTIONS
ACTIONS
SQL DB Contributor
Can manage SQL databases but not their security-related policies
ACTIONS
NOTACTIONS
ACTIONS
ACTIONS
NOTACTIONS
ACTIONS
ACTIONS
ACTIONS
ACTIONS
ACTIONS
ACTIONS
ACTIONS
ACTIONS
Website Contributor
Can manage websites but not the web plans to which they are connected
ACTIONS
Microsoft.Web/sites/* Create and manage websites (site creation also requires write
permissions to the associated App Service Plan)
See also
Role-Based Access Control: Get started with RBAC in the Azure portal.
Custom roles in Azure RBAC: Learn how to create custom roles to fit your access needs.
Create an access change history report: Keep track of changing role assignments in RBAC.
Role-Based Access Control troubleshooting: Get suggestions for fixing common issues.
Create custom roles for Azure Role-Based Access
Control
12/11/2017 • 3 min to read • Edit Online
Create a custom role in Azure Role-Based Access Control (RBAC) if none of the built-in roles meet your specific
access needs. Custom roles can be created using Azure PowerShell, Azure Command-Line Interface (CLI), and the
REST API. Just like built-in roles, you can assign custom roles to users, groups, and applications at subscription,
resource group, and resource scopes. Custom roles are stored in an Azure AD tenant and can be shared across
subscriptions.
Each tenant can create up to 2000 custom roles.
The following example shows a custom role for monitoring and restarting virtual machines:
{
"Name": "Virtual Machine Operator",
"Id": "cadb4a5a-4e7a-47be-84db-05cad13b6769",
"IsCustom": true,
"Description": "Can monitor and restart virtual machines.",
"Actions": [
"Microsoft.Storage/*/read",
"Microsoft.Network/*/read",
"Microsoft.Compute/*/read",
"Microsoft.Compute/virtualMachines/start/action",
"Microsoft.Compute/virtualMachines/restart/action",
"Microsoft.Authorization/*/read",
"Microsoft.Resources/subscriptions/resourceGroups/read",
"Microsoft.Insights/alertRules/*",
"Microsoft.Insights/diagnosticSettings/*",
"Microsoft.Support/*"
],
"NotActions": [
],
"AssignableScopes": [
"/subscriptions/c276fc76-9cd4-44c9-99a7-4fd71546436e",
"/subscriptions/e91d47c4-76f3-4271-a796-21b4ecfe3624",
"/subscriptions/34370e90-ac4a-4bf9-821f-85eeedeae1a2"
]
}
Actions
The Actions property of a custom role specifies the Azure operations to which the role grants access. It is a
collection of operation strings that identify securable operations of Azure resource providers. Operation strings
follow the format of Microsoft.<ProviderName>/<ChildResourceType>/<action> . Operation strings that contain
wildcards (*) grant access to all operations that match the operation string. For instance:
*/read grants access to read operations for all resource types of all Azure resource providers.
Microsoft.Compute/* grants access to all operations for all resource types in the Microsoft.Compute resource
provider.
Microsoft.Network/*/read grants access to read operations for all resource types in the Microsoft.Network
resource provider of Azure.
Microsoft.Compute/virtualMachines/* grants access to all operations of virtual machines and its child resource
types.
Microsoft.Web/sites/restart/Action grants access to restart websites.
Use Get-AzureRmProviderOperation (in PowerShell) or azure provider operations show (in Azure CLI) to list
operations of Azure resource providers. You may also use these commands to verify that an operation string is
valid, and to expand wildcard operation strings.
Get-AzureRMProviderOperation Microsoft.Network/*
NotActions
Use the NotActions property if the set of operations that you wish to allow is more easily defined by excluding
restricted operations. The access granted by a custom role is computed by subtracting the NotActions operations
from the Actions operations.
NOTE
If a user is assigned a role that excludes an operation in NotActions, and is assigned a second role that grants access to the
same operation, the user is allowed to perform that operation. NotActions is not a deny rule – it is simply a convenient way
to create a set of allowed operations when specific operations need to be excluded.
AssignableScopes
The AssignableScopes property of the custom role specifies the scopes (subscriptions, resource groups, or
resources) within which the custom role is available for assignment. You can make the custom role available for
assignment in only the subscriptions or resource groups that require it, and not clutter user experience for the rest
of the subscriptions or resource groups.
Examples of valid assignable scopes include:
“/subscriptions/c276fc76-9cd4-44c9-99a7-4fd71546436e”, “/subscriptions/e91d47c4-76f3-4271-a796-
21b4ecfe3624” - makes the role available for assignment in two subscriptions.
“/subscriptions/c276fc76-9cd4-44c9-99a7-4fd71546436e” - makes the role available for assignment in a
single subscription.
“/subscriptions/c276fc76-9cd4-44c9-99a7-4fd71546436e/resourceGroups/Network” - makes the role
available for assignment only in the Network resource group.
NOTE
You must use at least one subscription, resource group, or resource ID.
See also
Role Based Access Control: Get started with RBAC in the Azure portal.
For a list of available operations, see Azure Resource Manager Resource Provider operations.
Learn how to manage access with:
PowerShell
Azure CLI
REST API
Built-in roles: Get details about the roles that come standard in RBAC.
Intro on role-based access control
12/11/2017 • 12 min to read • Edit Online
Role-based access control is an Azure portal only feature allowing the owners of a subscription to assign granular
roles to other users who can manage specific resource scopes in their environment.
RBAC allows better security management for large organizations and for SMBs working with external collaborators,
vendors or freelancers which need access to specific resources in your environment but not necessarily to the entire
infrastructure or any billing-related scopes. RBAC allows the flexibility of owning one Azure subscription managed
by the administrator account (service administrator role at a subscription level) and have multiple users invited to
work under the same subscription but without any administrative rights for it. From a management and billing
perspective, the RBAC feature proves to be a time and management efficient option for using Azure in various
scenarios.
Prerequisites
Using RBAC in the Azure environment requires:
Having a standalone Azure subscription assigned to the user as owner (subscription role)
Have the Owner role of the Azure subscription
Have access to the Azure portal
Make sure to have the following Resource Providers registered for the user subscription:
Microsoft.Authorization. For more information on how to register the resource providers, see Resource
Manager providers, regions, API versions and schemas.
NOTE
Office 365 subscriptions or Azure Active Directory licenses (for example: Access to Azure Active Directory) provisioned from
the Office 365 Admin center don't qualify for using RBAC.
By default, if the admin user has purchased the Azure subscription, the user will show up as Account Admin, this
being the subscription role. For more details on the Azure subscription roles, see Add or change Azure
administrator roles that manage the subscription or services.
In this example, the user "alflanigan@outlook.com" is the Owner of the "Free Trial" subscription in the AAD tenant
"Default tenant Azure". Since this user is the creator of the Azure subscription with the initial Microsoft Account
“Outlook” (Microsoft Account = Outlook, Live etc.) the default domain name for all other users added in this tenant
will be "@alflaniganuoutlook.onmicrosoft.com". By design, the syntax of the new domain is formed by putting
together the username and domain name of the user who created the tenant and adding the extension
".onmicrosoft.com". Furthermore, users can sign-in with a custom domain name in the tenant after adding and
verifying it for the new tenant. For more details on how to verify a custom domain name in an Azure Active
Directory tenant, see Add a custom domain name to your directory.
In this example, the "Default tenant Azure" directory contains only users with the domain name
"@alflanigan.onmicrosoft.com".
After selecting the subscription, the admin user must click Access Control (IAM) and then Add a new role.
The next step is to select the role to be assigned and the user whom the RBAC role will be assigned to. In the Role
dropdown menu the admin user sees only the built-in RBAC roles which are available in Azure. For more detailed
explanations of each role and their assignable scopes, see Built-in roles for Azure Role-Based Access Control.
The admin user then needs to add the email address of the external user. The expected behavior is for the external
user to not show up in the existing tenant. After the external user has been invited, he will be visible under
Subscriptions > Access Control (IAM) with all the current users which are currently assigned an RBAC role at the
Subscription scope.
The user "chessercarlton@gmail.com" has been invited to be an Owner for the “Free Trial” subscription. After
sending the invitation, the external user will receive an email confirmation with an activation link.
Being external to the organization, the new user does not have any existing attributes in the "Default tenant Azure"
directory. They will be created after the external user has given consent to be recorded in the directory which is
associated with the subscription which he has been assigned a role to.
The external user shows in the Azure Active Directory tenant from now on as external user and this can be viewed in
the Azure portal.
In the Users view, the external users can be recognized by the different icon type in the Azure portal.
However, granting Owner or Contributor access to an external user at the Subscription scope, does not allow the
access to the admin user's directory, unless the Global Admin allows it. In the user proprieties, the User Type
which has two common parameters, Member and Guest can be identified. A member is a user which is registered
in the directory while a guest is a user invited to the directory from an external source. For more information, see
How do Azure Active Directory admins add B2B collaboration users.
NOTE
Make sure that after entering the credentials in the portal, the external user selects the correct directory to sign-in to. The
same user can have access to multiple directories and can select either one of them by clicking the username in the top right-
hand side in the Azure portal and then choose the appropriate directory from the dropdown list.
While being a guest in the directory, the external user can manage all resources for the Azure subscription, but can't
access the directory.
Azure Active Directory and an Azure subscription don't have a child-parent relation like other Azure resources (for
example: virtual machines, virtual networks, web apps, storage etc.) have with an Azure subscription. All the latter is
created, managed and billed under an Azure subscription while an Azure subscription is used to manage the access
to an Azure directory. For more details, see How an Azure subscription is related to Azure AD.
From all the built-in RBAC roles, Owner and Contributor offer full management access to all resources in the
environment, the difference being that a Contributor can't create and delete new RBAC roles. The other built-in
roles like Virtual Machine Contributor offer full management access only to the resources indicated by the name,
regardless of the Resource Group they are being created into.
Assigning the built-in RBAC role of Virtual Machine Contributor at a subscription level, means that the user
assigned the role:
Can view all virtual machines regardless their deployment date and the resource groups they are part of
Has full management access to the virtual machines in the subscription
Can't view any other resource types in the subscription
Can't operate any changes from a billing perspective
Login-AzureRMAccount
A typical RBAC role is composed out of three main sections, Actions, NotActions and AssignableScopes.
In the Action section are listed all the permitted operations for this role. It's important to understand that each
action is assigned from a resource provider. In this case, for creating support tickets the Microsoft.Support
resource provider must be listed.
To be able to see all the resource providers available and registered in your subscription, you can use PowerShell.
Get-AzureRMResourceProvider
Additionally, you can check for the all the available PowerShell cmdlets to manage the resource providers.
To restrict all the actions for a particular RBAC role, resource providers are listed under the section NotActions.
Last, it's mandatory that the RBAC role contains the explicit subscription IDs where it is used. The subscription IDs
are listed under the AssignableScopes, otherwise you will not be allowed to import the role in your subscription.
After creating and customizing the RBAC role, it needs to be imported back the environment.
In this example, the custom name for this RBAC role is "Reader support tickets access level" allowing the user to
view everything in the subscription and also to open support requests.
NOTE
The only two built-in RBAC roles allowing the action of opening of support requests are Owner and Contributor. For a user
to be able to open support requests, he must be assigned an RBAC role only at the subscription scope, because all support
requests are created based on an Azure subscription.
This new custom role has been assigned to an user from the same directory.
The example has been further detailed to emphasize the limits of this custom RBAC role as follows:
Can create new support requests
Can't create new resource scopes (for example: virtual machine)
Can't create new resource groups
Create a custom RBAC role to open support requests using Azure CLI
Running on a Mac and without having access to PowerShell, Azure CLI is the way to go.
The steps to create a custom role are the same, with the sole exception that using CLI the role can't be downloaded
in a JSON template, but it can be viewed in the CLI.
For this example I have chosen the built-in role of Backup Reader.
Editing the role in Visual Studio after copying the proprieties in a JSON template, the Microsoft.Support resource
provider has been added in the Actions sections so that this user can open support requests while continuing to be
a reader for the backup vaults. Again it is necessary to add the subscription ID where this role will be used in the
AssignableScopes section.
As of the latest Build 2017, the Azure Cloud Shell is generally available. Azure Cloud Shell is a complement to IDE
and the Azure portal. With this service, you get a browser-based shell that is authenticated and hosted within Azure
and you can use it instead of CLI installed on your machine.
Create an access report for Role-Based Access
Control
12/11/2017 • 1 min to read • Edit Online
Any time someone grants or revokes access within your subscriptions, the changes get logged in Azure events. You
can create access change history reports to see all changes for the past 90 days.
PROPERTY DESCRIPTION
This example command lists all access changes in the subscription for the past seven days:
Export to a spreadsheet
To save the report, or manipulate the data, export the access changes into a .csv file. You can then view the report in
a spreadsheet for review.
Next steps
Work with Custom roles in Azure RBAC
Learn how to manage Azure RBAC with powershell
Manage Role-Based Access Control with the Azure
command-line interface
12/11/2017 • 4 min to read • Edit Online
You can use Role-Based Access Control (RBAC) in the Azure portal and Azure Resource Manager API to manage
access to your subscription and resources at a fine-grained level. With this feature, you can grant access for Active
Directory users, groups, or service principals by assigning some roles to them at a particular scope.
Before you can use the Azure command-line interface (CLI) to manage RBAC, you must have the following
prerequisites:
Azure CLI version 0.8.8 or later. To install the latest version and associate it with your Azure subscription, see
Install and Configure the Azure CLI.
Azure Resource Manager in Azure CLI. Go to Using the Azure CLI with the Resource Manager for more details.
List roles
List all available roles
To list all available roles, use:
The following example shows the actions of the Contributor and Virtual Machine Contributor roles.
List access
List role assignments effective on a resource group
To list the role assignments that exist in a resource group, use:
The following example shows the role assignments in the pharma-sales-projecforcast group.
You can also see role assignments that are inherited from groups by modifying the command:
The following example shows the role assignments that are granted to the sameert@aaddemo.com user. This
includes roles that are assigned directly to the user and roles that are inherited from groups.
azure role assignment create --objectId <group object id> --roleName <name of role> --subscription
<subscription> --scope <subscription/subscription id>
The following example assigns the Reader role to Christine Koch's Team at the subscription scope.
Assign a role to an application at the subscription scope
To assign a role to an application at the subscription scope, use:
azure role assignment create --objectId <applications object id> --roleName <name of role> --subscription
<subscription> --scope <subscription/subscription id>
The following example grants the Contributor role to an Azure AD application on the selected subscription.
azure role assignment create --signInName <user email address> --roleName "<name of role>" --resourceGroup
<resource group name>
The following example grants the Virtual Machine Contributor role to samert@aaddemo.com user at the Pharma-
Sales-ProjectForcast resource group scope.
Assign a role to a group at the resource scope
To assign a role to a group at the resource scope, use:
azure role assignment create --objectId <group id> --role "<name of role>" --resource-name <resource group
name> --resource-type <resource group type> --parent <resource group parent> --resource-group <resource group>
The following example grants the Virtual Machine Contributor role to an Azure AD group on a subnet.
Remove access
To remove a role assignment, use:
azure role assignment delete --objectId <object id to from which to remove role> --roleName "<role name>"
The following example removes the Virtual Machine Contributor role assignment from the
sammert@aaddemo.com user on the Pharma-Sales-ProjectForcast resource group. The example then removes
the role assignment from a group on the subscription.
The following example creates a custom role called Virtual Machine Operator. This custom role grants access to all
read operations of Microsoft.Compute, Microsoft.Storage, and Microsoft.Network resource providers and grants
access to start, restart, and monitor virtual machines. This custom role can be used in two subscriptions. This
example uses a JSON file as an input.
Modify a custom role
To modify a custom role, first use the azure role list command to retrieve role definition. Second, make the
desired changes to the role definition file. Finally, use azure role set to save the modified role definition.
The following example adds the Microsoft.Insights/diagnosticSettings/ operation to the Actions, and an Azure
subscription to the AssignableScopes of the Virtual Machine Operator custom role.
Delete a custom role
To delete a custom role, first use the azure role list command to determine the ID of the role. Then, use the
azure role delete command to delete the role by specifying the ID.
The following example removes the Virtual Machine Operator custom role.
azure role list --json | jq '.[] | if .properties.type == "CustomRole" then .properties.roleName else empty
end'
Next steps
Role Based Access Control
Manage access using Azure Powershell
Manage access using the Azure CLI
RBAC Built in Roles
Manage Role-Based Access Control with Azure
PowerShell
12/11/2017 • 6 min to read • Edit Online
You can use Role-Based Access Control (RBAC) in the Azure portal and Azure Resource Management API to
manage access to your subscription at a fine-grained level. With this feature, you can grant access for Active
Directory users, groups, or service principals by assigning some roles to them at a particular scope.
Before you can use PowerShell to manage RBAC, you need the following prerequisites:
Azure PowerShell version 0.8.8 or later. To install the latest version and associate it with your Azure
subscription, see how to install and configure Azure PowerShell.
Azure Resource Manager cmdlets. Install the Azure Resource Manager cmdlets in PowerShell.
List roles
List all available roles
To list RBAC roles that are available for assignment and to inspect the operations to which they grant access, use
Get-AzureRmRoleDefinition .
Get-AzureRmRoleAssignment -IncludeClassicAdministrators
Grant access
Search for object IDs
To assign a role, you need to identify both the object (user, group, or application) and the scope.
If you don't know the subscription ID, you can find it in the Subscriptions blade on the Azure portal. To learn how
to query for the subscription ID, see Get-AzureSubscription on MSDN.
To get the object ID for an Azure AD group, use:
New-AzureRmRoleAssignment -ObjectId <application id> -RoleDefinitionName <role name> -Scope <subscription id>
Assign a role to a user at the resource group scope
To grant access to a user at the resource group scope, use:
Remove-AzureRmRoleAssignment -ObjectId <object id> -RoleDefinitionName <role name> -Scope <scope such as
subscription id>
To add the role to the subscriptions, run the following PowerShell command:
In the following example, the Virtual Machine Operator custom role isn’t available in the Production4 subscription
because that subscription isn’t in the AssignableScopes of the role.
See also
Using Azure PowerShell with Azure Resource Manager * Role Based Access Control * Manage access using
Azure Powershell * Manage access using the Azure CLI * RBAC Built in Roles
Manage Role-Based Access Control with the REST API
12/11/2017 • 10 min to read • Edit Online
Role-Based Access Control (RBAC) in the Azure portal and Azure Resource Manager API helps you manage access to your subscription and
resources at a fine-grained level. With this feature, you can grant access for Active Directory users, groups, or service principals by assigning
some roles to them at a particular scope.
https://management.azure.com/{scope}/providers/Microsoft.Authorization/roleAssignments?api-version={api-version}&$filter={filter}
Within the URI, make the following substitutions to customize your request:
1. Replace {scope} with the scope for which you wish to list the role assignments. The following examples show how to specify the scope for
different levels:
Subscription: /subscriptions/{subscription-id}
Resource Group: /subscriptions/{subscription-id}/resourceGroups/myresourcegroup1
Resource: /subscriptions/{subscription-id}/resourceGroups/myresourcegroup1/providers/Microsoft.Web/sites/mysite1
2. Replace {api-version} with 2015-07-01.
3. Replace {filter} with the condition that you wish to apply to filter the role assignment list:
List role assignments for only the specified scope, not including the role assignments at subscopes: atScope()
List role assignments for a specific user, group, or application: principalId%20eq%20'{objectId of user, group, or service principal}'
List role assignments for a specific user, including ones inherited from groups | assignedTo('{objectId of user}')
Response
Status code: 200
{
"value": [
{
"properties": {
"roleDefinitionId": "/subscriptions/c276fc76-9cd4-44c9-99a7-4fd71546436e/providers/Microsoft.Authorization/roleDefinitions/acdd72a7-
3385-48ef-bd42-f606fba81ae7",
"principalId": "2f9d4375-cbf1-48e8-83c9-2a0be4cb33fb",
"scope": "/subscriptions/c276fc76-9cd4-44c9-99a7-4fd71546436e",
"createdOn": "2015-10-08T07:28:24.3905077Z",
"updatedOn": "2015-10-08T07:28:24.3905077Z",
"createdBy": "877f0ab8-9c5f-420b-bf88-a1c6c7e2643e",
"updatedBy": "877f0ab8-9c5f-420b-bf88-a1c6c7e2643e"
},
"id": "/subscriptions/c276fc76-9cd4-44c9-99a7-4fd71546436e/providers/Microsoft.Authorization/roleAssignments/baa6e199-ad19-4667-b768-
623fde31aedd",
"type": "Microsoft.Authorization/roleAssignments",
"name": "baa6e199-ad19-4667-b768-623fde31aedd"
}
],
"nextLink": null
}
https://management.azure.com/{scope}/providers/Microsoft.Authorization/roleAssignments/{role-assignment-id}?api-version={api-version}
Within the URI, make the following substitutions to customize your request:
1. Replace {scope} with the scope for which you wish to list the role assignments. The following examples show how to specify the scope for
different levels:
Subscription: /subscriptions/{subscription-id}
Resource Group: /subscriptions/{subscription-id}/resourceGroups/myresourcegroup1
Resource: /subscriptions/{subscription-id}/resourceGroups/myresourcegroup1/providers/Microsoft.Web/sites/mysite1
2. Replace {role-assignment-id} with the GUID identifier of the role assignment.
3. Replace {api-version} with 2015-07-01.
Response
Status code: 200
{
"properties": {
"roleDefinitionId": "/subscriptions/c276fc76-9cd4-44c9-99a7-4fd71546436e/providers/Microsoft.Authorization/roleDefinitions/b24988ac-
6180-42a0-ab88-20f7382dd24c",
"principalId": "672f1afa-526a-4ef6-819c-975c7cd79022",
"scope": "/subscriptions/c276fc76-9cd4-44c9-99a7-4fd71546436e",
"createdOn": "2015-10-05T08:36:26.4014813Z",
"updatedOn": "2015-10-05T08:36:26.4014813Z",
"createdBy": "877f0ab8-9c5f-420b-bf88-a1c6c7e2643e",
"updatedBy": "877f0ab8-9c5f-420b-bf88-a1c6c7e2643e"
},
"id": "/subscriptions/c276fc76-9cd4-44c9-99a7-4fd71546436e/providers/Microsoft.Authorization/roleAssignments/196965ae-6088-4121-a92a-
f1e33fdcc73e",
"type": "Microsoft.Authorization/roleAssignments",
"name": "196965ae-6088-4121-a92a-f1e33fdcc73e"
}
https://management.azure.com/{scope}/providers/Microsoft.Authorization/roleAssignments/{role-assignment-id}?api-version={api-version}
Within the URI, make the following substitutions to customize your request:
1. Replace {scope} with the scope at which you wish to create the role assignments. When you create a role assignment at a parent scope, all
child scopes inherit the same role assignment. The following examples show how to specify the scope for different levels:
Subscription: /subscriptions/{subscription-id}
Resource Group: /subscriptions/{subscription-id}/resourceGroups/myresourcegroup1
Resource: /subscriptions/{subscription-id}/resourceGroups/myresourcegroup1/providers/Microsoft.Web/sites/mysite1
2. Replace {role-assignment-id} with a new GUID, which becomes the GUID identifier of the new role assignment.
3. Replace {api-version} with 2015-07-01.
For the request body, provide the values in the following format:
{
"properties": {
"roleDefinitionId": "/subscriptions/c276fc76-9cd4-44c9-99a7-
4fd71546436e/resourceGroups/Network/providers/Microsoft.Network/virtualNetworks/EASTUS-VNET-01/subnets/Devices-Engineering-
ProjectRND/providers/Microsoft.Authorization/roleDefinitions/9980e02c-c2be-4d73-94e8-173b1dc7cf3c",
"principalId": "5ac84765-1c8c-4994-94b2-629461bd191b"
}
}
ELEMENT NAME REQUIRED TYPE DESCRIPTION
Response
Status code: 201
{
"properties": {
"roleDefinitionId": "/subscriptions/c276fc76-9cd4-44c9-99a7-4fd71546436e/providers/Microsoft.Authorization/roleDefinitions/9980e02c-
c2be-4d73-94e8-173b1dc7cf3c",
"principalId": "5ac84765-1c8c-4994-94b2-629461bd191b",
"scope": "/subscriptions/c276fc76-9cd4-44c9-99a7-4fd71546436e/resourceGroups/Network/providers/Microsoft.Network/virtualNetworks/EASTUS-
VNET-01/subnets/Devices-Engineering-ProjectRND",
"createdOn": "2015-12-16T00:27:19.6447515Z",
"updatedOn": "2015-12-16T00:27:19.6447515Z",
"createdBy": null,
"updatedBy": "877f0ab8-9c5f-420b-bf88-a1c6c7e2643e"
},
"id": "/subscriptions/c276fc76-9cd4-44c9-99a7-4fd71546436e/resourceGroups/Network/providers/Microsoft.Network/virtualNetworks/EASTUS-VNET-
01/subnets/Devices-Engineering-ProjectRND/providers/Microsoft.Authorization/roleAssignments/2e9e86c8-0e91-4958-b21f-20f51f27bab2",
"type": "Microsoft.Authorization/roleAssignments",
"name": "2e9e86c8-0e91-4958-b21f-20f51f27bab2"
}
https://management.azure.com/{scope}/providers/Microsoft.Authorization/roleAssignments/{role-assignment-id}?api-version={api-version}
Within the URI, make the following substitutions to customize your request:
1. Replace {scope} with the scope at which you wish to create the role assignments. The following examples show how to specify the scope
for different levels:
Subscription: /subscriptions/{subscription-id}
Resource Group: /subscriptions/{subscription-id}/resourceGroups/myresourcegroup1
Resource: /subscriptions/{subscription-id}/resourceGroups/myresourcegroup1/providers/Microsoft.Web/sites/mysite1
2. Replace {role-assignment-id} with the role assignment id GUID.
3. Replace {api-version} with 2015-07-01.
Response
Status code: 200
{
"properties": {
"roleDefinitionId": "/subscriptions/c276fc76-9cd4-44c9-99a7-4fd71546436e/providers/Microsoft.Authorization/roleDefinitions/9980e02c-
c2be-4d73-94e8-173b1dc7cf3c",
"principalId": "5ac84765-1c8c-4994-94b2-629461bd191b",
"scope": "/subscriptions/c276fc76-9cd4-44c9-99a7-4fd71546436e/resourceGroups/Network/providers/Microsoft.Network/virtualNetworks/EASTUS-
VNET-01/subnets/Devices-Engineering-ProjectRND",
"createdOn": "2015-12-17T23:21:40.8921564Z",
"updatedOn": "2015-12-17T23:21:40.8921564Z",
"createdBy": "877f0ab8-9c5f-420b-bf88-a1c6c7e2643e",
"updatedBy": "877f0ab8-9c5f-420b-bf88-a1c6c7e2643e"
},
"id": "/subscriptions/c276fc76-9cd4-44c9-99a7-4fd71546436e/resourceGroups/Network/providers/Microsoft.Network/virtualNetworks/EASTUS-VNET-
01/subnets/Devices-Engineering-ProjectRND/providers/Microsoft.Authorization/roleAssignments/5eec22ee-ea5c-431e-8f41-82c560706fd2",
"type": "Microsoft.Authorization/roleAssignments",
"name": "5eec22ee-ea5c-431e-8f41-82c560706fd2"
}
https://management.azure.com/{scope}/providers/Microsoft.Authorization/roleDefinitions?api-version={api-version}&$filter={filter}
Within the URI, make the following substitutions to customize your request:
1. Replace {scope} with the scope for which you wish to list the roles. The following examples show how to specify the scope for different
levels:
Subscription: /subscriptions/{subscription-id}
Resource Group: /subscriptions/{subscription-id}/resourceGroups/myresourcegroup1
Resource /subscriptions/{subscription-id}/resourceGroups/myresourcegroup1/providers/Microsoft.Web/sites/mysite1
2. Replace {api-version} with 2015-07-01.
3. Replace {filter} with the condition that you wish to apply to filter the list of roles:
List roles available for assignment at the specified scope and any of its child scopes: atScopeAndBelow()
Search for a role using exact display name: roleName%20eq%20'{role-display-name}' . Use the URL encoded form of the exact display
name of the role. For instance, $filter=roleName%20eq%20'Virtual%20Machine%20Contributor' |
Response
Status code: 200
{
"value": [
{
"properties": {
"roleName": "Virtual Machine Contributor",
"type": "BuiltInRole",
"description": "Lets you manage virtual machines, but not access to them, and not the virtual network or storage account
they\u2019re connected to.",
"assignableScopes": [
"/"
],
"permissions": [
{
"actions": [
"Microsoft.Authorization/*/read",
"Microsoft.Compute/availabilitySets/*",
"Microsoft.Compute/locations/*",
"Microsoft.Compute/virtualMachines/*",
"Microsoft.Compute/virtualMachineScaleSets/*",
"Microsoft.Insights/alertRules/*",
"Microsoft.Network/applicationGateways/backendAddressPools/join/action",
"Microsoft.Network/loadBalancers/backendAddressPools/join/action",
"Microsoft.Network/loadBalancers/inboundNatPools/join/action",
"Microsoft.Network/loadBalancers/inboundNatRules/join/action",
"Microsoft.Network/loadBalancers/read",
"Microsoft.Network/locations/*",
"Microsoft.Network/networkInterfaces/*",
"Microsoft.Network/networkSecurityGroups/join/action",
"Microsoft.Network/networkSecurityGroups/read",
"Microsoft.Network/publicIPAddresses/join/action",
"Microsoft.Network/publicIPAddresses/read",
"Microsoft.Network/virtualNetworks/read",
"Microsoft.Network/virtualNetworks/subnets/join/action",
"Microsoft.Resources/deployments/*",
"Microsoft.Resources/subscriptions/resourceGroups/read",
"Microsoft.Storage/storageAccounts/listKeys/action",
"Microsoft.Storage/storageAccounts/read",
"Microsoft.Support/*"
],
"notActions": []
}
],
"createdOn": "2015-06-02T00:18:27.3542698Z",
"updatedOn": "2015-12-08T03:16:55.6170255Z",
"createdBy": null,
"updatedBy": null
},
"id": "/subscriptions/c276fc76-9cd4-44c9-99a7-4fd71546436e/providers/Microsoft.Authorization/roleDefinitions/9980e02c-c2be-4d73-94e8-
173b1dc7cf3c",
"type": "Microsoft.Authorization/roleDefinitions",
"name": "9980e02c-c2be-4d73-94e8-173b1dc7cf3c"
}
],
"nextLink": null
}
https://management.azure.com/{scope}/providers/Microsoft.Authorization/roleDefinitions/{role-definition-id}?api-version={api-version}
Within the URI, make the following substitutions to customize your request:
1. Replace {scope} with the scope for which you wish to list the role assignments. The following examples show how to specify the scope for
different levels:
Subscription: /subscriptions/{subscription-id}
Resource Group: /subscriptions/{subscription-id}/resourceGroups/myresourcegroup1
Resource: /subscriptions/{subscription-id}/resourceGroups/myresourcegroup1/providers/Microsoft.Web/sites/mysite1
2. Replace {role-definition-id} with the GUID identifier of the role definition.
3. Replace {api-version} with 2015-07-01.
Response
Status code: 200
{
"value": [
{
"properties": {
"roleName": "Virtual Machine Contributor",
"type": "BuiltInRole",
"description": "Lets you manage virtual machines, but not access to them, and not the virtual network or storage account
they\u2019re connected to.",
"assignableScopes": [
"/"
],
"permissions": [
{
"actions": [
"Microsoft.Authorization/*/read",
"Microsoft.Compute/availabilitySets/*",
"Microsoft.Compute/locations/*",
"Microsoft.Compute/virtualMachines/*",
"Microsoft.Compute/virtualMachineScaleSets/*",
"Microsoft.Insights/alertRules/*",
"Microsoft.Network/applicationGateways/backendAddressPools/join/action",
"Microsoft.Network/loadBalancers/backendAddressPools/join/action",
"Microsoft.Network/loadBalancers/inboundNatPools/join/action",
"Microsoft.Network/loadBalancers/inboundNatRules/join/action",
"Microsoft.Network/loadBalancers/read",
"Microsoft.Network/locations/*",
"Microsoft.Network/networkInterfaces/*",
"Microsoft.Network/networkSecurityGroups/join/action",
"Microsoft.Network/networkSecurityGroups/read",
"Microsoft.Network/publicIPAddresses/join/action",
"Microsoft.Network/publicIPAddresses/read",
"Microsoft.Network/virtualNetworks/read",
"Microsoft.Network/virtualNetworks/subnets/join/action",
"Microsoft.Resources/deployments/*",
"Microsoft.Resources/subscriptions/resourceGroups/read",
"Microsoft.Storage/storageAccounts/listKeys/action",
"Microsoft.Storage/storageAccounts/read",
"Microsoft.Support/*"
],
"notActions": []
}
],
"createdOn": "2015-06-02T00:18:27.3542698Z",
"updatedOn": "2015-12-08T03:16:55.6170255Z",
"createdBy": null,
"updatedBy": null
},
"id": "/subscriptions/c276fc76-9cd4-44c9-99a7-4fd71546436e/providers/Microsoft.Authorization/roleDefinitions/9980e02c-c2be-4d73-94e8-
173b1dc7cf3c",
"type": "Microsoft.Authorization/roleDefinitions",
"name": "9980e02c-c2be-4d73-94e8-173b1dc7cf3c"
}
],
"nextLink": null
}
https://management.azure.com/{scope}/providers/Microsoft.Authorization/roleDefinitions/{role-definition-id}?api-version={api-version}
Within the URI, make the following substitutions to customize your request:
1. Replace {scope} with the first AssignableScope of the custom role. The following examples show how to specify the scope for different
levels.
Subscription: /subscriptions/{subscription-id}
Resource Group: /subscriptions/{subscription-id}/resourceGroups/myresourcegroup1
Resource: /subscriptions/{subscription-id}/resourceGroups/myresourcegroup1/providers/Microsoft.Web/sites/mysite1
2. Replace {role-definition-id} with a new GUID, which becomes the GUID identifier of the new custom role.
3. Replace {api-version} with 2015-07-01.
For the request body, provide the values in the following format:
{
"name": "7c8c8ccd-9838-4e42-b38c-60f0bbe9a9d7",
"properties": {
"roleName": "Virtual Machine Operator",
"description": "Lets you monitor virtual machines and restart them.",
"type": "CustomRole",
"permissions": [
{
"actions": [
"Microsoft.Authorization/*/read",
"Microsoft.Compute/*/read",
"Microsoft.Insights/alertRules/*",
"Microsoft.Network/*/read",
"Microsoft.Resources/subscriptions/resourceGroups/read",
"Microsoft.Storage/*/read",
"Microsoft.Support/*",
"Microsoft.Compute/virtualMachines/start/action",
"Microsoft.Compute/virtualMachines/restart/action"
],
"notActions": []
}
],
"assignableScopes": [
"/subscriptions/c276fc76-9cd4-44c9-99a7-4fd71546436e"
]
}
}
Response
Status code: 201
{
"properties": {
"roleName": "Virtual Machine Operator",
"type": "CustomRole",
"description": "Lets you monitor virtual machines and restart them.",
"assignableScopes": [
"/subscriptions/c276fc76-9cd4-44c9-99a7-4fd71546436e"
],
"permissions": [
{
"actions": [
"Microsoft.Authorization/*/read",
"Microsoft.Compute/*/read",
"Microsoft.Insights/alertRules/*",
"Microsoft.Network/*/read",
"Microsoft.Resources/subscriptions/resourceGroups/read",
"Microsoft.Storage/*/read",
"Microsoft.Support/*",
"Microsoft.Compute/virtualMachines/start/action",
"Microsoft.Compute/virtualMachines/restart/action"
],
"notActions": []
}
],
"createdOn": "2015-12-18T00:10:51.4662695Z",
"updatedOn": "2015-12-18T00:10:51.4662695Z",
"createdBy": "877f0ab8-9c5f-420b-bf88-a1c6c7e2643e",
"updatedBy": "877f0ab8-9c5f-420b-bf88-a1c6c7e2643e"
},
"id": "/subscriptions/c276fc76-9cd4-44c9-99a7-4fd71546436e/providers/Microsoft.Authorization/roleDefinitions/7c8c8ccd-9838-4e42-b38c-
60f0bbe9a9d7",
"type": "Microsoft.Authorization/roleDefinitions",
"name": "7c8c8ccd-9838-4e42-b38c-60f0bbe9a9d7"
}
https://management.azure.com/{scope}/providers/Microsoft.Authorization/roleDefinitions/{role-definition-id}?api-version={api-version}
Within the URI, make the following substitutions to customize your request:
1. Replace {scope} with the first AssignableScope of the custom role. The following examples show how to specify the scope for different
levels:
Subscription: /subscriptions/{subscription-id}
Resource Group: /subscriptions/{subscription-id}/resourceGroups/myresourcegroup1
Resource: /subscriptions/{subscription-id}/resourceGroups/myresourcegroup1/providers/Microsoft.Web/sites/mysite1
2. Replace {role-definition-id} with the GUID identifier of the custom role.
3. Replace {api-version} with 2015-07-01.
For the request body, provide the values in the following format:
{
"name": "7c8c8ccd-9838-4e42-b38c-60f0bbe9a9d7",
"properties": {
"roleName": "Virtual Machine Operator",
"description": "Lets you monitor virtual machines and restart them.",
"type": "CustomRole",
"permissions": [
{
"actions": [
"Microsoft.Authorization/*/read",
"Microsoft.Compute/*/read",
"Microsoft.Insights/alertRules/*",
"Microsoft.Network/*/read",
"Microsoft.Resources/subscriptions/resourceGroups/read",
"Microsoft.Storage/*/read",
"Microsoft.Support/*",
"Microsoft.Compute/virtualMachines/start/action",
"Microsoft.Compute/virtualMachines/restart/action"
],
"notActions": []
}
],
"assignableScopes": [
"/subscriptions/c276fc76-9cd4-44c9-99a7-4fd71546436e"
]
}
}
Response
Status code: 201
{
"properties": {
"roleName": "Virtual Machine Operator",
"type": "CustomRole",
"description": "Lets you monitor virtual machines and restart them.",
"assignableScopes": [
"/subscriptions/c276fc76-9cd4-44c9-99a7-4fd71546436e"
],
"permissions": [
{
"actions": [
"Microsoft.Authorization/*/read",
"Microsoft.Compute/*/read",
"Microsoft.Insights/alertRules/*",
"Microsoft.Network/*/read",
"Microsoft.Resources/subscriptions/resourceGroups/read",
"Microsoft.Storage/*/read",
"Microsoft.Support/*",
"Microsoft.Compute/virtualMachines/start/action",
"Microsoft.Compute/virtualMachines/restart/action"
],
"notActions": []
}
],
"createdOn": "2015-12-18T00:10:51.4662695Z",
"updatedOn": "2015-12-18T00:10:51.4662695Z",
"createdBy": "877f0ab8-9c5f-420b-bf88-a1c6c7e2643e",
"updatedBy": "877f0ab8-9c5f-420b-bf88-a1c6c7e2643e"
},
"id": "/subscriptions/c276fc76-9cd4-44c9-99a7-4fd71546436e/providers/Microsoft.Authorization/roleDefinitions/7c8c8ccd-9838-4e42-b38c-
60f0bbe9a9d7",
"type": "Microsoft.Authorization/roleDefinitions",
"name": "7c8c8ccd-9838-4e42-b38c-60f0bbe9a9d7"
}
https://management.azure.com/{scope}/providers/Microsoft.Authorization/roleDefinitions/{role-definition-id}?api-version={api-version}
Within the URI, make the following substitutions to customize your request:
1. Replace {scope} with the scope at which you wish to delete the role definition. The following examples show how to specify the scope for
different levels:
Subscription: /subscriptions/{subscription-id}
Resource Group: /subscriptions/{subscription-id}/resourceGroups/myresourcegroup1
Resource: /subscriptions/{subscription-id}/resourceGroups/myresourcegroup1/providers/Microsoft.Web/sites/mysite1
2. Replace {role-definition-id} with the GUID role definition id of the custom role.
3. Replace {api-version} with 2015-07-01.
Response
Status code: 200
{
"properties": {
"roleName": "Virtual Machine Operator",
"type": "CustomRole",
"description": "Lets you monitor virtual machines and restart them.",
"assignableScopes": [
"/subscriptions/c276fc76-9cd4-44c9-99a7-4fd71546436e"
],
"permissions": [
{
"actions": [
"Microsoft.Authorization/*/read",
"Microsoft.Compute/*/read",
"Microsoft.Insights/alertRules/*",
"Microsoft.Network/*/read",
"Microsoft.Resources/subscriptions/resourceGroups/read",
"Microsoft.Storage/*/read",
"Microsoft.Support/*",
"Microsoft.Compute/virtualMachines/start/action",
"Microsoft.Compute/virtualMachines/restart/action"
],
"notActions": []
}
],
"createdOn": "2015-12-16T00:07:02.9236555Z",
"updatedOn": "2015-12-16T00:07:02.9236555Z",
"createdBy": "877f0ab8-9c5f-420b-bf88-a1c6c7e2643e",
"updatedBy": "877f0ab8-9c5f-420b-bf88-a1c6c7e2643e"
},
"id": "/subscriptions/c276fc76-9cd4-44c9-99a7-4fd71546436e/providers/Microsoft.Authorization/roleDefinitions/0bd62a70-e1b8-4e0b-a7c2-
75cab365c95b",
"type": "Microsoft.Authorization/roleDefinitions",
"name": "0bd62a70-e1b8-4e0b-a7c2-75cab365c95b"
}
Next steps
Role Based Access Control
Manage access using Azure Powershell
Manage access using the Azure CLI
RBAC Built in Roles
Elevate access as a tenant admin with Role-Based
Access Control
12/11/2017 • 3 min to read • Edit Online
Role-based Access Control helps tenant administrators get temporary elevations in access so that they can grant
higher permissions than normal. A tenant admin can elevate herself to the User Access Administrator role when
needed. That role gives the tenant admin permissions to grant herself or others roles at the "/" scope.
This feature is important because it allows the tenant admin to see all the subscriptions that exist in an organization.
It also allows for automation apps like invoicing and auditing to access all the subscriptions and provide an accurate
view of the state of the organization for billing or asset management.
IMPORTANT
When you choose Yes, assigns the User Access Administrator role at the Root "/" (Root Scope) for the user with
which you are currently logged into the Portal. This allows the user to see all other Azure Subscriptions.
NOTE
When you choose No, removes the User Access Administrator role at the Root "/" (Root Scope) for the user with
which you are currently logged into the Portal.
TIP
The impression is that this is a Global Property for Azure Active Directory, however, it functions on a per-user basis for the
currently logged on user. When you have Global Administrator rights in Azure Active Directory, you can invoke the
elevateAccess feature for the user which you are currently logged into Azure Active Directory Admin Center.
View role assignments at the "/" scope using PowerShell
To view the User Access Administrator assignment at the / scope, use the Get-AzureRmRoleAssignment PowerShell
cmdlet.
Get-AzureRmRoleAssignment* | where {$_.RoleDefinitionName -eq "User Access Administrator" -and $_SignInName -eq
"<username@somedomain.com>" -and $_.Scope -eq "/"}
Example output:
RoleAssignmentId : /providers/Microsoft.Authorization/roleAssignments/098d572e-c1e5-43ee-84ce-
8dc459c7e1f0
Scope : /
DisplayName : username
SignInName : username@somedomain.com
RoleDefinitionName : User Access Administrator
RoleDefinitionId : 18d7d88d-d35e-4fb5-a5c3-7773c20a72d9
ObjectId : d65fd0e9-c185-472c-8f26-1dafa01f72cc
ObjectType : User
Delete the role assignment at "/" scope using Powershell:
You can delete the assignment using following PowerShell cmdlet:
POST https://management.azure.com/providers/Microsoft.Authorization/elevateAccess?api-version=2016-07-01
2. Create a role assignment to assign any role at any scope. The following example shows the properties for
assigning the Reader role at "/" scope:
{ "properties":{
"roleDefinitionId":
"providers/Microsoft.Authorization/roleDefinitions/acdd72a7338548efbd42f606fba81ae7",
"principalId": "cbc5e050-d7cd-4310-813b-4870be8ef5bb",
"scope": "/"
},
"id": "providers/Microsoft.Authorization/roleAssignments/64736CA0-56D7-4A94-A551-973C2FE7888B",
"type": "Microsoft.Authorization/roleAssignments",
"name": "64736CA0-56D7-4A94-A551-973C2FE7888B"
}
3. While a User Access Admin, you can also delete role assignments at "/" scope.
4. Revoke your User Access Admin privileges until they're needed again.
Save the GUID from the name parameter, in this case 18d7d88d-d35e-4fb5-a5c3-7773c20a72d9.
2. You also need to list the role assignment for tenant admin at tenant scope. List all assignments at tenant
scope for the PrincipalId of the TenantAdmin who made the elevate access call. This will list all assignments
in the tenant for the ObjectID.
a. GET https://management.azure.com/providers/Microsoft.Authorization/roleAssignments?api-
version=2015-07-01&$filter=principalId+eq+'{objectid}'
NOTE
A tenant admin should not have many assignments, if the query above returns too many assignments, you
can also query for all assignments just at tenant scope level, then filter the results: GET
https://management.azure.com/providers/Microsoft.Authorization/roleAssignments?api-version=2015-07-
01&$filter=atScope()
b. The above calls return a list of role assignments. Find the role assignment where the scope is "/" and
the RoleDefinitionId ends with the role name GUID you found in step 1 and PrincipalId matches the
ObjectId of the Tenant Admin. The role assignment looks like this:
{"value":[{"properties":{
"roleDefinitionId":"/providers/Microsoft.Authorization/roleDefinitions/18d7d88d-d35e-4fb5-a5c3-
7773c20a72d9",
"principalId":"{objectID}",
"scope":"/",
"createdOn":"2016-08-17T19:21:16.3422480Z",
"updatedOn":"2016-08-17T19:21:16.3422480Z",
"createdBy":"93ce6722-3638-4222-b582-78b75c5c6d65",
"updatedBy":"93ce6722-3638-4222-b582-78b75c5c6d65"},
"id":"/providers/Microsoft.Authorization/roleAssignments/e7dd75bc-06f6-4e71-9014-ee96a929d099",
"type":"Microsoft.Authorization/roleAssignments",
"name":"e7dd75bc-06f6-4e71-9014-ee96a929d099"}],
"nextLink":null}
Again, save the GUID from the name parameter, in this case e7dd75bc-06f6-4e71-9014-
ee96a929d099.
c. Finally, Use the highlighted RoleAssignment ID to delete the assignment added by Elevate Access:
DELETE https://management.azure.com
/providers/Microsoft.Authorization/roleAssignments/e7dd75bc-06f6-4e71-9014-ee96a929d099?api-
version=2015-07-01
Next steps
Learn more about managing Role-Based Access Control with REST
Manage access assignments in the Azure portal
Troubleshooting Azure role-based access control
1/17/2018 • 2 min to read • Edit Online
This document article answers common questions about the specific access rights that are granted with roles, so
that you know what to expect when using the roles in the Azure portal and can troubleshoot access problems.
These three roles cover all resource types:
Owner
Contributor
Reader
Owners and contributors both have full access to the management experience, but a contributor can’t give access
to other users or groups. Things get a little more interesting with the reader role, so that’s where we'll spend some
time. See the Role-Based Access Control get-started article for details on how to grant access.
See more
Role Based Access Control: Get started with RBAC in the Azure portal.
Built-in roles: Get details about the roles that come standard in RBAC.
Custom roles in Azure RBAC: Learn how to create custom roles to fit your access needs.
Create an access change history report: Keep track of changing role assignments in RBAC.
Azure Resource Manager Resource Provider
operations
12/11/2017 • 77 min to read • Edit Online
This document lists the operations available for each Microsoft Azure Resource Manager resource provider. These
can be used in custom roles to provide granular Role-Based Access Control (RBAC) permissions to resources in
Azure. Please note this is not a comprehensive list and operations may be added or removed as each provider is
updated. Operation strings follow the format of Microsoft.<ProviderName>/<ChildResourceType>/<action> .
NOTE
For a comprehensive and current list please use Get-AzureRmProviderOperation (in PowerShell) or
az provider operation list (in Azure CLI v2) to list operations of Azure resource providers.
Microsoft.ADHybridHealthService
OPERATION DESCRIPTION
Microsoft.Advisor
OPERATION DESCRIPTION
Microsoft.AnalysisServices
OPERATION DESCRIPTION
/servers/checkNameAvailability Checks that given Analysis Server name is valid and not in use.
/action
Microsoft.ApiManagement
OPERATION DESCRIPTION
/service/getssotoken/action Gets SSO token that can be used to login into API
Management Service Legacy portal as an administrator
/service/users/generateSsoUrl/action Generate SSO URL. The URL can be used to access admin
portal
Microsoft.Authorization
OPERATION DESCRIPTION
/permissions/read Lists all the permissions the caller has at a given scope.
/providerOperations/read Get operations for all resource providers which can be used in
role definitions.
Microsoft.Automation
OPERATION DESCRIPTION
Microsoft.AzureActiveDirectory
This provider is not a full ARM provider and does not provide any ARM operations.
Microsoft.Batch
OPERATION DESCRIPTION
/register/action Registers the subscription for the Batch Resource Provider and
enables the creation of Batch accounts
Microsoft.Billing
OPERATION DESCRIPTION
Microsoft.BingMaps
OPERATION DESCRIPTION
Microsoft.Cache
OPERATION DESCRIPTION
/checknameavailability/action Checks if a name is available for use with a new Redis Cache
/redis/listKeys/action View the value of Redis Cache access keys in the management
portal
/redis/listUpgradeNotifications/read List the latest Upgrade Notifications for the cache tenant.
Microsoft.CertificateRegistration
OPERATION DESCRIPTION
Microsoft.ClassicCompute
OPERATION DESCRIPTION
/operatingSystems/read Lists the versions of the guest operating system that are
currently available in Microsoft Azure.
/domainNames/serviceCertificates/operationStatuses/read Reads the operation status for the domain names service
certificates.
/domainNames/extensions/operationStatuses/read Reads the operation status for the domain names extensions.
/domainNames/slots/operationStatuses/read Reads the operation status for the domain names slots.
/domainNames/slots/roles/extensionReferences/read Returns the extension reference for the deployment slot role.
/domainNames/slots/roles/extensionReferences/write Add or modify the extension reference for the deployment slot
role.
/domainNames/slots/roles/extensionReferences/delete Remove the extension reference for the deployment slot role.
/domainNames/slots/roles/extensionReferences/operationStat Reads the operation status for the domain names slots roles
uses/read extension references.
/domainNames/slots/roles/roleInstances/operationStatuses/re Reads the operation status for the domain names slots roles
ad role instances.
/domainNames/internalLoadBalancers/operationStatuses/read Reads the operation status for the domain names internal load
balancers.
/domainNames/loadBalancedEndpointSets/operationStatuses/r Reads the operation status for the domain names load
ead balanced endpoint sets.
/virtualMachines/networkInterfaces/ Gets the network security group associated with the network
associatedNetworkSecurityGroups/read interface.
/virtualMachines/networkInterfaces/ Reads the operation status for the virtual machines associated
associatedNetworkSecurityGroups/operationStatuses/read network security groups.
/virtualMachines/extensions/operationStatuses/read Reads the operation status for the virtual machines extensions.
/virtualMachines/associatedNetworkSecurityGroups/read Gets the network security group associated with the virtual
machine.
/virtualMachines/associatedNetworkSecurityGroups/delete Deletes the network security group associated with the virtual
machine.
/virtualMachines/associatedNetworkSecurityGroups/operation Reads the operation status for the virtual machines associated
Statuses/read network security groups.
Microsoft.ClassicNetwork
OPERATION DESCRIPTION
/virtualNetworks/subnets/ Gets the network security group associated with the subnet.
associatedNetworkSecurityGroups/read
/virtualNetworks/subnets/ Reads the operation status for the virtual network subnet
associatedNetworkSecurityGroups/operationStatuses/read associeted network security group.
/virtualNetworks/gateways/operationStatuses/read Reads the operation status for the virtual networks gateways.
/networkSecurityGroups/operationStatuses/read Reads the operation status for the network security group.
/networkSecurityGroups/securityRules/operationStatuses/read Reads the operation status for the network security group
security rules.
Microsoft.ClassicStorage
OPERATION DESCRIPTION
/storageAccounts/regenerateKey/action Regenerates the existing access keys for the storage account.
Microsoft.CognitiveServices
OPERATION DESCRIPTION
Microsoft.Commerce
OPERATION DESCRIPTION
/RateCard/read Returns offer data, resource/meter metadata and rates for the
given subscription.
Microsoft.Compute
OPERATION DESCRIPTION
/restorePointCollections/restorePoints/retrieveSasUris/action Get the properties of a restore point along with blob SAS URIs
/virtualMachineScaleSets/powerOff/action Powers off the instances of the virtual machine scale set
/virtualMachineScaleSets/deallocate/action Powers off and releases the compute resources for the
instances of the virtual machine scale set
/virtualMachineScaleSets/instanceView/read Gets the instance view of the virtual machine scale set
/virtualMachineScaleSets/skus/read Lists the valid SKUs for an existing virtual machine scale set
/virtualMachineScaleSets/virtualMachines/deallocate/action Powers off and releases the compute resources for a Virtual
Machine in a VM Scale Set.
/disks/beginGetAccess/action Get the SAS URI of the Disk for blob access
/virtualMachines/powerOff/action Powers off the virtual machine. Note that the virtual machine
will continue to be billed.
/virtualMachines/deallocate/action Powers off the virtual machine and releases the compute
resources
/virtualMachines/generalize/action Sets the virtual machine state to Generalized and prepares the
virtual machine for capture
/virtualMachines/capture/action Captures the virtual machine by copying virtual hard disks and
generates a template that can be used to create similar virtual
machines
/virtualMachines/instanceView/read Gets the detailed runtime status of the virtual machine and its
resources
OPERATION DESCRIPTION
/locations/usages/read Gets service limits and current usage quantities for the
subscription's compute resources in a location
Microsoft.ContainerRegistry
OPERATION DESCRIPTION
/registries/listCredentials/action Lists the login credentials for the specified container registry.
Microsoft.ContainerService
OPERATION DESCRIPTION
Microsoft.ContentModerator
OPERATION DESCRIPTION
Microsoft.CustomerInsights
OPERATION DESCRIPTION
/catalogs/write Creates catalog or updates the tags and properties for the
catalog.
Microsoft.DataFactory
OPERATION DESCRIPTION
Microsoft.DataLakeAnalytics
OPERATION DESCRIPTION
Microsoft.DataLakeStore
OPERATION DESCRIPTION
Microsoft.Devices
OPERATION DESCRIPTION
/register/action Register the subscription for the IotHub resource provider and
enables the creation of IotHub resources
Microsoft.DevTestLab
OPERATION DESCRIPTION
/labs/users/disks/Attach/action Attach and create the lease of the disk to the virtual machine.
/labs/users/disks/Detach/action Detach and break the lease of the disk attached to the virtual
machine.
/labs/artifactSources/artifacts/GenerateArmTemplate/action Generates an ARM template for the given artifact, uploads the
required files to a storage account, and validates the
generated artifact.
Microsoft.DocumentDB
OPERATION DESCRIPTION
Microsoft.DomainRegistration
OPERATION DESCRIPTION
Microsoft.DynamicsLcs
OPERATION DESCRIPTION
Microsoft.EventHub
OPERATION DESCRIPTION
Microsoft.Features
OPERATION DESCRIPTION
Microsoft.HDInsight
OPERATION DESCRIPTION
Microsoft.ImportExport
OPERATION DESCRIPTION
/jobs/read Gets the properties for the specified job or returns the list of
jobs.
/locations/read Gets the properties for the specified location or returns the list
of locations.
Microsoft.Insights
OPERATION DESCRIPTION
Microsoft.KeyVault
OPERATION DESCRIPTION
/checkNameAvailability/read Checks that a key vault name is valid and is not in use
OPERATION DESCRIPTION
Microsoft.Logic
OPERATION DESCRIPTION
Microsoft.MachineLearning
OPERATION DESCRIPTION
Microsoft.MarketplaceOrdering
OPERATION DESCRIPTION
Microsoft.Media
OPERATION DESCRIPTION
/mediaservices/read
/mediaservices/write
/mediaservices/delete
/mediaservices/regenerateKey/action
/mediaservices/listKeys/action
OPERATION DESCRIPTION
/mediaservices/syncStorageKeys/action
Microsoft.Network
OPERATION DESCRIPTION
/dnszones/read Get the DNS zone, in JSON format. The zone properties
include tags, etag, numberOfRecordSets, and
maxNumberOfRecordSets. Note that this command does not
retrieve the record sets contained within the zone.
/dnszones/delete Delete the DNS zone, in JSON format. The zone properties
include tags, etag, numberOfRecordSets, and
maxNumberOfRecordSets.
/dnszones/MX/read Get the record set of type ‘MX’, in JSON format. The record set
contains a list of records as well as the TTL, tags, and etag.
/dnszones/MX/write Create or update a record set of type ‘MX’ within a DNS zone.
The records specified will replace the current records in the
record set.
/dnszones/MX/delete Remove the record set of a given name and type ‘MX’ from a
DNS zone.
/dnszones/AAAA/read Get the record set of type ‘AAAA’, in JSON format. The record
set contains a list of records as well as the TTL, tags, and etag.
/dnszones/AAAA/delete Remove the record set of a given name and type ‘AAAA’ from
a DNS zone.
OPERATION DESCRIPTION
/dnszones/CNAME/read Get the record set of type ‘CNAME’, in JSON format. The
record set contains the TTL, tags, and etag.
/dnszones/CNAME/delete Remove the record set of a given name and type ‘CNAME’
from a DNS zone.
/dnszones/SRV/read Get the record set of type ‘SRV’, in JSON format. The record
set contains a list of records as well as the TTL, tags, and etag.
/dnszones/SRV/delete Remove the record set of a given name and type ‘SRV’ from a
DNS zone.
/dnszones/PTR/read Get the record set of type ‘PTR’, in JSON format. The record
set contains a list of records as well as the TTL, tags, and etag.
/dnszones/PTR/write Create or update a record set of type ‘PTR’ within a DNS zone.
The records specified will replace the current records in the
record set.
/dnszones/PTR/delete Remove the record set of a given name and type ‘PTR’ from a
DNS zone.
/dnszones/A/read Get the record set of type ‘A’, in JSON format. The record set
contains a list of records as well as the TTL, tags, and etag.
/dnszones/A/write Create or update a record set of type ‘A’ within a DNS zone.
The records specified will replace the current records in the
record set.
/dnszones/A/delete Remove the record set of a given name and type ‘A’ from a
DNS zone.
/dnszones/TXT/read Get the record set of type ‘TXT’, in JSON format. The record
set contains a list of records as well as the TTL, tags, and etag.
/dnszones/TXT/write Create or update a record set of type ‘TXT’ within a DNS zone.
The records specified will replace the current records in the
record set.
/dnszones/TXT/delete Remove the record set of a given name and type ‘TXT’ from a
DNS zone.
/networkInterfaces/loadBalancers/read Gets all the load balancers that the network interface is part of
/networkWatchers/securityGroupView/action View the configured and effective network security group rules
applied on a VM.
/trafficManagerProfiles/delete Delete the Traffic Manager profile. All settings associated with
the Traffic Manager profile will be lost, and the profile can no
longer be used to route traffic.
Microsoft.NotificationHubs
OPERATION DESCRIPTION
/Namespaces/NotificationHubs/pnsCredentials/action Get All Notification Hub PNS Credentials. This includes, WNS,
MPNS, APNS, GCM and Baidu credentials
Microsoft.OperationalInsights
OPERATION DESCRIPTION
/linkTargets/read Lists existing accounts that are not associated with an Azure
subscription. To link this Azure subscription to a workspace,
use a customer id returned by this operation in the customer
id property of the Create Workspace operation.
/workspaces/sharedKeys/action Retrieves the shared keys for the workspace. These keys are
used to connect Microsoft Operational Insights agents to the
workspace.
/workspaces/managementGroups/read Gets the names and metadata for System Center Operations
Manager management groups connected to this workspace.
/workspaces/schema/read Gets the search schema for the workspace. Search schema
includes the exposed fields and their types.
/workspaces/usages/read Gets usage data for a workspace including the amount of data
read by the workspace.
/workspaces/intelligencepacks/read Lists all intelligence packs that are visible for a given
worksapce and also lists whether the pack is enabled or
disabled for that workspace.
/workspaces/sharedKeys/read Retrieves the shared keys for the workspace. These keys are
used to connect Microsoft Operational Insights agents to the
workspace.
OPERATION DESCRIPTION
Microsoft.OperationsManagement
OPERATION DESCRIPTION
Microsoft.RecoveryServices
OPERATION DESCRIPTION
/Vaults/read The Get Vault operation gets an object representing the Azure
resource of type 'vault'
/vaults/replicationFabrics/renewcertificate/action
/vaults/replicationFabrics/replicationProtectionContainers/ Failover
replicationProtectedItems/unplannedFailover/action
/Vaults/registeredIdentities/read The Get Containers operation can be used get the containers
registered for a resource.
/Vaults/registeredIdentities/operationResults/read The Get Operation Results operation can be used get the
operation status and result for the asynchronously submitted
operation
/Vaults/vaultTokens/read The Vault Token operation can be used to get Vault Token for
vault level backend operations.
Microsoft.Relay
OPERATION DESCRIPTION
/register/action Registers the subscription for the Relay resource provider and
enables the creation of Relay resources
Microsoft.ResourceHealth
OPERATION DESCRIPTION
/AvailabilityStatuses/read Gets the availability statuses for all resources in the specified
scope
Microsoft.Scheduler
OPERATION DESCRIPTION
Microsoft.Search
OPERATION DESCRIPTION
/register/action Registers the subscription for the search resource provider and
enables the creation of search services.
Microsoft.Security
OPERATION DESCRIPTION
Microsoft.ServerManagement
OPERATION DESCRIPTION
Microsoft.ServiceBus
OPERATION DESCRIPTION
Microsoft.Sql
OPERATION DESCRIPTION
/servers/delete Delete a server and all contained databases and elastic pools
/servers/import/action Create a new database on the server and deploy schema and
data from a DacPac package
/servers/elasticPools/providers/Microsoft.Insights/ Return types of metrics that are available for elastic database
metricDefinitions/read pools
/servers/elasticPools/databases/read Retrieve list and details of databases that are part of elastic
database pool on a given server
/servers/auditingPolicies/write Change the default server table auditing for a given server
/servers/usages/read Return server DTU quota and current DTU consuption by all
databases within the server
/servers/elasticPoolEstimates/read Returns list of elastic pool estimates already created for this
server
OPERATION DESCRIPTION
/servers/auditingSettings/operationResults/read Retrieve result of the server blob auditing policy Set operation
/servers/databases/delete Delete a server and all contained databases and elastic pools
/servers/databases/export/action Create a new database on the server and deploy schema and
data from a DacPac package
/servers/importExportOperationResults/read Return the list with details for database import operations
from storage account on a given server
Microsoft.Storage
OPERATION DESCRIPTION
/storageAccounts/listkeys/action Returns the access keys for the specified storage account.
/storageAccounts/regeneratekey/action Regenerates the access keys for the specified storage account.
/storageAccounts/read Returns the list of storage accounts or gets the properties for
the specified storage account.
/storageAccounts/listAccountSas/action Returns the Account SAS token for the specified storage
account.
/usages/read Returns the limit and the current usage count for resources in
the specified subscription
Microsoft.StorSimple
OPERATION DESCRIPTION
/managers/clearAlerts/action Clear all the alerts associated with the device manager.
/Managers/read The Get Vault operation gets an object representing the Azure
resource of type 'vault'
Microsoft.StreamAnalytics
OPERATION DESCRIPTION
Microsoft.Support
OPERATION DESCRIPTION
Microsoft.Web
OPERATION DESCRIPTION
/validate/action Validate .
/sites/applySlotConfig/Action Apply web app slot configuration from target slot to the
current web app
/sites/slots/applySlotConfig/Action Apply web app slot configuration from target slot to the
current slot.
Next steps
Learn how to create a custom role.
Review the built in RBAC roles.
Learn how to manage access assignments by user or by resource
Learn how to View activity logs to audit actions on resources
Manage access to Azure resources with Privileged
Identity Management (Preview)
12/11/2017 • 1 min to read • Edit Online
To protect privileged accounts from malicious cyber-attacks, you can use Azure Active Directory Privileged Identity
Management (PIM) to lower the exposure time of privileges and increase your visibility into their use through
reports and alerts. PIM does this by limiting users to only taking on their privileges "just in time" (JIT), or by
assigning privileges for a shortened duration after which privileges are revoked automatically.
You can now use PIM with Azure Role-Based Access Control (RBAC) to manage, control, and monitor access to
Azure resources. PIM can manage the membership of built-in and custom roles to help you:
Enable on-demand, "just in time" access to Azure resources
Expire resource access automatically for assigned users and groups
Assign temporary access to Azure resources for quick tasks or on-call schedules
Get alerts when new users or groups are assigned resource access, and when they activate eligible assignments
For more information, see Overview of Role-Based Access Control in Azure PIM.
Manage access to Azure management with
conditional access
1/17/2018 • 1 min to read • Edit Online
Conditional access in Azure Active Directory (Azure AD) controls access to cloud apps based on specific conditions
that you specify. To allow access, you create conditional access policies that allow or block access based on whether
or not the requirements in the policy are met.
Typically, you use conditional access to control access to your cloud apps. You can also set up policies to control
access to Azure management based on certain conditions (such as sign-in risk, location, or device) and to enforce
requirements like multi-factor authentication.
To create a policy for Azure management, you select Microsoft Azure Management under Cloud apps when
choosing the app to which to apply the policy.
The policy you create applies to all Azure management endpoints, including classic Azure portal, Azure portal,
Azure Resource Manager provider, classic Service Management APIs, and Azure PowerShell.
Cau t i on
Make sure you understand how conditional access works before setting up a policy to manage access to Azure
management. Make sure you don't create conditions that could block your own access to the portal.
For more information on how to set up and use conditional access, see Conditional access in Azure Active
Directory.
Managed Service Identity (MSI) for Azure
resources
12/22/2017 • 5 min to read • Edit Online
Managed Service Identity (MSI) is a public preview feature of Azure Active Directory. Make sure you review the known
issues before you begin. If you would like to be considered for enrollment in the private preview, visit our sign-up page. For
more information about previews, see Supplemental Terms of Use for Microsoft Azure Previews.
A common challenge when building cloud applications is how to manage the credentials that need to be in
your code for authenticating to cloud services. Keeping these credentials secure is an important task. Ideally,
they never appear on developer workstations or get checked into source control. Azure Key Vault provides a
way to securely store credentials and other keys and secrets, but your code needs to authenticate to Key Vault
to retrieve them. Managed Service Identity (MSI) makes solving this problem simpler by giving Azure services
an automatically managed identity in Azure Active Directory (Azure AD). You can use this identity to
authenticate to any service that supports Azure AD authentication, including Key Vault, without having any
credentials in your code.
Azure VM (Linux) Access Azure Data Lake Store with a Linux VM Managed
Service Identity
Azure App Service Use Managed Service Identity with Azure App Service or
Azure Functions
Azure Function Use Managed Service Identity with Azure App Service or
Azure Functions
Managed Service Identity (MSI) is a public preview feature of Azure Active Directory. Make sure you review the known issues
before you begin. If you would like to be considered for enrollment in the private preview, visit our sign-up page. For more
information about previews, see Supplemental Terms of Use for Microsoft Azure Previews.
Managed Service Identity provides Azure services with an automatically managed identity in Azure Active
Directory. You can use this identity to authenticate to any service that supports Azure AD authentication, without
having credentials in your code.
In this article, you will learn how to enable and remove MSI for an Azure VM, using the Azure portal.
Prerequisites
If you're unfamiliar with MSI, check out the Managed Service Identity overview. If you don't already have an Azure
account, sign up for a free account before continuing.
Next steps
Using the Azure portal, give an Azure VM's MSI access to another Azure resource.
Use the following comments section to provide feedback and help us refine and shape our content.
Configure a VM Managed Service Identity (MSI)
using PowerShell
12/11/2017 • 3 min to read • Edit Online
Managed Service Identity (MSI) is a public preview feature of Azure Active Directory. Make sure you review the known issues
before you begin. If you would like to be considered for enrollment in the private preview, visit our sign-up page. For more
information about previews, see Supplemental Terms of Use for Microsoft Azure Previews.
Managed Service Identity provides Azure services with an automatically managed identity in Azure Active
Directory. You can use this identity to authenticate to any service that supports Azure AD authentication, without
having credentials in your code.
In this article, you learn how to enable and remove MSI for an Azure VM, using PowerShell.
Prerequisites
If you're unfamiliar with MSI, check out the Managed Service Identity overview. If you don't already have an Azure
account, sign up for a free account before continuing.
Also, install the latest version of Azure PowerShell (version 4.3.1 or later) if you haven't already.
IMPORTANT
When you get to the "Create the VM" section, make a slight modification to the New-AzureRmVMConfig cmdlet
syntax. Be sure to add a -IdentityType "SystemAssigned" parameter to provision the VM with an MSI, for
example:
$vmConfig = New-AzureRmVMConfig -VMName myVM -IdentityType "SystemAssigned" ...
Login-AzureRmAccount
2. First retrieve the VM properties using the Get-AzureRmVM cmdlet. Then to enable MSI, use the -IdentityType
switch on the Update-AzureRmVM cmdlet:
3. Add the MSI VM extension using the -Type parameter on the Set-AzureRmVMExtension cmdlet. You can
pass either "ManagedIdentityExtensionForWindows" or "ManagedIdentityExtensionForLinux", depending on
the type of VM, and name it using the -Name parameter. The -Settings parameter specifies the port used
by the OAuth token endpoint for token acquisition. Be sure to specify the correct -Location parameter,
matching the location of the existing VM:
Login-AzureRmAccount
2. Use the -Name switch with the Remove-AzureRmVMExtension cmdlet, specifying the same name you used
when you added the extension:
Related content
Managed Service Identity overview
For the full Azure VM creation Quickstarts, see:
Create a Windows virtual machine with PowerShell
Create a Linux virtual machine with PowerShell
Use the following comments section to provide feedback and help us refine and shape our content.
Configure a VM Managed Service Identity (MSI)
using Azure CLI
12/11/2017 • 3 min to read • Edit Online
Managed Service Identity (MSI) is a public preview feature of Azure Active Directory. Make sure you review the known issues
before you begin. If you would like to be considered for enrollment in the private preview, visit our sign-up page. For more
information about previews, see Supplemental Terms of Use for Microsoft Azure Previews.
Managed Service Identity provides Azure services with an automatically managed identity in Azure Active
Directory. You can use this identity to authenticate to any service that supports Azure AD authentication, without
having credentials in your code.
In this article, you will learn how to enable and remove MSI for an Azure VM, using Azure CLI.
Prerequisites
If you're unfamiliar with MSI, check out the Managed Service Identity overview. If you don't already have an Azure
account, sign up for a free account before continuing.
To run the CLI script examples, you have three options:
Use Azure Cloud Shell from the Azure portal (see next section).
Use the embedded Azure Cloud Shell via the "Try It" button, located in the top right corner of each code block.
Install the latest version of CLI 2.0 (2.0.13 or later) if you prefer to use a local CLI console.
Click the Cloud Shell button on the menu in the upper right
of the Azure portal.
2. Create a resource group for containment and deployment of your VM and its related resources, using az
group create. You can skip this step if you already have resource group you would like to use instead:
3. Create a VM using az vm create. The following example creates a VM named myVM with an MSI, as
requested by the --assign-identity parameter. The --admin-username and --admin-password parameters
specify the administrative user name and password account for virtual machine sign-in. Update these values
as appropriate for your environment:
az login
2. Use az vm assign-identity with the --assign-identity parameter to add an MSI to an existing VM:
az login
Related content
Managed Service Identity overview
For the full Azure VM creation Quickstarts, see:
Create a Windows virtual machine with CLI
Create a Linux virtual machine with CLI
Use the following comments section to provide feedback and help us refine and shape our content.
Configure a VM Managed Service Identity by using a
template
12/11/2017 • 3 min to read • Edit Online
Managed Service Identity (MSI) is a public preview feature of Azure Active Directory. Make sure you review the known issues
before you begin. If you would like to be considered for enrollment in the private preview, visit our sign-up page. For more
information about previews, see Supplemental Terms of Use for Microsoft Azure Previews.
Managed Service Identity (MSI) provides Azure services with an automatically managed identity in Azure Active
Directory (Azure AD). You can use this identity to authenticate to any service that supports Azure AD authentication,
without having credentials in your code.
In this article, you learn how to enable and remove MSI for an Azure VM, using an Azure Resource Manager
deployment template.
Prerequisites
If you're unfamiliar with MSI, check out the Managed Service Identity overview. If you don't already have an Azure
account, sign up for a free account before continuing.
3. Add the "identity" property at the same level as the "type": "Microsoft.Compute/virtualMachines"
property. Use the following syntax:
"identity": {
"type": "systemAssigned"
},
4. Then add the VM MSI extension as a resources element. Use the following syntax:
NOTE
The following example assumes a Windows VM extension ( ManagedIdentityExtensionForWindows ) is being
deployed. You can also configure for Linux by using ManagedIdentityExtensionForLinux instead, for the "name"
and "type" elements.
{
"type": "Microsoft.Compute/virtualMachines/extensions",
"name": "[concat(variables('vmName'),'/ManagedIdentityExtensionForWindows')]",
"apiVersion": "2016-03-30",
"location": "[resourceGroup().location]",
"dependsOn": [
"[concat('Microsoft.Compute/virtualMachines/', variables('vmName'))]"
],
"properties": {
"publisher": "Microsoft.ManagedIdentity",
"type": "ManagedIdentityExtensionForWindows",
"typeHandlerVersion": "1.0",
"autoUpgradeMinorVersion": true,
"settings": {
"port": 50342
},
"protectedSettings": {}
}
}
5. When you're done, your template should look similar to the following:
Related content
For a broader perspective about MSI, read the Managed Service Identity overview.
Configure a VM Managed Service Identity (MSI)
using an Azure SDK
12/11/2017 • 1 min to read • Edit Online
Managed Service Identity (MSI) is a public preview feature of Azure Active Directory. Make sure you review the known issues
before you begin. If you would like to be considered for enrollment in the private preview, visit our sign-up page. For more
information about previews, see Supplemental Terms of Use for Microsoft Azure Previews.
Managed Service Identity provides Azure services with an automatically managed identity in Azure Active Directory
(AD). You can use this identity to authenticate to any service that supports Azure AD authentication, without having
credentials in your code.
In this article, you learn how to enable and remove MSI for an Azure VM, using an Azure SDK.
Prerequisites
If you're unfamiliar with MSI, check out the Managed Service Identity overview. If you don't already have an Azure
account, sign up for a free account before continuing.
SDK SAMPLE
Next steps
See related articles under "Configure MSI for an Azure VM", to learn how you can also use the Azure portal,
PowerShell, CLI, and resource templates.
Use the following comments section to provide feedback and help us refine and shape our content.
Assign a Managed Service Identity access to a
resource by using the Azure portal
12/11/2017 • 2 min to read • Edit Online
Managed Service Identity (MSI) is a public preview feature of Azure Active Directory. Make sure you review the known issues
before you begin. If you would like to be considered for enrollment in the private preview, visit our sign-up page. For more
information about previews, see Supplemental Terms of Use for Microsoft Azure Previews.
After you've configured an Azure resource with a Managed Service Identity (MSI), you can give the MSI access to
another resource, just like any security principal. This article shows you how to give an Azure virtual machine's MSI
access to an Azure storage account, by using the Azure portal.
Prerequisites
If you're unfamiliar with MSI, check out the Managed Service Identity overview. If you don't already have an Azure
account, sign up for a free account before continuing.
Troubleshooting
If the MSI for the resource does not show up in the list of available identities, verify that the MSI has been enabled
correctly. In our case, we can go back to the Azure VM, and check the following:
Look at the Configuration page and ensure that the value for MSI enabled is Yes.
Look at the Extensions page and ensure that the MSI extension deployed successfully.
If either is incorrect, you might need to redeploy the MSI on your resource again, or troubleshoot the deployment
failure.
Related content
For an overview of MSI, see Managed Service Identity overview.
To enable MSI on an Azure VM, see Configure an Azure VM Managed Service Identity (MSI) using the Azure
portal.
Assign a Managed Service Identity (MSI) access to a
resource using PowerShell
12/11/2017 • 1 min to read • Edit Online
Managed Service Identity (MSI) is a public preview feature of Azure Active Directory. Make sure you review the known issues
before you begin. If you would like to be considered for enrollment in the private preview, visit our sign-up page. For more
information about previews, see Supplemental Terms of Use for Microsoft Azure Previews.
Once you've configured an Azure resource with an MSI, you can give the MSI access to another resource, just like
any security principal. This example shows you how to give an Azure virtual machine's MSI access to an Azure
storage account, using PowerShell.
Prerequisites
If you're unfamiliar with MSI, check out the Managed Service Identity overview. If you don't already have an Azure
account, sign up for a free account before continuing.
Also, install Azure PowerShell version 4.3.1 if you haven't already.
Login-AzureRmAccount
2. In this example, we are giving an Azure VM access to a storage account. First we use Get-AzureRMVM to get
the service principal for the VM named "myVM", which was created when we enabled MSI. Then, we use
New-AzureRmRoleAssignment to give the VM "Reader" access to a storage account called "myStorageAcct":
Troubleshooting
If the MSI for the resource does not show up in the list of available identities, verify that the MSI has been enabled
correctly. In our case, we can go back to the Azure VM in the Azure portal and:
Look at the "Configuration" page and ensure MSI enabled = "Yes."
Look at the "Extensions" page and ensure the MSI extension deployed successfully.
If either is incorrect, you may need to redeploy the MSI on your resource again, or troubleshoot the deployment
failure.
Related content
For an overview of MSI, see Managed Service Identity overview.
To enable MSI on an Azure VM, see Configure an Azure VM Managed Service Identity (MSI) using PowerShell.
Use the following comments section to provide feedback and help us refine and shape our content.
Assign a Managed Service Identity (MSI) access to a
resource using Azure CLI
12/11/2017 • 2 min to read • Edit Online
Managed Service Identity (MSI) is a public preview feature of Azure Active Directory. Make sure you review the known issues
before you begin. If you would like to be considered for enrollment in the private preview, visit our sign-up page. For more
information about previews, see Supplemental Terms of Use for Microsoft Azure Previews.
Once you've configured an Azure resource with an MSI, you can give the MSI access to another resource, just like
any security principal. This example shows you how to give an Azure virtual machine's MSI access to an Azure
storage account, using Azure CLI.
Prerequisites
If you're unfamiliar with MSI, check out the Managed Service Identity overview. If you don't already have an Azure
account, sign up for a free account before continuing.
To run the CLI script examples, you have three options:
Use Azure Cloud Shell from the Azure portal (see next section).
Use the embedded Azure Cloud Shell via the "Try It" button, located in the top right corner of each code block.
Install the latest version of CLI 2.0 (2.0.13 or later) if you prefer to use a local CLI console.
Click the Cloud Shell button on the menu in the upper right
of the Azure portal.
2. In this example, we are giving an Azure VM access to a storage account. First we use az resource list to get
the service principal for the VM named "myVM", which was created when we enabled MSI on the VM:
3. Once we have the service principal ID, we use az role assignment create to give the VM "Reader" access to a
storage account called "myStorageAcct":
Troubleshooting
If the MSI for the resource does not show up in the list of available identities, verify that the MSI has been enabled
correctly. In our case, we can go back to the Azure VM in the Azure portal and:
Look at the "Configuration" page and ensure MSI enabled = "Yes."
Look at the "Extensions" page and ensure the MSI extension deployed successfully.
If either is incorrect, you may need to redeploy the MSI on your resource again, or troubleshoot the deployment
failure.
Related content
For an overview of MSI, see Managed Service Identity overview.
To enable MSI on an Azure VM, see Configure an Azure VM Managed Service Identity (MSI) using Azure CLI.
Use the following comments section to provide feedback and help us refine and shape our content.
How to use an Azure VM Managed Service Identity
(MSI) for token acquisition
1/12/2018 • 9 min to read • Edit Online
Managed Service Identity (MSI) is a public preview feature of Azure Active Directory. Make sure you review the known issues before
you begin. If you would like to be considered for enrollment in the private preview, visit our sign-up page. For more information about
previews, see Supplemental Terms of Use for Microsoft Azure Previews.
This article provides various code and script examples for token acquisition, as well as guidance on important topics
such as handling token expiration and HTTP errors.
Prerequisites
If you're unfamiliar with MSI, check out the Managed Service Identity overview. If you don't already have an Azure
account, sign up for a free account before continuing.
If you plan to use the Azure PowerShell examples in this article, be sure to install the latest version of Azure PowerShell.
IMPORTANT
All sample code/script in this article assumes the client is running on an MSI-enabled Virtual Machine. Use the VM "Connect"
feature in the Azure portal, to remotely connect to your VM. For details on enabling MSI on a VM, see Configure a VM
Managed Service Identity (MSI) using the Azure portal, or one of the variant articles (using PowerShell, CLI, a template, or an
Azure SDK).
Overview
A client application can request an MSI app-only access token for accessing a given resource. The token is based on the
MSI service principal. As such, there is no need for the client to register itself to obtain an access token under its own
service principal. The token is suitable for use as a bearer token in service-to-service calls requiring client credentials.
Get a token using HTTP Protocol details for the MSI token endpoint
Get a token using C# Example of using the MSI REST endpoint from a C# client
Get a token using Go Example of using the MSI REST endpoint from a Go client
Get a token using Azure PowerShell Example of using the MSI REST endpoint from a PowerShell client
Get a token using CURL Example of using the MSI REST endpoint from a Bash/CURL
client
Error handling Guidance for handling HTTP errors returned from the MSI token
endpoint
Resource IDs for Azure services Where to get resource IDs for supported Azure services
ELEMENT DESCRIPTION
GET The HTTP verb, indicating you want to retrieve data from the
endpoint. In this case, an OAuth access token.
http://localhost:50342/oauth2/token The MSI endpoint, where 50342 is the default port and is
configurable.
Sample response:
HTTP/1.1 200 OK
Content-Type: application/json
{
"access_token": "eyJ0eXAi...",
"refresh_token": "",
"expires_in": "3599",
"expires_on": "1506484173",
"not_before": "1506480273",
"resource": "https://management.azure.com/",
"token_type": "Bearer"
}
ELEMENT DESCRIPTION
access_token The requested access token. When calling a secured REST API,
the token is embedded in the Authorization request header
field as a "bearer" token, allowing the API to authenticate the
caller.
expires_on The timespan when the access token expires. The date is
represented as the number of seconds from "1970-01-
01T0:0:0Z UTC" (corresponds to the token's exp claim).
not_before The timespan when the access token takes effect, and can be
accepted. The date is represented as the number of seconds
from "1970-01-01T0:0:0Z UTC" (corresponds to the token's
nbf claim).
resource The resource the access token was requested for, which matches
the resource query string parameter of the request.
token_type The type of token, which is a "Bearer" access token, which means
the resource can give access to the bearer of this token.
try
{
// Call /token endpoint
HttpWebResponse response = (HttpWebResponse)request.GetResponse();
import (
"fmt"
"io/ioutil"
"net/http"
"net/http"
"net/url"
"encoding/json"
)
func main() {
// Create HTTP request for MSI token to access Azure Resource Manager
var msi_endpoint *url.URL
msi_endpoint, err := url.Parse("http://localhost:50342/oauth2/token")
if err != nil {
fmt.Println("Error creating URL: ", err)
return
}
msi_parameters := url.Values{}
msi_parameters.Add("resource", "https://management.azure.com/")
msi_endpoint.RawQuery = msi_parameters.Encode()
req, err := http.NewRequest("GET", msi_endpoint.String(), nil)
if err != nil {
fmt.Println("Error creating HTTP request: ", err)
return
}
req.Header.Add("Metadata", "true")
Error handling
The MSI endpoint signals errors via the status code field of the HTTP response message header, as either 4xx or 5xx
errors:
4xx Error in request. One or more of the request parameters Do not retry. Examine the error details for
was incorrect. more information. 4xx errors are design-
time errors.
5xx Transient error from service. The MSI sub-system or Azure Active It is safe to retry after waiting for at least
Directory returned a transient error. 1 second. If you retry too quickly or too
often, Azure AD may return a rate limit
error (429).
If an error occurs, the corresponding HTTP response body contains JSON with the error details:
ELEMENT DESCRIPTION
400 Bad Request bad_request_102 Required metadata header Either the Metadata request
not specified header field is missing from
your request, or is formatted
incorrectly. The value must be
specified as true , in all lower
case. See the "Sample
request" in the preceding
REST section for an example.
401 Unauthorized unknown_source Unknown Source <URI> Verify that your HTTP GET
request URI is formatted
correctly. The
scheme:host/resource-
path
portion must be specified as
http://localhost:50342/oauth2/token
. See the "Sample request" in
the preceding REST section for
an example.
500 Internal server error unknown Failed to retrieve token from Verify that MSI has been
the Active directory. For enabled on the VM. See
details see logs in <file path> Configure a VM Managed
Service Identity (MSI) using
the Azure portal if you need
assistance with VM
configuration.
Related content
To enable MSI on an Azure VM, see Configure a VM Managed Service Identity (MSI) using the Azure portal.
Use the following comments section to provide feedback and help us refine and shape our content.
How to use an Azure VM Managed Service Identity
(MSI) for sign in
1/5/2018 • 3 min to read • Edit Online
Managed Service Identity (MSI) is a public preview feature of Azure Active Directory. Make sure you review the known issues
before you begin. If you would like to be considered for enrollment in the private preview, visit our sign-up page. For more
information about previews, see Supplemental Terms of Use for Microsoft Azure Previews.
This article provides PowerShell and CLI script examples for sign-in using an MSI service principal, and guidance on
important topics such as error handling.
Prerequisites
If you're unfamiliar with MSI, check out the Managed Service Identity overview. If you don't already have an Azure
account, sign up for a free account before continuing.
If you plan to use the Azure PowerShell or Azure CLI examples in this article, be sure to install the latest version of
Azure PowerShell or Azure CLI 2.0.
IMPORTANT
All sample script in this article assumes the command-line client is running on an MSI-enabled Virtual Machine. Use the
VM "Connect" feature in the Azure portal, to remotely connect to your VM. For details on enabling MSI on a VM, see
Configure a VM Managed Service Identity (MSI) using the Azure portal, or one of the variant articles (using PowerShell,
CLI, a template, or an Azure SDK).
To prevent errors during resource access, the VM's MSI must be given at least "Reader" access at the appropriate scope
(the VM or higher) to allow Azure Resource Manager operations on the VM. See Assign a Managed Service Identity (MSI)
access to a resource using the Azure portal for details.
Overview
An MSI provides a service principal, which is created upon enabling MSI on the VM. The service principal can be
given access to Azure resources, and used as an identity by script/command-line clients for sign in and resource
access. Traditionally, in order to access secured resources under its own identity, a script client would need to:
be registered and consented with Azure AD as a confidential/web client application
sign in under its service principal, using the app's credentials (which are likely embedded in the script)
With MSI, your script client no longer needs to do either, as it can sign in under the MSI service principal.
Azure CLI
The following script demonstrates how to:
1. Sign in to Azure AD under the VM's MSI service principal
2. Call Azure Resource Manager and get the VM's service principal ID. CLI takes care of managing token
acquisition/use for you automatically. Be sure to substitute your virtual machine name for <VM-NAME> .
az login --msi
Azure PowerShell
The following script demonstrates how to:
1. Acquire an MSI access token for the VM.
2. Use the access token to sign in to Azure AD, under the corresponding MSI service principal.
3. Call an Azure Resource Manager cmdlet to get information about the VM. PowerShell takes care of
managing token use for you automatically.
# Use the access token to sign in under the MSI service principal. -AccountID can be any string to
identify the session.
Login-AzureRmAccount -AccessToken $access_token -AccountId "MSI@50342"
# Call Azure Resource Manager to get the service principal ID for the VM's MSI.
$vmInfoPs = Get-AzureRMVM -ResourceGroupName <RESOURCE-GROUP> -Name <VM-NAME>
$spID = $vmInfoPs.Identity.PrincipalId
echo "The MSI service principal ID is $spID"
Related content
To enable MSI on an Azure VM, see Configure a VM Managed Service Identity (MSI) using PowerShell, or
Configure a VM Managed Service Identity (MSI) using Azure CLI
Use the following comments section to provide feedback and help us refine and shape our content.
How to use an Azure VM Managed Service Identity
(MSI) with Azure SDKs
1/12/2018 • 1 min to read • Edit Online
Managed Service Identity (MSI) is a public preview feature of Azure Active Directory. Make sure you review the known issues
before you begin. If you would like to be considered for enrollment in the private preview, visit our sign-up page. For more
information about previews, see Supplemental Terms of Use for Microsoft Azure Previews.
This article provides a list of SDK samples, which demonstrate use of their respective Azure SDK's support for MSI.
Prerequisites
If you're unfamiliar with MSI, check out the Managed Service Identity overview. If you don't already have an Azure
account, sign up for a free account before continuing.
IMPORTANT
All sample code/script in this article assumes the client is running on an MSI-enabled Virtual Machine. Use the VM
"Connect" feature in the Azure portal, to remotely connect to your VM. For details on enabling MSI on a VM, see
Configure a VM Managed Service Identity (MSI) using the Azure portal, or one of the variant articles (using PowerShell,
CLI, a template, or an Azure SDK).
.NET Core Call Azure services from a Linux VM using Managed Service
Identity
Related content
See Azure SDKs for the full list of Azure SDK resources, including library downloads, documentation, and more.
To enable MSI on an Azure VM, see Configure a VM Managed Service Identity (MSI) using the Azure portal.
Use the following comments section to provide feedback and help us refine and shape our content.
Use a Windows VM Managed Service Identity (MSI)
to access Azure Data Lake Store
12/11/2017 • 8 min to read • Edit Online
Managed Service Identity (MSI) is a public preview feature of Azure Active Directory. Make sure you review the known issues
before you begin. If you would like to be considered for enrollment in the private preview, visit our sign-up page. For more
information about previews, see Supplemental Terms of Use for Microsoft Azure Previews.
This tutorial shows you how to use a Managed Service Identity (MSI) for a Windows virtual machine (VM) to access
an Azure Data Lake Store. Managed Service Identities are automatically managed by Azure and enable you to
authenticate to services that support Azure AD authentication, without needing to insert credentials into your code.
You learn how to:
Enable MSI on a Windows VM
Grant your VM access to an Azure Data Lake Store
Get an access token using the VM identity and use it to access an Azure Data Lake Store
Prerequisites
If you're unfamiliar with MSI, check out the Managed Service Identity overview. If you don't already have an Azure
account, sign up for a free account before continuing.
Your account needs to be given "Owner" permissions at the appropriate scope (your Subscription or Resource
Group), to perform the required resource creation and role management. See Use Role-Based Access Control to
manage access to your Azure subscription resources if you need assistance with role assignment.
Sign in to Azure
Sign in to the Azure portal at https://portal.azure.com.
5. If you wish to check and verify which extensions are on this VM, click Extensions. If MSI is enabled, then
ManagedIdentityExtensionforWindows appears in the list.
Get an access token using the VM MSI and use it to call the Azure Data
Lake Store filesystem
Azure Data Lake Store natively supports Azure AD authentication, so it can directly accept access tokens obtained
using MSI. To authenticate to the Data Lake Store filesystem you send an access token issued by Azure AD to your
Data Lake Store filesystem endpoint, in an Authorization header in the format "Bearer <ACCESS_TOKEN_VALUE>".
To learn more about Data Lake Store support for Azure AD authentication, read Authentication with Data Lake
Store using Azure Active Directory
NOTE
The Data Lake Store filesystem client SDKs do not yet support Managed Service Identity. This tutorial will be updated when
support is added to the SDK.
In this tutorial, you authenticate to the Data Lake Store filesystem REST API using PowerShell to make REST
requests. To use the VM MSI for authentication, you need to make the requests from the VM.
1. In the portal, navigate to Virtual Machines, go to your Windows VM, and in the Overview click Connect.
2. Enter in your Username and Password for which you added when you created the Windows VM.
3. Now that you have created a Remote Desktop Connection with the virtual machine, open PowerShell in the
remote session.
4. Using PowerShell’s Invoke-WebRequest , make a request to the local MSI endpoint to get an access token for
Azure Data Lake Store. The resource identifier for Data Lake Store is "https://datalake.azure.net/". Data Lake
does an exact match on the resource identifier and the trailing slash is important.
$AccessToken = $content.access_token
5. Using PowerShell's `Invoke-WebRequest', make a request to your Data Lake Store's REST endpoint to list the
folders in the root folder. This is a simple way to check everything is configured correctly. It is important the
string "Bearer" in the Authorization header has a capital "B". You can find the name of your Data Lake Store
in the Overview section of the Data Lake Store blade in the Azure portal.
6. Now you can try uploading a file to your Data Lake Store. First, create a file to upload.
7. Using PowerShell's Invoke-WebRequest , make a request to your Data Lake Store's REST endpoint to upload
the file to the folder you created earlier. This request takes two steps. In the first step, you make a request
and get a redirection to where the file should be uploaded. In the second step, you actually upload the file.
Remember to set the name of the folder and file appropriately if you used different values than in this
tutorial.
If you inspect the value of $HdfsRedirectResponse it should look like the following response:
PS C:\> $HdfsRedirectResponse
StatusCode :
307
StatusDescription :
Temporary Redirect
Content :
{}
RawContent :
HTTP/1.1 307 Temporary Redirect
Pragma: no-cache
x-ms-request-id: b7ab492f-b514-4483-aada-4aa0611d12b3
ContentLength: 0
x-ms-webhdfs-version: 17.04.22.00
Status: 0x0
X-Content-Type-Options: nosn...
Headers : {[Pragma, no-cache], [x-ms-request-id, b7ab492f-b514-4483-aada-4aa0611d12b3],
[ContentLength, 0], [x-ms-webhdfs-version, 17.04.22.00]...}
RawContentLength : 0
StatusCode :
201
StatusDescription :
Created
Content :
{}
RawContent :
HTTP/1.1 201 Created
Pragma: no-cache
x-ms-request-id: 1e70f36f-ead1-4566-acfa-d0c3ec1e2307
ContentLength: 0
x-ms-webhdfs-version: 17.04.22.00
Status: 0x0
X-Content-Type-Options: nosniff
Strict...
Headers : {[Pragma, no-cache], [x-ms-request-id, 1e70f36f-ead1-4566-acfa-d0c3ec1e2307],
[ContentLength, 0], [x-ms-webhdfs-version, 17.04.22.00]...}
RawContentLength : 0
Using other Data Lake Store filesystem APIs you can append to files, download files, and more.
Congratulations! You've authenticated to the Data Lake Store filesystem using a VM MSI.
Related content
For an overview of MSI, see Managed Service Identity overview.
For management operations Data Lake Store uses Azure Resource Manager. For more information on using a
VM MSI to authenticate to Resource Manager, read Use a Linux VM Managed Service Identity (MSI) to access
Resource Manager.
Learn more about Authentication with Data Lake Store using Azure Active Directory.
Learn more about Filesystem operations on Azure Data Lake Store using REST API or the WebHDFS FileSystem
APIs.
Learn more about Access Control in Data Lake Store.
Use the following comments section to provide feedback and help us refine and shape our content.
Use a Linux VM Managed Service Identity (MSI) to
access Azure Data Lake Store
12/11/2017 • 7 min to read • Edit Online
Managed Service Identity (MSI) is a public preview feature of Azure Active Directory. Make sure you review the known issues
before you begin. If you would like to be considered for enrollment in the private preview, visit our sign-up page. For more
information about previews, see Supplemental Terms of Use for Microsoft Azure Previews.
This tutorial shows you how to use a Managed Service Identity (MSI) for a Linux virtual machine (VM) to access an
Azure Data Lake Store. Managed Service Identities are automatically managed by Azure and enable you to
authenticate to services that support Azure AD authentication, without needing to insert credentials into your code.
You learn how to:
Enable MSI on a Linux VM
Grant your VM access to an Azure Data Lake Store
Get an access token using the VM identity and use it to access an Azure Data Lake Store
Prerequisites
If you're unfamiliar with MSI, check out the Managed Service Identity overview. If you don't already have an Azure
account, sign up for a free account before continuing.
Your account needs to be given "Owner" permissions at the appropriate scope (your Subscription or Resource
Group), to perform the required resource creation and role management. See Use Role-Based Access Control to
manage access to your Azure subscription resources if you need assistance with role assignment.
Sign in to Azure
Sign in to the Azure portal at https://portal.azure.com.
Get an access token using the VM MSI and use it to call the Azure Data
Lake Store filesystem
Azure Data Lake Store natively supports Azure AD authentication, so it can directly accept access tokens obtained
using MSI. To authenticate to the Data Lake Store filesystem you send an access token issued by Azure AD to your
Data Lake Store filesystem endpoint, in an Authorization header in the format "Bearer <ACCESS_TOKEN_VALUE>".
To learn more about Data Lake Store support for Azure AD authentication, read Authentication with Data Lake
Store using Azure Active Directory
In this tutorial, you authenticate to the Data Lake Store filesystem REST API using CURL to make REST requests.
NOTE
The Data Lake Store filesystem client SDKs do not yet support Managed Service Identity. This tutorial will be updated when
support is added to the SDK.
To complete these steps, you need an SSH client. If you are using Windows, you can use the SSH client in the
Windows Subsystem for Linux. If you need assistance configuring your SSH client's keys, see How to Use SSH keys
with Windows on Azure, or How to create and use an SSH public and private key pair for Linux VMs in Azure.
1. In the portal, navigate to your Linux VM and in the Overview, click Connect.
2. Connect to the VM with the SSH client of your choice.
3. In the terminal window, using CURL, make a request to the local MSI endpoint to get an access token for the
Data Lake Store filesystem. The resource identifier for Data Lake Store is "https://datalake.azure.net/." It is
important to include the trailing slash in the resource identifier.
A successful response returns the access token you use to authenticate to Data Lake Store:
{"access_token":"eyJ0eXAiOiJ...",
"refresh_token":"",
"expires_in":"3599",
"expires_on":"1508119757",
"not_before":"1508115857",
"resource":"https://datalake.azure.net/",
"token_type":"Bearer"}
4. Using CURL, make a request to your Data Lake Store filesystem REST endpoint to list the folders in the root
folder. This is a simple way to check everything is configured correctly. Copy the value of the access token
from the previous step. It is important the string "Bearer" in the Authorization header has a capital "B". You
can find the name of your Data Lake Store in the Overview section of the Data Lake Store blade in the Azure
portal.
{"FileStatuses":{"FileStatus":
[{"length":0,"pathSuffix":"TestFolder","type":"DIRECTORY","blockSize":0,"accessTime":1507934941392,"modi
ficationTime":1508105430590,"replication":0,"permission":"770","owner":"bd0e76d8-ad45-4fe1-8941-
04a7bf27f071","group":"bd0e76d8-ad45-4fe1-8941-04a7bf27f071"}]}}
5. Now you can try uploading a file to your Data Lake Store. First, create a file to upload.
6. Using CURL, make a request to your Data Lake Store filesystem REST endpoint to upload the file to the
folder you created earlier. The upload involves a redirect, and CURL follows the redirect automatically.
Using other Data Lake Store filesystem APIs you can append to files, download files, and more.
Congratulations! You've authenticated to the Data Lake Store filesystem using a VM MSI.
Related content
For an overview of MSI, see Managed Service Identity overview.
For management operations Data Lake Store uses Azure Resource Manager. For more information on using a
VM MSI to authenticate to Resource Manager, read Use a Linux VM Managed Service Identity (MSI) to access
Resource Manager.
Learn more about Authentication with Data Lake Store using Azure Active Directory.
Learn more about Filesystem operations on Azure Data Lake Store using REST API or the WebHDFS FileSystem
APIs.
Learn more about Access Control in Data Lake Store.
Use the following comments section to provide feedback and help us refine and shape our content.
Use a Windows VM Managed Service Identity (MSI)
to access Resource Manager
12/11/2017 • 4 min to read • Edit Online
Managed Service Identity (MSI) is a public preview feature of Azure Active Directory. Make sure you review the known issues
before you begin. If you would like to be considered for enrollment in the private preview, visit our sign-up page. For more
information about previews, see Supplemental Terms of Use for Microsoft Azure Previews.
This tutorial shows you how to enable Managed Service Identity (MSI) for a Windows virtual machine (VM). You
can then use that identity to access the Azure Resource Manager API. Managed Service Identities are automatically
managed by Azure and enable you to authenticate to services that support Azure AD authentication without
needing to insert credentials into your code. You learn how to:
Enable MSI on a Windows VM
Grant your VM access to a Resource Group in Azure Resource Manager
Get an access token using the VM identity and use it to call Azure Resource Manager
Prerequisites
If you're unfamiliar with MSI, check out the Managed Service Identity overview. If you don't already have an Azure
account, sign up for a free account before continuing.
Your account needs to be given "Owner" permissions at the appropriate scope (your Subscription or Resource
Group), to perform the required resource creation and role management. See Use Role-Based Access Control to
manage access to your Azure subscription resources if you need assistance with role assignment.
Sign in to Azure
Sign in to the Azure portal at https://portal.azure.com.
5. If you wish to check and verify which extensions are on this VM, click Extensions. If MSI is enabled, then
ManagedIdentityExtensionforWindows will appear in the list.
NOTE
The value of the "resource" parameter must be an exact match for what is expected by Azure AD. When using the
Azure Resource Manager resource ID, you must include the trailing slash on the URI.
Next, extract the full response, which is stored as a JavaScript Object Notation (JSON) formatted string in the
$response object.
$ArmToken = $content.access_token
Finally, call Azure Resource Manager using the access token. In this example, we're also using PowerShell's
Invoke-WebRequest to make the call to Azure Resource Manager, and include the access token in the
Authorization header.
NOTE
The URL is case-sensitive, so ensure if you are using the exact same case as you used earlier when you named the
Resource Group, and the uppercase "G" in "resourceGroups."
{"id":"/subscriptions/98f51385-2edc-4b79-bed9-
7718de4cb861/resourceGroups/DevTest","name":"DevTest","location":"westus","properties":
{"provisioningState":"Succeeded"}}
Related content
For an overview of MSI, see Managed Service Identity overview.
Use the following comments section to provide feedback and help us refine and shape our content.
Use a Linux VM Managed Service Identity (MSI) to
access Azure Resource Manager
12/11/2017 • 4 min to read • Edit Online
Managed Service Identity (MSI) is a public preview feature of Azure Active Directory. Make sure you review the known issues
before you begin. If you would like to be considered for enrollment in the private preview, visit our sign-up page. For more
information about previews, see Supplemental Terms of Use for Microsoft Azure Previews.
This tutorial shows you how to enable Managed Service Identity (MSI) for a Linux Virtual Machine, and then use
that identity to access the Azure Resource Manager API. Managed Service Identities are automatically managed by
Azure and enable you to authenticate to services that support Azure AD authentication without needing to insert
credentials into your code. You learn how to:
Enable MSI on a Linux Virtual Machine
Grant your VM access to a Resource Group in Azure Resource Manager
Get an access token using the VM identity and use it to call Azure Resource Manager
Prerequisites
If you're unfamiliar with MSI, check out the Managed Service Identity overview. If you don't already have an Azure
account, sign up for a free account before continuing.
Your account needs to be given "Owner" permissions at the appropriate scope (your Subscription or Resource
Group), to perform the required resource creation and role management. See Use Role-Based Access Control to
manage access to your Azure subscription resources if you need assistance with role assignment.
Sign in to Azure
Sign in to the Azure portal at https://portal.azure.com.
NOTE
The value of the “resource” parameter must be an exact match for what is expected by Azure AD. In the case of the
Resource Manager resource ID, you must include the trailing slash on the URI.
The response includes the access token you need to access Azure Resource Manager.
Response:
{"access_token":"eyJ0eXAiOi...",
"refresh_token":"",
"expires_in":"3599",
"expires_on":"1504130527",
"not_before":"1504126627",
"resource":"https://management.azure.com",
"token_type":"Bearer"}
You can use this access token to access Azure Resource Manager, for example to read the details of the
Resource Group to which you previously granted this VM access. Replace the values of <SUBSCRIPTION
ID>, <RESOURCE GROUP>, and <ACCESS TOKEN> with the ones you created earlier.
NOTE
The URL is case-sensitive, so ensure if you are using the exact same case as you used earlier when you named the
Resource Group, and the uppercase “G” in “resourceGroup”.
{"id":"/subscriptions/98f51385-2edc-4b79-bed9-
7718de4cb861/resourceGroups/DevTest","name":"DevTest","location":"westus","properties":
{"provisioningState":"Succeeded"}}
Related content
For an overview of MSI, see Managed Service Identity overview.
Use the following comments section to provide feedback and help us refine and shape our content.
Use a Windows VM Managed Service Identity (MSI)
to access Azure SQL
12/11/2017 • 9 min to read • Edit Online
Managed Service Identity (MSI) is a public preview feature of Azure Active Directory. Make sure you review the known issues
before you begin. If you would like to be considered for enrollment in the private preview, visit our sign-up page. For more
information about previews, see Supplemental Terms of Use for Microsoft Azure Previews.
This tutorial shows you how to use a Managed Service Identity (MSI) for a Windows virtual machine (VM) to access
an Azure SQL server. Managed Service Identities are automatically managed by Azure and enable you to
authenticate to services that support Azure AD authentication, without needing to insert credentials into your code.
You learn how to:
Enable MSI on a Windows VM
Grant your VM access to an Azure SQL server
Get an access token using the VM identity and use it to query an Azure SQL server
Prerequisites
If you're unfamiliar with MSI, check out the Managed Service Identity overview. If you don't already have an Azure
account, sign up for a free account before continuing.
Your account needs to be given "Owner" permissions at the appropriate scope (your Subscription or Resource
Group), to perform the required resource creation and role management. See Use Role-Based Access Control to
manage access to your Azure subscription resources if you need assistance with role assignment.
Sign in to Azure
Sign in to the Azure portal at https://portal.azure.com.
5. If you wish to check and verify which extensions are on this VM, click Extensions. If MSI is enabled, then
ManagedIdentityExtensionforWindows appears in the list.
NOTE
Normally you would create a contained user that maps directly to the VM's MSI. Currently, Azure SQL does not allow the
Azure AD Service Principal that represents the VM MSI to be mapped to a contained user. As a supported workaround, you
make the VM MSI a member of an Azure AD group, then create a contained user in the database that represents the group.
Create a group in Azure AD and make the VM MSI a member of the group
You can use an existing Azure AD group, or create a new one using Azure AD PowerShell.
First, install the Azure AD PowerShell module. Then sign in using Connect-AzureAD , and run the following command
to create the group, and save it in a variable:
$Group = New-AzureADGroup -DisplayName "VM MSI access to SQL" -MailEnabled $false -SecurityEnabled $true -
MailNickName "NotSet"
The output looks like the following, which also examines the value of the variable:
$Group = New-AzureADGroup -DisplayName "VM MSI access to SQL" -MailEnabled $false -SecurityEnabled $true -
MailNickName "NotSet"
$Group
ObjectId DisplayName Description
-------- ----------- -----------
6de75f3c-8b2f-4bf4-b9f8-78cc60a18050 VM MSI access to SQL
Next, add the VM's MSI to the group. You need the MSI's ObjectId, which you can get using Azure PowerShell.
First, download Azure PowerShell. Then sign in using Login-AzureRmAccount , and run the following commands to:
Ensure your session context is set to the desired Azure subscription, if you have multiple ones.
List the available resources in your Azure subscription, in verify the correct resource group and VM names.
Get the MSI VM's properties, using the appropriate values for <RESOURCE-GROUP> and <VM-NAME> .
The output looks like the following, which also examines the service principal Object ID of the VM's MSI:
Now add the VM MSI to the group. You can only add a service principal to a group using Azure AD PowerShell. Run
this command:
If you also examine the group membership afterward, the output looks as follows:
The command should complete successfully, creating the contained user for the group.
11. Clear the query window, enter the following line, and click Execute in the toolbar:
The command should complete successfully, granting the contained user the ability to read the entire
database.
Code running in the VM can now get a token from MSI and use the token to authenticate to the SQL server.
Get an access token using the VM identity and use it to call Azure SQL
Azure SQL natively supports Azure AD authentication, so it can directly accept access tokens obtained using MSI.
You use the access token method of creating a connection to SQL. This is part of Azure SQL's integration with
Azure AD, and is different from supplying credentials on the connection string.
Here's a .Net code example of opening a connection to SQL using an access token. This code must run on the VM to
be able to access the VM MSI endpoint. .Net Framework 4.6 or higher is required to use the access token method.
Replace the values of AZURE-SQL-SERVERNAME and DATABASE accordingly. Note the resource ID for Azure SQL is
"https://database.windows.net/".
using System.Net;
using System.IO;
using System.Data.SqlClient;
using System.Web.Script.Serialization;
//
// Get an access token for SQL.
//
HttpWebRequest request = (HttpWebRequest)WebRequest.Create("http://localhost:50342/oauth2/token?
resource=https://database.windows.net/");
request.Headers["Metadata"] = "true";
request.Method = "GET";
string accessToken = null;
try
{
// Call MSI endpoint.
HttpWebResponse response = (HttpWebResponse)request.GetResponse();
//
// Open a connection to the SQL server using the access token.
//
if (accessToken != null) {
string connectionString = "Data Source=<AZURE-SQL-SERVERNAME>; Initial Catalog=<DATABASE>;";
SqlConnection conn = new SqlConnection(connectionString);
conn.AccessToken = accessToken;
conn.Open();
}
Alternatively, a quick way to test the end to end setup without having to write and deploy an app on the VM is
using PowerShell.
1. In the portal, navigate to Virtual Machines and go to your Windows virtual machine and in the Overview, click
Connect.
2. Enter in your Username and Password for which you added when you created the Windows VM.
3. Now that you have created a Remote Desktop Connection with the virtual machine, open PowerShell in the
remote session.
4. Using PowerShell’s Invoke-WebRequest , make a request to the local MSI endpoint to get an access token for
Azure SQL.
$AccessToken = $content.access_token
5. Open a connection to the SQL server. Remember to replace the values for AZURE-SQL-SERVERNAME and
DATABASE.
Next, create and send a query to the server. Remember to replace the value for TABLE.
Examine the value of $DataSet.Tables[0] to view the results of the query. Congratulations, you've queried the
database using a VM MSI and without needing to supply credentials!
Related content
For an overview of MSI, see Managed Service Identity overview.
Learn more about Azure SQL support for Azure AD authentication.
Learn more about configuring Azure SQL support for Azure AD authentication.
Learn more about authentication and access in SQL server.
Use the following comments section to provide feedback and help us refine and shape our content.
Use a Windows VM Managed Service Identity to
access Azure Storage via access key
12/11/2017 • 7 min to read • Edit Online
Managed Service Identity (MSI) is a public preview feature of Azure Active Directory. Make sure you review the known issues
before you begin. If you would like to be considered for enrollment in the private preview, visit our sign-up page. For more
information about previews, see Supplemental Terms of Use for Microsoft Azure Previews.
This tutorial shows you how to enable Managed Service Identity (MSI) for a Windows Virtual Machine, then use
that identity to retrieve storage account access keys. You can use storage access keys as usual when doing storage
operations, for example when using the Storage SDK. For this tutorial, we upload and download blobs using Azure
Storage PowerShell. You will learn how to:
Enable MSI on a Windows Virtual Machine
Grant your VM access to storage account access keys in Resource Manager
Get an access token using your VM's identity, and use it to retrieve the storage access keys from Resource
Manager
Prerequisites
If you're unfamiliar with MSI, check out the Managed Service Identity overview. If you don't already have an Azure
account, sign up for a free account before continuing.
Your account needs to be given "Owner" permissions at the appropriate scope (your Subscription or Resource
Group), to perform the required resource creation and role management. See Use Role-Based Access Control to
manage access to your Azure subscription resources if you need assistance with role assignment.
Sign in to Azure
Sign in to the Azure portal at https://portal.azure.com.
NOTE
The value of the "resource" parameter must be an exact match for what is expected by Azure AD. When using the
Azure Resource Manager resource ID, you must include the trailing slash on the URI.
Next, extract the "Content" element, which is stored as a JavaScript Object Notation (JSON) formatted string
in the $response object.
$ArmToken = $content.access_token
NOTE
The URL is case-sensitive, so ensure you use the exact same case used earlier, when you named the Resource Group,
including the uppercase "G" in "resourceGroups."
Next we create a file called "test.txt". Then use the storage access key to authenticate with the
New-AzureStorageContent cmdlet, upload the file to our blob container, then download the file.
echo "This is a test text file." > test.txt
Be sure to install the Azure Storage cmdlets first, using Install-Module Azure.Storage . Then upload the blob you
just created, using the Set-AzureStorageBlobContent PowerShell cmdlet:
Response:
ICloudBlob : Microsoft.WindowsAzure.Storage.Blob.CloudBlockBlob
BlobType : BlockBlob
Length : 56
ContentType : application/octet-stream
LastModified : 9/13/2017 6:14:25 PM +00:00
SnapshotTime :
ContinuationToken :
Context : Microsoft.WindowsAzure.Commands.Storage.AzureStorageContext
Name : testblob
You can also download the blob you just uploaded, using the Get-AzureStorageBlobContent PowerShell cmdlet:
Response:
ICloudBlob : Microsoft.WindowsAzure.Storage.Blob.CloudBlockBlob
BlobType : BlockBlob
Length : 56
ContentType : application/octet-stream
LastModified : 9/13/2017 6:14:25 PM +00:00
SnapshotTime :
ContinuationToken :
Context : Microsoft.WindowsAzure.Commands.Storage.AzureStorageContext
Name : testblob
Related content
For an overview of MSI, see Managed Service Identity overview.
To learn how to do this same tutorial using a storage SAS credential, see Use a Windows VM Managed Service
Identity to access Azure Storage via a SAS credential
For more information about the Azure Storage account SAS feature, see:
Using shared access signatures (SAS)
Constructing a Service SAS
Use the following comments section to provide feedback and help us refine and shape our content
Use a Windows VM Managed Service Identity to
access Azure Storage via a SAS credential
12/11/2017 • 8 min to read • Edit Online
Managed Service Identity (MSI) is a public preview feature of Azure Active Directory. Make sure you review the known issues
before you begin. If you would like to be considered for enrollment in the private preview, visit our sign-up page. For more
information about previews, see Supplemental Terms of Use for Microsoft Azure Previews.
This tutorial shows you how to enable Managed Service Identity (MSI) for a Windows Virtual Machine, then use the
MSI to obtain a storage Shared Access Signature (SAS) credential. Specifically, a Service SAS credential.
A Service SAS provides the ability to grant limited access to objects in a storage account, for limited time and a
specific service (in our case, the blob service), without exposing an account access key. You can use a SAS credential
as usual when doing storage operations, for example when using the Storage SDK. For this tutorial, we
demonstrate uploading and downloading a blob using Azure Storage PowerShell. You will learn how to:
Enable MSI on a Windows Virtual Machine
Grant your VM access to a storage account SAS in Resource Manager
Get an access token using your VM's identity, and use it to retrieve the SAS from Resource Manager
Prerequisites
If you're unfamiliar with MSI, check out the Managed Service Identity overview. If you don't already have an Azure
account, sign up for a free account before continuing.
Your account needs to be given "Owner" permissions at the appropriate scope (your Subscription or Resource
Group), to perform the required resource creation and role management. See Use Role-Based Access Control to
manage access to your Azure subscription resources if you need assistance with role assignment.
Sign in to Azure
Sign in to the Azure portal at https://portal.azure.com.
NOTE
The value of the "resource" parameter must be an exact match for what is expected by Azure AD. When using the
Azure Resource Manager resource ID, you must include the trailing slash on the URI.
Next, extract the "Content" element, which is stored as a JavaScript Object Notation (JSON) formatted string
in the $response object.
$ArmToken = $content.access_token
{
"canonicalizedResource":"/blob/<STORAGE ACCOUNT NAME>/<CONTAINER NAME>",
"signedResource":"c", // The kind of resource accessible with the SAS, in this case a
container (c).
"signedPermission":"rcw", // Permissions for this SAS, in this case (r)ead, (c)reate, and
(w)rite. Order is important.
"signedProtocol":"https", // Require the SAS be used on https protocol.
"signedExpiry":"<EXPIRATION TIME>" // UTC expiration time for SAS in ISO 8601 format, for example 2017-09-
22T00:06:00Z.
}
These parameters are included in the POST body of the request for the SAS credential. For more information on the
parameters for creating a SAS credential, see the List Service SAS REST reference.
First, convert the parameters to JSON, then call the storage listServiceSas endpoint to create the SAS credential:
$params = @{canonicalizedResource="/blob/<STORAGE-ACCOUNT-NAME>/<CONTAINER-
NAME>";signedResource="c";signedPermission="rcw";signedProtocol="https";signedExpiry="2017-09-23T00:00:00Z"}
$jsonParams = $params | ConvertTo-Json
NOTE
The URL is case-sensitive, so ensure you use the exact same case used earlier, when you named the Resource Group,
including the uppercase "G" in "resourceGroups."
If you inspect the SAS cred you'll see something like this:
PS C:\> $sasCred
sv=2015-04-05&sr=c&spr=https&se=2017-09-
23T00%3A00%3A00Z&sp=rcw&sig=JVhIWG48nmxqhTIuN0uiFBppdzhwHdehdYan1W%2F4O0E%3D
Next we create a file called "test.txt". Then use the SAS credential to authenticate with the New-AzureStorageContent
cmdlet, upload the file to our blob container, then download the file.
Be sure to install the Azure Storage cmdlets first, using Install-Module Azure.Storage . Then upload the blob you
just created, using the Set-AzureStorageBlobContent PowerShell cmdlet:
Response:
ICloudBlob : Microsoft.WindowsAzure.Storage.Blob.CloudBlockBlob
BlobType : BlockBlob
Length : 56
ContentType : application/octet-stream
LastModified : 9/21/2017 6:14:25 PM +00:00
SnapshotTime :
ContinuationToken :
Context : Microsoft.WindowsAzure.Commands.Storage.AzureStorageContext
Name : testblob
You can also download the blob you just uploaded, using the Get-AzureStorageBlobContent PowerShell cmdlet:
ICloudBlob : Microsoft.WindowsAzure.Storage.Blob.CloudBlockBlob
BlobType : BlockBlob
Length : 56
ContentType : application/octet-stream
LastModified : 9/21/2017 6:14:25 PM +00:00
SnapshotTime :
ContinuationToken :
Context : Microsoft.WindowsAzure.Commands.Storage.AzureStorageContext
Name : testblob
Related content
For an overview of MSI, see Managed Service Identity overview.
To learn how to do this same tutorial using a storage account key, see Use a Windows VM Managed Service
Identity to access Azure Storage
For more information about the Azure Storage account SAS feature, see:
Using shared access signatures (SAS)
Constructing a Service SAS
Use the following comments section to provide feedback and help us refine and shape our content.
Use a Linux VM Managed Service Identity to access
Azure Storage via access key
12/11/2017 • 7 min to read • Edit Online
Managed Service Identity (MSI) is a public preview feature of Azure Active Directory. Make sure you review the known issues
before you begin. If you would like to be considered for enrollment in the private preview, visit our sign-up page. For more
information about previews, see Supplemental Terms of Use for Microsoft Azure Previews.
This tutorial shows you how to enable Managed Service Identity (MSI) for a Linux Virtual Machine and then use that
identity to retrieve storage account access keys. You can use a storage access key as usual when doing storage
operations, for example when using the Storage SDK. For this tutorial, we upload and download blobs using Azure
CLI. You will learn how to:
Enable MSI on a Linux Virtual Machine
Grant your VM access to storage account access keys in Resource Manager
Get an access token using your VM's identity, and use it to retrieve the storage access keys from Resource
Manager
Prerequisites
If you're unfamiliar with MSI, check out the Managed Service Identity overview. If you don't already have an Azure
account, sign up for a free account before continuing.
Your account needs to be given "Owner" permissions at the appropriate scope (your Subscription or Resource
Group), to perform the required resource creation and role management. See Use Role-Based Access Control to
manage access to your Azure subscription resources if you need assistance with role assignment.
Sign in to Azure
Sign in to the Azure portal at https://portal.azure.com.
NOTE
In the previous request, the value of the "resource" parameter must be an exact match for what is expected by Azure
AD. When using the Azure Resource Manager resource ID, you must include the trailing slash on the URI. In the
following response, the access_token element as been shortened for brevity.
{"access_token":"eyJ0eXAiOiJ...",
"refresh_token":"",
"expires_in":"3599",
"expires_on":"1504130527",
"not_before":"1504126627",
"resource":"https://management.azure.com",
"token_type":"Bearer"}
NOTE
The text in the prior URL is case sensitive, so ensure if you are using upper-lowercase for your Resource Groups to reflect it
accordingly. Additionally, it’s important to know that this is a POST request not a GET request and ensure you pass a value to
capture a length limit with -d that can be NULL.
{"keys":[{"keyName":"key1","permissions":"Full","value":"iqDPNt..."},
{"keyName":"key2","permissions":"Full","value":"U+uI0B..."}]}
Create a sample blob file to upload to your blob storage container. On a Linux VM you can do this with the
following command.
Next, authenticate with the CLI az storage command using the storage access key, and upload the file to the blob
container. For this step, you will need to install the latest Azure CLI on your VM, if you haven't already.
az storage blob upload -c <CONTAINER NAME> -n test.txt -f test.txt --account-name <STORAGE ACCOUNT NAME> --
account-key <STORAGE ACCOUNT KEY>
Response:
Finished[#############################################################] 100.0000%
{
"etag": "\"0x8D4F9929765C139\"",
"lastModified": "2017-09-12T03:58:56+00:00"
}
Additionally, you can download the file using the Azure CLI and authenticating with the storage access key.
Request:
az storage blob download -c <CONTAINER NAME> -n test.txt -f test-download.txt --account-name <STORAGE ACCOUNT
NAME> --account-key <STORAGE ACCOUNT KEY>
Response:
{
"content": null,
"metadata": {},
"name": "test.txt",
"properties": {
"appendBlobCommittedBlockCount": null,
"blobType": "BlockBlob",
"contentLength": 21,
"contentRange": "bytes 0-20/21",
"contentSettings": {
"cacheControl": null,
"contentDisposition": null,
"contentEncoding": null,
"contentLanguage": null,
"contentMd5": "LSghAvpnElYyfUdn7CO8aw==",
"contentType": "text/plain"
},
"copy": {
"completionTime": null,
"id": null,
"progress": null,
"source": null,
"status": null,
"statusDescription": null
},
"etag": "\"0x8D5067F30D0C283\"",
"lastModified": "2017-09-28T14:42:49+00:00",
"lease": {
"duration": null,
"state": "available",
"status": "unlocked"
},
"pageBlobSequenceNumber": null,
"serverEncrypted": false
},
"snapshot": null
}
Next steps
For an overview of MSI, see Managed Service Identity overview.
To learn how to do this same tutorial using a storage SAS credential, see Use a Linux VM Managed Service
Identity to access Azure Storage via a SAS credential
For more information about the Azure Storage account SAS feature, see:
Using shared access signatures (SAS)
Constructing a Service SAS
Use the following comments section to provide feedback and help us refine and shape our content.
Use a Linux VM Managed Service Identity to access
Azure Storage via a SAS credential
12/11/2017 • 8 min to read • Edit Online
Managed Service Identity (MSI) is a public preview feature of Azure Active Directory. Make sure you review the known issues
before you begin. If you would like to be considered for enrollment in the private preview, visit our sign-up page. For more
information about previews, see Supplemental Terms of Use for Microsoft Azure Previews.
This tutorial shows you how to enable Managed Service Identity (MSI) for a Linux Virtual Machine, then use the MSI
to obtain a storage Shared Access Signature (SAS) credential. Specifically, a Service SAS credential.
A Service SAS provides the ability to grant limited access to objects in a storage account, for a limited time and a
specific service (in our case, the blob service), without exposing an account access key. You can use a SAS credential
as usual when doing storage operations, for example when using the Storage SDK. For this tutorial, we
demonstrate uploading and downloading a blob using Azure Storage CLI. You will learn how to:
Enable MSI on a Linux Virtual Machine
Grant your VM access to a storage account SAS in Resource Manager
Get an access token using your VM's identity, and use it to retrieve the SAS from Resource Manager
Prerequisites
If you're unfamiliar with MSI, check out the Managed Service Identity overview. If you don't already have an Azure
account, sign up for a free account before continuing.
Your account needs to be given "Owner" permissions at the appropriate scope (your Subscription or Resource
Group), to perform the required resource creation and role management. See Use Role-Based Access Control to
manage access to your Azure subscription resources if you need assistance with role assignment.
Sign in to Azure
Sign in to the Azure portal at https://portal.azure.com.
NOTE
In the previous request, the value of the "resource" parameter must be an exact match for what is expected by Azure
AD. When using the Azure Resource Manager resource ID, you must include the trailing slash on the URI. In the
following response, the access_token element as been shortened for brevity.
{"access_token":"eyJ0eXAiOiJ...",
"refresh_token":"",
"expires_in":"3599",
"expires_on":"1504130527",
"not_before":"1504126627",
"resource":"https://management.azure.com",
"token_type":"Bearer"}
{
"canonicalizedResource":"/blob/<STORAGE ACCOUNT NAME>/<CONTAINER NAME>",
"signedResource":"c", // The kind of resource accessible with the SAS, in this case a
container (c).
"signedPermission":"rcw", // Permissions for this SAS, in this case (r)ead, (c)reate, and
(w)rite. Order is important.
"signedProtocol":"https", // Require the SAS be used on https protocol.
"signedExpiry":"<EXPIRATION TIME>" // UTC expiration time for SAS in ISO 8601 format, for example 2017-09-
22T00:06:00Z.
}
These parameters are included in the POST body of the request for the SAS credential. For more information on the
parameters for creating a SAS credential, see the List Service SAS REST reference.
Use the following CURL request to get the SAS credential. Be sure to replace the <SUBSCRIPTION ID> ,
<RESOURCE GROUP> , <STORAGE ACCOUNT NAME> , <CONTAINER NAME> , and <EXPIRATION TIME> parameter values with your
own values. Replace the <ACCESS TOKEN> value with the access token you retrieved earlier:
curl https://management.azure.com/subscriptions/<SUBSCRIPTION ID>/resourceGroups/<RESOURCE
GROUP>/providers/Microsoft.Storage/storageAccounts/<STORAGE ACCOUNT NAME>/listServiceSas/?api-version=2017-06-
01 -X POST -d "{\"canonicalizedResource\":\"/blob/<STORAGE ACCOUNT NAME>/<CONTAINER
NAME>\",\"signedResource\":\"c\",\"signedPermission\":\"rcw\",\"signedProtocol\":\"https\",\"signedExpiry\":\"
<EXPIRATION TIME>\"}" -H "Authorization: Bearer <ACCESS TOKEN>"
NOTE
The text in the prior URL is case sensitive, so ensure if you are using upper-lowercase for your Resource Groups to reflect it
accordingly. Additionally, it’s important to know that this is a POST request not a GET request.
{"serviceSasToken":"sv=2015-04-05&sr=c&spr=https&st=2017-09-22T00%3A10%3A00Z&se=2017-09-
22T02%3A00%3A00Z&sp=rcw&sig=QcVwljccgWcNMbe9roAJbD8J5oEkYoq%2F0cUPlgriBn0%3D"}
Create a sample blob file to upload to your blob storage container. On a Linux VM you can do this with the
following command.
Next, authenticate with the CLI az storage command using the SAS credential, and upload the file to the blob
container. For this step, you will need to install the latest Azure CLI on your VM, if you haven't already.
Response:
Finished[#############################################################] 100.0000%
{
"etag": "\"0x8D4F9929765C139\"",
"lastModified": "2017-09-21T03:58:56+00:00"
}
Additionally, you can download the file using the Azure CLI and authenticating with the SAS credential.
Request:
Response:
{
"content": null,
"metadata": {},
"name": "testblob",
"properties": {
"appendBlobCommittedBlockCount": null,
"blobType": "BlockBlob",
"contentLength": 16,
"contentRange": "bytes 0-15/16",
"contentSettings": {
"cacheControl": null,
"contentDisposition": null,
"contentEncoding": null,
"contentLanguage": null,
"contentMd5": "Aryr///Rb+D8JQ8IytleDA==",
"contentType": "text/plain"
},
"copy": {
"completionTime": null,
"id": null,
"progress": null,
"source": null,
"status": null,
"statusDescription": null
},
"etag": "\"0x8D4F9929765C139\"",
"lastModified": "2017-09-21T03:58:56+00:00",
"lease": {
"duration": null,
"state": "available",
"status": "unlocked"
},
"pageBlobSequenceNumber": null,
"serverEncrypted": false
},
"snapshot": null
}
Next steps
For an overview of MSI, see Managed Service Identity overview.
To learn how to do this same tutorial using a storage account key, see Use a Linux VM Managed Service Identity
to access Azure Storage
For more information about the Azure Storage account SAS feature, see:
Using shared access signatures (SAS)
Constructing a Service SAS
Use the following comments section to provide feedback and help us refine and shape our content.
Use a Windows VM Managed Service Identity (MSI)
to access Azure Key Vault
12/11/2017 • 5 min to read • Edit Online
Managed Service Identity (MSI) is a public preview feature of Azure Active Directory. Make sure you review the known issues
before you begin. If you would like to be considered for enrollment in the private preview, visit our sign-up page. For more
information about previews, see Supplemental Terms of Use for Microsoft Azure Previews.
This tutorial shows you how to enable Managed Service Identity (MSI) for a Windows Virtual Machine, then use that
identity to access Azure Key Vault. Serving as a bootstrap, Key Vault makes it possible for your client application to
then use the secret to access resources not secured by Azure Active Directory (AD). Managed Service Identities are
automatically managed by Azure and enable you to authenticate to services that support Azure AD authentication,
without needing to insert credentials into your code.
You learn how to:
Enable Managed Service Identity on a Windows Virtual Machine
Grant your VM access to a secret stored in a Key Vault
Get an access token using the VM identity and use it to retrieve the secret from Key Vault
Prerequisites
If you're unfamiliar with MSI, check out the Managed Service Identity overview. If you don't already have an Azure
account, sign up for a free account before continuing.
Your account needs to be given "Owner" permissions at the appropriate scope (your Subscription or Resource
Group), to perform the required resource creation and role management. See Use Role-Based Access Control to
manage access to your Azure subscription resources if you need assistance with role assignment.
Sign in to Azure
Sign in to the Azure portal at https://portal.azure.com.
Get an access token using the VM identity and use it to retrieve the
secret from the Key Vault
If you don’t have PowerShell 4.3.1 or greater installed, you'll need to download and install the latest version.
First, we use the VM’s MSI to get an access token to authenticate to Key Vault:
1. In the portal, navigate to Virtual Machines and go to your Windows virtual machine and in the Overview, click
Connect.
2. Enter in your Username and Password for which you added when you created the Windows VM.
3. Now that you have created a Remote Desktop Connection with the virtual machine, open PowerShell in the
remote session.
4. In PowerShell, invoke the web request on the tenant to get the token for the local host in the specific port for
the VM.
The PowerShell request:
Next, extract the full response which is stored as a JavaScript Object Notation (JSON) formatted string in the
$response object.
Finally, use PowerShell’s Invoke-WebRequest command to retrieve the secret you created earlier in the Key
Vault, passing the access token in the Authorization header. You’ll need the URL of your Key Vault, which is
in the Essentials section of the Overview page of the Key Vault.
{"value":"p@ssw0rd!","id":"https://mytestkeyvault.vault.azure.net/secrets/MyTestSecret/7c2204c6093c4d859
bc5b9eff8f29050","attributes":
{"enabled":true,"created":1505088747,"updated":1505088747,"recoveryLevel":"Purgeable"}}
Once you’ve retrieved the secret from the Key Vault, you can use it to authenticate to a service that requires a name
and password.
Related content
For an overview of MSI, see Managed Service Identity overview.
Use the following comments section to provide feedback and help us refine and shape our content.
Use a Linux VM Managed Service Identity (MSI) to
access Azure Key Vault
12/11/2017 • 5 min to read • Edit Online
Managed Service Identity (MSI) is a public preview feature of Azure Active Directory. Make sure you review the known issues
before you begin. If you would like to be considered for enrollment in the private preview, visit our sign-up page. For more
information about previews, see Supplemental Terms of Use for Microsoft Azure Previews.
This tutorial shows you how to enable Managed Service Identity (MSI) for a Linux Virtual Machine, then use that
identity to access Azure Key Vault. Serving as a bootstrap, Key Vault makes it possible for your client application to
then use the secret to access resources not secured by Azure Active Directory (AD). Managed Service Identities are
automatically managed by Azure and enable you to authenticate to services that support Azure AD authentication,
without needing to insert credentials into your code.
You learn how to:
Enable MSI on a Linux Virtual Machine
Grant your VM access to a secret stored in a Key Vault
Get an access token using the VM identity and use it to retrieve the secret from the Key Vault
Prerequisites
If you're unfamiliar with MSI, check out the Managed Service Identity overview. If you don't already have an Azure
account, sign up for a free account before continuing.
Your account needs to be given "Owner" permissions at the appropriate scope (your Subscription or Resource
Group), to perform the required resource creation and role management. See Use Role-Based Access Control to
manage access to your Azure subscription resources if you need assistance with role assignment.
Sign in to Azure
Sign in to the Azure portal at https://portal.azure.com.
Get an access token using the VM's identity and use it to retrieve the
secret from the Key Vault
To complete these steps, you need an SSH client. If you are using Windows, you can use the SSH client in the
Windows Subsystem for Linux. If you need assistance configuring your SSH client's keys, see How to Use SSH keys
with Windows on Azure, or How to create and use an SSH public and private key pair for Linux VMs in Azure.
1. In the portal, navigate to your Linux VM and in the Overview, click Connect.
2. Connect to the VM with the SSH client of your choice.
3. In the terminal window, using CURL, make a request to the local MSI endpoint to get an access token for
Azure Key Vault.
The CURL request for the access token is below.
The response includes the access token you need to access Resource Manager.
Response:
{"access_token":"eyJ0eXAi...",
"refresh_token":"",
"expires_in":"3599",
"expires_on":"1504130527",
"not_before":"1504126627",
"resource":"https://vault.azure.net",
"token_type":"Bearer"}
You can use this access token to authenticate to Azure Key Vault. The next CURL request shows how to read
a secret from Key Vault using CURL and the Key Vault REST API. You’ll need the URL of your Key Vault, which
is in the Essentials section of the Overview page of the Key Vault. You will also need the access token you
obtained on the previous call.
{"value":"p@ssw0rd!","id":"https://mytestkeyvault.vault.azure.net/secrets/MyTestSecret/7c2204c6093c4d859
bc5b9eff8f29050","attributes":
{"enabled":true,"created":1505088747,"updated":1505088747,"recoveryLevel":"Purgeable"}}
Once you’ve retrieved the secret from the Key Vault, you can use it to authenticate to a service that requires a name
and password.
Related content
For an overview of MSI, see Managed Service Identity overview.
Use the following comments section to provide feedback and help us refine and shape our content.
FAQs and known issues with Managed Service
Identity (MSI) for Azure Active Directory
12/22/2017 • 3 min to read • Edit Online
Managed Service Identity (MSI) is a public preview feature of Azure Active Directory. Make sure you review the known issues
before you begin. If you would like to be considered for enrollment in the private preview, visit our sign-up page. For more
information about previews, see Supplemental Terms of Use for Microsoft Azure Previews.
Set-AzureRmVMExtension -Name <extension name> -Type <extension Type> -Location <location> -Publisher
Microsoft.ManagedIdentity -VMName <vm name> -ResourceGroupName <resource group name> -ForceRerun <Any string
different from any last value used>
Where:
Extension name and type for Windows is: ManagedIdentityExtensionForWindows
Extension name and type for Linux is: ManagedIdentityExtensionForLinux
Known issues
"Automation script" fails when attempting schema export for MSI extension
When Managed Service Identity is enabled on a VM, the following error is shown when attempting to use the
“Automation script” feature for the VM, or its resource group:
The Managed Service Identity VM extension does not currently support the ability to export its schema to a resource
group template. As a result, the generated template does not show configuration parameters to enable Managed
Service Identity on the resource. These sections can be added manually by following the examples in Configure a
VM Managed Service Identity by using a template.
When the schema export functionality becomes available for the MSI VM extension, it will be listed in Exporting
Resource Groups that contain VM extensions.
Configuration blade does not appear in the Azure portal
If the VM Configuration blade does not appear on your VM, then MSI has not been enabled in the portal in your
region yet. Check again later. You can also enable MSI for your VM using PowerShell or the Azure CLI.
Cannot assign access to virtual machines in the Access Control (IAM ) blade
If Virtual Machine does not appear in the Azure portal as a choice for Assign access to in Access Control (IAM)
> Add permissions, then Managed Service Identity has not been enabled in the portal in your region yet. Check
again later. You can still select the Managed Service Identity for the role assignment by searching for the MSI’s
Service Principal. Enter the name of the VM in the Select field, and the Service Principal appears in the search result.
VM fails to start after being moved from resource group or subscription
If you move a VM in the running state, it continues to run during the move. However, after the move, if the VM is
stopped and restarted, it will fail to start. This issue happens because the VM is not updating the reference to the
MSI identity and continues to point to it in the old resource group.
Workaround
Trigger an update on the VM so it can get correct values for the MSI. You can do a VM property change to update
the reference to the MSI identity. For example, you can set a new tag value on the VM with the following command:
This command sets a new tag "fixVM" with a value of 1 on the VM.
By setting this property, the VM updates with the correct MSI resource URI, and then you should be able to start the
VM.
Once the VM is started, the tag can be removed by using following command:
Using Azure Active Directory (Azure AD), you can designate separate administrators to serve different functions.
Administrators have access to various features in the Azure portal and, depending on their role, can create or
edit users, assign administrative roles to others, reset user passwords, manage user licenses, and manage
domains, among other things. A user who is assigned an admin role will have the same permissions across all of
the cloud services to which your organization has subscribed to, regardless of whether you assign the role in the
Office 365 portal, or in the Azure portal, or by using the Azure AD module for Windows PowerShell.
The following administrator roles are available:
Billing Administrator: Makes purchases, manages subscriptions, manages support tickets, and monitors
service health.
Compliance Administrator:Users with this role have management permissions within in the Office 365
Security & Compliance Center and Exchange Admin Center. More information at “About Office 365
admin roles.”
Conditional Access Administrator: Users with this role have the ability to manage Azure Active
Directory conditional access settings.
NOTE
To deploy Exchange ActiveSync conditional access policy in Azure, the user must also be Global Administrator.
CRM Service Administrator: Users with this role have global permissions within Microsoft CRM Online,
when the service is present, as well as the ability to manage support tickets and monitor service health.
More information at About Office 365 admin roles.
Device Administrators: Users with this role become local machine administrators on all Windows 10
devices that are joined to Azure Active Directory. They do not have the ability to manage devices objects
in Azure Active Directory.
Directory Readers: This is a legacy role that is to be assigned to applications that do not support the
Consent Framework. It should not be assigned to any users.
Directory Synchronization Accounts: Do not use. This role is automatically assigned to the Azure AD
Connect service, and is not intended or supported for any other use.
Directory Writers: This is a legacy role that is to be assigned to applications that do not support the
Consent Framework. It should not be assigned to any users.
Exchange Service Administrator: Users with this role have global permissions within Microsoft
Exchange Online, when the service is present. More information at About Office 365 admin roles.
Global Administrator / Company Administrator: Users with this role have access to all administrative
features in Azure Active Directory, as well as services that federate to Azure Active Directory like Exchange
Online, SharePoint Online, and Skype for Business Online. The person who signs up for the Azure Active
Directory tenant becomes a global administrator. Only global administrators can assign other
administrator roles. There can be more than one global administrator at your company. Global admins
can reset the password for any user and all other administrators.
NOTE
In Microsoft Graph API, Azure AD Graph API, and Azure AD PowerShell, this role is identified as "Company
Administrator". It is "Global Administrator" in the Azure portal.
Guest Inviter: Users in this role can manage Azure Active Directory B2B guest user invitations when the
“Members can invite” user setting is set to No. More information about B2B collaboration at About the
Azure AD B2B collaboration preview. It does not include any other permissions.
Intune Service Administrator: Users with this role have global permissions within Microsoft Intune
Online, when the service is present. Additionally, this role contains the ability to manage users and
devices in order to associate policy, as well as create and manage groups.
Mailbox Administrator: This role is only used as part of Exchange Online email support for RIM
Blackberry devices. If your organization does not use Exchange Online email on RIM Blackberry devices,
do not use this role.
Partner Tier 1 Support: Do not use. This role has been deprecated and will be removed from Azure AD
in the future. This role is intended for use by a small number of Microsoft resale partners, and is not
intended for general use.
Partner Tier 2 Support: Do not use. This role has been deprecated and will be removed from Azure AD
in the future. This role is intended for use by a small number of Microsoft resale partners, and is not
intended for general use.
Password Administrator / Helpdesk Administrator: Users with this role can reset passwords, manage
service requests, and monitor service health. Password administrators can reset passwords only for users
and other password administrators.
NOTE
In Microsoft Graph API, Azure AD Graph API and Azure AD PowerShell, this role is identified as "Helpdesk
Administrator". It is "Password Administrator" in the Azure portal.
Power BI Service Administrator: Users with this role have global permissions within Microsoft Power
BI, when the service is present, as well as the ability to manage support tickets and monitor service health.
More information at About Office 365 admin roles.
Privileged Role Administrator: Users with this role can manage role assignments in Azure Active
Directory, as well as within Azure AD Privileged Identity Management. In addition, this role allows
management of all aspects of Privileged Identity Management.
Security Administrator: Users with this role have all of the read-only permissions of the Security reader
role, plus the ability to manage configuration for security-related services: Azure Active Directory Identity
Protection, Azure Information Protection, Privileged Identity Management, and Office 365 Security &
Compliance Center. More information about Office 365 permissions is available at Permissions in the
Office 365 Security & Compliance Center.
Security Reader: Users with this role have global read-only access, including all information in Azure
Active Directory, Identity Protection, Privileged Identity Management, as well as the ability to read Azure
Active Directory sign-in reports and audit logs. The role also grants read-only permission in Office 365
Security & Compliance Center. More information about Office 365 permissions is available at
Permissions in the Office 365 Security & Compliance Center.
Service Support Administrator: Users with this role can open support requests with Microsoft for
Azure and Office 365 services, and views the service dashboard and message center in the Azure portal
and Office 365 admin portal. More information at About Office 365 admin roles.
SharePoint Service Administrator: Users with this role have global permissions within Microsoft
SharePoint Online, when the service is present, as well as the ability to manage support tickets and
monitor service health. More information at About Office 365 admin roles.
Skype for Business / Lync Service Administrator: Users with this role have global permissions within
Microsoft Skype for Business, when the service is present, as well as manage Skype-specific user
attributes in Azure Active Directory. Additionally, this role grants the ability to manage support tickets and
monitor service health. More information at About Office 365 admin roles.
NOTE
In Microsoft Graph API, Azure AD Graph API and Azure AD PowerShell, this role is identified as "Lync Service
Administrator". It is "Skype for Business Service Administrator" in the Azure portal.
User Account Administrator: Users with this role can create and manage all aspects of users and
groups. Additionally, this role includes the ability to manage support tickets and monitors service health.
Some restrictions apply. For example, this role does not allow deleting a global administrator, and while it
does allow changing passwords for non-admins, it does not allow changing passwords for global
administrators or other privileged administrators.
Administrator permissions
Billing administrator
CAN DO CANNOT DO
Global administrator
CAN DO CANNOT DO
Password administrator
CAN DO CANNOT DO
CAN DO CANNOT DO
View company and user information Perform billing and purchasing operations for Office
products
Manage Office support tickets
Create and manage user views
Reset user passwords
Create, edit, and delete users and groups, and manage
Reset other administrator’s passwords user licenses
Manage domains
Manage company information
Delegate administrative roles to others
Use directory synchronization
View reports
Service administrator
CAN DO CANNOT DO
User administrator
CAN DO CANNOT DO
View company and user information Perform billing and purchasing operations for Office
products
Manage Office support tickets
Manage domains
Reset user passwords, with limitations.
Manage company information
Reset other administrator’s passwords
Delegate administrative roles to others
Reset other users' passwords
Use directory synchronization
Create and manage user views
Enable or disable multi-factor authentication
Create, edit, and delete users and groups, and manage
user licenses, with limitations. He or she cannot delete a View audit logs
global administrator or create other administrators.
Security Reader
IN CAN DO
Identity Protection Center Read all security reports and settings information for security
features
Anti-spam
Encryption
Data loss prevention
Anti-malware
Advanced threat protection
Anti-phishing
Mailflow rules
Privileged Identity Management Has read-only access to all information surfaced in Azure
AD PIM: Policies and reports for Azure AD role
assignments, security reviews and in the future read
access to policy data and reports for scenarios besides
Azure AD role assignment.
Cannot sign up for Azure AD PIM or make any changes
to it. In PIM's portal or via PowerShell, someone in this
role can activate additional roles (for example, Global
Admin or Privileged Role Administrator), if the user is a
candidate for them.
Security Administrator
IN CAN DO
Monitor Office 365 Service Health All permissions of the Security Reader role.
Can configure all settings in the Advanced Threat
Office 365 Security & Compliance Center Protection feature (malware & virus protection,
malicious URL config, URL tracing, etc.).
Deprecated roles
The following roles should not be used. They been deprecated and will be removed from Azure AD in the future.
AdHoc License Administrator
Email Verified User Creator
Device Join
Device Managers
Device Users
Workplace Device Join
Next steps
To learn more about how to change administrators for an Azure subscription, see How to add or change
Azure administrator roles
To learn more about how resource access is controlled in Microsoft Azure, see Understanding resource
access in Azure
For more information on how Azure Active Directory relates to your Azure subscription, see How Azure
subscriptions are associated with Azure Active Directory
Manage users
Manage passwords
Manage groups
Assign a user to administrator roles in Azure Active
Directory
1/9/2018 • 1 min to read • Edit Online
This article explains how to assign an administrative role to a user in Azure Active Directory (Azure AD). For
information about adding new users in your organization, see Add new users to Azure Active Directory. Added
users don't have administrator permissions by default, but you can assign roles to them at any time.
Next steps
Quickstart: Add or delete users in Azure Active Directory
Manage user profiles
Add guest users from another directory
Assign a user to a role in your Azure AD
Restore a deleted user
Administrative units management in Azure AD -
public preview
12/11/2017 • 1 min to read • Edit Online
This article describes administrative units – a new Azure Active Directory container of resources that can be used
for delegating administrative permissions over subsets of users and applying policies to a subset of users. In Azure
Active Directory, administrative units enable central administrators to delegate permissions to regional
administrators or to set policy at a granular level.
This is useful in organizations with independent divisions, for example, a large university that is made up of many
autonomous schools (Business school, Engineering school, and so on) which are independent from each other.
Such divisions have their own IT administrators who control access, manage users, and set policies specifically for
their division. Central administrators want to be able grant these divisional administrators permissions over the
users in their particular divisions. More specifically, using this example, a central administrator can, for instance,
create an administrative unit for a particular school (Business school) and populate it with only the Business school
users. Then a central administrator can add the Business school IT staff to a scoped role, in other words, grant the IT
staff of Business school administrative permissions only over the Business school administrative unit.
IMPORTANT
You can assign administrative unit-scoped admin roles only if you enable Azure Active Directory Premium. For more
information, see Getting started with Azure AD Premium.
From the central administrator’s point of view, an administrative unit is a directory object that can be created and
populated with resources. In this preview release, these resources can be only users. Once created and
populated, the administrative unit can be used as a scope to restrict the granted permission only over resources
contained in the administrative unit.
Next steps
Azure Active Directory editions
Configurable token lifetimes in Azure Active Directory
(Public Preview)
12/11/2017 • 21 min to read • Edit Online
You can specify the lifetime of a token issued by Azure Active Directory (Azure AD). You can set token lifetimes for all
apps in your organization, for a multi-tenant (multi-organization) application, or for a specific service principal in your
organization.
NOTE
This capability currently is in Public Preview. Be prepared to revert or remove any changes. The feature is available in any Azure
Active Directory subscription during Public Preview. However, when the feature becomes generally available, some aspects of the
feature might require an Azure Active Directory Premium subscription.
In Azure AD, a policy object represents a set of rules that are enforced on individual applications or on all applications in
an organization. Each policy type has a unique structure, with a set of properties that are applied to objects to which
they are assigned.
You can designate a policy as the default policy for your organization. The policy is applied to any application in the
organization, as long as it is not overridden by a policy with a higher priority. You also can assign a policy to specific
applications. The order of priority varies by policy type.
Token types
You can set token lifetime policies for refresh tokens, access tokens, session tokens, and ID tokens.
Access tokens
Clients use access tokens to access a protected resource. An access token can be used only for a specific combination of
user, client, and resource. Access tokens cannot be revoked and are valid until their expiry. A malicious actor that has
obtained an access token can use it for extent of its lifetime. Adjusting the lifetime of an access token is a trade-off
between improving system performance and increasing the amount of time that the client retains access after the
user’s account is disabled. Improved system performance is achieved by reducing the number of times a client needs to
acquire a fresh access token.
Refresh tokens
When a client acquires an access token to access a protected resource, the client receives both a refresh token and an
access token. The refresh token is used to obtain new access/refresh token pairs when the current access token expires.
A refresh token is bound to a combination of user and client. A refresh token can be revoked, and the token's validity is
checked every time the token is used.
It's important to make a distinction between confidential clients and public clients. For more information about different
types of clients, see RFC 6749.
Token lifetimes with confidential client refresh tokens
Confidential clients are applications that can securely store a client password (secret). They can prove that requests are
coming from the client application and not from a malicious actor. For example, a web app is a confidential client
because it can store a client secret on the web server. It is not exposed. Because these flows are more secure, the default
lifetimes of refresh tokens issued to these flows is until-revoked , cannot be changed by using policy, and will not be
revoked on voluntary password resets.
Token lifetimes with public client refresh tokens
Public clients cannot securely store a client password (secret). For example, an iOS/Android app cannot obfuscate a
secret from the resource owner, so it is considered a public client. You can set policies on resources to prevent refresh
tokens from public clients older than a specified period from obtaining a new access/refresh token pair. (To do this, use
the Refresh Token Max Inactive Time property.) You also can use policies to set a period beyond which the refresh
tokens are no longer accepted. (To do this, use the Refresh Token Max Age property.) You can adjust the lifetime of a
refresh token to control when and how often the user is required to reenter credentials, instead of being silently
reauthenticated, when using a public client application.
ID tokens
ID tokens are passed to websites and native clients. ID tokens contain profile information about a user. An ID token is
bound to a specific combination of user and client. ID tokens are considered valid until their expiry. Usually, a web
application matches a user’s session lifetime in the application to the lifetime of the ID token issued for the user. You
can adjust the lifetime of an ID token to control how often the web application expires the application session, and how
often it requires the user to be reauthenticated with Azure AD (either silently or interactively).
Single sign-on session tokens
When a user authenticates with Azure AD, a single sign-on session (SSO) is established with the user’s browser and
Azure AD. The SSO token, in the form of a cookie, represents this session. Note that the SSO session token is not bound
to a specific resource/client application. SSO session tokens can be revoked, and their validity is checked every time
they are used.
Azure AD uses two kinds of SSO session tokens: persistent and nonpersistent. Persistent session tokens are stored as
persistent cookies by the browser. Nonpersistent session tokens are stored as session cookies. (Session cookies are
destroyed when the browser is closed.) Usually, a nonpersistent session token is stored. But, when the user selects the
Keep me signed in check box during authentication, a persistent session token is stored.
Nonpersistent session tokens have a lifetime of 24 hours. Persistent tokens have a lifetime of 180 days. Any time an
SSO session token is used within its validity period, the validity period is extended another 24 hours or 180 days,
depending on the token type. If an SSO session token is not used within its validity period, it is considered expired and
is no longer accepted.
You can use a policy to set the time after the first session token was issued beyond which the session token is no longer
accepted. (To do this, use the Session Token Max Age property.) You can adjust the lifetime of a session token to control
when and how often a user is required to reenter credentials, instead of being silently authenticated, when using a web
application.
Token lifetime policy properties
A token lifetime policy is a type of policy object that contains token lifetime rules. Use the properties of the policy to
control specified token lifetimes. If no policy is set, the system enforces the default lifetime value.
Configurable token lifetime properties
POLICY PROPERTY
PROPERTY STRING AFFECTS DEFAULT MINIMUM MAXIMUM
1365 days is the maximum explicit length that can be set for these attributes.
2If MaxAgeSessionSingleFactor is not set, this value takes the MaxAgeSingleFactor value. If neither parameter is
set, the property takes the default value (until-revoked).
3If MaxAgeSessionMultiFactor is not set, this value takes the MaxAgeMultiFactor value. If neither parameter is
Refresh Token Max Age (issued for Refresh tokens (issued for federated users 12 hours
federated users who have insufficient who have insufficient revocation
revocation information1 ) information1 )
Refresh Token Max Inactive Time (issued Refresh tokens (issued for confidential 90 days
for confidential clients) clients)
Refresh Token Max Age (issued for Refresh tokens (issued for confidential Until-revoked
confidential clients) clients)
1Federated users who have insufficient revocation information include any users who do not have the
"LastPasswordChangeTimestamp" attribute synced. These users are given this short Max Age because AAD is unable
to verify when to revoke tokens that are tied to an old credential (such as a password that has been changed) and
must check back in more frequently to ensure that the user and associated tokens are still in good standing. To
improve this experience, tenant admins must ensure that they are syncing the “LastPasswordChangeTimestamp”
attribute (this can be set on the user object using Powershell or through AADSync).
Policy evaluation and prioritization
You can create and then assign a token lifetime policy to a specific application, to your organization, and to service
principals. Multiple policies might apply to a specific application. The token lifetime policy that takes effect follows these
rules:
If a policy is explicitly assigned to the service principal, it is enforced.
If no policy is explicitly assigned to the service principal, a policy explicitly assigned to the parent organization of the
service principal is enforced.
If no policy is explicitly assigned to the service principal or to the organization, the policy assigned to the application
is enforced.
If no policy has been assigned to the service principal, the organization, or the application object, the default values
is enforced. (See the table in Configurable token lifetime properties.)
For more information about the relationship between application objects and service principal objects, see Application
and service principal objects in Azure Active Directory.
A token’s validity is evaluated at the time the token is used. The policy with the highest priority on the application that is
being accessed takes effect.
NOTE
Here's an example scenario.
A user wants to access two web applications: Web Application A and Web Application B.
Factors:
Both web applications are in the same parent organization.
Token Lifetime Policy 1 with a Session Token Max Age of eight hours is set as the parent organization’s default.
Web Application A is a regular-use web application and isn’t linked to any policies.
Web Application B is used for highly sensitive processes. Its service principal is linked to Token Lifetime Policy 2, which has a
Session Token Max Age of 30 minutes.
At 12:00 PM, the user starts a new browser session and tries to access Web Application A. The user is redirected to Azure AD and
is asked to sign in. This creates a cookie that has a session token in the browser. The user is redirected back to Web Application A
with an ID token that allows the user to access the application.
At 12:15 PM, the user tries to access Web Application B. The browser redirects to Azure AD, which detects the session cookie.
Web Application B’s service principal is linked to Token Lifetime Policy 2, but it's also part of the parent organization, with default
Token Lifetime Policy 1. Token Lifetime Policy 2 takes effect because policies linked to service principals have a higher priority than
organization default policies. The session token was originally issued within the last 30 minutes, so it is considered valid. The user
is redirected back to Web Application B with an ID token that grants them access.
At 1:00 PM, the user tries to access Web Application A. The user is redirected to Azure AD. Web Application A is not linked to any
policies, but because it is in an organization with default Token Lifetime Policy 1, that policy takes effect. The session cookie that
was originally issued within the last eight hours is detected. The user is silently redirected back to Web Application A with a new ID
token. The user is not required to authenticate.
Immediately afterward, the user tries to access Web Application B. The user is redirected to Azure AD. As before, Token Lifetime
Policy 2 takes effect. Because the token was issued more than 30 minutes ago, the user is prompted to reenter their sign-in
credentials. A brand-new session token and ID token are issued. The user can then access Web Application B.
Connect-AzureAD -Confirm
3. To see all policies that have been created in your organization, run the following command. Run this command
after most operations in the following scenarios. Running the command also helps you get the ** ** of your
policies.
Get-AzureADPolicy
@('{
"TokenLifetimePolicy":
{
"Version":1,
"MaxAgeSingleFactor":"until-revoked"
}
}')
c. To see your new policy, and to get the policy's ObjectId, run the following command:
Get-AzureADPolicy
b. To see your new policy, and to get the policy ObjectId, run the following command:
Get-AzureADPolicy
2. Assign the policy to your service principal. You also need to get the ObjectId of your service principal.
a. To see all your organization's service principals, you can query Microsoft Graph. Or, in Azure AD Graph
Explorer, sign in to your Azure AD account.
b. When you have the ObjectId of your service principal, run the following command:
Example: Create a policy for a native app that calls a web API
In this example, you create a policy that requires users to authenticate less frequently. The policy also lengthens the
amount of time a user can be inactive before the user must reauthenticate. The policy is applied to the web API. When
the native app requests the web API as a resource, this policy is applied.
1. Create a token lifetime policy.
a. To create a strict policy for a web API, run the following command:
New-AzureADPolicy -Definition @('{"TokenLifetimePolicy":
{"Version":1,"MaxInactiveTime":"30.00:00:00","MaxAgeMultiFactor":"until-
revoked","MaxAgeSingleFactor":"180.00:00:00"}}') -DisplayName "WebApiDefaultPolicyScenario" -
IsOrganizationDefault $false -Type "TokenLifetimePolicy"
b. To see your new policy, and to get the policy ObjectId, run the following command:
Get-AzureADPolicy
2. Assign the policy to your web API. You also need to get the ObjectId of your application. The best way to find
your app's ObjectId is to use the Azure portal.
When you have the ObjectId of your app, run the following command:
```PowerShell
Add-AzureADApplicationPolicy -Id <ObjectId of the Application> -RefObjectId <ObjectId of the Policy>
```
b. To see your new policy, and to get the policy's ObjectId, run the following command:
Get-AzureADPolicy
```PowerShell
Add-AzureADServicePrincipalPolicy -Id <ObjectId of the ServicePrincipal> -RefObjectId <ObjectId of
the Policy>
```
You now have the original policy linked to your service principal, and the new policy is set as your organization
default policy. It's important to remember that policies applied to service principals have priority over
organization default policies.
Cmdlet reference
Manage policies
You can use the following cmdlets to manage policies.
New-AzureADPolicy
Creates a new policy.
New-AzureADPolicy -Definition <Array of Rules> -DisplayName <Name of Policy> -IsOrganizationDefault <boolean> -Type
<Policy Type>
Get-AzureADPolicy
Gets all Azure AD policies or a specified policy.
Get-AzureADPolicy
Id [Optional] ObjectId (Id) of the policy you want. -Id <ObjectId of Policy>
Get-AzureADPolicyAppliedObject
Gets all apps and service principals that are linked to a policy.
Set-AzureADPolicy
Updates an existing policy.
Definition [Optional] Array of stringified JSON that contains all -Definition @('{"TokenLifetimePolicy":
the policy's rules. {"Version":1,"MaxInactiveTime":"20:00:00"}}')
Type [Optional] Type of policy. For token lifetimes, always -Type "TokenLifetimePolicy"
use "TokenLifetimePolicy."
Remove-AzureADPolicy
Deletes the specified policy.
Application policies
You can use the following cmdlets for application policies.
Add-AzureADApplicationPolicy
Links the specified policy to an application.
Get-AzureADApplicationPolicy
Gets the policy that is assigned to an application.
Remove-AzureADApplicationPolicy
Removes a policy from an application.
Get-AzureADServicePrincipalPolicy
Gets any policy linked to the specified service principal.
Remove-AzureADServicePrincipalPolicy
Removes the policy from the specified service principal.
For most day-to-day activities, global administrator rights are not needed by your users. Users should not be
permanently assigned to the role, because they might inadvertently perform a task that requires higher
permissions than they should have. When users don't need to act as a global administrator, they should activate the
role assignment by using Azure Active Directory (Azure AD) Privileged Identity Management (PIM), on either their
own account or an alternate administrative account.
In addition to users' taking on administrative access rights for themselves, you need to prevent being inadvertently
locked out of the administration of your Azure AD tenant because you can neither sign in nor activate an existing
individual user's account as an administrator. You can mitigate the impact of inadvertent lack of administrative
access by storing two or more emergency access accounts in your tenant.
Emergency access accounts can help organizations restrict privileged access within an existing Azure Active
Directory environment. Such accounts are highly privileged, and they are not assigned to specific individuals.
Emergency access accounts are limited to emergency or 'break glass' scenarios, situations where normal
administrative accounts cannot be used. Organizations must maintain a goal of restricting the emergency account's
usage to only that time during which it is necessary.
An organization might need to use an emergency access account in the following situations:
The user accounts are federated, and federation is currently unavailable because of a cell-network break or an
identity-provider outage. For example, if the identity provider host in your environment has gone down, users
might be unable to sign in when Azure AD redirects to their identity provider.
The administrators are registered through Azure Multi-Factor Authentication, and all their individual devices are
unavailable. Users might be unable to complete Multi-Factor Authentication to activate a role. For example, a cell
network outage is preventing them from answering phone calls or receiving text messages, the only two
authentication mechanisms that they registered for their device.
The person with the most recent global administrative access has left the organization. Azure AD prevents the
last global administrator account from being deleted, but it does not prevent the account from being deleted or
disabled on-premises. Either situation might make the organization unable to recover the account.
Initial configuration
Create two or more emergency access accounts. These should be cloud-only accounts that use the
*.onmicrosoft.com domain and that are not federated or synchronized from an on-premises environment.
The accounts should not be associated with any individual user in the organization. Organizations need to ensure
that the credentials for these accounts are kept secure and known only to individuals who are authorized to use
them.
NOTE
An account password for an emergency access account is usually separated into two or three parts, written on separate
pieces of paper, and stored in secure, fireproof safes that are in secure, separate locations.
Make sure that your emergency access accounts are not connected with any employee-supplied mobile phones, hardware
tokens that travel with individual employees, or other employee-specific credentials. This precaution covers instances where
an individual employee is unreachable when the credential is needed.
Ongoing monitoring
Monitor the Azure AD sign-in and audit logs for any sign-ins and audit activity from the emergency-access
accounts. Normally those accounts should not be signing in and should not be making changes, so use of them is
likely to be anomalous and require security investigation.
Next steps
Add a cloud-based user and assign the new user to the global administrator role.
Sign up for Azure Active Directory Premium, if you haven’t signed up already.
Require Azure Multi-Factor Authentication for individual users assigned as administrators.
Configure additional protections for global administrators in Office 365, if you are using Office 365.
Perform an access review of global administrators and transition existing global administrators to more specific
administrator roles.
Azure AD access reviews (preview)
12/11/2017 • 1 min to read • Edit Online
Azure Active Directory (Azure AD) access reviews enable organizations to efficiently manage group memberships
and access to enterprise applications.
Next steps
Manage user access with Azure AD access reviews
Manage guest access with Azure AD access reviews
Manage programs and controls for Azure AD access reviews
Create an access review for members of a group or access to an application
Create an access review of users in an Azure AD administrative role
Complete an access review of members of a group or
users' access to an application in Azure AD
12/11/2017 • 2 min to read • Edit Online
Administrators can use Azure Active Directory (Azure AD) to create an access review for group members or users
assigned to an application. Azure AD automatically sends reviewers an email that prompts them to review access.
If a user didn't get an email, you can send them the instructions in Review your access. After the access review
period is over or if an administrator stops the access review, follow the steps in this article to see and apply the
results.
IMPORTANT
There's no warning before deletion occurs, so be sure that you want to delete the review.
Next steps
Manage user access with Azure AD access reviews
Manage guest access with Azure AD access reviews
Manage programs and controls for Azure AD access reviews
Create an access review for members of a group or access to an application
Create an access review of users in an Azure AD administrative role
Create an access review of group members or
application access with Azure AD
12/11/2017 • 2 min to read • Edit Online
Access assignments become "stale" when users have access they don't need any more. To reduce the risk
associated with stale access assignments, administrators can use Azure Active Directory (Azure AD) to create an
access review for group members or users assigned to an application. For more information on these scenarios,
see Manage user access and Manage guest access.
Next steps
When an access review has started, Azure AD automatically sends reviewers an email that prompts them to
review access. If a user didn't get an email, you can send them the instructions for how to review access.
After the access review period is over or the administrator stops the access review, follow the steps in Complete
an access review to see and apply the results.
Review access with Azure AD access reviews
12/11/2017 • 1 min to read • Edit Online
Azure Active Directory (Azure AD) simplifies how enterprises manage access to applications and members of
groups in Azure AD and other Microsoft Online Services with a feature called access reviews. Perhaps you
received an email from Microsoft that asks you to review access for members of a group or users with access to
an application.
Next steps
A user's denied access isn't removed immediately. It can be removed when the review is finished or when an
administrator stops the review. If you want to change your answer and approve a previously denied user or deny
a previously approved user, select the row, reset the response, and select a new response. You can do this step
until the access review is finished.
Review your access
12/11/2017 • 1 min to read • Edit Online
Azure Active Directory (Azure AD) simplifies how enterprises manage access to applications and members of
groups in Azure AD and other Microsoft Online Services with a feature called access reviews. Perhaps you received
an email from Microsoft that asks you to review access for members of a group or users with access to an
application.
Next steps
Denied access isn't removed immediately. If you want to change your answer and approve, reset the response and
select a new response. You can do this step until the access review is finished.
Manage guest access with Azure AD access reviews
12/11/2017 • 6 min to read • Edit Online
With Azure Active Directory (Azure AD), you can easily enable collaboration across organizational boundaries by
using the Azure AD B2B feature. Guest users from other tenants can be invited by administrators or by other users.
This capability also applies to social identities such as Microsoft accounts.
You also can easily ensure that guest users have appropriate access. You can ask the guests themselves or a
decision maker to participate in an access review and recertify (or attest) to the guests' access. The reviewers can
give their input on each user's need for continued access, based on suggestions from Azure AD. When an access
review is finished, you can then make changes and remove access for guests who no longer need it.
NOTE
This document focuses on reviewing guest users' access. If you want to review all users' access, not just guests, see Manage
user access with access reviews. If you want to review users' membership in administrative roles, such as global
administrator, see Start an access review in Azure AD Privileged Identity Management.
Prerequisites
Access reviews are available with the Premium P2 edition of Azure AD, which is included in Microsoft Enterprise
Mobility + Security, E5. For more information, see Azure Active Directory editions. Each user who interacts with
this feature to create a review, access a review, or apply a review requires a license.
If you plan to ask guest users to review their own access, read about guest user licensing. For more information,
see Azure AD B2B collaboration licensing.
NOTE
Earlier versions of the Azure portal didn't permit administrative access by users with the UserType of Guest. In some cases,
an administrator in your directory might have changed a guest's UserType value to Member by using PowerShell. If this
change previously occurred in your directory, the previous query might not include all guest users who historically had
administrative access rights. In this case, you need to either change the guest's UserType or manually include the guest in
the group membership.
1. Create a security group in Azure AD with the guests as members, if a suitable group doesn't already exist.
For example, you can create a group with a manually maintained membership of guests. Or, you can create
a dynamic group with a name such as "Guests of Contoso" for users in the Contoso tenant who have the
UserType attribute value of Guest.
2. To start an access review for that group, select the reviewers to be the members themselves. For more
information, see Create an access review.
3. Ask each guest to review their own membership. By default, each guest who accepted an invitation receives
an email from Azure AD with a link to the access review in your organization's access panel. Azure AD has
instructions for guests on how to review their access.
4. After the reviewers give input, stop the access review. For more information, see Complete an access
review.
5. Remove guest access for guests who were denied, didn't complete the review, or didn't previously accept
their invitation. If some of the guests are contacts who were selected to participate in the review because
they didn't previously accept an invitation, you can disable their accounts by using the Azure portal or
PowerShell. If the guest no longer needs access and isn't a contact, you can remove their user object from
your directory by using the Azure portal or PowerShell.
Next steps
Create an access review for members of a group or access to an application
Manage user access with Azure AD access reviews
12/11/2017 • 1 min to read • Edit Online
With Azure Active Directory (Azure AD), you can easily ensure that users have appropriate access. You can ask the
users themselves or a decision maker to participate in an access review and recertify (or attest) to users' access.
The reviewers can give their input on each user's need for continued access based on suggestions from Azure AD.
When an access review is finished, you can then make changes and remove access from users who no longer need
it.
NOTE
If you want to review only guest users' access and not review all types of users' access, see Manage guest user access with
access reviews. If you want to review users' membership in administrative roles such as global administrator, see Start an
access review in Azure AD Privileged Identity Management.
Prerequisites
Access reviews are available with the Premium P2 edition of Azure AD, which is included in Microsoft Enterprise
Mobility + Security, E5. For more information, see Azure Active Directory editions. Each user who interacts with
this feature to create a review, access a review, or apply a review requires a license.
Next steps
Create an access review for members of a group or access to an application
Manage programs and their controls
12/11/2017 • 1 min to read • Edit Online
Azure Active Directory (Azure AD) includes access reviews of group members and application access. These
examples of controls ensure oversight for who has access to your organization's group memberships and
applications. Organizations can use these controls to efficiently address their governance, risk management, and
compliance requirements.
Next steps
Create an access review for members of a group or access to an application
Conditional access in Azure Active Directory
12/22/2017 • 9 min to read • Edit Online
In a mobile-first, cloud-first world, Azure Active Directory enables single sign-on to devices, apps, and
services from anywhere. With the proliferation of devices (including BYOD), work off corporate networks, and
3rd party SaaS apps, IT professionals are faced with two opposing goals:
Empower the end users to be productive wherever and whenever
Protect the corporate assets at any time
To improve productivity, Azure Active Directory provides your users with a broad range of options to access
your corporate assets. With application access management, Azure Active Directory enables you to ensure
that only the right people can access your applications. What if you want to have more control over how the
right people are accessing your resources under certain conditions? What if you even have conditions under
which you want to block access to certain apps even for the right people? For example, it might be OK for you
if the right people are accessing certain apps from a trusted network; however, you might not want them to
access these apps from a network you don't trust. You can address these questions using conditional access.
Conditional access is a capability of Azure Active Directory that enables you to enforce controls on the access
to apps in your environment based on specific conditions. With controls, you can either tie additional
requirements to the access or you can block it. The implementation of conditional access is based on policies.
A policy-based approach simplifies your configuration experience because it follows the way you think about
your access requirements.
Typically, you define your access requirements using statements that are based on the following pattern:
When you replace the two occurrences of “this” with real-world information, you have an example for a
policy statement that probably looks familiar to you:
When contractors are trying to access our cloud apps from networks that are not trusted, then block access.
The policy statement above highlights the power of conditional access. While you can enable contractors to
basically access your cloud apps (who), with conditional access, you can also define conditions under which
the access is possible (how).
In the context of Azure Active Directory conditional access,
"When this happens" is called condition statement
"Then do this" is called controls
The combination of a condition statement with your controls represents a conditional access policy.
Controls
In a conditional access policy, controls define what it is that should happen when a condition statement has
been satisfied.
With controls, you can either block access or allow access with additional requirements. When you configure
a policy that allows access, you need to select at least one requirement.
There are two types of controls:
Grant controls - Grant controls govern whether or not a user can complete authentication and reach
the resource that they’re attempting to sign-in to. If you have multiple controls selected, you can
configure whether all of them are required when your policy is processed. The current implementation
of Azure Active Directory enables you to configure the following grant control requirements:
Session controls - Session controls enable limiting experience within a cloud app. The session
controls are enforced by cloud apps and rely on additional information provided by Azure AD to the
app about the session.
For more information, see controls in Azure Active Directory Conditional Access.
Condition Statement
The previous section has introduced you to supported options to block or restrict access to your resources in
form of controls. In a conditional access policy, you define the criteria that need to be met for your controls to
be applied in form of a condition statement.
You can include the following assignments into your condition statement:
Who?
When you configure a conditional access policy, you need to select the users or groups your policy applies to.
In many cases, you want your controls to be applied to a specific set of users. In a condition statement, you
can define this set by selecting the required users and groups your policy applies to. If necessary, you can
also explicitly exclude a set of users from your policy by exempting them.
What?
When you configure a conditional access policy, you need to select the cloud apps your policy applies to.
Typically, there are certain apps in your environment requiring, from a protection perspective, more attention
than others. This affects, for example, apps that have access to sensitive data. By selecting cloud apps, you
define the scope of cloud apps your policy applies to. If necessary, you can also explicitly exclude a set of apps
from your policy.
For a complete list of the cloud apps you can use in your conditional access policy, see the Azure Active
Directory Conditional Access technical reference.
How?
As long as access to your apps is performed under conditions you can control, there might be no need for
imposing additional controls on how your cloud apps are accessed by your users. However, things might
look different if access to your cloud apps is performed, for example, from networks that are not trusted or
devices that are not compliant. In a condition statement, you can define certain access conditions that have
additional requirements for how access to your apps is performed.
Conditions
In the current implementation of Azure Active Directory, you can define conditions for the following areas:
Sign-in risk
Device platforms
Locations
Client apps
Sign-in risk
A sign-in risk is an object that is used by Azure Active Directory to track the likelihood that a sign-in attempt
was not performed by the legitimate owner of a user account. In this object, the likelihood (High, Medium, or
Low) is stored in form of an attribute called sign-in risk level. This object is generated during a sign-in of a
user if sign-in risks have been detected by Azure Active Directory. For more information, see Risky sign-ins.
You can use the calculated sign-in risk level as condition in a conditional access policy.
Device platforms
The device platform is characterized by the operating system that is running on your device: You can define
the device platforms that are included as well as device platforms that are exempted from a policy.
To use device platforms in the policy, first change the configure toggles to Yes, and then select all or
individual device platforms the policy applies to. If you select individual device platforms, the policy has only
an impact on these platforms. In this case, sign-ins to other supported platforms are not impacted by the
policy.
For a complete list of the supported device platforms, see device platform condition.
Locations
With locations, you have the option to define conditions that are based on where a connection attempt was
initiated from. The entries in the locations list are either named locations or MFA trusted IPs.
Named locations is a feature of Azure Active Directory that allows you to define labels for the locations
connection attempts were made from. To define a location, you can either configure an IP address ranges or
you select a country / region.
Additionally, you can mark a named location as trusted location. For a conditional access policy, the trusted
location is another filter option that enables you to select All trusted locations in your locations condition.
Named locations are also important in the context of the detection of risk events to reduce the number of
false-positives for the impossible travel to atypical locations risk event.
The number of named locations you can configure is constrained by the size of the related object in Azure
AD. You can configure:
One named location with up to 500 IP ranges
A maximum of 60 named locations (preview) with one IP range assigned to each of them
For more information, see named locations in Azure Active Directory.
MFA trusted IPs is a feature of multi-factor authentication that enables you to define trusted IP address
ranges representing your organization's local intranet. When you configure a location condition, Trusted IPs
enables you to distinguish between connections made from your organization's network and all other
locations. For more information, see trusted IPs.
In your conditional access policy, you can:
Include
Any location
All trusted locations
Selected locations
Exclude
All trusted locations
Selected locations
Client apps
The client app can be either on a generic level the app (web browser, mobile app, desktop client) you have
used to connect to Azure Active Directory or you can specifically select Exchange Active Sync.
Legacy authentication refers to clients using basic authentication such as older Office clients that don’t use
modern authentication. Conditional access is currently not supported with legacy authentication.
For a complete list of the client apps you can use in your conditional access policy, see the Azure Active
Directory Conditional Access technical reference.
Common scenarios
Requiring multi-factor authentication for apps
Many environments have apps requiring a higher level of protection than the others. This is, for example, the
case for apps that have access to sensitive data. If you want to add another layer of protection to these apps,
you can configure a conditional access policy that requires multi-factor authentication when users are
accessing these apps.
Requiring multi-factor authentication for access from networks that are not trusted
This scenario is similar to the previous scenario because it adds a requirement for multi-factor authentication.
However, the main difference is the condition for this requirement.
While the focus of the previous scenario was on apps with access to sensitive data, the focus of this scenario
is on trusted locations.
In other words, you might have a requirement for multi-factor authentication if an app is accessed by a user
from a network you don't trust.
Only trusted devices can access Office 365 services
If you are using Intune in your environment, you can immediately start using the conditional access policy
interface in the Azure console.
Many Intune customers are using conditional access to ensure that only trusted devices can access Office 365
services. This means that mobile devices are enrolled with Intune and meet compliance policy requirements,
and that Windows PCs are joined to an on-premises domain. A key improvement is that you do not have to
set the same policy for each of the Office 365 services. When you create a new policy, configure the Cloud
apps to include each of the O365 apps that you wish to protect with Conditional Access.
Switching a device from corporate -owned to Bring Your Own Device (BYOD)
If you want to block enrolled devices by changing the device ownership from corporate to personal, you can
accomplish this using Azure Active Directory (AAD) conditional access. You must first create a conditional
access policy where Block access is selected from the access controls Grant blade. Next, create a Dynamic
Device group by setting the deviceOwnership property to Personal. Then, target the above policy to the
new group.
Next steps
If you want to know how to configure a conditional access policy, see Get started with conditional
access in Azure Active Directory.
If you are ready to configure conditional access policies for your environment, see the best practices
for conditional access in Azure Active Directory.
Controls in Azure Active Directory conditional access
12/11/2017 • 5 min to read • Edit Online
With Azure Active Directory (Azure AD) conditional access, you can control how authorized users access your cloud
apps. In a conditional access policy, you define the response ("do this") to a specific condition ("when this
happens"). In the context of conditional access,
"When this happens" is called condition statement
"Then do this" is called controls
The combination of a condition statement with your controls represents a conditional access policy.
Each control is either a requirement that must be fulfilled by the person or system signing in, or a restriction on
what the user can do after signing in.
There are two types of controls:
Grant controls - To gate access
Session controls - To restrict access within a session
This topic explains the various controls that are available in Azure AD conditional access.
Grant controls
With grant controls, you can either block access altogether or allow access with additional requirements by
selecting the desired controls. For multiple controls, you can require:
All selected controls to be fulfilled (AND)
One selected control to be fulfilled (OR)
Multi-factor authentication
You can use this control to require multi-factor authentication to access the specified cloud app. This control
supports the following multi-factor providers:
Azure Multi-Factor Authentication
An on-premises multi-factor authentication provider, combined with Active Directory Federation Services
(AD FS).
Using multi-factor authentication helps protect resources from being accessed by an unauthorized user who might
have gained access to the primary credentials of a valid user.
Compliant device
You can configure conditional access policies that are device-based. The objective of a device-based conditional
access policy is to grant access to the configured resources only from trusted devices. Requiring a compliant device
is one option you have to define what a trusted device is. For more information, see set up Azure Active Directory
device-based conditional access policies.
Domain-joined device
Requiring a domain-joined device is another option you have to configure device-based conditional access policies.
This requirement refers to Windows desktops, laptops, and enterprise tablets that are joined to an on-premises
Active Directory. For more information, see set up Azure Active Directory device-based conditional access policies.
Approved client app
Because your employees use mobile devices for both personal and work tasks, you might want to have the ability
to protect company data accessed using devices even in the case where they are not managed by you. You can use
Intune app protection policies to help protect your company’s data independent of any mobile-device management
(MDM) solution.
With approved client apps, you can require a client app that attempts to access your cloud apps to support Intune
app protection policies. For example, you can restrict access to Exchange Online to the Outlook app. A conditional
access policy that requires approved client apps is also known as app-based conditional access policy. For a list of
supported approved client apps, see approved client app requirement.
Terms of Use
You can require a user in your tenant to consent to the terms of use before being granted access to a resource. As
an administrator, you can configure and customize terms of use by uploading a PDF document. If a user falls in
scope of this control access to an application is only granted if the terms of use have been agreed.
Custom controls
You can create custom controls in Conditional Access that redirect your users to a compatible service to satisfy
further requirements outside of Azure Active Directory. This allows you to use certain external multi-factor
authentication and verification providers to enforce Conditional Access rules, or to build your own custom service.
To satisfy this control, a user’s browser is redirected to the external service, performs any required authentication
or validation activities, and is then redirected back to Azure Active Directory. If the user was successfully
authenticated or validated, the user continues in the Conditional Access flow.
Custom controls
Custom controls are a capability of the Azure Active Directory Premium P2 edition. When using custom controls,
your users are redirected to a compatible service to satisfy further requirements outside of Azure Active Directory.
To satisfy this control, a user’s browser is redirected to the external service, performs any required authentication
or validation activities, and is then redirected back to Azure Active Directory. Azure Active Directory verifies the
response and, if the user was successfully authenticated or validated, the user continues in the conditional access
flow.
These controls allow the use of certain external or custom services as conditional access controls, and generally
extend the capabilities of Conditional Access.
Providers currently offering a compatible service include:
Duo Security
RSA
Trusona
For more information on those services, contact the providers directly.
Creating custom controls
To create a custom control, you should first contact the provider that you wish to utilize. Each non-Microsoft
provider has its own process and requirements to sign up, subscribe, or otherwise become a part of the service,
and to indicate that you wish to integrate with conditional access. At that point, the provider will provide you with a
block of data in JSON format. This data allows the provider and conditional access to work together for your
tenant, creates the new control and defines how conditional access can tell if your users have successfully
performed verification with the provider.
Copy the JSON data and then paste it into the related textbox. Do not make any changes to the JSON unless you
explicitly understand the change you’re making. Making any change could break the connection between the
provider and Microsoft and potentially lock you and your users out of your accounts.
The option to create a custom control is in the Manage section of the Conditional access page.
Clicking New custom control, opens a blade with a textbox for the JSON data of your control.
Session controls
Session controls enable limited experience within a cloud app. The session controls are enforced by cloud apps and
rely on additional information provided by Azure AD to the app about the session.
Use app enforced restrictions
You can use this control to require Azure AD to pass the device information to the cloud app. This helps the cloud
app know if the user is coming from a compliant device or domain joined device. This control is currently only
supported with SharePoint as the cloud app. SharePoint uses the device information to provide users a limited or
full experience depending on the device state. To learn more about how to require limited access with SharePoint,
see control access from unmanaged devices.
Next steps
If you want to know how to configure a conditional access policy, see get started with conditional access in
Azure Active Directory.
If you are ready to configure conditional access policies for your environment, see the best practices for
conditional access in Azure Active Directory.
Location conditions in Azure Active Directory
conditional access
1/11/2018 • 6 min to read • Edit Online
With Azure Active Directory (Azure AD) conditional access, you can control how authorized users can access your
cloud apps. The location condition of a conditional access policy enables you to tie access controls settings to the
network locations of your users.
This article provides you with the information you need to configure the location condition.
Locations
Azure AD enables single sign on to devices, apps, and services from anywhere on the public internet. With the
location condition, you can control access to your cloud apps based on the network location of a user. Common use
cases for the location condition are:
Requiring multi-factor authentication for users accessing a service when they are off the corporate network
Blocking access for users accessing a service from specific countries or regions.
A location is a label for a network location that either represents a named location or multi-factor authentication
trusted IPs.
Named locations
With named locations, you can create logical groupings of IP address ranges, countries and regions.
A name location has the following components:
Trusted IPs
You can also configure IP address ranges representing your organization's local intranet in the multi-factor
authentication service settings. This feature enables you to configure up to 50 IP address ranges. The IP address
ranges are in CIDR format. For more information, see trusted IPs.
If you have trusted IPs configured, they show up as MFA Trusted IPS in the list of locations for the location
condition.
Skipping multi-factor authentication
On the multi-factor authentication service settings page, you can identify corporate intranet users by selecting Skip
multi-factor authentication for requests from federated users on my intranet. This setting indicates that the
inside corporate network claim, which is issued by AD FS, should be trusted and used to identify the user as being
on the corporate network. For more information, see Enable the Trusted IPs feature by using conditional access.
After checking this option, including the named location MFA Trusted IPS will apply to any policies with this
selected.
For mobile and desktop applications, which have long lived session lifetimes, conditional access is periodically re-
evaluated. The default is once an hour. When the inside corporate network claim is and only issued at the time of
the initial authentication, Azure AD may not have a list of trusted IP ranges. In this case, it is more difficult to
determine if the user is still on the corporate network:
1. Check if the user’s IP address is in one of the trusted IP ranges.
2. Check whether the first three octets of the user’s IP address match the first 3 octets of the IP address of the
initial authentication. The IP address is compared with the initial authentication because this is when the
inside corporate network claim was originally issued and the user location was validated.
If both steps fail, a user is considered to be no longer on a trusted IP.
Next steps
If you want to know how to configure a conditional access policy, see Get started with conditional access in
Azure Active Directory.
If you are ready to configure conditional access policies for your environment, see the best practices for
conditional access in Azure Active Directory.
Get started with conditional access in Azure Active
Directory
1/16/2018 • 2 min to read • Edit Online
Conditional access is a capability of Azure Active Directory that enables you to define conditions under which
authorized users can access your apps.
This topic provides you with instructions for testing a conditional access based on a location condition in your
environment.
Scenario description
One common requirement in many organizations is to only require multi-factor authentication for access to
apps that is not performed from the corporate intranet. With Azure Active Directory, you can easily accomplish
this goal by configuring a location-based conditional access policy. This topic provides you with detailed
instructions for configuring a related policy. The policy leverages Trusted IPs to distinguish between access
attempts made from the corporate's intranet and all other locations.
Prerequisites
The scenario outlined in this topic assumes that you are familiar with the concepts outlined in Azure Active
Directory conditional access.
To test this scenario, you need to:
Create a test user
Assign an Azure AD Premium license to the test user
Configure a managed app and assign your test user to it
Configure trusted IPs
If you need more details about Trusted IPs, see Trusted IPs.
3. On the Conditional Access blade, to open the New blade, in the toolbar on the top, click Add.
4. On the New blade, in the Name textbox, type a name for your policy.
5. In the Assignment section, click Users and groups.
10. On the Conditions blade, to open the Locations blade, click Locations.
d. Click Done.
12. On the Conditions blade, click Done.
13. On the New blade, to open the Grant blade, in the Controls section, click Grant.
Next steps
If you would like to learn more about conditional access, see Azure Active Directory conditional access.
Best practices for conditional access in Azure Active
Directory
12/12/2017 • 3 min to read • Edit Online
This topic provides you with information about things you should know and what it is you should avoid doing
when configuring conditional access policies. Before reading this topic, you should familiarize yourself with the
concepts and the terminology outlined in Conditional access in Azure Active Directory
Cloud apps You need to select one or more apps. The goal of a conditional access policy
is to enable you to fine-tune how
authorized users can access your apps.
Users and groups You need to select at least one user or A conditional access policy that has no
group that is authorized to access the users and groups assigned, is never
cloud apps you have selected. triggered.
Access controls You need to select at least one access Your policy processor needs to know
control. what to do if your conditions are
satisfied.
In addition to these basic requirements, in many cases, you should also configure a condition. While a policy
would also work without a configured condition, conditions are the driving factor for fine-tuning access to your
apps.
How are assignments evaluated?
All assignments are logically ANDed. If you have more than one assignment configured, to trigger a policy, all
assignments must be satisfied.
If you need to configure a location condition that applies to all connections made from outside your
organization's network, you can accomplish this by:
Including All locations
Excluding All trusted IPs
What happens if you have policies in the Azure classic portal and Azure portal configured?
Both policies are enforced by Azure Active Directory and the user gets access only when all requirements are met.
What happens if you have policies in the Intune Silverlight portal and the Azure Portal?
Both policies are enforced by Azure Active Directory and the user gets access only when all requirements are met.
What happens if I have multiple policies for the same user configured?
For every sign-in, Azure Active Directory evaluates all policies and ensures that all requirements are met before
granted access to the user.
Does conditional access work with Exchange ActiveSync?
Yes, you can use Exchange ActiveSync in a conditional access policy.
Policy migration
You should consider migrating the policies you have not created in the Azure portal because:
You can now address scenarios you could not handle before.
You can reduce the number of policies you have to manage by consolidating them.
You can manage all your conditional access policies in one central location.
The Azure classic portal will be retired.
For more information, see Migrate classic policies in the Azure portal.
Next steps
If you want to know how to configure a conditional access policy, see Get started with conditional access in Azure
Active Directory.
Active Directory conditional access device policies for
Office 365 services
12/11/2017 • 3 min to read • Edit Online
Conditional access requires multiple pieces to work. It involves a multi-factor authenticated user, an authenticated
device, and a compliant device, among other factors. In this article, we primarily focus on device-based conditions
that your organization can use to help you control access to Office 365 services.
Corporate users want to access Office 365 services like Exchange and SharePoint Online at work or school from
their personal devices. You want the access to be secure. You can provision conditional access device policies to
help make corporate resources more secure, while granting access to services for users who are using compliant
devices. You can set conditional access policies to Office 365 in the Microsoft Intune conditional access portal.
Azure Active Directory (Azure AD) enforces conditional access policies to help secure access to Office 365 services.
You can create a conditional access policy that blocks a user who is using a noncompliant device from accessing an
Office 365 service. The user must conform to the company’s device policies before access to the service is granted.
Alternately, you can create a policy that requires users to enroll their devices to gain access to an Office 365 service.
Policies can be applied to all users in an organization, or limited to a few target groups. You can add more target
groups to a policy over time.
A prerequisite for enforcing device policies is that users must register their devices with the Azure AD device
registration service. You can opt to turn on multi-factor authentication for devices that register with the Azure AD
device registration service. Multi-factor authentication is recommended for the Azure Active Directory device
registration service. When multi-factor authentication is turned on, users who register their devices with the Azure
AD device registration service are challenged for second-factor authentication.
Deployment considerations
You must use the Azure AD device registration service to register devices.
When on-premises users are about to be authenticated, Active Directory Federation Services (AD FS) (version 1.0
and later versions) is required. Multi-factor authentication for Workplace Join fails when the identity provider is not
capable of multi-factor authentication. For example, you can't use multi-factor authentication with AD FS 2.0.
Ensure that the on-premises AD FS works with multi-factor authentication, and that a valid multi-factor
authentication method is in place before you turn on multi-factor authentication for the Azure AD device
registration service. For example, AD FS on Windows Server 2012 R2 has multi-factor authentication capabilities.
You also must set an additional valid authentication (multi-factor authentication) method on the AD FS server
before you turn on multi-factor authentication for the Azure AD device registration service. For more information
about supported multi-factor authentication methods in AD FS, see Configure additional authentication methods
for AD FS.
Next steps
For answers to common questions, see Azure Active Directory conditional access FAQs.
Migrate classic policies in the Azure portal
12/12/2017 • 4 min to read • Edit Online
Conditional access is a capability of Azure Active directory (Azure AD) that enables you to control how authorized
users access your cloud apps. While the purpose is still the same, the release of the new Azure portal has
introduced significant improvements to how conditional access works.
You should consider migrating the policies you have not created in the Azure portal because:
You can now address scenarios you could not handle before.
You can reduce the number of policies you have to manage by consolidating them.
You can manage all your conditional access policies in one central location.
The Azure classic portal will be retired.
This article explains what you need to know to migrate your existing conditional access policies to the new
framework.
Classic policies
In the Azure portal, the Conditional access - Policies page is your entry point to your conditional access polices.
However, in your environment, you might also have conditional access policies you have not created using this
page. These policies are known as classic policies. Classic policies are conditional access policies, you have created
in:
The Azure classic portal
The Intune classic portal
The Intune App Protection portal
On the Conditional access page, you can access your classic policies by clicking Classic policies (preview) in
the Manage section.
If you have disabled a classic policy, you can't revert this step anymore. This is why you can modify the group
membership in a classic policy using the Details view.
By either changing the selected groups or by excluding specific groups, you can test the effect of a disabled classic
policy for a few test users before disabling the policy for all included users and groups.
Migration considerations
In this article, Azure AD conditional access policies are also referred to as new policies. Your classic policies
continue to work side by side with your new policies until you disable or delete them.
The following aspects are important in the context of a policy consolidation:
While classic policies are tied to a specific cloud app, you can select as many cloud apps as you need to in a
new policy.
Controls of a classic policy and a new policy for a cloud app require all controls (AND) to be fulfilled.
In a new policy, you can:
Combine multiple conditions if required by your scenario.
Select several grant requirements as access control and combine them with a logical OR (require one
of the selected controls) or with a logical AND (require all of the selected controls).
A consolidation into one new policy is also not possible if your classic policies contain several conditions. A new
policy that has Exchange Active Sync as client apps condition configured does not support other conditions:
If you have a new policy that has Exchange Active Sync as client apps condition configured, you need to make
sure that all other conditions are not configured.
App-based classic policies for Office 365 Exchange Online that include Exchange Active Sync as client apps
condition allow supported and unsupported device platforms. While you can't configure individual device
platforms in a related new policy, you can limit the support to supported device platforms only.
You can consolidate multiple classic policies that include Exchange Active Sync as client apps condition if they
have:
Only Exchange Active Sync as condition
Several requirements for granting access configured
One common scenario is the consolidation of:
A device-based classic policy from the Azure classic portal
An app-based classic policy in the Intune app protection portal
In this case, you can consolidate your classic policies into one new policy that has both requirements selected.
Device platforms
Classic policies with app-based controls are pre-configured with iOS and Android as the device platform condition.
In a new policy, you need to select the device platforms you want to support individually.
Next steps
If you want to know how to configure a conditional access policy, see Get started with conditional access in
Azure Active Directory.
If you are ready to configure conditional access policies for your environment, see the best practices for
conditional access in Azure Active Directory.
Azure Active Directory conditional access what if tool
- preview
1/17/2018 • 3 min to read • Edit Online
Conditional access is a capability of Azure Active Directory (Azure AD) that enables you to control how authorized
users access your cloud apps. How do you know what to expect form the conditional access policies in your
environment? To answer this question, you can use the conditional access what if tool.
This article explains how you can use this tool to test your conditional access policies.
What it is
The conditional access what if policy tool allows you to understand the impact of your conditional access
policies on your environment. Instead of test driving your policies by performing multiple sign-ins manually, this
tool enables you to evaluate a simulated sign-in of a user. The simulation estimates the impact this sign-in has on
your policies and generates a simulation report. The report does not only list the applied conditional access policies
but also classic policies if they exist.
The what if tools also provides a way to quickly determine the policies that apply to a specific user. You can use the
information, for example, if you need to troubleshoot an issue.
How it works
In the conditional access what if tool, you first need to configure the settings of the sign-in scenario you want to
simulate. These settings include:
The user you want to test
The cloud apps the user would attempt to access
The conditions under which access to the configures cloud apps is performed
As a next step, you can initiate a simulation run that evaluates your settings. Only policies that are enabled are part
of an evaluation run.
When the evaluation has finished, the tool generates a report of the affected policies.
Settings
This section provides you with information about the settings of simulation run.
User
You can only select one user. This is the only required field.
Cloud apps
The default for this setting is All cloud apps. The default setting performs an evaluation of all available policies in
your environment. You can narrow down the scope to policies affecting specific cloud apps.
IP address
The IP address is a single IPv4 address to mimic the location condition. The address represents Internet facing
address of the device used by your user to sign in. You can verify the IP address of a device by, for example,
navigating to What is my IP address.
Device platforms
This setting mimics the device platforms condition and represents the equivalent of All platforms (including
unsupported).
Client apps
This setting mimics the client apps condition. By default, this setting causes an evaluation of all policies having
Browser or Mobile apps and desktop clients either individually or both selected. It also detects policies that
enforce Exchange ActiveSync (EAS). You can narrow this setting down by selecting:
Browser to evaluate all policies having at least Browser selected.
Mobile apps and desktop clients to evaluate all policies having at least Mobile apps and desktop
clients selected.
Sign-in risk
This setting mimics the sign-in risk condition.
Evaluation
You start an evaluation by clicking What if. The evaluation result provides you with a report that consists of:
Next steps
If you want to know how to configure a conditional access policy, see get started with conditional access in
Azure Active Directory.
If you are ready to configure conditional access policies for your environment, see the best practices for
conditional access in Azure Active Directory.
if you want to migrate classic policies, see Migrate classic policies in the Azure portal
Migrate a classic policy that requires multi-factor
authentication in the Azure portal
12/12/2017 • 2 min to read • Edit Online
This article shows how to migrate a classic policy that requires multi-factor authentication for a cloud app.
Although it is not a prerequisite, we recommend that you read Migrate classic policies in the Azure portal before
you start migrating your classic policies.
Overview
The scenario in this article shows how to migrate a classic policy that requires multi-factor authentication for a
cloud app.
2. On the Azure Active Directory page, in the Manage section, click Conditional access.
3. On the Conditional Access page, to open the New page, in the toolbar on the top, click Add.
4. On the New page, in the Name textbox, type a name for your policy.
a. If you have all users selected in your classic policy, click All users.
b. If you have groups selected in your classic policy, click Select users and groups, and then select the
required users and groups.
c. If you have the excluded groups, click the Exclude tab, and then select the required users and groups.
6. On the New page, to open the Cloud apps page, in the Assignment section, click Cloud apps.
b. On the Grant page, click Grant access, and then click Require multi-factor authentication.
c. Click Select.
9. Click On to enable your policy.
With Azure Active Directory (Azure AD) conditional access, you can fine-tune how authorized users can access
your resources. For example, you limit the access to certain resources to trusted devices. A conditional access
policy that requires a trusted device is also known as device-based conditional access policy.
This topic provides you with information on how to configure device-based conditional access policies for Azure
AD-connected applications.
Trusted devices
In a mobile-first, cloud-first world, Azure Active Directory enables single sign-on to devices, apps, and services
from anywhere. For certain resources in your environment, granting access to the right users might not be good
enough. In addition to the right users, you might also require a trusted device to be used to access a resource. In
your environment, you can define what a trusted device is based on the following components:
The device platforms on a device
Whether a device is compliant
Whether a device is domain-joined
The device platforms is characterized by the operating system that is running on your device. In your device-based
conditional access policy, you can limit access to certain resources to specific device platforms.
In a device-based conditional access policy, you can require trusted devices to be marked as compliant.
If you have an on-premises Active Directory (AD) footprint, you might consider devices that are not connected to
Azure AD but joined to your AD to be trusted.
Next steps
Before configuring a device-based conditional access policy in your environment, you should take a look at the
best practices for conditional access in Azure Active Directory.
Azure Active Directory app-based conditional access
1/11/2018 • 8 min to read • Edit Online
Your employees use mobile devices for both personal and work tasks. While making sure your employees can be
productive, you also want to prevent data loss. With Azure Active Directory (Azure AD) app-based conditional
access, you can restrict access to your cloud apps to client apps that can protect your corporate data.
This topic explains how to configure Azure AD app-based conditional access.
Overview
With Azure AD conditional access, you can fine-tune how authorized users can access your resources. For
example, you can limit the access to your cloud apps to trusted devices.
You can use Intune app protection policies to help protect your company’s data. Intune app protection policies
don't require mobile-device management (MDM) solution, which enables you to protect your company’s data
with or without enrolling devices in a device management solution.
Azure Active Directory app-based conditional access enables you limit access to your cloud apps to client apps
that support Intune app protection policies. For example, you can restrict access to Exchange Online to the Outlook
app.
In the conditional access terminology, these client apps are known as approved client apps.
For a list of approved client apps, see approved client app requirement.
You can combine app-based conditional access policies with other policies such as device-based conditional
access policies to provide flexibility in how to protect data for both personal and corporate devices.
4. Conditions: As Conditions, you need to configure Device platforms and Client apps:
a. As Device platforms, select Android and iOS.
b. As Client apps, select Mobile apps and desktop apps.
5. As Access controls, you need to have Require approved client app (preview) selected.
Step 2 - Configure an Azure AD conditional access policy for Exchange Online with Active Sync (EAS)
For the conditional access policy in this step, you need to configure the following components:
1. The Name of your conditional access policy.
2. Users and groups: Each conditional access policy must have at least one user or group selected.
3. Cloud apps: As cloud apps, you need to select Office 365 Exchange Online.
Step 3 - Configure Intune app protection policy for iOS and Android client applications
See Protect apps and data with Microsoft Intune for more information.
5. As Access controls, you need to have Require approved client app (preview) selected.
Step 2 - Configure an Azure AD conditional access policy for Exchange Online with Active Sync (EAS)
For the conditional access policy in this step, you need to configure the following components:
b. As Access controls, you need to have Require approved client app (preview) selected.
Step 3 - Configure Intune app protection policy for iOS and Android client applications
See Protect apps and data with Microsoft Intune for more information.
4. Conditions: As Conditions, you need to configure Device platforms and Client apps.
a. As Device platforms, select Android and iOS.
b. As Client apps, select Mobile apps and desktop apps.
5. As Access controls, you need to have Require approved client app (preview) selected.
Step 3 - Configure Intune app protection policy for iOS and Android client applications
See Protect apps and data with Microsoft Intune for more information.
4. Conditions: As Conditions, you need to configure Device platforms and Client apps.
a. As Device platforms, select Android and iOS.
See Protect apps and data with Microsoft Intune for more information.
Next steps
If you want to know how to configure a conditional access policy, see Get started with conditional access in Azure
Active Directory.
If you are ready to configure conditional access policies for your environment, see the best practices for
conditional access in Azure Active Directory.
Azure Active Directory Terms of Use feature (Preview)
12/15/2017 • 5 min to read • Edit Online
Azure AD Terms of Use provides a simple method organizations can use to present information to end users. This
ensures users see relevant disclaimers for legal or compliance requirements.
Azure AD Terms of Use uses the pdf format to present content. This pdf can be any content, such as existing
contract documents, allowing you to collect end user agreements during user sign-in. You can use the terms of use
for applications, groups of users, or if you have multiple terms of use for different purposes.
The remainder of this document describes how to get going with Azure AD Terms of Use.
Prerequisites
Use the following steps to configure Azure AD Terms of Use:
1. Sign in to Azure AD using a global administrator, security administrator, or a conditional access administrator
for the directory you want to configure Azure AD Terms of Use.
2. Ensure that the directory has an Azure AD Premium P1, P2, EMS E3, or EMS E5 subscription. If you do not Get
Azure AD Premium or start a trial.
3. View the Azure AD Terms of User dashboard at https://aka.ms/catou.
IMPORTANT
Conditional access policy controls (including terms of use) do not support enforcement on service accounts. We recommend
excluding all service accounts from the conditional access policy.
3. On the Azure AD audit logs screen, you can filter the information using the provided drops downs to target
specific audit log information.
4. You can also download the information in a .csv file for use locally.
4. From there you can review the terms of use you have accepted.
Additional information
The following information is something to be aware of and can assist with using terms of use.
Users in scope will need to sign-out and sign-in in order to satisfy a new policy if:
a conditional access policy is enabled on a terms of use
or a second terms of use is created
This is because conditional access policies take effect immediately. When this happens the admin will start to see
“sad clouds” or "Azure AD token issues". The admin must sign-out and sign-in again in order to satisfy the new
policy.
With Azure Active Directory (Azure AD) conditional access, you can fine-tune how authorized users access your
resources. With Azure AD conditional access for virtual private network (VPN) connectivity, you can help protect
your VPN connections.
To configure conditional access for VPN connectivity, you need to complete the following steps:
1. Configure your VPN server.
2. Configure your VPN client.
3. Configure your conditional access policy.
Prerequisites
To configure Azure Active Directory conditional access for VPN connectivity, you need to have a VPN server
configured.
In the Azure portal, you can create two certificates to manage the transition when one certificate is about to expire.
When you create a certificate, you can choose whether it is the primary certificate, which is used during the
authentication to sign the certificate for the connection.
To create a VPN certificate:
1. Sign in to your Azure portal as a global administrator.
2. On the left menu, click Azure Active Directory.
3. On the Azure Active Directory page, in the Manage section, click Conditional access.
4. On the Conditional access page, in the Manage section, click VPN connectivity (preview).
5. On the VPN connectivity page, click New certificate.
2. On the New page, in the Name box, type a name for your policy. For example, type VPN policy.
Next steps
To gain insights into how Microsoft implements this feature, see Enhancing remote access in Windows 10 with an
automatic VPN profile.
Set up SharePoint Online and Exchange Online for
Azure Active Directory conditional access
1/16/2018 • 3 min to read • Edit Online
With Azure Active Directory (Azure AD) conditional access, you can control how users access your cloud apps. If you
want to use conditional access to control access to SharePoint and Exchange online, you need to:
Review whether your conditional access scenario is supported
Prevent client apps from bypassing the enforcement of your conditional access policies.
This article explains, how you can address both cases.
To effectively protect access to Exchange Online from Exchange ActiveSync, you can:
Configure a supported conditional access policy by following these steps:
a. Select just Office 365 Exchange Online as cloud app.
b. Select Exchange Active Sync as client app, and then select Apply policy only to supported
platforms.
Block Exchange ActiveSync by using Active Directory Federation Services (AD FS) rules.
Set up AD FS rules
You can use the following issuance authorization rules to enable or block traffic at the AD FS level.
Block legacy traffic from the extranet
By applying the following three rules:
You enable access for:
Exchange ActiveSync traffic
Browser traffic
Modern authentication traffic
You block access for:
Legacy client apps from the extranet
Rule 1:
@RuleName = "Allow all intranet traffic"
c1:[Type == "http://schemas.microsoft.com/ws/2012/01/insidecorporatenetwork", Value == "true"]
=> issue(Type = "http://schemas.microsoft.com/authorization/claims/permit", Value = "true");
Rule 2:
Rule 3:
@RuleName = "Allow all intranet traffic only for browser and modern authentication clients"
c1:[Type == "http://schemas.microsoft.com/ws/2012/01/insidecorporatenetwork", Value == "true"] &&
c2:[Type == "http://schemas.microsoft.com/2012/01/requestcontext/claims/x-ms-endpoint-absolute-path", Value =~
"(/adfs/ls)|(/adfs/oauth2)"]
=> issue(Type = "http://schemas.microsoft.com/authorization/claims/permit", Value = "true");
Ru l e 2
Ru l e 3
Next steps
For more information, see Conditional access in Azure Active Directory
You can't get there from here on a Windows device
1/16/2018 • 4 min to read • Edit Online
During an attempt to, for example, access your organization's SharePoint Online intranet you might run into a page
that states that you can't get there from here. You are seeing this page, because your administrator has configured
a conditional access policy that prevents access to your organization's resources under certain conditions. While it
might be necessary to contact helpdesk or your administrator to get this problem solved, there are a few things you
can try out yourself, first.
If you are using a Windows device, you should check the following:
Are you using a supported browser?
Are you running a supported version of Windows on your device?
Is your device compliant?
Supported browser
If your administrator has configured a conditional access policy, you can only access your organization's resources
by using a supported browser. On a Windows device, only Internet Explorer and Edge are supported.
You can easily identify whether you can't access a resource due to an unsupported browser by looking at the details
section of the error page:
The only remediation is to use a browser that the application supports for your device platform. For a complete list
of supported browsers, see supported browsers.
Next steps
Azure Active Directory conditional access
Azure Active Directory conditional access settings
reference
12/22/2017 • 4 min to read • Edit Online
You can use Azure Active Directory (Azure AD) conditional access to control how authorized users can access your
resources.
This article provides you with support information for the following configuration options in a conditional access
policy:
Cloud applications assignments
Device platform condition
Client applications condition
Approved client application requirement
If this is not the information you are looking for, please leave a comment at the end of this article.
Supported browsers
In your conditional access policy, you can select Browsers as client app.
This setting works with all browsers. However, to satisfy a device policy, like a compliant device requirement, the
following operating systems and browsers are supported:
OS BROWSERS SUPPORT
NOTE
For Chrome support, you must use Windows 10 Creators Update (version 1703) or later.
You can install this extension.
These browsers support device authentication, allowing the device to be identified and validated against a policy.
The device check fails if the browser is running in private mode.
Supported mobile applications and desktop clients
In your conditional access policy, you can select Mobile apps and desktop clients as client app.
This setting has an impact on access attempts made from the following mobile apps and desktop clients:
Azure Remote app Azure Remote App service Windows 10, Windows 8.1, Windows 7,
iOS, Android, and Mac OS X
Dynamics CRM app Dynamics CRM Windows 10, Windows 8.1, Windows 7,
iOS, and Android
MFA and location policy for apps. Any My Apps app service Android and iOS
Device based policies are not supported.
Microsoft Teams Services - this controls Microsoft Teams Windows 10, Windows 8.1, Windows 7,
all services that support Microsoft iOS, Android and macOS
Teams and all its Client Apps - Windows
Desktop, iOS, Android, WP, and web
client
CLIENT APPS TARGET SERVICE PLATFORM
Office 2016 apps, Office 2013 (with Office 365 SharePoint Online Windows 8.1, Windows 7
modern authentication), OneDrive sync
client (see notes)
Office 2016 apps, Universal Office apps, Office 365 SharePoint Online Windows 10
Office 2013 (with modern
authentication), OneDrive sync client
(see notes), Office Groups support is
planned for the future, SharePoint app
support is planned for the future
Office 2016 for macOS (Word, Excel, Office 365 SharePoint Online Mac OS X
PowerPoint, OneNote only). OneDrive
for Business support planned for the
future
Office Yammer app Office 365 Yammer Windows 10, iOS, Android
Outlook 2016 (Office for macOS) Office 365 Exchange Online Mac OS X
Outlook 2016, Outlook 2013 (with Office 365 Exchange Online Windows 8.1, Windows 7
modern authentication), Skype for
Business (with modern authentication)
PowerBI app. The Power BI app for PowerBI service Windows 10, Windows 8.1, Windows 7,
Android does not currently support and iOS
device-based conditional access.
Visual Studio Team Services app Visual Studio Team Services Windows 10, Windows 8.1, Windows 7,
iOS, and Android
Next steps
For an overview of conditional access, see conditional access in Azure Active Directory.
If you are ready to configure conditional access policies in your environment, see the recommended practices for
conditional access in Azure Active Directory.
Azure Active Directory conditional access FAQs
1/16/2018 • 2 min to read • Edit Online
The current methods of authentication with passwords alone are not sufficient to keep users safe. Users reuse and
forget passwords. Passwords are breachable, phishable, prone to cracks, and guessable. They also get difficult to
remember and prone to attacks like “pass the hash”.
Additional information
Windows 10 for the enterprise: Ways to use devices for work
Extending cloud capabilities to Windows 10 devices through Azure Active Directory Join
Learn about usage scenarios for Azure AD Join
Connect domain-joined devices to Azure AD for Windows 10 experiences
Set up Azure AD Join
Enable Microsoft Windows Hello for Business in your
organization
1/16/2018 • 3 min to read • Edit Online
After connecting Windows 10 domain-joined devices with Azure Active Directory, do the following to enable
Microsoft Windows Hello for Business in your organization:
1. Deploy System Center Configuration Manager
2. Configure policy settings
3. Configure the certificate profile
2. In the toolbar on the top, click Create Windows Hello for business Profile.
Next steps
Windows 10 for the enterprise: Ways to use devices for work
Extending cloud capabilities to Windows 10 devices through Azure Active Directory Join
Authenticate without passwords
Learn about usage scenarios for Azure AD Join
Connect domain-joined devices to Azure AD for Windows 10 experiences
Set up Azure AD Join
Azure Active Directory certificate-based
authentication on Android
1/16/2018 • 2 min to read • Edit Online
Certificate-based authentication (CBA) enables you to be authenticated by Azure Active Directory with a client
certificate on a Windows, Android or iOS device when connecting your Exchange online account to:
Office mobile applications such as Microsoft Outlook and Microsoft Word
Exchange ActiveSync (EAS) clients
Configuring this feature eliminates the need to enter a username and password combination into certain mail and
Microsoft Office applications on your mobile device.
This topic provides you with the requirements and the supported scenarios for configuring CBA on an iOS(Android)
device for users of tenants in Office 365 Enterprise, Business, Education, US Government, China, and Germany
plans.
This feature is available in preview in Office 365 US Government Defense and Federal plans.
Microsoft Teams
OneNote
OneDrive
Outlook
Power BI
Yammer
Implementation requirements
The device OS version must be Android 5.0 (Lollipop) and above.
A federation server must be configured.
For Azure Active Directory to revoke a client certificate, the ADFS token must have the following claims:
http://schemas.microsoft.com/ws/2008/06/identity/claims/<serialnumber>
(The serial number of the client certificate)
http://schemas.microsoft.com/2012/12/certificatecontext/field/<issuer>
(The string for the issuer of the client certificate)
Azure Active Directory adds these claims to the refresh token if they are available in the ADFS token (or any other
SAML token). When the refresh token needs to be validated, this information is used to check the revocation.
As a best practice, you should update the ADFS error pages with instructions on how to get a user certificate.
For more details, see Customizing the AD FS Sign-in Pages.
Some Office apps (with modern authentication enabled) send ‘prompt=login’ to Azure AD in their request. By
default, Azure AD translates this in the request to ADFS to ‘wauth=usernamepassworduri’ (asks ADFS to do U/P
auth) and ‘wfresh=0’ (asks ADFS to ignore SSO state and do a fresh authentication). If you want to enable
certificate-based authentication for these apps, you need to modify the default Azure AD behavior. Just set the
‘PromptLoginBehavior’ in your federated domain settings to ‘Disabled‘. You can use the
MSOLDomainFederationSettings cmdlet to perform this task:
Set-MSOLDomainFederationSettings -domainname <domain> -PromptLoginBehavior Disabled
Next steps
If you want to configure certificate-based authentication in your environment, see Get started with certificate-based
authentication on Android for instructions.
Azure Active Directory certificate-based
authentication on iOS
1/16/2018 • 2 min to read • Edit Online
Certificate-based authentication (CBA) enables you to be authenticated by Azure Active Directory with a client
certificate on a Windows, Android or iOS device when connecting your Exchange online account to:
Office mobile applications such as Microsoft Outlook and Microsoft Word
Exchange ActiveSync (EAS) clients
Configuring this feature eliminates the need to enter a username and password combination into certain mail and
Microsoft Office applications on your mobile device.
This topic provides you with the requirements and the supported scenarios for configuring CBA on an iOS(Android)
device for users of tenants in Office 365 Enterprise, Business, Education, US Government, China, and Germany
plans.
This feature is available in preview in Office 365 US Government Defense and Federal plans.
Microsoft Teams
OneNote
OneDrive
Outlook
Power BI
Yammer
Requirements
The device OS version must be iOS 9 and above
A federation server must be configured.
Microsoft Authenticator is required for Office applications on iOS.
For Azure Active Directory to revoke a client certificate, the ADFS token must have the following claims:
http://schemas.microsoft.com/ws/2008/06/identity/claims/<serialnumber>
(The serial number of the client certificate)
http://schemas.microsoft.com/2012/12/certificatecontext/field/<issuer>
(The string for the issuer of the client certificate)
Azure Active Directory adds these claims to the refresh token if they are available in the ADFS token (or any other
SAML token). When the refresh token needs to be validated, this information is used to check the revocation.
As a best practice, you should update the ADFS error pages with the following:
The requirement for installing the Microsoft Authenticator on iOS
Instructions on how to get a user certificate.
For more details, see Customizing the AD FS Sign-in Pages.
Some Office apps (with modern authentication enabled) send ‘prompt=login’ to Azure AD in their request. By
default, Azure AD translates this in the request to ADFS to ‘wauth=usernamepassworduri’ (asks ADFS to do U/P
auth) and ‘wfresh=0’ (asks ADFS to ignore SSO state and do a fresh authentication). If you want to enable
certificate-based authentication for these apps, you need to modify the default Azure AD behavior. Just set the
‘PromptLoginBehavior’ in your federated domain settings to ‘Disabled‘. You can use the
MSOLDomainFederationSettings cmdlet to perform this task:
Set-MSOLDomainFederationSettings -domainname <domain> -PromptLoginBehavior Disabled
Next steps
If you want to configure certificate-based authentication in your environment, see Get started with certificate-based
authentication on Android for instructions.
Get started with certificate-based authentication in
Azure Active Directory
1/16/2018 • 5 min to read • Edit Online
Certificate-based authentication enables you to be authenticated by Azure Active Directory with a client certificate
on a Windows, Android or iOS device when connecting your Exchange online account to:
Microsoft mobile applications such as Microsoft Outlook and Microsoft Word
Exchange ActiveSync (EAS) clients
Configuring this feature eliminates the need to enter a username and password combination into certain mail and
Microsoft Office applications on your mobile device.
This topic:
Provides you with the steps to configure and utilize certificate-based authentication for users of tenants in
Office 365 Enterprise, Business, Education, and US Government plans. This feature is available in preview in
Office 365 China, US Government Defense, and US Government Federal plans.
Assumes that you already have a public key infrastructure (PKI) and AD FS configured.
Requirements
To configure certificate-based authentication, the following must be true:
Certificate-based authentication (CBA) is only supported for Federated environments for browser
applications or native clients using modern authentication (ADAL). The one exception is Exchange Active
Sync (EAS) for EXO which can be used for both, federated and managed accounts.
The root certificate authority and any intermediate certificate authorities must be configured in Azure Active
Directory.
Each certificate authority must have a certificate revocation list (CRL) that can be referenced via an Internet
facing URL.
You must have at least one certificate authority configured in Azure Active Directory. You can find related
steps in the Configure the certificate authorities section.
For Exchange ActiveSync clients, the client certificate must have the user’s routable email address in
Exchange online in either the Principal Name or the RFC822 Name value of the Subject Alternative Name
field. Azure Active Directory maps the RFC822 value to the Proxy Address attribute in the directory.
Your client device must have access to at least one certificate authority that issues client certificates.
A client certificate for client authentication must have been issued to your client.
class TrustedCAsForPasswordlessAuth
{
CertificateAuthorityInformation[] certificateAuthorities;
}
class CertificateAuthorityInformation
{
CertAuthorityType authorityType;
X509Certificate trustedCertificate;
string crlDistributionPoint;
string deltaCrlDistributionPoint;
string trustedIssuer;
string trustedIssuerSKI;
}
enum CertAuthorityType
{
RootAuthority = 0,
IntermediateAuthority = 1
}
For the configuration, you can use the Azure Active Directory PowerShell Version 2:
1. Start Windows PowerShell with administrator privileges.
2. Install the Azure AD module. You need to install Version 2.0.0.33 or higher.
As a first configuration step, you need to establish a connection with your tenant. As soon as a connection to your
tenant exists, you can review, add, delete and modify the trusted certificate authorities that are defined in your
directory.
Connect
To establish a connection with your tenant, use the Connect-AzureAD cmdlet:
Connect-AzureAD
Retrieve
To retrieve the trusted certificate authorities that are defined in your directory, use the Get-
AzureADTrustedCertificateAuthority cmdlet.
Get-AzureADTrustedCertificateAuthority
Add
To create a trusted certificate authority, use the New-AzureADTrustedCertificateAuthority cmdlet and set the
crlDistributionPoint attribute to a correct value:
Remove
To remove a trusted certificate authority, use the Remove-AzureADTrustedCertificateAuthority cmdlet:
$c=Get-AzureADTrustedCertificateAuthority
Remove-AzureADTrustedCertificateAuthority -CertificateAuthorityInformation $c[2]
Modfiy
To modify a trusted certificate authority, use the Set-AzureADTrustedCertificateAuthority cmdlet:
$c=Get-AzureADTrustedCertificateAuthority
$c[0].AuthorityType=1
Set-AzureADTrustedCertificateAuthority -CertificateAuthorityInformation $c[0]
$msolcred = get-credential
connect-msolservice -credential $msolcred
3. Configure a new StsRefreshTokensValidFrom value for the user equal to the current timestamp:
The date you set must be in the future. If the date is not in the future, the StsRefreshTokensValidFrom property is
not set. If the date is in the future, StsRefreshTokensValidFrom is set to the current time (not the date indicated
by Set-MsolUser command).
Azure Active Directory Identity Protection is a feature of the Azure AD Premium P2 edition that enables you to:
Detect potential vulnerabilities affecting your organization’s identities
Configure automated responses to detected suspicious actions that are related to your organization’s
identities
Investigate suspicious incidents and take appropriate action to resolve them
Getting started
Microsoft has secured cloud-based identities for more than a decade. With Azure Active Directory Identity
Protection, in your environment, you can use the same protection systems Microsoft uses to secure identities.
The vast majority of security breaches take place when attackers gain access to an environment by stealing a
user’s identity. Over the years, attackers have become increasingly effective in leveraging third party breaches
and using sophisticated phishing attacks. As soon as an attacker gains access to even low privileged user
accounts, it is relatively easy for them to gain access to important company resources through lateral
movement.
As a consequence of this, you need to:
Protect all identities regardless of their privilege level
Proactively prevent compromised identities from being abused
Discovering compromised identities is no easy task. Azure Active Directory uses adaptive machine learning
algorithms and heuristics to detect anomalies and suspicious incidents that indicate potentially compromised
identities. Using this data, Identity Protection generates reports and alerts that enable you to evaluate the
detected issues and take appropriate mitigation or remediation actions.
Azure Active Directory Identity Protection is more than a monitoring and reporting tool. To protect your
organization's identities, you can configure risk-based policies that automatically respond to detected issues
when a specified risk level has been reached. These policies, in addition to other conditional access controls
provided by Azure Active Directory and EMS, can either automatically block or initiate adaptive remediation
actions including password resets and multi-factor authentication enforcement.
Identity Protection capabilities
Detecting vulnerabilities and risky accounts:
Providing custom recommendations to improve overall security posture by highlighting vulnerabilities
Calculating sign-in risk levels
Calculating user risk levels
Investigating risk events:
Sending notifications for risk events
Investigating risk events using relevant and contextual information
Providing basic workflows to track investigations
Providing easy access to remediation actions such as password reset
Risk-based conditional access policies:
Policy to mitigate risky sign-ins by blocking sign-ins or requiring multi-factor authentication challenges
Policy to block or secure risky user accounts
Policy to require users to register for multi-factor authentication
Security administrator Full access to Identity Protection Onboard Identity Protection, reset
passwords for a user
For more details, see Assigning administrator roles in Azure Active Directory
Detection
Vulnerabilities
Azure Active Directory Identity Protection analyses your configuration and detects vulnerabilities that can have
an impact on your user's identities. For more details, see Vulnerabilities detected by Azure Active Directory
Identity Protection.
Risk events
Azure Active Directory uses adaptive machine learning algorithms and heuristics to detect suspicious actions
that are related to your user's identities. The system creates a record for each detected suspicious action. These
records are also known as risk events.
For more details, see Azure Active Directory risk events.
Investigation
Your journey through Identity Protection typically starts with the Identity Protection dashboard.
The dashboard gives you access to:
Reports such as Users flagged for risk, Risk events and Vulnerabilities
Settings such as the configuration of your Security Policies, Notifications and multi-factor
authentication registration
It is typically your starting point for investigation, which is the process of reviewing the activities, logs, and
other relevant information related to a risk event to decide whether remediation or mitigation steps are
necessary, and how the identity was compromised, and understand how the compromised identity was used.
You can tie your investigation activities to the notifications Azure Active Directory Protection sends per email.
The following sections provide you with more details and the steps that are related to an investigation.
Risky sign-ins
Azure Active Directory detects risk event types in real-time and offline. Each risk event that has been detected
for a sign-in of a user contributes to a logical concept called risky sign-in. A risky sign-in is an indicator for a
sign-in attempt that might not have been performed by the legitimate owner of a user account.
Sign-in risk level
A sign-in risk level is an indication (High, Medium, or Low) of the likelihood that a sign-in attempt was not
performed by the legitimate owner of a user account.
Mitigating sign-in risk events
A mitigation is an action to limit the ability of an attacker to exploit a compromised identity or device without
restoring the identity or device to a safe state. A mitigation does not resolve previous sign-in risk events
associated with the identity or device.
To mitigate risky sign-ins automatically, you can configure sign-in risk security policies. Using these policies,
you consider the risk level of the user or the sign-in to block risky sign-ins or require the user to perform multi-
factor authentication. These actions may prevent an attacker from exploiting a stolen identity to cause damage,
and may give you some time to secure the identity.
Sign-in risk security policy
A sign-in risk policy is a conditional access policy that evaluates the risk to a specific sign-in and applies
mitigations based on predefined conditions and rules.
Azure AD Identity Protection helps you manage the mitigation of risky sign-ins by enabling you to:
Set the users and groups the policy applies to:
Set the sign-in risk level threshold (low, medium, or high) that triggers the policy:
However, for security reasons, this setting only works for users that have already been registered for multi-
factor authentication. If the condition to require multi-factor authentication is satisfied for a user who is not yet
registered for multi-factor authentication, the user is blocked.
As a best practice, if you want to require multi-factor authentication for risky sign-ins, you should:
1. Enable the multi-factor authentication registration policy for the affected users.
2. Require the affected users to login in a non-risky session to perform a MFA registration
Completing these steps ensures that multi-factor authentication is required for a risky sign-in.
Best practices
Choosing a High threshold reduces the number of times a policy is triggered and minimizes the impact to
users.
However, it excludes Low and Medium sign-ins flagged for risk from the policy, which may not block an
attacker from exploiting a compromised identity.
When setting the policy,
Exclude users who do not/cannot have multi-factor authentication
Exclude users in locales where enabling the policy is not practical (for example no access to helpdesk)
Exclude users who are likely to generate a lot of false-positives (developers, security analysts)
Use a High threshold during initial policy roll out, or if you must minimize challenges seen by end users.
Use a Low threshold if your organization requires greater security. Selecting a Low threshold introduces
additional user sign-in challenges, but increased security.
The recommended default for most organizations is to configure a rule for a Medium threshold to strike a
balance between usability and security.
The sign-in risk policy is:
Applied to all browser traffic and sign-ins using modern authentication.
Not applied to applications using older security protocols by disabling the WS-Trust endpoint at the
federated IDP, such as ADFS.
The Risk Events page in the Identity Protection console lists all events:
This policy was applied to
You can review the activity and determine whether the action was appropriate or not
For an overview of the related user experience, see:
Risky sign-in recovery
Risky sign-in blocked
Sign-in experiences with Azure AD Identity Protection
To open the related configuration dialog:
On the Azure AD Identity Protection blade, in the Configure section, click Sign-in risk policy.
You can use the user risk levels to create conditional access policies that block risky users from signing in, or
force them to securely change their password.
Closing risk events manually
In most cases, you will take remediation actions such as a secure password reset to automatically close risk
events. However, this might not always be possible.
This is, for example, the case, when:
A user with Active risk events has been deleted
An investigation reveals that a reported risk event has been perform by the legitimate user
Because risk events that are Active contribute to the user risk calculation, you may have to manually lower a
risk level by closing risk events manually.
During the course of investigation, you can choose to take any of these actions to change the status of a risk
event:
Resolve - If after investigating a risk event, you took an appropriate remediation action outside Identity
Protection, and you believe that the risk event should be considered closed, mark the event as Resolved.
Resolved events will set the risk event’s status to Closed and the risk event will no longer contribute to user
risk.
Mark as false-positive - In some cases, you may investigate a risk event and discover that it was
incorrectly flagged as a risky. You can help reduce the number of such occurrences by marking the risk
event as False-positive. This will help the machine learning algorithms to improve the classification of
similar events in the future. The status of false-positive events is to Closed and they will no longer
contribute to user risk.
Ignore - If you have not taken any remediation action, but want the risk event to be removed from the
active list, you can mark a risk event Ignore and the event status will be Closed. Ignored events do not
contribute to user risk. This option should only be used under unusual circumstances.
Reactivate - Risk events that were manually closed (by choosing Resolve, False positive, or Ignore) can
be reactivated, setting the event status back to Active. Reactivated risk events contribute to the user risk
level calculation. Risk events closed through remediation (such as a secure password reset) cannot be
reactivated.
To open the related configuration dialog:
1. On the Azure AD Identity Protection blade, under Investigate, click Risk events.
When you click Dismiss all events, all events are closed and the affected user is no longer at risk.
Remediating user risk events
A remediation is an action to secure an identity or a device that was previously suspected or known to be
compromised. A remediation action restores the identity or device to a safe state, and resolves previous risk
events associated with the identity or device.
To remediate user risk events, you can:
Perform a secure password reset to remediate user risk events manually
Configure a user risk security policy to mitigate or remediate user risk events automatically
Re-image the infected device
Manual secure password reset
A secure password reset is an effective remediation for many risk events, and when performed, automatically
closes these risk events and recalculates the user risk level. You can use the Identity Protection dashboard to
initiate a password reset for a risky user.
The related dialog provides two different methods to reset a password:
Reset password - Select Require the user to reset their password to allow the user to self-recover if the
user has registered for multi-factor authentication. During the user's next sign-in, the user will be required to
solve a multi-factor authentication challenge successfully and then, forced to change the password. This option
isn't available if the user account is not already registered multi-factor authentication.
Temporary password - Select Generate a temporary password to immediately invalidate the existing
password, and create a new temporary password for the user. Send the new temporary password to an
alternate email address for the user or to the user's manager. Because the password is temporary, the user will
be prompted to change the password upon sign-in.
2. From the list of users, select a user with at least one risk events.
Azure AD Identity Protection helps you manage the mitigation and remediation of users flagged for risk by
enabling you to:
Set the users and groups the policy applies to:
Set the user risk level threshold (low, medium, or high) that triggers the policy:
Set the controls to be enforced when the policy triggers:
Choosing a High threshold reduces the number of times a policy is triggered and minimizes the impact to
users. However, it excludes Low and Medium users flagged for risk from the policy, which may not secure
identities or devices that were previously suspected or known to be compromised.
When setting the policy,
Exclude users who are likely to generate a lot of false-positives (developers, security analysts)
Exclude users in locales where enabling the policy is not practical (for example no access to helpdesk)
Use a High threshold during initial policy roll out, or if you must minimize challenges seen by end users.
Use a Low threshold if your organization requires greater security. Selecting a Low threshold introduces
additional user sign-in challenges, but increased security.
The recommended default for most organizations is to configure a rule for a Medium threshold to strike a
balance between usability and security.
For an overview of the related user experience, see:
Compromised account recovery flow.
Compromised account blocked flow.
To open the related configuration dialog:
On the Azure AD Identity Protection blade, in the Configure section, click User risk policy.
Mitigating user risk events
Administrators can set a user risk security policy to block users upon sign-in depending on the risk level.
Blocking a sign-in:
Prevents the generation of new user risk events for the affected user
Enables administrators to manually remediate the risk events affecting the user's identity and restore it to a
secure state
Next steps
Channel 9: Azure AD and Identity Show: Identity Protection Preview
Enabling Azure Active Directory Identity Protection
Vulnerabilities detected by Azure Active Directory Identity Protection
Azure Active Directory risk events
Azure Active Directory Identity Protection notifications
Azure Active Directory Identity Protection playbook
Azure Active Directory Identity Protection glossary
Sign-in experiences with Azure AD Identity Protection
Azure Active Directory Identity Protection - How to unblock users
Get started with Azure Active Directory Identity Protection and Microsoft Graph
Enabling Azure Active Directory Identity Protection
1/16/2018 • 1 min to read • Edit Online
Azure Active Directory Identity Protection is a new capability that provides a consolidated view into suspicious sign-
in activities and potential vulnerabilities and with notifications, remediation recommendations and risk-based
policies helps you protect your business.
The service detects suspicious activities for end user and privileged (admin) identities based on signals like brute
force attacks, leaked credentials, sign ins from unfamiliar locations, infected devices, to protect against these
activities in real-time. More importantly, based on these suspicious activities, a user risk severity is computed and
risk-based policies can be configured and automatically protect the identities of your organization. For more details,
see Azure Active Directory Identity Protection.
This topics shows how to enable Azure Active Directory Identity Protection.
Vulnerabilities are weaknesses in your environment that can be exploited by an attacker. We recommend that you
address these vulnerabilities to improve the security posture of your organization, and prevent attackers from
exploiting them.
The following sections provide you with an overview of the vulnerabilities reported by Identity Protection.
See also
Azure Active Directory Identity Protection
1 min to read •
Edit O nline
Azure Active Directory Identity Protection
notifications
12/11/2017 • 1 min to read • Edit Online
Azure AD Identity Protection sends two types of automated notification emails to help you manage user risk and
risk events:
Users at risk detected email
Weekly digest email
This article provides you with an overview of both notification emails.
Configuration
As an administrator, you can set:
The risk level that triggers the generation of this email - By default, the risk level is set to “High” risk.
The recipients of this email - By default, recipients include all Global Admins. Global Admins can also add
other Global Admins, Security Admins, Security Readers as recipients.
To open the related dialog, click Alerts in the Settings section of the Identity Protection page.
Weekly digest email
The weekly digest email contains a summary of new risk events.
It includes:
Users at risk
Suspicious activities
Detected vulnerabilities
Links to the related reports in Identity Protection
Configuration
As an administrator, you can switch sending a weekly digest email off.
To open the related dialog, click Weekly Digest in the Settings section of the Identity Protection page.
See also
Azure Active Directory Identity Protection
Sign-in experiences with Azure AD Identity
Protection
1/16/2018 • 3 min to read • Edit Online
2. The user is required to prove their identity by solving a security challenge. If the user is registered for multi-
factor authentication they need to round-trip a security code to their phone number. Since this is a just a
risky sign in and not a compromised account, the user won’t have to change the password in this flow.
Risky sign-in blocked
Administrators can also choose to set a Sign-In Risk policy to block users upon sign-in depending on the risk level.
To get unblocked, end users must contact an administrator or help desk, or they can try signing in from a familiar
location or device. Self-recovering by solving multi-factor authentication is not an option in this case.
3. Finally, the user is forced to change their password since someone else may have had access to their
account. Screenshots of this experience are below.
Compromised account blocked
To get a user that was blocked by a user risk security policy unblocked, the user must contact an administrator or
help desk. Self-recovering by solving multi-factor authentication is not an option in this case.
Reset password
If compromised users are blocked from signing in, an administrator can generate a temporary password for them.
The users will have to change their password during a next sign-in.
See also
Azure Active Directory Identity Protection
Azure Active Directory Identity Protection playbook
1/16/2018 • 5 min to read • Edit Online
Simulating vulnerabilities
Vulnerabilities are weaknesses in an Azure AD environment that can be exploited by a bad actor. Currently 3 types
of vulnerabilities are surfaced in Azure AD Identity Protection that leverage other features of Azure AD. These
Vulnerabilities will be displayed on the Identity Protection dashboard automatically once these features are set up.
Azure AD Multi-Factor Authentication?
Azure AD Cloud App Discovery.
Azure AD Privileged Identity Management.
Sign-in risk
To test a sign in risk, perform the following steps:
1. Sign-in to https://portal.azure.com with global administrator credentials for your tenant.
2. Navigate to Identity Protection.
3. On the main Azure AD Identity Protection blade, click Settings.
4. On the Portal Settings blade, under Security rules, click Sign in risk.
5. On the Sign in Risk **blade, select **On under Enable rule.
6. Select one of the following options:
a. To block, select Medium under Block sign in
b. To enforce secure password change, select Medium under Require multi-factor authentication.
7. To block, select Medium under Block sign in.
8. To enforce multi-factor authentication, select Medium under Require multi-factor authentication.
9. Click on Save.
10. You can now test risk-based conditional access by simulating the unfamiliar locations or anonymous IP risk
events because they are both Medium risk events.
See also
Azure Active Directory Identity Protection
Azure Active Directory Identity Protection - How to
unblock users
1/16/2018 • 2 min to read • Edit Online
With Azure Active Directory Identity Protection, you can configure policies to block users if the configured
conditions are satisfied. Typically, a blocked user contacts help desk to become unblocked. This topics explains the
steps you can perform to unblock a blocked user.
Sign-in risk
User risk
A user that is blocked by:
A sign-in risk policy is also known as suspicious sign-in
A user risk policy is also known as an account at risk
Next steps
Do you want to know more about Azure AD Identity Protection? Check out Azure Active Directory Identity
Protection.
Azure Active Directory Identity Protection FAQ
12/11/2017 • 1 min to read • Edit Online
This article includes answers to frequently asked questions about Azure Active Directory (Azure AD) Identity
Protection. For more information, see Azure Active Directory Identity Protection.
At risk (User)
A user with one or more active risk events.
Atypical sign-in location
A sign-in from a geographic location that is not typical for the specific user, similar users, or the tenant.
Azure AD Identity Protection
A security module of Azure Active Directory that provides a consolidated view into risk events and potential
vulnerabilities affecting an organization’s identities.
Conditional access
A policy for securing access to resources. Conditional access rules are stored in the Azure Active Directory and are
evaluated by Azure AD before granting access to the resource. Example rules include restricting access based on
user location, device health or user authentication method.
Credentials
Information that includes identification and proof of identification that is used to gain access to local and network
resources. Examples of credentials are user names and passwords, smart cards, and certificates.
Event
A record of an activity in Azure Active Directory.
False -positive (risk event)
A risk event status set manually by an Identity Protection user, indicating that the risk event was investigated and
was incorrectly flagged as a risk event.
Identity
A person or entity that must be verified by means of authentication, based on criteria such as password or a
certificate.
Identity risk event
AAD event that was flagged as anomalous by Identity Protection, and may indicate that an identity has been
compromised.
Ignored (risk event)
A risk event status set manually by an Identity Protection user, indicating that the risk event is closed without taking
a remediation action.
Impossible travel from atypical locations
A risk event triggered when two sign-ins for the same user are detected, where at least one of them is from an
atypical sign-in location, and where the time between the sign-ins is shorter than the minimum time it would take
to physically travel between these locations.
Investigation
The process of reviewing the activities, logs, and other relevant information related to a risk event to decide
whether remediation or mitigation steps are necessary, understand if and how the identity was compromised, and
understand how the compromised identity was used.
Leaked credentials
A risk event triggered when current user credentials (user name and password) are found posted publicly in the
Dark web by our researchers.
Mitigation
An action to limit or eliminate the ability of an attacker to exploit a compromised identity or device without
restoring the identity or device to a safe state. A mitigation does not resolve previous risk events associated with
the identity or device.
Multi-factor authentication
An authentication method that requires two or more authentication methods, which may include something the
user has, such a certificate; something the user knows, such as user names, passwords, or pass phrases; physical
attributes, such as a thumbprint; and personal attributes, such as a personal signature.
Offline detection
The detection of anomalies and evaluation of the risk of an event such as sign-in attempt after the fact, for an event
that has already happened.
Policy condition
A part of a security policy which defines the entities (groups, users, apps, device platforms, Device states, IP ranges,
client types) included in the policy or excluded from it.
Policy rule
The part of a security policy which describes the circumstances that would trigger the policy, and the actions taken
when the policy is triggered.
Prevention
An action to prevent damage to the organization through abuse of an identity or device suspected or know to be
compromised. A prevention action does not secure the device or identity, and does not resolve previous risk events.
Privileged (user)
A user that at the time of a risk event, had permanent or temporary admin permissions to one or more resource in
Azure Active Directory, such as a Global Administrator, Billing Administrator, Service Administrator, User
administrator, and Password Administrator.
Real-time
See Real-time detection.
Real-time detection
The detection of anomalies and evaluation of the risk of an event such as sign-in attempt before the event is
allowed to proceed.
Remediated (risk event)
A risk event status set automatically by Identity Protection, indicating that the risk event was remediated using the
standard remediation action for this type of risk event. For example, when the user password is reset, many risk
events that indicate that the previous password was compromised are automatically remediated.
Remediation
An action to secure an identity or a device that were previously suspected or known to be compromised. A
remediation action restores the identity or device to a safe state, and resolves previous risk events associated with
the identity or device.
Resolved (risk event)
A risk event status set manually by an Identity Protection user, indicating that the user took an appropriate
remediation action outside Identity Protection, and that the risk event should be considered closed.
Risk event status
A property of a risk event, indicating whether the event is active, and if closed, the reason for closing it.
Risk event type
A category for the risk event, indicating the type of anomaly that caused the event to be considered risky.
Risk level (risk event)
An indication (High, Medium, or Low) of the severity of the risk event to help Identity Protection users prioritize the
actions they take to reduce the risk to their organization.
Risk level (sign-in)
An indication (High, Medium, or Low) of the likelihood that for a specific sign-in, someone else is attempting to use
the user’s identity.
Risk level (user compromise )
An indication (High, Medium, or Low) of the likelihood that an identity has been compromised.
Risk level (vulnerability)
An indication (High, Medium, or Low) of the severity of the vulnerability to help Identity Protection users prioritize
the actions they take to reduce the risk to their organization.
Secure (identity)
Take remediation action such as a password change or machine reimaging to restore a potentially compromised
identity to an uncompromised state.
Security policy
A collection of policy rules and condition. A policy can be applied to entities such as users, groups, apps, devices,
device platforms, device states, IP ranges, and Auth2.0 client types. When a policy is enabled, it is evaluated
whenever an entity included in the policy is issued a token for a resource.
Sign in (v)
To authenticate to an identity in Azure Active Directory.
Sign-in (n)
The process or action of authenticating an identity in Azure Active Directory, and the event that captures this
operation.
Sign-in from anonymous IP address
A risk event triggered after a successful sign-in from IP address that has been identified as an anonymous proxy IP
address.
Sign-in from infected device
A risk event triggered when a sign-in originates from an IP address which is known to be used by one or more
compromised devices, which are actively attempting to communicate with a bot server.
Sign-in from IP address with suspicious activity
A risk event triggered after a successful sign-in from an IP address with a high number of failed login attempts
across multiple user accounts over a short period of time.
Sign-in from unfamiliar location
A risk event triggered when a user successfully signs in from a new location (IP, Latitude/Longitude and ASN).
Sign-in risk
See Risk level (sign-in)
Sign-in risk policy
A conditional access policy that evaluates the risk to a specific sign-in and applies mitigations based on predefined
conditions and rules.
User compromise risk
See Risk level (user compromise)
User risk
See Risk level (user compromise).
User risk policy
A conditional access policy that considers the sign-in and applies mitigations based on predefined conditions and
rules.
Users flagged for risk
Users that have risk events which are either active or remediated
Vulnerability
A configuration or condition in Azure Active Directory which makes the directory susceptible to exploits or threats.
See also
Azure Active Directory Identity Protection
Get started with Azure Active Directory Identity
Protection and Microsoft Graph
1/17/2018 • 4 min to read • Edit Online
Microsoft Graph is the Microsoft unified API endpoint and the home of Azure Active Directory Identity Protection
APIs. The first API, identityRiskEvents, allows you to query Microsoft Graph for a list of risk events and associated
information. This article gets you started querying this API. For an in-depth introduction, full documentation, and
access to the Graph Explorer, see the Microsoft Graph site.
There are four steps to accessing Identity Protection data through Microsoft Graph:
1. Retrieve your domain name.
2. Create a new app registration.
3. Use this secret and a few other pieces of information to authenticate to Microsoft Graph, where you receive an
authentication token.
4. Use this token to make requests to the API endpoint and get Identity Protection data back.
Before you get started, you’ll need:
Administrator privileges to create the application in Azure AD
The name of your tenant's domain (for example, contoso.onmicrosoft.com)
a. In the Name textbox, type a name for your application (e.g.: AADIP Risk Event API Application).
b. As Type, select Web Application And / Or Web API.
c. In the Sign-on URL textbox, type http://localhost .
d. Click Create.
4. To open the Settings page, in the applications list, click your newly created app registration.
5. Copy the Application ID.
4. On the Select an API page, select Microsoft Graph, and then click Select.
6. On the Enable Access page, click Read all identity risk information, and then click Select.
7. On the Add API access page, click Done.
8. On the Required Permissions page, click Grant Permissions, and then click Yes.
NOTE
If you lose this key, you will have to return to this section and create a new key. Keep this key a secret: anyone who
has it can access your data.
`Authorization`=”<token_type> <access_token>"
When authenticating, you can find the token type and access token in the returned token.
Send this header as a request to the following API URL: https://graph.microsoft.com/beta/identityRiskEvents
The response, if successful, is a collection of identity risk events and associated data in the OData JSON format,
which can be parsed and handled as you see fit.
Here’s sample code for authenticating and calling the API using PowerShell.
Just add your client ID, the secret key, and the tenant domain.
$ClientID = "<your client ID here>" # Should be a ~36 hex character string; insert your info here
$ClientSecret = "<your client secret here>" # Should be a ~44 character string; insert your info here
$tenantdomain = "<your tenant domain here>" # For example, contoso.onmicrosoft.com
$loginURL = "https://login.microsoft.com"
$resource = "https://graph.microsoft.com"
$body =
@{grant_type="client_credentials";resource=$resource;client_id=$ClientID;client_secret=$ClientSecret}
$oauth = Invoke-RestMethod -Method Post -Uri $loginURL/$tenantdomain/oauth2/token?api-version=1.0 -Body
$body
Write-Output $oauth
$url = "https://graph.microsoft.com/beta/identityRiskEvents"
Write-Output $url
} else {
Write-Host "ERROR: No Access Token"
}
Next steps
Congratulations, you just made your first call to Microsoft Graph!
Now you can query identity risk events and use the data however you see fit.
To learn more about Microsoft Graph and how to build applications using the Graph API, check out the
documentation and much more on the Microsoft Graph site. Also, make sure to bookmark the Azure AD Identity
Protection API page that lists all of the Identity Protection APIs available in Graph. As we add new ways to work
with Identity Protection via API, you’ll see them on that page.
For related information, see:
Azure Active Directory Identity Protection
Types of risk events detected by Azure Active Directory Identity Protection
Microsoft Graph
Overview of Microsoft Graph
Azure AD Identity Protection Service Root
Securing privileged access in Azure AD
12/11/2017 • 2 min to read • Edit Online
Securing privileged access is a critical first step to help protect business assets in a modern organization. Privileged
accounts are accounts that administer and manage IT systems. Cyber-attackers target these accounts to gain access
to an organization’s data and systems. To secure privileged access, you should isolate the accounts and systems
from the risk of being exposed to a malicious user.
More users are starting to get privileged access through cloud services. This can include global administrators of
Office365, Azure subscription administrators, and users who have administrative access in VMs or on SaaS apps.
Microsoft recommends you follow this roadmap on Securing Privileged Access.
For customers using Azure Active Directory, Office 365, or other Microsoft services and applications, these
principles apply whether user accounts are managed and authenticated by Active Directory or in Azure Active
Directory. The following sections provide more information on Azure AD features to support securing privileged
access.
For more information, see MFA for Office 365 and MFA for Azure.
Time-bound privileges
Some organizations may find that they have too many users in highly privileged roles. A user might have been
added to the role for a particular activity, like to sign up for a service, but didn't use those privileges frequently
afterward.
To lower the exposure time of privileges and increase your visibility into their use, limit users to only taking on their
privileges "just in time" (JIT), or assign these roles for a shortened duration with confidence the privileges will be
revoked automatically. For Azure Active Directory, Azure Resources (Preview) and Microsoft Online Services, you
can use Azure AD Privileged Identity Management (PIM).
Attack detection
Azure Active Directory Identity Protection provides a consolidated view into risk events and potential vulnerabilities
affecting your organization’s identities. Based on risk events, Identity Protection calculates a user risk level for each
user, enabling you to configure risk-based policies to automatically protect the identities of your organization.
These policies, along with other conditional access controls provided by Azure Active Directory and EMS, can
automatically block the user or offer suggestions that include password resets and multi-factor authentication
enforcement.
Conditional access
With conditional access control, Azure Active Directory checks the specific conditions you choose when
authenticating a user, before allowing access to an application. Once those conditions are met, the user is
authenticated and allowed access to the application.
Related articles
Enable Azure Multi-Factor Authentication
Enable Azure AD Privileged Identity Management
Enable Azure AD Identity Protection
Enable conditional access controls
For more information on building a complete security roadmap, see the “Customer responsibilities and roadmap”
section of the Microsoft Cloud Security for Enterprise Architects document. For more information on engaging
Microsoft services to assist with any of these topics, contact your Microsoft representative or visit our Cybersecurity
solutions page.
Enabling LinkedIn integration in Azure Active
Directory
12/11/2017 • 1 min to read • Edit Online
Enabling LinkedIn integration lets your users access both public LinkedIn data and, if they choose to, their personal
LinkedIn network from within Microsoft apps. Each user can independently choose to connect their work account to
their LinkedIn account.
LinkedIn integration from your end users’ perspective
When end users in your organization connect their LinkedIn accounts to their work accounts, they are able to better
identify the people they work with inside and outside the organization. Connecting the two accounts allows the
user’s LinkedIn connections and profile data to be used in your organization's Microsoft apps, but they can always
opt out by removing permission for LinkedIn to share that data. The integration also uses publicly available profile
information, and users can choose whether to share their public profile and network information with Microsoft
applications through LinkedIn privacy settings.
NOTE
Enabling LinkedIn integration in Azure AD enables apps and services to access some of your end users' information. Read the
Microsoft Privacy Statement to learn more about the privacy considerations when enabling LinkedIn integration in Azure AD.
IMPORTANT
This feature is not available for go-local, sovereign, and government tenants. In addition, Azure AD service updates, such as
LinkedIn integration capabilities, are not deployed to all Azure tenants at the same time. You cannot enable LinkedIn
integration with Azure AD until this capability has been rolled out to your Azure tenant.
1. Sign in to the Azure Active Directory admin center with an account that's a global admin for the directory.
2. Select Users and groups.
3. On the Users and groups blade, select User settings.
4. Under LinkedIn Integration, select Yes or No to enable or disable LinkedIn integration.
Learn more
LinkedIn information and features in your Microsoft apps
LinkedIn help center
Next steps
You can use the following link to enable or disable LinkedIn integration with Azure AD from the Azure portal:
Configure LinkedIn integration
Windows Server Active Directory on Azure VMs
12/11/2017 • 1 min to read • Edit Online
This navigation topic contains links to other topics about how to deploy Windows Server Active Directory Domain
Services (AD DS) or Active Directory Federation Services (AD FS) on an Azure virtual machine (VM).
Conceptual guidelines
Guidelines for Deploying Windows Server Active Directory on Azure Virtual Machines
Video
How to install a new Active Directory forest on an Azure virtual network
How to articles
Install a new Active Directory forest on an Azure virtual network
Install a Replica Active Directory Domain Controller in Azure Virtual Networks
Additional Resources
Sign up for Azure as an organization
Azure Identity
Guidelines for deploying Windows Server Active
Directory on Azure virtual machines
12/11/2017 • 49 min to read • Edit Online
This article explains the important differences between deploying Windows Server Active Directory Domain
Services (AD DS) and Active Directory Federation Services (AD FS) on-premises versus deploying them on
Microsoft Azure virtual machines.
Introduction
The fundamental requirements for deploying Windows Server Active Directory on Azure virtual machines differ
very little from deploying it in on-premises virtual machines (and, to some extent, physical machines). For example,
in the case of Windows Server AD DS, if the domain controllers (DCs) that you deploy on Azure virtual machines
are replicas in an existing on-premises corporate domain/forest, then the Azure deployment can largely be treated
in the same way as you might treat any other additional Windows Server Active Directory site. That is, subnets must
be defined in Windows Server AD DS, a site created, the subnets linked to that site, and connected to other sites
using appropriate site-links. There are, however, some differences that are common to all Azure deployments and
some that vary according to the specific deployment scenario. Two fundamental differences are outlined below:
Azure virtual machines may need connectivity to the on-premises corporate network.
Connecting Azure virtual machines back to an on-premises corporate network requires Azure virtual network,
which includes a site-to-site or site-to-point virtual private network (VPN) component able to seamlessly connect
Azure virtual machines and on-premises machines. This VPN component could also enable on-premises domain
member computers to access a Windows Server Active Directory domain whose domain controllers are hosted
exclusively on Azure virtual machines. It is important to note, though, that if the VPN fails, authentication and other
operations that depend on Windows Server Active Directory will also fail. While users may be able to sign in using
existing cached credentials, all peer-to-peer or client-to-server authentication attempts for which tickets have yet to
be issued or have become stale will fail.
See Virtual Network for a demonstration video and a list of step-by-step tutorials, including Configure a Site-to-Site
VPN in the Azure portal.
NOTE
You can also deploy Windows Server Active Directory on an Azure virtual network that does not have connectivity with an
on-premises network. The guidelines in this topic, however, assume that an Azure virtual network is used because it provides
IP addressing capabilities that are essential to Windows Server.
NOTE
You should shut down and restart a VM that runs the domain controller role in Azure within the guest operating system
instead of using the Shut Down option in the Azure porta. Today, using the portal to shut down a VM causes the VM to be
deallocated. A deallocated VM has the advantage of not incurring charges, but it also resets the VM-GenerationID, which is
undesirable for a DC. When the VM-GenerationID is reset, the invocationID of the AD DS database is also reset, the RID pool
is discarded, and SYSVOL is marked as non-authoritative. For more information, see Introduction to Active Directory Domain
Services (AD DS) Virtualization and Safely Virtualizing DFSR.
NOTE
Since it provides a layer-3 connection, the VPN component that provides connectivity between an Azure virtual network and
an on-premises network can also enable member servers that run on-premises to leverage DCs that run as Azure virtual
machines on Azure virtual network. But if the VPN is unavailable, communication between on-premises computers and
Azure-based domain controllers will not function, resulting in authentication and various other errors.
NOTE
An option to create a point-to-site VPN is available to connect individual Windows-based computers directly to an Azure
virtual network.
Regardless of whether you create a virtual network or not, Azure charges for egress traffic but not ingress.
Various Windows Server Active Directory design choices can affect how much egress traffic is generated by a
deployment. For example, deploying a read-only domain controller (RODC) limits egress traffic because it does
not replicate outbound. But the decision to deploy an RODC needs to be weighed against the need to perform
write operations against the DC and the compatibility that applications and services in the site have with RODCs.
For more information about traffic charges, see Azure pricing at-a-glance.
While you have complete control over what server resources to use for VMs on-premises, such as RAM, disk
size, and so on, on Azure you must select from a list of preconfigured server sizes. For a DC, a data disk is
needed in addition to the operating system disk in order to store the Windows Server Active Directory database.
However, because Azure does not provide native, full-featured firewall capability, other options need to be used to
restrict traffic. The following table shows each option and its advantages and disadvantages.
Azure network ACLs Less costly and simpler initial Additional network ACL configuration
configuration required if any new VMs are added to
the deployment
Barracuda NG firewall Whitelist mode of operation and it Increased cost and complexity for initial
requires no network ACL configuration setup
A disadvantage to this option is the need to configure the network ACLs for multiple devices, including internal load
balancer, the AD FS servers, and any other servers that get added to the virtual network. If any device is added to
the deployment without configuring network ACLs to restrict traffic to it, the entire deployment can be at risk. If the
IP addresses of the Web Application Proxy nodes ever change, the network ACLs must be reset (which means the
proxies should be configured to use static dynamic IP addresses).
Another option is to use the Barracuda NG Firewall appliance to control traffic between AD FS proxy servers and
the AD FS servers. This option complies with best practices for security and high availability, and requires less
administration after the initial setup because the Barracuda NG Firewall appliance provides a whitelist mode of
firewall administration and it can be installed directly on an Azure virtual network. That eliminates the need to
configure network ACLs any time a new server is added to the deployment. But this option adds initial deployment
complexity and cost.
In this case, two virtual networks are deployed instead of one. We'll call them VNet1 and VNet2. VNet1 contains the
proxies and VNet2 contains the STSs and the network connection back to the corporate network. VNet1 is therefore
physically (albeit virtually) isolated from VNet2 and, in turn, from the corporate network. VNet1 is then connected
to VNet2 using a special tunneling technology known as Transport Independent Network Architecture (TINA). The
TINA tunnel is attached to each of the virtual networks using a Barracuda NG firewall—one Barracuda on each of
the virtual networks. For high-availability, it is recommended that you deploy two Barracudas on each virtual
network; one active, the other passive. They offer extremely rich firewalling capabilities which allow us to mimic the
operation of a traditional on-premises DMZ in Azure.
For more information, see AD FS: Extend a claims-aware on-premises front-end application to the Internet.
An alternative to AD FS deployment if the goal is Office 365 SSO alone
There is another alternative to deploying AD FS altogether if your goal is only to enable sign-in for Office 365. In
that case, you can simply deploy DirSync with password sync on-premises and achieve the same end-result with
minimal deployment complexity because this approach does not require AD FS or Azure.
The following table compares how the sign-in processes work with and without deploying AD FS.
OFFICE 365 SINGLE SIGN-ON USING AD FS AND DIRSYNC OFFICE 365 SAME SIGN-ON USING DIRSYNC + PASSWORD SYNC
1. The user logs on to a corporate network, and is 1. The user logs on to a corporate network, and is
authenticated to Windows Server Active Directory. authenticated to Windows Server Active Directory.
2. The user tries to access Office 365 (I am @contoso.com). 2. The user tries to access Office 365 (I am @contoso.com).
3. Office 365 redirects the user to Azure AD. 3. Office 365 redirects the user to Azure AD.
4. Since Azure AD can’t authenticate the user and understands 4. Azure AD can’t accept Kerberos tickets directly and no trust
there is a trust with AD FS on-premises, it redirects the user to relationship exists so it requests that the user enter
AD FS. credentials.
5. The user sends a Kerberos ticket to the AD FS STS. 5. The user enters the same on-premises password, and Azure
AD validates them against the user name and password that
was synchronized by DirSync.
6. AD FS transforms the Kerberos ticket to the required token 6. Azure AD redirects the user to Office 365.
format/claims and redirects the user to Azure AD.
7. The user authenticates to Azure AD (another transformation 7. The user can sign in to Office 365 and OWA using the
occurs). Azure AD token.
In the Office 365 with DirSync with password sync scenario (no AD FS), single sign-on is replaced by “same sign-
on” where “same” simply means that users must re-enter their same on-premises credentials when accessing
Office 365. Note that this data can be remembered by the user’s browser to help reduce subsequent prompts.
Additional food for thought
If you deploy an AD FS proxy on an Azure virtual machine, connectivity to the AD FS servers is needed. If they
are on-premises, it is recommended that you leverage the site-to-site VPN connectivity provided by the virtual
network to allow the Web Application Proxy nodes to communicate with their AD FS servers.
If you deploy an AD FS server on an Azure virtual machine, connectivity to Windows Server Active Directory
domain controllers, Attribute Stores, and Configuration databases is necessary and may also require an
ExpressRoute or a site-to-site VPN connection between the Azure virtual network and the on-premises network.
Charges are applied to all traffic from Azure virtual machines (egress traffic). If cost is the driving factor, it is
advisable to deploy the Web Application Proxy nodes on Azure, leaving the AD FS servers on-premises. If the AD
FS servers are deployed on Azure virtual machines as well, additional costs will be incurred to authenticate on-
premises users. Egress traffic incurs a cost regardless of whether or not it is traversing the ExpressRoute or the
VPN site-to-site connection.
If you decide to use Azure’s native server load balancing capabilities for high availability of AD FS servers, note
that load balancing provides probes that are used to determine the health of the virtual machines within the
cloud service. In the case of Azure virtual machines (as opposed to web or worker roles), a custom probe must
be used since the agent that responds to the default probes is not present on Azure virtual machines. For
simplicity, you might use a custom TCP probe — this requires only that a TCP connection (a TCP SYN segment
sent and responded to with a TCP SYN ACK segment) be successfully established to determine virtual machine
health. You can configure the custom probe to use any TCP port to which your virtual machines are actively
listening.
NOTE
Machines that need to expose the same set of ports directly to the Internet (such as port 80 and 443) cannot share the same
cloud service. It is, therefore, recommended that you create a dedicated cloud service for your Windows Server AD FS servers
in order to avoid potential overlaps between port requirements for an application and Windows Server AD FS.
Deployment scenarios
The following section outlines commonplace deployment scenarios to draw attention to important considerations
that must be taken into account. Each scenario has links to more details about the decisions and factors to consider.
1. AD DS: Deploy an AD DS-aware application with no requirement for corporate network connectivity
For example, an Internet-facing SharePoint service is deployed on an Azure virtual machine. The application
has no dependencies on corporate-network resources. The application does require Windows Server AD DS
but does NOT require the corporate Windows Server AD DS.
2. AD FS: Extend a claims-aware on-premises front-end application to the Internet
For example, a claims-aware application that has been successfully deployed on-premises and used by
corporate users needs to become accessible from the Internet. The application needs to be accessed directly
over the Internet both by business partners using their own corporate identities and by existing corporate
users.
3. AD DS: Deploy a Windows Server AD DS-aware application that requires connectivity to the corporate
network
For example, an LDAP-aware application that supports Windows-integrated authentication and uses
Windows Server AD DS as a repository for configuration and user-profile data is deployed on an Azure
virtual machine. It is desirable for the application to leverage the existing corporate Windows Server AD DS
and provide single sign-on. The application is not claims-aware.
1. AD DS: Deploy an AD DS -aware application with no requirement for corporate network connectivity
Figure 1
Description
SharePoint is deployed on an Azure virtual machine and the application has no dependencies on corporate-
network resources. The application does require Windows Server AD DS but does not require the corporate
Windows Server AD DS. No Kerberos or federated trusts are required because users are self-provisioned through
the application into the Windows Server AD DS domain that is also hosted in the cloud on Azure virtual machines.
Scenario considerations and how technology areas apply to the scenario
Network topology: Create an Azure virtual network without cross-premises connectivity (also known as site-to-
site connectivity).
DC deployment configuration: Deploy a new domain controller into a new, single-domain, Windows Server
Active Directory forest. This should be deployed along with the Windows DNS server.
Windows Server Active Directory site topology: Use the default Windows Server Active Directory site (all
computers will be in Default-First-Site-Name).
IP addressing and DNS:
Set a static IP address for the DC by using the Set-AzureStaticVNetIP Azure PowerShell cmdlet.
Install and configure Windows Server DNS on the domain controller(s) on Azure.
Configure the virtual network properties with the name and IP address of the VM that hosts the DC and
DNS server roles.
Global Catalog: The first DC in the forest must be a global catalog server. Additional DCs should also be
configured as GCs because in a single domain forest, the global catalog does not require any additional work
from the DC.
Placement of the Windows Server AD DS database and SYSVOL: Add a data disk to DCs running as Azure VMs
in order to store the Windows Server Active Directory database, logs, and SYSVOL.
Backup and Restore: Determine where you want to store system state backups. If necessary, add another data
disk to the DC VM to store backups.
2 AD FS: Extend a claims-aware on-premises front-end application to the Internet
Figure 2
Description
A claims-aware application that has been successfully deployed on-premises and used by corporate users needs to
become accessible directly from the Internet. The application serves as a web frontend to a SQL database in which it
stores data. The SQL servers used by the application are also located on the corporate network. Two Windows
Server AD FS STSs and a load-balancer have been deployed on-premises to provide access to the corporate users.
The application now needs to be additionally accessed directly over the Internet both by business partners using
their own corporate identities and by existing corporate users.
In an effort to simplify and meet the deployment and configuration needs of this new requirement, it is decided that
two additional web frontends and two Windows Server AD FS proxy servers be installed on Azure virtual machines.
All four VMs will be exposed directly to the Internet and will be provided connectivity to the on-premises network
using Azure Virtual Network’s site-to-site VPN capability.
Scenario considerations and how technology areas apply to the scenario
Network topology: Create an Azure virtual network and configure cross-premises connectivity.
NOTE
For each of the Windows Server AD FS certificates, ensure that the URL defined within the certificate template and the
resulting certificates can be reached by the Windows Server AD FS instances running on Azure. This may require
cross-premises connectivity to parts of your PKI infrastructure. For example if the CRL's endpoint is LDAP-based and
hosted exclusively on-premises, then cross-premises connectivity will be required. If this is not desirable, it may be
necessary to use certificates issued by a CA whose CRL is accessible over the Internet.
Cloud services configuration: Ensure you have two cloud services in order provide two load-balanced virtual IP
addresses. The first cloud service’s virtual IP address will be directed to the two Windows Server AD FS proxy
VMs on ports 80 and 443. The Windows Server AD FS proxy VMs will be configured to point to the IP address of
the on-premises load-balancer that fronts the Windows Server AD FS STSs. The second cloud service’s virtual IP
address will be directed to the two VMs running the web frontend again on ports 80 and 443. Configure a
custom probe to ensure the load-balancer only directs traffic to functioning Windows Server AD FS proxy and
web frontend VMs.
Federation server configuration: Configure Windows Server AD FS as a federation server (STS) to generate
security tokens for the Windows Server Active Directory forest created in the cloud. Set federation claims
provider trust relationships with the different partners you wish to accept identities from, and configure
relying party trust relationships with the different applications you want to generate tokens to.
In most scenarios, Windows Server AD FS proxy servers are deployed in an Internet-facing capacity for
security purposes while their Windows Server AD FS federation counterparts remain isolated from direct
Internet connectivity. Regardless of your deployment scenario, you must configure your cloud service with a
virtual IP address that will provide a publicly exposed IP address and port that is able to load-balance across
either your two Windows Server AD FS STS instances or proxy instances.
Windows Server AD FS high availability configuration: It is advisable to deploy a Windows Server AD FS farm
with at least two servers for failover and load balancing. You might want to consider using the Windows Internal
Database (WID) for Windows Server AD FS configuration data, and use the internal load balancing capability of
Azure to distribute incoming requests across the servers in the farm.
For more information, see the AD DS Deployment Guide.
3. AD DS: Deploy a Windows Server AD DS -aware application that requires connectivity to the corporate
network
Figure 3
Description
An LDAP-aware application is deployed on an Azure virtual machine. It supports Windows-integrated
authentication and uses Windows Server AD DS as a repository for configuration and user profile data. The goal is
for the application to leverage the existing corporate Windows Server AD DS and provide single sign-on. The
application is not claims-aware. Users also need to access the application directly from the Internet. To optimize for
performance and cost, it is decided that two additional domain controllers that are part of the corporate domain be
deployed alongside the application on Azure.
Scenario considerations and how technology areas apply to the scenario
Network topology: Create an Azure virtual network with cross-premises connectivity.
Installation method: Deploy replica DCs from the corporate Windows Server Active Directory domain. For a
replica DC, you can install Windows Server AD DS on the VM, and optionally use the Install From Media (IFM)
feature to reduce the amount of data that needs to be replicated to the new DC during installation. For a tutorial,
see Install a replica Active Directory domain controller on Azure. Even if you use IFM, it may be more efficient to
build the virtual DC on-premises and move the entire Virtual Hard Disk (VHD) to the cloud instead of replicating
Windows Server AD DS during installation. For safety, it is recommended that you delete the VHD from the on-
premises network once it has been copied to Azure.
Windows Server Active Directory site topology: Create a new Azure site in Active Directory Sites and Services.
Create a Windows Server Active Directory subnet object to represent the Azure virtual network and add the
subnet to the site. Create a new site link that includes the new Azure site and the site in which the Azure virtual
network VPN endpoint is located in order to control and optimize Windows Server Active Directory traffic to and
from Azure.
IP addressing and DNS:
Set a static IP address for the DC by using the Set-AzureStaticVNetIP Azure PowerShell cmdlet.
Install and configure Windows Server DNS on the domain controller(s) on Azure.
Configure the virtual network properties with the name and IP address of the VM that hosts the DC and
DNS server roles.
Geo-distributed DCs: Configure additional virtual networks as needed. If your Active Directory site topology
requires DCs in geographies that correspond to different Azure regions, than you want to create Active Directory
sites accordingly.
Read-only DCs: You might deploy an RODC in the Azure site, depending on your requirements for performing
write operations against the DC and the compatibility of applications and services in the site with RODCs. For
more information about application compatibility, see the Read-Only domain controllers application
compatibility guide.
Global Catalog: GCs are needed to service logon requests in multidomain forests. If you do not deploy a GC
in the Azure site, you will incur egress traffic costs as authentication requests cause queries GCs in other
sites. To minimize that traffic, you can enable universal group membership caching for the Azure site in
Active Directory Sites and Services.
If you deploy a GC, configure site links and site links costs so that the GC in the Azure site is not preferred as
a source DC by other GCs that need to replicate the same partial domain partitions.
Placement of the Windows Server AD DS database and SYSVOL: Add a data disk to DCs running on Azure VMs
in order to store the Windows Server Active Directory database, logs, and SYSVOL.
Backup and Restore: Determine where you want to store system state backups. If necessary, add another data
disk to the DC VM to store backups.
Windows Server Active Directory site How do you configure subnets, sites, Subnet and site definitions
topology and site links with Azure Virtual Site link properties and change
Network to optimize traffic and notification
minimize cost? Replication compression
IP addressing and DNS How to configure IP addresses and Use the Use the Set-
name resolution? AzureStaticVNetIP cmdlet to assign a
static IP address
Install Windows Server DNS server
and configure the virtual network
properties with the name and IP
address of the VM that hosts the DC
and DNS server roles
Geo-distributed DCs How to replicate to DCs on separate If your Active Directory site topology
virtual networks? requires DCs in geographies that
corresponds to different Azure regions,
than you want to create Active
Directory sites accordingly. Configure
virtual network to virtual network
Connectivity to replicate between
domain controllers on separate virtual
networks.
Global catalog Install global catalog? For single-domain forest, make all
DCs GCs
For multidomain forest, GCs are
required for authentication
Placement of the Windows Server AD Where to store Windows Server AD DS Change Dcpromo.exe default values.
DS database and SYSVOL database, logs, and SYSVOL? These critical Active Directory files must
be placed on Azure Data Disks instead
of Operating System disks that
implement write caching.
Backup and Restore How to safeguard and recover data? Create system state backups
Cloud services configuration A cloud service is implicitly deployed the Does a VM or VMs require direct
first time you create a virtual machine. exposure to the Internet?
Do you need to deploy additional cloud Does the service require load-
services? balancing?
Federation server requirements for Does the Windows Server AD FS Create one cloud-service for each virtual
public and private IP addressing instance need to be reached directly IP address that is required by your
(dynamic IP vs. virtual IP) from the Internet? deployment
Does the application being deployed
in the cloud require its own Internet-
facing IP address and port?
Windows Server AD FS high availability How many nodes in my Windows Resiliency and fault tolerance
configuration Server AD FS server farm?
How many nodes to deploy in my
Windows Server AD FS proxy farm?
Network topology
In order to meet the IP address consistency and DNS requirements of Windows Server AD DS, it is necessary to first
create an Azure virtual network and attach your virtual machines to it. During its creation, you must decide whether
to optionally extend connectivity to your on-premises corporate network, which transparently connects Azure
virtual machines to on-premises machines — this is achieved using traditional VPN technologies and requires that
a VPN endpoint be exposed on the edge of the corporate network. That is, the VPN is initiated from Azure to the
corporate network, not vice-versa.
Note that additional charges apply when extending a virtual network to your on-premises network beyond the
standard charges that apply to each VM. Specifically, there are charges for CPU time of the Azure Virtual Network
gateway and for the egress traffic generated by each VM that communicates with on-premises machines across the
VPN. For more information about network traffic charges, see Azure pricing at-a-glance.
DC deployment configuration
The way you configure the DC depends on the requirements for the service you want to run on Azure. For example,
you might deploy a new forest, isolated from your own corporate forest, for testing a proof-of-concept, a new
application, or some other short term project that requires directory services but not specific access to internal
corporate resources.
As a benefit, an isolated forest DC does not replicate with on-premises DCs, resulting in less outbound network
traffic generated by the system itself, directly reducing costs. For more information about network traffic charges,
see Azure pricing at-a-glance.
As another example, suppose you have privacy requirements for a service, but the service depends on access to
your internal Windows Server Active Directory. If you are allowed to host data for the service in the cloud, you
might deploy a new child domain for your internal forest on Azure. In this case, you can deploy a DC for the new
child domain (without the global catalog in order to help address privacy concerns). This scenario, along with a
replica DC deployment, requires a virtual network for connectivity with your on-premises DCs.
If you create a new forest, choose whether to use Active Directory trusts or Federation trusts. Balance the
requirements dictated by compatibility, security, compliance, cost, and resiliency. For example, to take advantage of
selective authentication you might choose to deploy a new forest on Azure and create a Windows Server Active
Directory trust between the on-premises forest and the cloud forest. If the application is claims-aware, however,
you might deploy federation trusts instead of Active Directory forest trusts. Another factor will be the cost to either
replicate more data by extending your on-premises Windows Server Active Directory to the cloud or generate more
outbound traffic as a result of authentication and query load.
Requirements for availability and fault tolerance also affect your choice. For example, if the link is interrupted,
applications leveraging either a Kerberos trust or a federation trust are all likely entirely broken unless you have
deployed sufficient infrastructure on Azure. Alternative deployment configurations such as replica DCs (writeable or
RODCs) increase the likelihood of being able to tolerate link outages.
Windows Server Active Directory site topology
You need to correctly define sites and site links in order to optimize traffic and minimize cost. Sites, site-links, and
subnets affect the replication topology between DCs and the flow of authentication traffic. Consider the following
traffic charges and then deploy and configure DCs according to the requirements of your deployment scenario:
There is a nominal fee per hour for the gateway itself:
It can be started and stopped as you see fit
If stopped, Azure VMs are isolated from the corporate network
Inbound traffic is free
Outbound traffic is charged, according to Azure pricing at-a-glance. You can optimize site link properties
between on-premises sites and the cloud sites as follows:
If you are using multiple virtual networks, configure the site-links and their costs appropriately to prevent
Windows Server AD DS from prioritizing the Azure site over one that can provide the same levels of
service at no charge. You might also consider disabling the Bridge all site link (BASL) option (which is
enabled by default). This ensures that only directly-connected sites replicate with one another. DCs in
transitively connected sites are no longer able to replicate directly with each other, but must replicate
through a common site or sites. If the intermediary sites become unavailable for some reason, replication
between DCs in transitively connected sites will not occur even if connectivity between the sites is
available. Finally, where sections of transitive replication behavior remain desirable, create site link
bridges that contain the appropriate site-links and sites, such as on-premises, corporate network sites.
Configure site link costs appropriately to avoid unintended traffic. For example, if Try Next Closest Site
setting is enabled, make sure the virtual network sites are not the next closest by increasing the cost
associated of the site-link object that connects the Azure site back to the corporate network.
Configure site link intervals and schedules according to consistency requirements and rate of object
changes. Align replication schedule with latency tolerance. DCs replicate only the last state of a value, so
decreasing the replication interval can save costs if there is a sufficient object change rate.
If minimizing costs is a priority, ensure replication is scheduled and change notification is not enabled. This is the
default configuration when replicating between sites. This is not important if you are deploying an RODC on a
virtual network because the RODC will not replicate any changes outbound. But if you deploy a writable DC, you
should make sure the site link is not configured to replicate updates with unnecessary frequency. If you deploy a
global catalog server (GC), make sure that every other site that contains a GC replicates domain partitions from
a source DC in a site that is connected with a site-link or site-links that have a lower cost than the GC in the
Azure site.
It is possible to further still reduce network traffic generated by replication between sites by changing the
replication compression algorithm. The compression algorithm is controlled by the REG_DWORD registry entry
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NTDS\Parameters\Replicator compression
algorithm. The default value is 3, which correlates to the Xpress Compress algorithm. You can change the value
to 2, which changes the algorithm to MSZip. In most cases, this will increase the compression, but it does so at
the expense of CPU utilization. For more information, see How Active Directory replication topology works.
IP addressing and DNS
Azure virtual machines are allocated “DHCP-leased addresses” by default. Because Azure virtual network dynamic
addresses persist with a virtual machine for the lifetime of the virtual machine, the requirements of Windows
Server AD DS are met.
As a result, when you use a dynamic address on Azure, you are in effect using a static IP address because it is
routable for the period of the lease, and the period of the lease is equal to the lifetime of the cloud service.
However, the dynamic address is deallocated if the VM is shutdown. To prevent the IP address from being
deallocated, you can use Set-AzureStaticVNetIP to assign a static IP address.
For name resolution, deploy your own (or leverage your existing) DNS server infrastructure; Azure-provided DNS
does not meet the advanced name resolution needs of Windows Server AD DS. For example, it does not support
dynamic SRV records, and so on. Name resolution is a critical configuration item for DCs and domain-joined clients.
DCs must be capable of registering resource records and resolving other DC’s resource records. For fault tolerance
and performance reasons, it is optimal to install the Windows Server DNS service on the DCs running on Azure.
Then configure the Azure virtual network properties with the name and IP address of the DNS server. When other
VMs on the virtual network start, their DNS client resolver settings will be configured with DNS server as part of the
dynamic IP address allocation.
NOTE
You cannot join on-premises computers to a Windows Server AD DS Active Directory domain that is hosted on Azure directly
over the Internet. The port requirements for Active Directory and the domain-join operation render it impractical to directly
expose the necessary ports and in effect, an entire DC to the Internet.
VMs register their DNS name automatically on startup or when there is a name change.
For more information about this example and another example that shows how to provision the first VM and install
AD DS on it, see Install a new Active Directory forest on Microsoft Azure. For more information about using
Windows PowerShell, see Install Azure PowerShell and Azure Management Cmdlets.
Geo -distributed DCs
Azure offers advantages when hosting multiple DCs on different virtual networks:
Multi-site fault-tolerance
Physical proximity to branch offices (lower latency)
For information about configuring direct communication between virtual networks, see Configure virtual network
to virtual network connectivity.
Read-only DCs
You need to choose whether to deploy read-only or writeable DCs. You might be inclined to deploy RODCs because
you will not have physical control over them, but RODCs are designed to be deployed in locations where their
physical security is at risk, such as branch offices.
Azure does not present the physical security risk of a branch office, but RODCs might still prove to be more cost
effective because the features they provide are well-suited to these environments albeit for very different reasons.
For example, RODCs have no outbound replication and are able to selectively populate secrets (passwords). On the
downside, the lack of these secrets might require on-demand outbound traffic to validate them as a user or
computer authenticates. But secrets can be selectively prepopulated and cached.
RODCs provide an additional advantage in and around HBI and PII concerns because you can add attributes that
contain sensitive data to the RODC filtered attribute set (FAS). The FAS is a customizable set of attributes that are
not replicated to RODCs. You can use the FAS as a safeguard in case you are not permitted or do not want to store
PII or HBI on Azure. For more information, see [RODC filtered attribute
set[(https://technet.microsoft.com/library/cc753459)].
Make sure that applications will be compatible with RODCs you plan to use. Many Windows Server Active
Directory-enabled applications work well with RODCs, but some applications can perform inefficiently or fail if they
do not have access to a writable DC. For more information, see Read-Only DCs application compatibility guide.
Global catalog
You need to choose whether to install a global catalog (GC). In a single domain forest, you should configure all DCs
as global catalog servers. It will not increase costs because there will be no additional replication traffic.
In a multidomain forest, GCs are necessary to expand Universal Group memberships during the authentication
process. If you do not deploy a GC, workloads on the virtual network that authenticate against a DC on Azure will
indirectly generate outbound authentication traffic to query GCs on-premises during each authentication attempt.
The costs associated with GCs are less-predictable because they host every domain (in-part). If the workload hosts
an Internet-facing service and authenticates users against Windows Server AD DS, the costs could be completely
unpredictable. To help reduce GC queries outside of the cloud site during authentication, you can enable Universal
Group Membership Caching.
Installation method
You need to choose how to install the DCs on the virtual network:
Promote new DCs. For more information, see Install a new Active Directory forest on an Azure virtual network.
Move the VHD of an on-premises virtual DC to the cloud. In this case, you must ensure that the on-premises
virtual DC is “moved,” not “copied” or “cloned.”
Use only Azure virtual machines for DCs (as opposed to Azure “web” or “worker” role VMs). They are durable and
durability of state for a DC is required. Azure virtual machines are designed for workloads such as DCs.
Do not use SYSPREP to deploy or clone DCs. The ability to clone DCs is only available beginning in Windows Server
2012. The cloning feature requires support for VMGenerationID in the underlying hypervisor. Hyper-V in Windows
Server 2012 and Azure virtual networks both support VMGenerationID, as do third-party virtualization software
vendors.
Placement of the Windows Server AD DS database and SYSVOL
Select where to locate the Windows Server AD DS database, logs, and SYSVOL. They must be deployed on Azure
Data disks.
NOTE
Azure Data disks are constrained to 1 TB.
Data disk drives do not cache writes by default. Data disk drives that are attached to a VM use write-through
caching. Write-through caching makes sure the write is committed to durable Azure storage before the transaction
is complete from the perspective of the VM’s operating system. It provides durability, at the expense of slightly
slower writes.
This is important for Windows Server AD DS because write-behind disk-caching invalidates assumptions made by
the DC. Windows Server AD DS attempts to disable write caching but it is up to the disk IO system to honor it.
Failure to disable write caching may, under certain circumstances, introduce USN rollback resulting in lingering
objects and other problems.
As a best practice for virtual DCs, do the following:
Set the Host Cache Preference setting on the Azure data disk for NONE. This prevents issues with write caching
for AD DS operations.
Store the database, logs, and SYSVOL on the either same data disk or separate data disks. Typically, this is a
separate disk from the disk used for the operating system itself. The key takeaway is that the Windows Server
AD DS database and SYSVOL must not be stored on an Azure Operating System disk type. By default, the AD DS
installation process installs these components in %systemroot% folder, which is NOT recommended for Azure.
Backup and restore
Be aware of what is and is not supported for backup and restore of a DC in general, and more specifically, those
running in a VM. See Backup and Restore Considerations for Virtualized DCs.
Create system state backups by using only backup software that is specifically aware of backup requirements for
Windows Server AD DS, such as Windows Server Backup.
Do not copy or clone VHD files of DCs instead of performing regular backups. Should a restore ever be required,
doing so using cloned or copied VHDs without Windows Server 2012 and a supported hypervisor will introduce
USN bubbles.
Federation server configuration
The configuration of Windows Server AD FS federation servers (STSs) depends in part on whether the applications
that you want to deploy on Azure need to access resources on your on-premises network.
If the applications meet the following criteria, you could deploy the applications in isolation from your on-premises
network.
They accept SAML security tokens
They are exposable to the Internet
They do not access on-premises resources
In this case, configure Windows Server AD FS STSs as follows:
1. Configure an isolated single-domain forest on Azure.
2. Provide federated access to the forest by configuring a Windows Server AD FS federation server farm.
3. Configure Windows Server AD FS (federation server farm and federation server proxy farm) in the on-premises
forest.
4. Establish a federation trust relationship between the on-premises and Azure instances of Windows Server AD
FS.
On the other hand, if the applications require access to on-premises resources, you could configure Windows
Server AD FS with the application on Azure as follows:
1. Configure connectivity between on-premises networks and Azure.
2. Configure a Windows Server AD FS federation server farm in the on-premises forest.
3. Configure a Windows Server AD FS federation server proxy farm on Azure.
This configuration has the advantage of reducing the exposure of on-premises resources, similar to configuring
Windows Server AD FS with applications in a perimeter network.
Note that in either scenario, you can establish trusts relationships with more identity providers, if business-to-
business collaboration is needed.
Cloud services configuration
Cloud services are necessary if you want to expose a VM directly to the Internet or to expose an Internet-facing
load-balanced application. This is possible because each cloud service offers a single configurable virtual IP address.
Federation server requirements for public and private IP addressing (dynamic IP vs. virtual IP)
Each Azure virtual machine receives a dynamic IP address. A dynamic IP address is a private address accessible only
within Azure. In most cases, however, it will be necessary to configure a virtual IP address for your Windows Server
AD FS deployments. The virtual IP is necessary to expose Windows Server AD FS endpoints to the Internet, and will
be used by federated partners and clients for authentication and ongoing management. A virtual IP address is a
property of a cloud service which contains one or more Azure virtual machines. If the claims-aware application
deployed on Azure and Windows Server AD FS are both Internet-facing and share common ports, each will require
a virtual IP address of its own and it will therefore be necessary to create one cloud service for the application and a
second for Windows Server AD FS.
For definitions of the terms virtual IP address and dynamic IP address, see Terms and definitions.
Windows Server AD FS high availability configuration
While it is possible to deploy standalone Windows Server AD FS federation services, it is recommended to deploy a
farm with at least two nodes for both AD FS STS and proxies for production environments.
See AD FS 2.0 deployment topology considerations in the AD FS 2.0 Design Guide to decide which deployment
configuration options best suit your particular needs.
NOTE
In order to get load balancing for Windows Server AD FS endpoints on Azure, configure all members of the Windows Server
AD FS farm in the same cloud service, and use the load balancing capability of Azure for HTTP (default 80) and HTTPS ports
(default 443). For more information, see Azure load-balancer probe. Windows Server Network Load Balancing (NLB) is not
supported on Azure.
Install a replica Active Directory domain controller in
an Azure virtual network
12/11/2017 • 5 min to read • Edit Online
This article discusses how to install additional domain controllers (DCs) to be used as replica DCs for an on-
premises Active Directory domain on Azure virtual machines (VMs) in an Azure virtual network. You can also
install a Windows Server Active Directory forest on an Azure virtual network. For how to install Active Directory
Domain Services (AD DS) on an Azure virtual network, see Guidelines for Deploying Windows Server Active
Directory on Azure Virtual Machines.
Scenario diagram
In this scenario, external users need to access applications that run on domain-joined servers. The VMs that run
the application servers and the replica DCs are installed in an Azure virtual network. The virtual network can be
connected to the on-premises network by ExpressRoute, or you can use a site-to-site VPN connection, as shown:
The application servers and the DCs are deployed within separate cloud services to distribute compute processing
and within availability sets for improved fault tolerance. The DCs replicate with each other and with on-premises
DCs by using Active Directory replication. No synchronization tools are needed.
For more information about setting a static IP address, see Configure a static internal IP address for a VM.
SETTING VALUES
Virtual Machine Configuration Virtual Machine Name: Type a single label name (such as
AppServer1).
New User Name: Type the name of a user. This user will
be a member of the local Administrators group on the
VM. You will need this name to sign in to the VM for the
first time. The built-in account named Administrator will
not work.
New Password/Confirm: Type a password
Virtual Machine Configuration Cloud Service: Choose Create a new cloud service for
the first VM and select that same cloud service name
when you create more VMs that will host the application.
Cloud Service DNS Name: Specify a globally unique name
Region/Affinity Group/Virtual Network: Specify the virtual
network name (such as WestUSVNet).
Storage Account: Choose Use an automatically
generated storage account for the first VM and then
select that same storage account name when you create
more VMs that will host the application.
Availability Set: Choose Create an availability set.
Availability set name: Type a name for the availability set
when you create the first VM and then select that same
name when you create more VMs.
Virtual Machine Configuration Select Install the VM Agent and any other extensions
you need.
Additional resources
For more information about using Windows PowerShell, see Get Started with Azure Cmdlets and Azure Cmdlet
Reference.
Guidelines for Deploying Windows Server Active Directory on Azure Virtual Machines
How to upload existing on-premises Hyper-V domain controllers to Azure by using Azure PowerShell
Install a new Active Directory forest on an Azure virtual network
Azure Virtual Network
Microsoft Azure IT Pro IaaS: (01) Virtual Machine Fundamentals
Microsoft Azure IT Pro IaaS: (05) Creating Virtual Networks and Cross-Premises Connectivity
Azure PowerShell
Azure Management Cmdlets
Install a new Active Directory forest on an Azure
virtual network
12/11/2017 • 7 min to read • Edit Online
This article shows how to create a new Windows Server Active Directory environment on a virtual machine (VM)
on an Azure virtual network. In this case, the Azure virtual network is not connected to an on-premises network.
You might also be interested in these related articles:
For a video that shows these steps, see How to install a new Active Directory forest on an Azure virtual
network
You can optionally configure a site-to-site VPN and then either install a new forest or extend an on-premises
forest to an Azure virtual network. For those steps, see Install a Replica Active Directory Domain Controller in
an Azure Virtual Network.
For conceptual guidance about installing Active Directory Domain Services (AD DS) on an Azure virtual
network, see Guidelines for Deploying Windows Server Active Directory on Azure Virtual Machines.
Scenario Diagram
In this scenario, external users need to access applications that run on domain-joined servers. The VMs that run
the application servers and the VMs that run domain controllers are installed installed in their own cloud service
in an Azure virtual network. They are also included within an availability set for improved fault tolerance.
IP address for the domain Assign static IP address on the network Run the Set-AzureStaticVNetIP cmdlet
controller adapter properties to assign a static IP address
DNS client resolver Set Preferred and Alternate DNS server Set DNS server address on the the
address on the network adapter virtual network properties
properties of domain members
Active Directory database storage Optionally change the default storage You need to change default storage
location from C:\ location from C:\
Virtual Network Details Name: Enter a name for your virtual network
Region: Choose the closest region
Virtual network address spaces Subnet name: Enter a name for your subnet
Starting IP: 10.0.0.0
CIDR: /24 (256)
Create VMs to run the domain controller and DNS server roles
Repeat the following steps to create VMs to host the DC role as needed. You should deploy at least two virtual
DCs to provide fault tolerance and redundancy. If the Azure virtual network includes at least two DCs that are
similarly configured (that is, they are both GCs, run DNS server, and neither holds any FSMO role, and so on) then
place the VMs that run those DCs in an availability set for improved fault tolerance.
To create the VMs by using Windows PowerShell instead of the UI, see Use Azure PowerShell to create and
preconfigure Windows-based Virtual Machines.
1. In the Azure portal, select New > Compute, and then select a virtual machine. Use the following values to
complete the wizard. Accept the default value for a setting unless another value is suggested or required.
Virtual Machine Configuration Virtual Machine Name: Type a single label name (such
as AzureDC1).
New User Name: Type the name of a user. This user
will be a member of the local Administrators group
on the VM. You will need this name to sign in to the
VM for the first time. The built-in account named
Administrator will not work.
New Password/Confirm: Type a password
Virtual Machine Configuration Cloud Service: Choose Create a new cloud service
for the first VM and select that same cloud service
name when you create more VMs that will host the
DC role.
Cloud Service DNS Name: Specify a globally unique
name
Region/Affinity Group/Virtual Network: Specify the
virtual network name (such as WestUSVNet).
Storage Account: Choose Use an automatically
generated storage account for the first VM and
then select that same storage account name when
you create more VMs that will host the DC role.
Availability Set: Choose Create an availability set.
Availability set name: Type a name for the availability
set when you create the first VM and then select that
same name when you create more VMs.
Virtual Machine Configuration Select Install the VM Agent and any other
extensions you need.
2. Attach a disk to each VM that will run the DC server role. The additional disk is needed to store the AD
database, logs, and SYSVOL. Specify a size for the disk (such as 10 GB) and leave the Host Cache Preference
set to None. For the steps, see How to Attach a Data Disk to a Windows Virtual Machine.
3. After you first sign in to the VM, open Server Manager > File and Storage Services to create a volume on
this disk using NTFS.
4. Reserve a static IP address for VMs that will run the DC role. To reserve a static IP address, download the
Microsoft Web Platform Installer and install Azure PowerShell and run the Set-AzureStaticVNetIP cmdlet.
For example:
Get-AzureVM -ServiceName AzureDC1 -Name AzureDC1 | Set-AzureStaticVNetIP -IPAddress 10.0.0.4 | Update-
AzureVM
For more information about setting a static IP address, see Configure a Static Internal IP Address for a VM.
Virtual Machine Configuration Virtual Machine Name: Type a single label name (such
as AppServer1).
New User Name: Type the name of a user. This user
will be a member of the local Administrators group
on the VM. You will need this name to sign in to the
VM for the first time. The built-in account named
Administrator will not work.
New Password/Confirm: Type a password
Virtual Machine Configuration Cloud Service: Choose Create a new cloud service
for the first VM and select that same cloud service
name when you create more VMs that will host the
application.
Cloud Service DNS Name: Specify a globally unique
name
Region/Affinity Group/Virtual Network: Specify the
virtual network name (such as WestUSVNet).
Storage Account: Choose Use an automatically
generated storage account for the first VM and
then select that same storage account name when
you create more VMs that will host the application.
Availability Set: Choose Create an availability set.
Availability set name: Type a name for the availability
set when you create the first VM and then select that
same name when you create more VMs.
ON THIS WIZARD PAGE… SPECIFY THESE VALUES
Virtual Machine Configuration Select Install the VM Agent and any other
extensions you need.
2. After each VM is provisioned, sign in and join it to the domain. In Server Manager, click Local Server >
WORKGROUP > Change… and then select Domain and type the name of your on-premises domain. Provide
credentials of a domain user, and then restart the VM to complete the domain join.
To create the VMs by using Windows PowerShell instead of the UI, see Use Azure PowerShell to create and
preconfigure Windows-based Virtual Machines.
For more information about using Windows PowerShell, see Get Started with Azure Cmdlets and Azure Cmdlet
Reference.
See Also
How to install a new Active Directory forest on an Azure virtual network
Guidelines for Deploying Windows Server Active Directory on Azure Virtual Machines
Configure a Site-to-Site VPN
Install a Replica Active Directory Domain Controller in an Azure virtual network
Microsoft Azure IT Pro IaaS: (01) Virtual Machine Fundamentals
Microsoft Azure IT Pro IaaS: (05) Creating Virtual Networks and Cross-Premises Connectivity
Virtual Network Overview
How to install and configure Azure PowerShell
Azure PowerShell
Azure Cmdlet Reference
Set Azure VM Static IP Address
How to assign Static IP to Azure VM
Install a New Active Directory Forest
Introduction to Active Directory Domain Services (AD DS) Virtualization (Level 100)
1 min to read •
Edit O nline
High availability cross-geographic AD FS deployment
in Azure with Azure Traffic Manager
12/11/2017 • 6 min to read • Edit Online
AD FS deployment in Azure provides step-by-step guideline as to how you can deploy a simple AD FS
infrastructure for your organization in Azure. This article provides the next steps to create a cross-geographic
deployment of AD FS in Azure using Azure Traffic Manager. Azure Traffic Manager helps create a geographically
spread high availability and high-performance AD FS infrastructure for your organization by making use of range
of routing methods available to suit different needs from the infrastructure.
A highly available cross-geographic AD FS infrastructure enables:
Elimination of single point of failure: With failover capabilities of Azure Traffic Manager, you can achieve a
highly available AD FS infrastructure even when one of the data centers in a part of the globe goes down
Improved performance: You can use the suggested deployment in this article to provide a high-performance
AD FS infrastructure that can help users authenticate faster.
Design principles
The basic design principles will be same as listed in Design principles in the article AD FS deployment in Azure. The
diagram above shows a simple extension of the basic deployment to another geographical region. Below are some
points to consider when extending your deployment to new geographical region
Virtual network: You should create a new virtual network in the geographical region you want to deploy
additional AD FS infrastructure. In the diagram above you see Geo1 VNET and Geo2 VNET as the two virtual
networks in each geographical region.
Domain controllers and AD FS servers in new geographical VNET: It is recommended to deploy domain
controllers in the new geographical region so that the AD FS servers in the new region do not have to contact a
domain controller in another far away network to complete an authentication and thereby improving the
performance.
Storage accounts: Storage accounts are associated with a region. Since you will be deploying machines in a
new geographic region, you will have to create new storage accounts to be used in the region.
Network Security Groups: As storage accounts, Network Security Groups created in a region cannot be used
in another geographical region. Therefore, you will need to create new network security groups similar to those
in the first geographical region for INT and DMZ subnet in the new geographical region.
DNS Labels for public IP addresses: Azure Traffic Manager can refer to endpoints ONLY via DNS labels.
Therefore, you are required to create DNS labels for the External Load Balancers’ public IP addresses.
Azure Traffic Manager: Microsoft Azure Traffic Manager allows you to control the distribution of user traffic to
your service endpoints running in different datacenters around the world. Azure Traffic Manager works at the
DNS level. It uses DNS responses to direct end-user traffic to globally-distributed endpoints. Clients then
connect to those endpoints directly. With different routing options of Performance, Weighted and Priority, you
can easily choose the routing option best suited for your organization’s needs.
V-net to V-net connectivity between two regions: You do not need to have connectivity between the virtual
networks itself. Since each virtual network has access to domain controllers and has AD FS and WAP server in
itself, they can work without any connectivity between the virtual networks in different regions.
2. Traffic routing method: There are three routing options available in traffic manager:
Priority
Performance
Weighted
Performance is the recommended option to achieve highly responsive AD FS infrastructure.
However, you can choose any routing method best suited for your deployment needs. The AD FS
functionality is not impacted by the routing option selected. See Traffic Manager traffic routing
methods for more information. In the sample screenshot above you can see the Performance
method selected.
3. Configure endpoints: In the traffic manager page, click on endpoints and select Add. This will open an Add
endpoint page similar to the screenshot below
NOTE
Ensure that the status of the endpoints is ONLINE once the configuration is complete. If all endpoints are in
‘degraded’ state, Azure Traffic Manager will do a best attempt to route the traffic assuming that the diagnostics is
incorrect and all endpoints are reachable.
5. Modifying DNS records for Azure Traffic Manager: Your federation service should be a CNAME to the
Azure Traffic Manager DNS name. Create a CNAME in the public DNS records so that whoever is trying to
reach the federation service actually reaches the Azure Traffic Manager.
For example, to point the federation service fs.fabidentity.com to the Traffic Manager, you would need to
update your DNS resource record to be the following:
fs.fabidentity.com IN CNAME mysts.trafficmanager.net
Test the routing and AD FS sign-in
Routing test
A very basic test for the routing would be to try ping the federation service DNS name from a machine in each
geographic region. Depending on the routing method chosen, the endpoint it actually pings will be reflected in the
ping display. For example, if you selected the performance routing, then the endpoint nearest to the region of the
client will be reached. Below is the snapshot of two pings from two different region client machines, one in EastAsia
region and one in West US.
AD FS sign-in test
The easiest way to test AD FS is by using the IdpInitiatedSignon.aspx page. In order to be able to do that, it is
required to enable the IdpInitiatedSignOn on the AD FS properties. Follow the steps below to verify your AD FS
setup
1. Run the below cmdlet on the AD FS server, using PowerShell, to set it to enabled. Set-AdfsProperties -
EnableIdPInitiatedSignonPage $true
2. From any external machine access https:///adfs/ls/IdpInitiatedSignon.aspx
3. You should see the AD FS page like below:
and on successful sign-in, it will provide you with a success message as shown below:
Related links
Basic AD FS deployment in Azure
Microsoft Azure Traffic Manager
Traffic Manager traffic routing methods
Next steps
Manage an Azure Traffic Manager profile
Add, disable, enable or delete endpoints
Change signature hash algorithm for Office 365
relying party trust
12/11/2017 • 1 min to read • Edit Online
Overview
Active Directory Federation Services (AD FS) signs its tokens to Microsoft Azure Active Directory to ensure that they
cannot be tampered with. This signature can be based on SHA1 or SHA256. Azure Active Directory now supports
tokens signed with an SHA256 algorithm, and we recommend setting the token-signing algorithm to SHA256 for
the highest level of security. This article describes the steps needed to set the token-signing algorithm to the more
secure SHA256 level.
NOTE
Microsoft recommends usage of SHA256 as the algorithm for signing tokens as it is more secure than SHA1 but SHA1 still
remains a supported option.
AD FS PowerShell cmdlets
1. On any AD FS server, open PowerShell under administrator privileges.
2. Set the secure hash algorithm by using the Set-AdfsRelyingPartyTrust cmdlet.
Set-AdfsRelyingPartyTrust -TargetName 'Microsoft Office 365 Identity Platform' -SignatureAlgorithm
'http://www.w3.org/2001/04/xmldsig-more#rsa-sha256'
Also read
Repair Office 365 trust with Azure AD Connect
How to get support for Azure Active Directory
12/11/2017 • 2 min to read • Edit Online
Microsoft provides global technical, pre-sales, billing, and subscription support for Azure Active Directory (Azure
AD). Support is available both online and by phone for Microsoft Azure paid and trial subscriptions. Phone support
and online billing support are available in additional languages.
NOTE
For billing or subscription issues, you must use the Office 365 admin center.
NOTE
Support for Azure AD in the Office 365 admin center is offered for administrators only.
1. Sign in to the Office 365 admin center with an account that has an Enterprise Mobility + Security (EMS)
license.
2. On the Support tile, select New service request:
3. On the Support Overview page, select Identity management or User and domain management:
4. For Feature, select the Azure AD feature for which you want support.
5. For Symptom, select an appropriate symptom, summarize your issue and provide relevant details, and
then select Next.
6. Select one of the offered self-help resources, or select Yes, continue or No, cancel request.
7. If you continue, you are asked for more details. You can attach any files you have that represent the
problem, and then select Next.
8. Provide your contact information and select Submit request.
Next steps
Microsoft Tech Community
Technical documentation at docs.microsoft.com
Troubleshooting: 'Active Directory' item is missing or
not available
12/11/2017 • 1 min to read • Edit Online
Many of the instructions for using Azure Active Directory features and services begin with "Go to the Azure
Management Portal and click Active Directory." But what do you do if the Active Directory extension or menu item
does not appear or if it is marked Not Available? This topic is designed to help. It describes the conditions under
which Active Directory does not appear or is unavailable and explains how to proceed.
The Active Directory item appears in the left navigation menu when any of the following conditions is true.
Otherwise, the item does not appear.
The current user signed on with a Microsoft account (formerly known as a Windows Live ID).
OR
The Azure tenant has a directory and the current account is a directory administrator.
OR
The Azure tenant has at least one Azure AD Access Control (ACS) namespace. For more information, see
Access Control Namespace.
OR
The Azure tenant has at least one Azure Multi-Factor Authentication provider. For more information, see
Administering Azure Multi-Factor Authentication Providers.
To create an Access Control namespace or a Multi-Factor Authentication provider, click +New > App Services >
Active Directory.
To get administrative rights to a directory, have an administrator assign an administrator role to your account. For
details, see Assigning administrator roles.
This article provides guidelines to explore different Azure AD capabilities in a Proof of Concept (PoC). The intended
audience of this document is Identity Architects, IT Professionals, and System Integrators
NOTE
Throughout this article, you will see some specific third party applications and products mentioned as examples for
convenience. Azure AD supports thousands of applications in our application gallery that you can use based on your needs
and environment.
Playbook Steps
1. Introduction
2. Ingredients
Theme
Environment
Target Users
3. Implementation
Foundation - Syncing AD to Azure AD
Extending your on-premises identity to the cloud
Assigning Azure AD licenses using Groups
Theme - Lots of apps, one identity
Integrate SaaS Applications - Federated SSO
SSO and Identity Lifecycle Events
Integrate SaaS Applications - Password SSO
Secure Access to Shared Accounts
Secure Remote Access to On-Prem Applications
Synchronize LDAP identities to Azure AD
Theme - Increase your security
Secure administrator account access
Secure access to applications
Enable Just in time (JIT) administration
Protect Identities based on risk
Authenticate without passwords using certificate based authentication
Theme - Scale with Self Service
Self Service Password Reset
Self Service Access to Applications
4. Building Blocks
Catalog of Actors
Common Prerequisites for all building blocks
Directory Synchronization - Password Hash Sync (PHS) - New Installation
Branding
Group based licensing
SaaS Federated SSO Configuration
SaaS Password SSO Configuration
SaaS Shared Accounts Configuration
App Proxy Configuration
Generic LDAP Connector configuration
Groups - Delegated Ownership
SaaS and Identity Lifecycle
Self Service Access to Application Management
Self Service Password Reset
Azure Multi-Factor Authentication with Phone Calls
MFA Conditional Access for SaaS applications
Privileged Identity Management (PIM)
Discovering Risk Events
Deploying Sign-in risk policies
Configuring certificate based authentication
Azure Active Directory Proof of Concept Playbook
Ingredients
12/11/2017 • 2 min to read • Edit Online
Theme
Azure AD provides identity and access solutions across multiple areas in the enterprise. We classify the scenarios
in the following areas:
Lots of apps, one identity
Increase your security
Scale with Self Service
Defining a theme to frame the PoC helps to focus the efforts that resonates with business goals, which oftentimes
are the triggers of the interest in a proof of concept in the first place.
Environment
It is important to determine the details of the environment where you will deliver the PoC. Ideally you can build
upon it after the PoC is completed. The target environment is crucial and you should find the right balance
between making it as real as possible and the overhead of constraints or extra considerations. The typical
environments for PoCs are:
Production: The scenarios will be implemented in your live environment and already deployed Microsoft
Cloud services (production AD, Office 365, Azure AD tenant/SSO solution).
User Acceptance Test (UAT)/Dev environment: You have test infrastructure (parallel AD and potentially
Azure AD tenant/SSO solution) with test data that resembles production. Typically, the test environment is
shared across multiple projects in the enterprise.
Most scenarios in this guide are additive in nature. As a result, they can be deployed in the production tenant
without affecting users outside the PoC. Throughout this document, we will be calling out which scenarios would
have tenant-wide effect. In those cases, you might want to consider a non-production environment.
Target Users
It is important to determine the target set of users that will exercise the scenarios, especially when the
environment is production or test. The categories of target users for PoC are:
Pilot Users: Real users in the environment that will be using the solution with the account they use for their
day to day job functions
Test Users: Test accounts created in the environment
Most scenarios in this guide can be exercised by pilot users. Throughout this document, we will be calling out
target user considerations if needed.
Playbook Steps
1. Introduction
2. Ingredients
Theme
Environment
Target Users
3. Implementation
Foundation - Syncing AD to Azure AD
Extending your on-premises identity to the cloud
Assigning Azure AD licenses using Groups
Theme - Lots of apps, one identity
Integrate SaaS Applications - Federated SSO
SSO and Identity Lifecycle Events
Integrate SaaS Applications - Password SSO
Secure Access to Shared Accounts
Secure Remote Access to On-Prem Applications
Synchronize LDAP identities to Azure AD
Theme - Increase your security
Secure administrator account access
Secure access to applications
Enable Just in time (JIT) administration
Protect Identities based on risk
Authenticate without passwords using certificate based authentication
Theme - Scale with Self Service
Self Service Password Reset
Self Service Access to Applications
4. Building Blocks
Catalog of Actors
Common Prerequisites for all building blocks
Directory Synchronization - Password Hash Sync (PHS) - New Installation
Branding
Group based licensing
SaaS Federated SSO Configuration
SaaS Password SSO Configuration
SaaS Shared Accounts Configuration
App Proxy Configuration
Generic LDAP Connector configuration
Groups - Delegated Ownership
SaaS and Identity Lifecycle
Self Service Access to Application Management
Self Service Password Reset
Azure Multi-Factor Authentication with Phone Calls
MFA Conditional Access for SaaS applications
Privileged Identity Management (PIM)
Discovering Risk Events
Deploying Sign-in risk policies
Configuring certificate based authentication
Azure Active Directory Proof of Concept Playbook:
Implementation
12/11/2017 • 9 min to read • Edit Online
Extending your on-premises identity to the cloud Directory Synchronization - Password Hash Sync
Note: If you already have DirSync/ADSync or earlier versions
of Azure AD Connect, this step is optional. Some scenarios in
this guide might require newer version of Azure AD Connect.
Branding
IMPORTANT
This is an advanced configuration requiring some familiarity with FIM/MIM. If used in production, we advise questions about
this configuration go through Premier Support.
Authenticate without passwords using certificate based Configuring certificate based authentication
authentication
Playbook Steps
1. Introduction
2. Ingredients
Theme
Environment
Target Users
3. Implementation
Foundation - Syncing AD to Azure AD
Extending your on-premises identity to the cloud
Assigning Azure AD licenses using Groups
Theme - Lots of apps, one identity
Integrate SaaS Applications - Federated SSO
SSO and Identity Lifecycle Events
Integrate SaaS Applications - Password SSO
Secure Access to Shared Accounts
Secure Remote Access to On-Prem Applications
Synchronize LDAP identities to Azure AD
Theme - Increase your security
Secure administrator account access
Secure access to applications
Enable Just in time (JIT) administration
Protect Identities based on risk
Authenticate without passwords using certificate based authentication
Theme - Scale with Self Service
Self Service Password Reset
Self Service Access to Applications
4. Building Blocks
Catalog of Actors
Common Prerequisites for all building blocks
Directory Synchronization - Password Hash Sync (PHS) - New Installation
Branding
Group based licensing
SaaS Federated SSO Configuration
SaaS Password SSO Configuration
SaaS Shared Accounts Configuration
App Proxy Configuration
Generic LDAP Connector configuration
Groups - Delegated Ownership
SaaS and Identity Lifecycle
Self Service Access to Application Management
Self Service Password Reset
Azure Multi-Factor Authentication with Phone Calls
MFA Conditional Access for SaaS applications
Privileged Identity Management (PIM)
Discovering Risk Events
Deploying Sign-in risk policies
Configuring certificate based authentication
Azure Active Directory proof of concept playbook:
Building blocks
12/11/2017 • 26 min to read • Edit Online
Catalog of roles
PROOF OF CONCEPT (POC)
ROLE DESCRIPTION RESPONSIBILITY
Identity Architecture / development This team is usually the one that They provide the environments and are
team designs the solution, implements the ones evaluating the different
prototypes, drives approvals, and scenarios from the manageability
finally hands off to operations perspective
On-Premises Identity Operations Manages the different identity sources Provide access to on-premises
team on-premises: Active Directory Forests, resources needed for the PoC
LDAP directories, HR systems, and scenarios.
Federation Identity Providers. They should be involved as little as
possible
Application Technical Owners Technical owners of the different cloud Provide details on SaaS applications
apps and services that will integrate (potentially instances for testing)
with Azure AD
Azure AD Global Admin Manages the Azure AD configuration Provide credentials to configure the
synchronization service. Usually the
same team as Identity Architecture
during PoC but separate during the
operations phase
Database team Owners of the Database infrastructure Provide access to SQL environment
(ADFS or Azure AD Connect) for
specific scenario preparations.
They should be involved as little as
possible
Network team Owners of the Network infrastructure Provide required access at the network
level for the synchronization servers to
properly access the data sources and
cloud services (firewall rules, ports
opened, IPSec rules etc.)
Security team Defines the security strategy, analyzes Provide target security evaluation
security reports from various sources, scenarios
and follows through on findings.
Azure AD tenant defined with a valid Azure subscription How to get an Azure Active Directory tenant
Note: If you already have an environment with Azure AD
Premium licenses, you can get a zero cap subscription by
navigating to https://aka.ms/accessaad
Learn more at:
https://blogs.technet.microsoft.com/enterprisemobility/2016/
02/26/azure-ad-mailbag-azure-subscriptions-and-azure-ad-
2/ and https://technet.microsoft.com/library/dn832618.aspx
Domains defined and verified Add a custom domain name to Azure Active Directory
Note: Some workloads such as Power BI could have
provisioned an azure AD tenant under the covers. To check if
a given domain is associated to a tenant, navigate to
https://login.microsoftonline.com/{domain}/v2.0/.well-
known/openid-configuration. If you get a successful
response, then the domain is already assigned to a tenant
and take over might be needed. If so, contact Microsoft for
further guidance. Learn more about the takeover options at:
What is Self-Service Signup for Azure?
Azure AD Premium or EMS trial Enabled Azure Active Directory Premium free for one month
You have assigned Azure AD Premium or EMS licenses to License yourself and your users in Azure Active Directory
PoC users
Azure AD Global Admin credentials Assigning administrator roles in Azure Active Directory
Optional but strongly recommended: Parallel lab Prerequisites for Azure AD Connect
environment as a fallback
Target POC users, in the same domain and part of a security Custom installation of Azure AD Connect
group, and OU
Azure AD Connect Features needed for the POC are Connect Active Directory with Azure Active Directory -
identified Configure sync features
You have needed credentials for on-premises and cloud Azure AD Connect: Accounts and permissions
environments
Steps
STEP RESOURCES
Download the latest version of Azure AD Connect Download Microsoft Azure Active Directory Connect
Install Azure AD Connect with the simplest path: Express Azure AD Connect: Custom installation: Domain and OU
1. Filter to the target OU to minimize the Sync Cycle time filtering
2. Choose target set of users in the on-premises group. Azure AD Connect: Custom installation: Group based filtering
3. Deploy the features needed by the other POC Themes Azure AD Connect: Integrating your on-premises identities
with Azure Active Directory: Configure Sync Features
Open the Azure AD Connect UI and see the running profiles Azure AD Connect sync: Scheduler
completed (Import, sync, and export)
Open the Azure AD management portal, go to the "All Azure AD management portal
Users" blade, add "Source of authority" column and see that
the users appear, marked properly as coming from "Windows
Server AD"
Considerations
1. Look at the security considerations of password hash sync here. If password hash sync for pilot production
users is definitively not an option, then consider the following alternatives:
Create test users in the production domain. Make sure you don't synchronize any other account
Move to an UAT environment
2. If you want to pursue federation, it is worthwhile to understand the costs associated a federated solution with
on-premises Identity Provider beyond the POC and measure that against the benefits you are looking for:
It is in the critical path so you have to design for high availability
It is an on-premises service you need to capacity plan
It is an on-premises service you need to monitor/maintain/patch
Learn more: Understanding Office 365 identity and Azure Active Directory - Federated Identity
Branding
Approximate time to Complete: 15 minutes
Pre -requisites
PRE-REQUISITE RESOURCES
Assets (Images, Logos, etc.); For best visualization make sure Add company branding to your sign-in page in the Azure
the assets have the recommended sizes. Active Directory
Optional: If the environment has an ADFS server, access to AD FS user sign-in customization
the server to customize web theme
Steps
STEP RESOURCES
Upload the assets for the login page (hero logo, small logo, Add company branding to your sign-in and Access Panel
labels, etc.). Optionally if you have AD FS, align the same pages: Customizable Elements
assets with ADFS login pages
Confirm the look and feel in browser Add company branding to your sign-in and Access Panel
pages
Considerations
If the old look and feel remains after the customization then flush the browser client cache, and retry the
operation.
All POC users are part of a security group (either cloud or Create a group and add members in Azure Active Directory
on-premises)
Steps
STEP RESOURCES
Assign the licenses to the security group with POC users. Assign licenses to a group of users in Azure Active Directory
Considerations
In case of any issues, go to Scenarios, limitations, and known issues with using groups to manage licensing in
Azure Active Directory
Admin access to the ServiceNow management console Tutorial: Azure Active Directory integration with ServiceNow
Target set of users to assign the application to. A security Assign a user or group to an enterprise app in Azure Active
group containing the PoC users is recommended. Directory
If creating the group is not feasible, then assign the users to
directly to the application for the PoC
Steps
STEP RESOURCES
Share the tutorial to all actors from Microsoft Documentation Tutorial: Azure Active Directory integration with ServiceNow
Set a working meeting and follow the tutorial steps with each Tutorial: Azure Active Directory integration with ServiceNow
actor.
Assign the app to the group identified in the Prerequisites. If Assign a user or group to an enterprise app in Azure Active
the POC has conditional access in the scope, you can revisit Directory
that later and add MFA, and similar. Create a group and add members in Azure Active Directory
Note this will kick in the provisioning process (if configured)
Use Azure AD management Portal to add ServiceNow Azure AD management Portal: Enterprise Applications
Application from Gallery What's new in Enterprise Application management in Azure
Active Directory
In "Provisioning" blade of ServiceNow App enable Managing user account provisioning for enterprise apps in
"Automatic" provisioning the new Azure portal
Click on the tile for the application that was just created.
Confirm access
Optionally, you can check the application usage reports. Note Sign-in activity reports in the Azure Active Directory portal:
there is some latency, so you need to wait some time to see Usage of managed applications
the traffic in the reports. Azure Active Directory report retention policies
Considerations
1. Above Tutorial refers to old Azure AD management experience. But PoC is based on Quick start experience.
2. If the target application is not present in the gallery, then you can use "Bring your own app". Learn more:
What's new in Enterprise Application management in Azure Active Directory: Add custom applications from
one place
Test environment for SaaS applications. An example of Twitter on Microsoft Azure Marketplace
Password SSO is HipChat and Twitter. For any other HipChat on Microsoft Azure Marketplace
application, you need the exact URL of the page with html
sign-in form.
Target set of users to assign the application to. A security Assign a user or group to an enterprise app in Azure Active
group contained the users is recommended. Directory
Local administrator access to a computer to deploy the Access Panel Extension for IE
Access Panel Extension for Internet Explorer, Chrome or Access Panel Extension for Chrome
Firefox Access Panel Extension for Firefox
Steps
STEP RESOURCES
Configure Application from Gallery What's new in Enterprise Application management in Azure
Active Directory: The new and improved application gallery
Configure Password SSO Managing single sign-on for enterprise apps in the new
Azure portal: Password-based sign on
Assign the app to the group identified in the Prerequisites Assign a user or group to an enterprise app in Azure Active
Directory
Click on the tile for the application that was just created. What is the Access Panel?: Password-based SSO without
identity provisioning
Supply the application credential What is the Access Panel?: Password-based SSO without
identity provisioning
STEP RESOURCES
Close the browser and repeat the login. This time around the
user should see seamless access to the application.
Optionally, you can check the application usage reports. Note Sign-in activity reports in the Azure Active Directory portal:
there is some latency, so you need to wait some time to see Usage of managed applications
the traffic in the reports. Azure Active Directory report retention policies
Considerations
If the target application is not present in the gallery, then you can use "Bring your own app". Learn more: What's
new in Enterprise Application management in Azure Active Directory: Add custom applications from one place
Keep in mind the following requirements:
Application should have a known login URL
The sign-in page should contain an HTML form with one more text fields that the browser extensions can
auto-populate. At the minimum, it should contain username and password.
The list of target applications and the exact sign-in URLS Twitter on Microsoft Azure Marketplace
ahead of time. As an example, you can use Twitter. Sign up for Twitter
Shared credential for this SaaS application. Sharing accounts using Azure AD
Azure AD automated password roll-over for Facebook,
Twitter and LinkedIn now in preview! - Enterprise Mobility
and Security Blog
Credentials for at least two team members who will access Assign a user or group to an enterprise app in Azure Active
the same account. They must be part of a security group. Directory
Local administrator access to a computer to deploy the Access Panel Extension for IE
Access Panel Extension for Internet Explorer, Chrome or Access Panel Extension for Chrome
Firefox Access Panel Extension for Firefox
Steps
STEP RESOURCES
Configure Application from Gallery What's new in Enterprise Application management in Azure
Active Directory: The new and improved application gallery
Configure Password SSO Managing single sign-on for enterprise apps in the new
Azure portal: Password-based sign on
STEP RESOURCES
Assign the app to the group identified in the Prerequisites Assign a user or group to an enterprise app in Azure Active
while assigning them credentials Directory
Optionally, you can check the application usage reports. Note Sign-in activity reports in the Azure Active Directory portal:
there is some latency, so you need to wait some time to see Usage of managed applications
the traffic in the reports. Azure Active Directory report retention policies
Considerations
If the target application is not present in the gallery, then you can use "Bring your own app". Learn more: What's
new in Enterprise Application management in Azure Active Directory: Add custom applications from one place
Keep in mind the following requirements:
Application should have a known login URL
The sign-in page should contain an HTML form with one more text fields that the browser extensions can
auto-populate. At the minimum, it should contain username and password.
A Microsoft Azure AD basic or premium subscription and an Azure Active Directory editions
Azure AD directory for which you are a global administrator
A server running Windows Server 2012 R2, or Windows 8.1 Understand Azure AD Application Proxy connectors
or higher, on which you can install the Application Proxy
Connector
If there is a firewall in the path, make sure that it's open so Enable Application Proxy in the Azure portal: Application
that the Connector can make HTTPS (TCP) requests to the Proxy prerequisites
Application Proxy
If your organization uses proxy servers to connect to the Work with existing on-premises proxy servers
internet, take a look at the blog post Working with existing
on-premises proxy servers for details on how to configure
them
Steps
STEP RESOURCES
Install a connector on the server Enable Application Proxy in the Azure portal: Install and
register the Connector
STEP RESOURCES
Publish the on-prem application in Azure AD as an Publish applications using Azure AD Application Proxy
Application Proxy application
Assign test users Publish applications using Azure AD Application Proxy: Add a
test user
Optionally, configure a single sign-on experience for your Provide single sign-on with Azure AD Application Proxy
users
Considerations
1. While we suggest putting the connector in your corporate network, there are cases when you will see better
performance placing it in the cloud. Learn more: Network topology considerations when using Azure Active
Directory Application Proxy
2. For further security details and how this provides a particularly secure remote access solution by only
maintaining outbound connections see: Security considerations for accessing apps remotely by using Azure
AD Application Proxy
IMPORTANT
This is an advanced configuration requiring some familiarity with FIM/MIM. If used in production, we advise questions
about this configuration go through Premier Support.
Pre -requisites
PRE-REQUISITE RESOURCES
Azure AD Connect installed and configured Building block: Directory Synchronization - Password Hash
Sync
ADLDS instance meeting requirements Generic LDAP Connector technical reference: Overview of the
Generic LDAP Connector
List of workloads, that users are using and attributes Azure AD Connect sync: Attributes synchronized to Azure
associated with these workloads Active Directory
Steps
STEP RESOURCES
Add Generic LDAP Connector Generic LDAP Connector technical reference: Create a new
Connector
Create run profiles for created connector (full import, delta Create a Management Agent Run Profile
import, full synchronization, delta synchronization, export) Using connectors with the Azure AD Connect Sync Service
Manager
STEP RESOURCES
Run full import profile and verify, that there are objects in Search for a Connector Space Object
connector space Using connectors with the Azure AD Connect Sync Service
Manager: Search Connector Space
Create synchronization rules, so that objects in Metaverse Azure AD Connect sync: Best practices for changing the
have necessary attributes for workloads default configuration: Changes to Synchronization Rules
Azure AD Connect sync: Understanding Declarative
Provisioning
Azure AD Connect sync: Understanding Declarative
Provisioning Expressions
Start full synchronization cycle Azure AD Connect sync: Scheduler: Start the scheduler
Verify, that LDAP user can sign-in and access the application https://myapps.microsoft.com
Considerations
IMPORTANT
This is an advanced configuration requiring some familiarity with FIM/MIM. If used in production, we advise questions
about this configuration go through Premier Support.
SaaS application (Federated SSO or Password SSO) has been Building block: SaaS Federated SSO Configuration
already configured
Cloud Group that is assigned access to the application in #1 Building block: SaaS Federated SSO Configuration
is identified Create a group and add members in Azure Active Directory
Credentials for the group owner are available Manage access to resources with Azure Active Directory
groups
Credentials for the information worker accessing the apps What is the Access Panel?
has been identified
Steps
STEP RESOURCES
Identify the group that has been granted access to the Manage the settings for a group in Azure Active Directory
application, and configure the owner of given group
Log in as the group owner, see the group membership in Azure Active Directory Groups Management page
groups tab of access panel
STEP RESOURCES
Log in as the information worker, confirm the tile is available What is the Access Panel?
Considerations
If the application has provisioning enabled, you might need to wait a few minutes for the provisioning to
complete before accessing the application as the information worker.
SaaS application (Federated SSO or Password SSO) has been Building block: SaaS Federated SSO Configuration
already configured
Cloud Group that is assigned access to the application in #1 Building block: SaaS Federated SSO Configuration
is identified Create a group and add members in Azure Active Directory
Credentials for the information worker accessing the apps What is the Access Panel?
has been identified
Steps
STEP RESOURCES
Remove the user from the group the app is assigned to Manage group membership for users in your Azure Active
Directory tenant
Wait for a few minutes for de-provisioning Automated SaaS App User Provisioning in Azure AD: How
does automated provisioning work?
Considerations
Extrapolate the PoC scenario to leavers and/or leave of absence scenarios. If the user gets disabled in on-
premises AD or removed, there is no longer a way to log in to the SaaS application.
Identify POC users that will request access to the Building block: SaaS Federated SSO Configuration
applications, as part of the security group
Configure Application from Pre-requisites with self service What's new in Enterprise Application management in Azure
Active Directory: Configure self-service application access
Considerations
The applications chosen might have provisioning requirements, so going immediately to the app might cause
some errors. If the application chosen supports provisioning with azure ad and it is configured, you might use
this as an opportunity to show the whole flow working end to end. See the building block for SaaS Federated
SSO Configuration for further recommendations
Enable self-service password management in your tenant. Azure Active Directory password reset for IT administrators
Enable password write-back to manage passwords from on- Password Writeback prerequisites
premises. Note this requires specific Azure AD Connect
versions
Identify the PoC users that will use this functionality, and Customize: Azure AD Password Management: Restrict Access
make sure they are members of a security group. The users to password reset
must be non-admins to fully showcase the capability
Steps
STEP RESOURCES
Navigate to Azure AD Management Portal: Password Reset Azure AD Management Portal: Password Reset
Considerations
1. If upgrading the Azure AD Connect is going to cause friction, then consider using it against cloud accounts or
make it a demo against a separate environment
2. The administrators have a different policy and using the admin account to reset the password might taint the
PoC and cause confusion. Make sure you use a regular user account to test the reset operations
Phone with good reception for MFA challenge What is Azure Multi-Factor Authentication?
Steps
STEP RESOURCES
Navigate to "Users and groups" blade in Azure AD Azure AD Management Portal: Users and groups
Management Portal
In the top bar choose "Multi-Factor Authentication" button Direct URL for Azure MFA portal: https://aka.ms/mfaportal
In the "User" settings select the PoC users and enable them User States in Azure Multi-Factor Authentication
for MFA
Considerations
1. The PoC steps in this building block explicitly setting MFA for a user on all logins. There are other tools such as
Conditional Access, and Identity Protection that engage MFA on more targeted scenarios. This will be
something to consider when moving from POC to production.
2. The PoC steps in this building block are explicitly using Phone Calls as the MFA method for expedience. As you
transition from POC to production, we recommend using applications such as the Microsoft Authenticator as
your second factor whenever possible. Learn more: DRAFT NIST Special Publication 800-63B
MFA Conditional Access for SaaS applications
Approximate time to Complete: 10 minutes
Pre -requisites
PRE-REQUISITE RESOURCES
Identify PoC users to target the policy. These users should be SaaS Federated SSO Configuration
in a security group to scope the conditional access policy
POC user is registered for MFA. Using a phone with Good http://aka.ms/ssprsetup
reception
Device in the internal network. IP Address configured in the Find your ip address: https://www.bing.com/search?
internal address range q=what%27s+my+ip
Steps
STEP RESOURCES
Go to Azure AD Management Portal: Conditional Access Azure AD Management Portal: Conditional Access
blade
Create Conditional Access policy: Get started with conditional access in Azure Active Directory:
- Target PoC Users under "Users and groups" Policy configuration steps
- Target PoC Application under "Cloud apps"
- Target all locations except trusted ones under "Conditions"
-> "Locations" Note: trusted IPs are configured in MFA
Portal
- Require multi-factor authentication under "Grant"
Access application from inside corporate network Get started with conditional access in Azure Active Directory:
Testing the policy
Access application from public network Get started with conditional access in Azure Active Directory:
Testing the policy
Considerations
If you are using federation, you can use the on-premises Identity Provider (IdP) to communicate the
inside/outside corporate network state with claims. You can use this technique without having to manage the list
of IP addresses which might be complex to assess and manage in large organizations. In that setup, you need
account for the "network roaming" scenario (a user logging from the internal network, and while logged in
switches locations such as a coffee shop) and make sure you understand the implications. Learn more: Securing
cloud resources with Azure Multi-Factor Authentication and AD FS: Trusted IPs for federated users
Identify the global admin that will be part of the POC for PIM Start using Azure AD Privileged Identity Management
Identify the global admin that will become the Security Start using Azure AD Privileged Identity Management
Administrator Different administrative roles in Azure Active Directory PIM
Optional: Confirm if the global admins have email access to What is Azure AD Privileged Identity Management?:
exercise email notifications in PIM Configure the role activation settings
Steps
STEP RESOURCES
Login to https://portal.azure.com as a global admin (GA) and Using the security wizard in Azure AD Privileged Identity
bootstrap the PIM blade. The Global Admin that performs Management
this step is seeded as the security administrator. Let's call this
actor GA1
Identify the global admin and move them from permanent to Azure AD Privileged Identity Management: How to add or
eligible. This should be a separate admin from the one used remove a user role
in step 1 for clarity. Let's call this actor GA2 What is Azure AD Privileged Identity Management?:
Configure the role activation settings
In a new tab and in the same session as step 3, navigate now How to activate or deactivate roles in Azure AD Privileged
to https://portal.azure.com and add the PIM blade to the Identity Management: Add the Privileged Identity
dashboard. Management application
Request activation to the Global Administrator role How to activate or deactivate roles in Azure AD Privileged
Identity Management: Activate a role
8 Check the audit history and observe the report to confirm What is Azure AD Privileged Identity Management?: Review
the elevation of GA2 is shown. role activity
Considerations
This capability is part of Azure AD Premium P2 and/or EMS E5
Device with Tor browser downloaded and installed Download Tor Browser
Access to POC user to do the login Azure Active Directory Identity Protection playbook
Steps
STEP RESOURCES
Log in to https://myapps.microsoft.com with the POC user Azure Active Directory Identity Protection playbook:
account Simulating Risk Events
Open the risk events blade. You should see an entry under Azure Active Directory Identity Protection playbook:
"Sign-ins from anonymous IP addresses" Simulating Risk Events
Considerations
This capability is part of Azure AD Premium P2 and/or EMS E5
Device with Tor browser downloaded and installed Download Tor Browser
POC user is registered with MFA. Make sure to use a phone Building Block: Azure Multi-Factor Authentication with Phone
with good reception Calls
Steps
STEP RESOURCES
Enable a sign-in risk policy as follows: Azure Active Directory Identity Protection playbook: Sign-in
- Assigned to: POC user risk
- Conditions: Sign-in risk medium or higher (sign-in from
anonymous location is deemed as a medium risk level)
- Controls: Require MFA
Notice the MFA challenge Sign-in experiences with Azure AD Identity Protection: Risky
sign-in recovery
Considerations
This capability is part of Azure AD Premium P2 and/or EMS E5. To learn more about risk events visit: Azure Active
Directory risk events
Device with user certificate provisioned (Windows, iOS or Deploy User Certificates
Android) from Enterprise PKI
For iOS devices have Microsoft Authenticator app installed Get started with the Microsoft Authenticator app
Steps
STEP RESOURCES
Optional: Enable Certificate Authentication in Azure AD for Get started with certificate-based authentication in Azure
Exchange Active Sync clients Active Directory
Considerations
To learn more about caveats of this deployment visit: ADFS: Certificate Authentication with Azure AD & Office
365
NOTE
Possession of user certificate should be guarded. Either by managing devices or with PIN in case of smart cards.
Playbook Steps
1. Introduction
2. Ingredients
Theme
Environment
Target Users
3. Implementation
Foundation - Syncing AD to Azure AD
Extending your on-premises identity to the cloud
Assigning Azure AD licenses using Groups
Theme - Lots of apps, one identity
Integrate SaaS Applications - Federated SSO
SSO and Identity Lifecycle Events
Integrate SaaS Applications - Password SSO
Secure Access to Shared Accounts
Secure Remote Access to On-Prem Applications
Synchronize LDAP identities to Azure AD
Theme - Increase your security
Secure administrator account access
Secure access to applications
Enable Just in time (JIT) administration
Protect Identities based on risk
Authenticate without passwords using certificate based authentication
Theme - Scale with Self Service
Self Service Password Reset
Self Service Access to Applications
4. Building Blocks
Catalog of Actors
Common Prerequisites for all building blocks
Directory Synchronization - Password Hash Sync (PHS) - New Installation
Branding
Group based licensing
SaaS Federated SSO Configuration
SaaS Password SSO Configuration
SaaS Shared Accounts Configuration
App Proxy Configuration
Generic LDAP Connector configuration
Groups - Delegated Ownership
SaaS and Identity Lifecycle
Self Service Access to Application Management
Self Service Password Reset
Azure Multi-Factor Authentication with Phone Calls
MFA Conditional Access for SaaS applications
Privileged Identity Management (PIM)
Discovering Risk Events
Deploying Sign-in risk policies
Configuring certificate based authentication
Azure AD service limits and restrictions
12/11/2017 • 2 min to read • Edit Online
This article contains the usage constraints and other service limits for the Azure Active Directory (Azure AD) service.
If you’re looking for the full set of Microsoft Azure service limits, see Azure Subscription and Service Limits, Quotas,
and Constraints.
Here are the usage constraints and other service limits for the Azure Active Directory service.
CATEGORY LIMITS
What's next
Sign up for Azure as an organization
How Azure subscriptions are associated with Azure AD
Integrate your on-premises directories with Azure
Active Directory
1/3/2018 • 7 min to read • Edit Online
Azure AD Connect will integrate your on-premises directories with Azure Active Directory. This allows you to
provide a common identity for your users for Office 365, Azure, and SaaS applications integrated with Azure AD.
This topic will guide you through the planning, deployment, and operation steps. It is a collection of links to the
topics related to this area.
IMPORTANT
Azure AD Connect is the best way to connect your on-premises directory with Azure AD and Office 365. This is a great
time to upgrade to Azure AD Connect from Windows Azure Active Directory Sync (DirSync) or Azure AD Sync as these
tools are now deprecated are no longer supported as of April 13, 2017.
Synchronization - This component is responsible for creating users, groups, and other objects. It is also
responsible for making sure identity information for your on-premises users and groups is matching the
cloud.
AD FS - Federation is an optional part of Azure AD Connect and can be used to configure a hybrid
environment using an on-premises AD FS infrastructure. This can be used by organizations to address
complex deployments, such as domain join SSO, enforcement of AD sign-in policy, and smart card or 3rd
party MFA.
Health Monitoring - Azure AD Connect Health can provide robust monitoring and provide a central location in
the Azure portal to view this activity. For additional information, see Azure Active Directory Connect Health.
SOLUTION SCENARIO
Before you start - Hardware and prerequisites Steps to complete before you start to install Azure AD
Connect.
Customized settings Used when you have multiple forests. Supports many on-
premises topologies.
Customize your sign-in option, such as ADFS for federation
or use a 3rd party identity provider.
Customize synchronization features, such as filtering and
writeback.
Upgrade from DirSync Used when you have an existing DirSync server already
running.
SOLUTION SCENARIO
Upgrade from Azure AD Sync or Azure AD Connect There are several different methods depending on your
preference.
After installation you should verify it is working as expected and assign licenses to the users.
Next steps to Install Azure AD Connect
TOPIC LINK
TOPIC LINK
Accounts used for installation More about Azure AD Connect credentials and permissions
Understanding the default configuration Azure AD Connect sync: Understanding the default
configuration
TOPIC LINK
Understanding users and contacts Azure AD Connect sync: Understanding Users and Contacts
Change the default configuration Best practices for changing the default configuration
Configure ADFS with subdomains Multiple Domain Support for Federating with Azure AD
Manually updating federation certificates Renewing Federation Certificates for Office 365 and Azure AD
Compare DirSync, Azure ADSync, and Azure AD Connect Directory integration tools comparison
Configuring a SAML 2.0 Idp Using a SAML 2.0 Identity Provider (IdP) for Single Sign On
Additional Resources
Ignite 2015 presentation on extending your on-premises directories to the cloud.
Monitor your on-premises identity infrastructure and
synchronization services in the cloud
12/11/2017 • 7 min to read • Edit Online
Azure Active Directory (Azure AD) Connect Health helps you monitor and gain insights into your on-premises
identity infrastructure and the synchronization services. It enables you to maintain a reliable connection to Office
365 and Microsoft Online Services by providing monitoring capabilities for your key identity components such
as Active Directory Federation Services (AD FS) servers, Azure AD Connect servers (also known as Sync Engine),
Active Directory domain controllers, etc. It also makes the key data points about these components easily
accessible so that you can get usage and other important insights to make informed decisions.
The information is presented in the Azure AD Connect Health portal. In the Azure AD Connect Health portal, you
can view alerts, performance monitoring, usage analytics, and other information. Azure AD Connect Health
enables the single lens of health for your key identity components in one place.
As the features in Azure AD Connect Health increase, the portal provides a single dashboard through the lens of
identity. You get an even more robust, healthy, and integrated environment for your users to increase their
ability to get things done.
>
NOTE
Remember that before you see data in your Azure AD Connect Health dashboard, you need to install the Azure AD
Connect Health Agents on your targeted servers.
NOTE
For licensing information, see the Azure AD Connect FAQ or the Azure AD Pricing page.
Quick Start: When you select this option, the Quick Start blade opens. You can download the Azure AD
Connect Health Agent by selecting Get Tools. You can also access documentation and provide feedback.
Active Directory Federation Services: This option shows all the AD FS services that Azure AD Connect
Health is currently monitoring. When you select an instance, the blade that opens shows information about
that service instance. This information includes an overview, properties, alerts, monitoring, and usage
analytics. Read more about the capabilities at Using Azure AD Connect Health with AD FS.
Azure Active Directory Connect (sync): This option shows your Azure AD Connect servers that Azure AD
Connect Health is currently monitoring. When you select the entry, the blade that opens shows information
about your Azure AD Connect servers. Read more about the capabilities at Using Azure AD Connect Health for
sync.
Active Directory Domain Services: This option shows all the AD DS forests that Azure AD Connect Health is
currently monitoring. When you select a forest, the blade that opens shows information about that forest. This
information includes an overview of essential information, the Domain Controllers dashboard, the Replication
Status dashboard, alerts, and monitoring. Read more about the capabilities at Using Azure AD Connect Health
with AD DS.
Configure: This section includes options to turn the following on or off:
Auto-update to automatically update the Azure AD Connect Health agent to the latest version: You will
be automatically updated to the latest versions of the Azure AD Connect Health Agent when they
become available. This is enabled by default.
Allow Microsoft access to your Azure AD directory’s health data for troubleshooting purposes only: If
this is enabled, Microsoft can see the same data that you see. This information can help with
troubleshooting and assistance with issues. This is disabled by default.
Related links
Azure AD Connect Health Agent installation
Azure AD Connect Health operations
Using Azure AD Connect Health with AD FS
Using Azure AD Connect Health for sync
Using Azure AD Connect Health with AD DS
Azure AD Connect Health FAQ
Azure AD Connect Health version history
Integrating with Azure Active Directory
12/11/2017 • 6 min to read • Edit Online
NOTE
This article is part of the Azure Active Directory developer's guide.
Azure Active Directory provides organizations with enterprise-grade identity management for cloud applications.
Azure AD integration gives your users a streamlined sign-in experience, and helps your application conform to IT
policy.
How To Integrate
There are several ways for your application to integrate with Azure AD. Take advantage of as many or as few of
these scenarios as is appropriate for your application.
Support Azure AD as a Way to Sign In to Your Application
Reduce sign in friction and reduce support costs. By using Azure AD to sign in to your application, your users
won't have one more name and password to remember. As a developer, you'll have one less password to store and
protect. Not having to handle forgotten password resets may be a significant savings alone. Azure AD powers sign
in for some of the world's most popular cloud applications, including Office 365 and Microsoft Azure. With
hundreds of millions users from millions of organizations, chances are your user is already signed in to Azure AD.
Learn more about adding support for Azure AD sign in.
Simplify sign up for your application. During sign up for your application, Azure AD can send essential
information about a user so that you can pre-fill your sign up form or eliminate it completely. Users can sign up for
your application using their Azure AD account via a familiar consent experience similar to those found in social
media and mobile applications. Any user can sign up and sign in to an application that is integrated with Azure AD
without requiring IT involvement. Learn more about signing-up your application for Azure AD Account login.
Browse for Users, Manage User Provisioning, and Control Access to Your Application
Browse for users in the directory. Use the Graph API to help users search and browse for other people in their
organization when inviting others or granting access, instead of requiring them to type email addresses. Users can
browse using a familiar address book style interface, including viewing the details of the organizational hierarchy.
Learn more about the Graph API.
Re-use Active Directory groups and distribution lists your customer is already managing. Azure AD
contains the groups that your customer is already using for email distribution and managing access. Using the
Graph API, re-use these groups instead of requiring your customer to create and manage a separate set of groups
in your application. Group information can also be sent to your application in sign in tokens. Learn more about the
Graph API.
Use Azure AD to control who has access to your application. Administrators and application owners in Azure
AD can assign access to applications to specific users and groups. Using the Graph API, you can read this list and
use it to control provisioning and de-provisioning of resources and access within your application.
Use Azure AD for Roles Based Access Control. Administrators and application owners can assign users and
groups to roles that you define when you register your application in Azure AD. Role information is sent to your
application in sign in tokens and can also be read using the Graph API. Learn more about using Azure AD for
authorization.
Get Access to User's Profile, Calendar, Email, Contacts, Files, and More
Azure AD is the authorization server for Office 365 and other Microsoft business services. If you support
Azure AD for sign in to your application or support linking your current user accounts to Azure AD user accounts
using OAuth 2.0, you can request read and write access to a user's profile, calendar, email, contacts, files, and other
information. You can seamlessly write events to user's calendar, and read or write files to their OneDrive. Learn
more about accessing the Office 365 APIs.
Promote Your Application in the Azure and Office 365 Marketplaces
Promote your application to the millions of organizations who are already using Azure AD. Users who
search and browse these marketplaces are already using one or more cloud services, making them qualified cloud
service customers. Learn more about promoting your application in the Azure Marketplace.
When users sign up for your application, it will appear in their Azure AD access panel and Office 365 app
launcher. Users will be able to quickly and easily return to your application later, improving user engagement.
Learn more about the Azure AD access panel.
Secure Device -to -Service and Service -to -Service Communication
Using Azure AD for identity management of services and devices reduces the code you need to write and
enables IT to manage access. Services and devices can get tokens from Azure AD using OAuth and use those
tokens to access web APIs. Using Azure AD you can avoid writing complex authentication code. Since the identities
of the services and devices are stored in Azure AD, IT can manage keys and revocation in one place instead of
having to do this separately in your application.
Benefits of Integration
Integration with Azure AD comes with benefits that do not require you to write additional code.
Integration with Enterprise Identity Management
Help your application comply with IT policies. Organizations integrate their enterprise identity management
systems with Azure AD, so when a person leaves an organization, they will automatically lose access to your
application without IT needing to take extra steps. IT can manage who can access your application and determine
what access policies are required - for example multi-factor authentication - reducing your need to write code to
comply with complex corporate policies. Azure AD provides administrators with a detailed audit log of who signed
in to your application so IT can track usage.
Azure AD extends Active Directory to the cloud so that your application can integrate with AD. Many
organizations around the world use Active Directory as their principal sign-in and identity management system,
and require their applications to work with AD. Integrating with Azure AD integrates your app with Active Directory.
Advanced Security Features
Multi-factor authentication. Azure AD provides native multi-factor authentication. IT administrators can require
multi-factor authentication to access your application, so that you do not have to code this support yourself. Learn
more about Multi-Factor Authentication.
Anomalous sign in detection. Azure AD processes more than a billion sign-ins a day, while using machine
learning algorithms to detect suspicious activity and notify IT administrators of possible problems. By supporting
Azure AD sign-in, your application gets the benefit of this protection. Learn more about viewing Azure Active
Directory access report.
Conditional access. In addition to multi-factor authentication, administrators can require specific conditions be
met before users can sign-in to your application. Conditions that can be set include the IP address range of client
devices, membership in specified groups, and the state of the device being used for access. Learn more about Azure
Active Directory conditional access.
Easy Development
Industry standard protocols. Microsoft is committed to supporting industry standards. Azure AD supports the
SAML 2.0, OpenID Connect 1.0, OAuth 2.0, and WS-Federation 1.2 authentication protocols. The Graph API is OData
4.0 compliant. If your application already supports the SAML 2.0 or OpenID Connect 1.0 protocols for federated
sign in, adding support for Azure AD can be straightforward. Learn more about Azure AD supported authentication
protocols.
Open source libraries. Microsoft provides fully supported open source libraries for popular languages and
platforms to speed development. The source code is licensed under Apache 2.0, and you are free to fork and
contribute back to the projects. Learn more about Azure AD authentication libraries.
Worldwide Presence and High Availability
Azure AD is deployed in datacenters around the world and is managed and monitored around the clock.
Azure AD is the identity management system for Microsoft Azure and Office 365 and is deployed in 28 datacenters
around the world. Directory data is guaranteed to be replicated to at least three datacenters. Global load balancers
ensure users access the closest copy of Azure AD containing their data, and automatically re-route requests to other
datacenters if a problem is detected.
Next Steps
Get started writing code.
Sign Users In Using Azure AD
Securing privileged access in Azure AD
12/11/2017 • 2 min to read • Edit Online
Securing privileged access is a critical first step to help protect business assets in a modern organization. Privileged
accounts are accounts that administer and manage IT systems. Cyber-attackers target these accounts to gain access
to an organization’s data and systems. To secure privileged access, you should isolate the accounts and systems
from the risk of being exposed to a malicious user.
More users are starting to get privileged access through cloud services. This can include global administrators of
Office365, Azure subscription administrators, and users who have administrative access in VMs or on SaaS apps.
Microsoft recommends you follow this roadmap on Securing Privileged Access.
For customers using Azure Active Directory, Office 365, or other Microsoft services and applications, these
principles apply whether user accounts are managed and authenticated by Active Directory or in Azure Active
Directory. The following sections provide more information on Azure AD features to support securing privileged
access.
For more information, see MFA for Office 365 and MFA for Azure.
Time-bound privileges
Some organizations may find that they have too many users in highly privileged roles. A user might have been
added to the role for a particular activity, like to sign up for a service, but didn't use those privileges frequently
afterward.
To lower the exposure time of privileges and increase your visibility into their use, limit users to only taking on
their privileges "just in time" (JIT), or assign these roles for a shortened duration with confidence the privileges will
be revoked automatically. For Azure Active Directory, Azure Resources (Preview) and Microsoft Online Services,
you can use Azure AD Privileged Identity Management (PIM).
Attack detection
Azure Active Directory Identity Protection provides a consolidated view into risk events and potential vulnerabilities
affecting your organization’s identities. Based on risk events, Identity Protection calculates a user risk level for each
user, enabling you to configure risk-based policies to automatically protect the identities of your organization.
These policies, along with other conditional access controls provided by Azure Active Directory and EMS, can
automatically block the user or offer suggestions that include password resets and multi-factor authentication
enforcement.
Conditional access
With conditional access control, Azure Active Directory checks the specific conditions you choose when
authenticating a user, before allowing access to an application. Once those conditions are met, the user is
authenticated and allowed access to the application.
Related articles
Enable Azure Multi-Factor Authentication
Enable Azure AD Privileged Identity Management
Enable Azure AD Identity Protection
Enable conditional access controls
For more information on building a complete security roadmap, see the “Customer responsibilities and roadmap”
section of the Microsoft Cloud Security for Enterprise Architects document. For more information on engaging
Microsoft services to assist with any of these topics, contact your Microsoft representative or visit our
Cybersecurity solutions page.