Merge pull request #5582 from MicrosoftDocs/main
10/17/2024 AM Publish
Taojunshen authored Oct 17, 2024
2 parents b07bcce + 7ccfa07 commit 0a8f9db
Showing 14 changed files with 118 additions and 73 deletions.
7 changes: 6 additions & 1 deletion .openpublishing.redirection.json
Expand Up @@ -1091,6 +1091,11 @@
"source_path_from_root": "/docs/identity-platform/tutorial-v2-windows-uwp.md",
"redirect_url": "/entra/identity-platform/quickstart-desktop-app-wpf-sign-in",
"redirect_document_id": false
},
{
"source_path_from_root": "/docs/identity-platform/quickstart-web-app-nodejs-msal-sign-in.md",
"redirect_url": "/entra/identity-platform/quickstart-web-app-nodejs-sign-in",
"redirect_document_id": false
}
]
}
}
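Review bot: the new redirect entry for `/docs/identity-platform/quickstart-web-app-nodejs-msal-sign-in.md` sends readers to `/entra/identity-platform/quickstart-web-app-nodejs-sign-in`, which matches the href swap in docs/identity-platform/TOC.yml further down in this commit; the renamed article itself is not visible in this rendered view, so confirm the target file is actually part of the commit, otherwise both the redirect and the TOC entry land on a missing page.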
69 changes: 56 additions & 13 deletions docs/external-id/cross-tenant-access-settings-b2b-collaboration.yml
Expand Up @@ -20,7 +20,7 @@ introduction: |
[!INCLUDE [applies-to-workforce-only](./includes/applies-to-workforce-only.md)]
Use External Identities cross-tenant access settings to manage how you collaborate with other Microsoft Entra organizations through B2B collaboration. These settings determine both the level of *inbound* access users in external Microsoft Entra organizations have to your resources, and the level of *outbound* access your users have to external organizations. They also let you trust multifactor authentication (MFA) and device claims ([compliant claims and Microsoft Entra hybrid joined claims](~/identity/conditional-access/howto-conditional-access-policy-compliant-device.md)) from other Microsoft Entra organizations. For details and planning considerations, see [Cross-tenant access in Microsoft Entra External ID](cross-tenant-access-overview.md).
**Collaboration across clouds:** Partner organizations in different Microsoft clouds can set up B2B collaboration with each other. First, both organizations must enable collaboration with each other as described in [Configure Microsoft cloud settings](cross-cloud-settings.md). Then each organization can optionally modify their [inbound access settings](#modify-inbound-access-settings) and [outbound access settings](#modify-outbound-access-settings), as described below.
> [!IMPORTANT]
Expand All @@ -37,8 +37,8 @@ prerequisites:
- Identify any Microsoft Entra organizations that need customized settings so you can configure **Organizational settings** for them.
- If you want to apply access settings to specific users, groups, or applications in an external organization, you need to contact the organization for information before configuring your settings. Obtain their user object IDs, group object IDs, or application IDs (*client app IDs* or *resource app IDs*) so you can target your settings correctly.
- If you want to set up B2B collaboration with a partner organization in an external Microsoft Azure cloud, follow the steps in [Configure Microsoft cloud settings](cross-cloud-settings.md). An admin in the partner organization needs to do the same for your tenant.
- Both allow/block list and cross-tenant access settings are checked at the time of invitation. If a user's domain is on the allowlist, they can be invited, unless the domain is explicitly blocked in the cross-tenant access settings. If a user's domain is on the blocklist, they can't be invited regardless of the cross-tenant access settings. If a user isn't on either list, we check the cross-tenant access settings to determine whether they can be invited.
- Both allow/block list and cross-tenant access settings are checked at the time of invitation. If a user's domain is on the allowlist, they can be invited, unless the domain is explicitly blocked in the cross-tenant access settings. If a user's domain is on the blocklist, they can't be invited regardless of the cross-tenant access settings. If a user isn't on either list, we check the cross-tenant access settings to determine whether they can be invited.
procedureSection:
- title: |
Configure default settings
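Review bot: the removed and added versions of the "Both allow/block list and cross-tenant access settings are checked at the time of invitation" bullet read identically in this hunk, so this appears to be a whitespace-only change; if a wording change was intended, it did not make it into the diff.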
Expand All @@ -49,7 +49,7 @@ procedureSection:
steps:
- |
Sign in to the [Microsoft Entra admin center](https://entra.microsoft.com) as at least a [Security Administrator](~/identity/role-based-access-control/permissions-reference.md#security-administrator).
- |
- |
Browse to **Identity** > **External Identities** > **Cross-tenant access settings**, then select **Cross-tenant access settings**.
- |
Select the **Default settings** tab and review the summary page.
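Review bot: the two `- |` step markers in this hunk are identical, so this is another whitespace or indentation-only edit; worth a quick check that the YAML still parses with the steps at the intended nesting level, since a mis-indented `- |` silently drops a step from the rendered procedure.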
Expand Down Expand Up @@ -189,15 +189,58 @@ procedureSection:
14. Select **Save**.
### Add the Microsoft Admin Portals app to B2B collaboration
### Considerations for allowing Microsoft applications
If you want to configure **Cross-tenant access settings** to allow only a designated set of applications, consider adding the Microsoft applications shown in the following table. For example, if you configure an allow list and only allow SharePoint Online, the user can't access My Apps or register for MFA in the resource tenant. To ensure a smooth end user experience, include the following applications in your inbound and outbound collaboration settings.
|Application|Resource ID|Available in portal|Details|
|----|----|----|----|
|My Apps|2793995e-0a7d-40d7-bd35-6968ba142197|Yes|Default landing page after redeemed invitation. Defines access to `myapplications.microsoft.com`.|
|Microsoft App Access Panel|0000000c-0000-0000-c000-000000000000|No|Used in some late-bound calls when loading certain pages within My Sign ins. For example, the Security Info blade or the Organizations switcher.|
|My Profile|8c59ead7-d703-4a27-9e55-c96a0054c8d2|Yes|Defines access to `myaccount.microsoft.com` including My Groups and My Access portals. Some tabs within My Profile require the other apps listed here in order to work.|
|My Sign ins|19db86c3-b2b9-44cc-b339-36da233a3be2|No|Defines access to `mysignins.microsoft.com` including access to Security Info. Allow this app if you require users to register for and use MFA in the resource tenant (for example, MFA isn't trusted from the home tenant).|
Some of the applications in the previous table don't allow selection from the Microsoft Entra admin center. To allow them, add them with Microsoft Graph API as shown in the following example:
```json
PATCH https://graph.microsoft.com/v1.0/policies/crossTenantAccessPolicy/partners/<insert partner’s tenant id>
{
"b2bCollaborationInbound": {
"applications": {
"accessType": "allowed",
"targets": [
{
"target": "2793995e-0a7d-40d7-bd35-6968ba142197",
"targetType": "application"
},
{
"target": "0000000c-0000-0000-c000-000000000000",
"targetType": "application"
},
{
"target": "8c59ead7-d703-4a27-9e55-c96a0054c8d2",
"targetType": "application"
},
{
"target": "19db86c3-b2b9-44cc-b339-36da233a3be2",
"targetType": "application"
}
]
}
}
}
```
> [!NOTE]
> Be sure to include any additional applications you want to allow in the PATCH request as this will overwrite any previously configured applications. Applications that are already configured can be retrieved manually from the portal or by running a GET request on the partner policy. For example, `GET https://graph.microsoft.com/v1.0/policies/crossTenantAccessPolicy/partners/<insert partner's tenant id>`
You can't directly add the [Microsoft Admin Portals app](/entra/identity/conditional-access/concept-conditional-access-cloud-apps#microsoft-admin-portals) to the inbound and outbound cross-tenant access settings in the Microsoft Entra admin center. However, you can add the apps listed below individually by using the [Microsoft Graph API](/graph/api/crosstenantaccesspolicy-post-partners).
> [!NOTE]
> Applications added via Microsoft Graph API that do not map to an application available in the Microsoft Entra admin center will be displayed as the app ID.
The following apps are part of the Microsoft Admin Portals app group:
- Azure portal (c44b4083-3bb0-49c1-b47d-974e53cbdf3c)
- Microsoft Entra admin center (c44b4083-3bb0-49c1-b47d-974e53cbdf3c)
- Microsoft 365 Defender Portal (80ccca67-54bd-44ab-8625-4b79c4dc7775)
- Microsoft Intune Admin Center (80ccca67-54bd-44ab-8625-4b79c4dc7775)
You can't add the Microsoft Admin Portals app to the inbound and outbound cross-tenant access settings in the Microsoft Entra admin center. To allow external access to Microsoft admin portals, use the Microsoft Graph API to individually add the following apps that are part of the Microsoft Admin Portals app group:
- Azure portal (c44b4083-3bb0-49c1-b47d-974e53cbdf3c)
- Microsoft Entra admin center (c44b4083-3bb0-49c1-b47d-974e53cbdf3c)
- Microsoft 365 Defender Portal (80ccca67-54bd-44ab-8625-4b79c4dc7775)
- Microsoft Intune Admin Center (80ccca67-54bd-44ab-8625-4b79c4dc7775)
- Microsoft Purview Compliance Portal (80ccca67-54bd-44ab-8625-4b79c4dc7775)
### Configure redemption order
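Review bot: the text under "Considerations for allowing Microsoft applications" tells the reader to include the four apps in both inbound and outbound collaboration settings, but the PATCH example only sets `b2bCollaborationInbound`; either add a matching `b2bCollaborationOutbound` block to the example or say explicitly that outbound requires a second request. Two smaller points in the same hunk: the placeholder in the PATCH URL uses a curly apostrophe (`<insert partner’s tenant id>`) while the GET in the note uses a straight one, which breaks copy-and-paste of the URL; and the Microsoft Admin Portals list pairs five names with only two distinct IDs (Azure portal and Microsoft Entra admin center are both `c44b4083-3bb0-49c1-b47d-974e53cbdf3c`; Defender, Intune and Purview are all `80ccca67-54bd-44ab-8625-4b79c4dc7775`), so state that allowing those two IDs covers the whole group rather than implying five separate entries. Also, the inline link `crosstenantaccesspolicy-post-partners` is the create-partner (POST) reference while the worked example is a PATCH on an existing partner; link the update reference for the partner configuration instead.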
Expand All @@ -209,7 +252,7 @@ procedureSection:
2. Select **External Identities** > **Cross-tenant access settings**.
3. On the **Default settings** tab, under **Inbound access settings**, select **Edit inbound defaults**.
4. On the **B2B collaboration** tab, select the **Redemption order** tab.
5. Move the identity providers up or down to change the order in which your guest users can sign in when they accept your invitation. You can also reset the redemption order to the default settings here.
Expand Down Expand Up @@ -414,7 +457,7 @@ procedureSection:
:::image type="content" source="~/media/external-identities/outbound-consent-prompt-setting.png" alt-text="Screenshot that shows the outbound Automatic redemption check box.":::
- |
Select **Save**.
- title: |
Remove an organization
summary: |
30 changes: 13 additions & 17 deletions docs/id-governance/entitlement-management-ticketed-provisioning.md
Expand Up @@ -6,7 +6,7 @@ ms.author: owinfrey
ms.service: entra-id-governance
ms.subservice: entitlement-management
ms.topic: tutorial
ms.date: 07/15/2024
ms.date: 10/17/2024
ms.custom: template-tutorial
---

Expand All @@ -16,12 +16,12 @@ ms.custom: template-tutorial

Scenario: In this scenario you learn how to use custom extensibility, and a Logic App, to automatically generate ServiceNow tickets for manual provisioning of users who have received assignments and need access to apps.

In this tutorial, you learn how to:
In this tutorial, you'll learn:

> [!div class="checklist"]
> * Adding a Logic App Workflow to an existing catalog.
> * Adding a custom extension to a policy within an existing access package.
> * Register an application in Microsoft Entra ID for resuming Entitlement Management workflow
> * Registering an application in Microsoft Entra ID for resuming Entitlement Management workflow
> * Configuring ServiceNow for Automation Authentication.
> * Requesting access to an access package as an end-user.
> * Receiving access to the requested access package as an end-user.
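Review bot: "In this tutorial, you'll learn:" drops the "how to" that the template-tutorial lead-in used ("In this tutorial, you learn how to:"), and the checklist is now inconsistent: the new "Registering an application in Microsoft Entra ID for resuming Entitlement Management workflow" item is the only one without a trailing period and reads better as "Registering an application in Microsoft Entra ID for resuming the Entitlement Management workflow."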
Expand All @@ -38,16 +38,11 @@ In this tutorial, you learn how to:
## Adding Logic App Workflow to an existing Catalog for Entitlement Management

To add a Logic App workflow to an existing catalog use the ARM template for the Logic App creation here:
Logic App workflows can be added to an existing catalog. For more information on how to create a new catalog, see: [Create and manage a catalog of resources in entitlement management](entitlement-management-catalog-create.md).

[![Deploy to Azure](https://aka.ms/deploytoazurebutton)](https://portal.azure.com/#create/Microsoft.Template/uri/https%3A%2F%2Figaelmprodportalhosting.blob.core.windows.net%2Farm-deployment-template%2FLogicAppServiceNowIntegration.json).
After a catalog is created, you'd add a Logic App workflow by doing the following steps:

:::image type="content" source="media/entitlement-management-servicenow-integration/logic-app-arm-template.png" alt-text="Screenshot of Logic App ARM template." lightbox="media/entitlement-management-servicenow-integration/logic-app-arm-template.png":::

Provide the Azure subscription, resource group details, along with the Logic App name and the Catalog ID to associate the Logic App with and select purchase. For more information on how to create a new catalog, see: [Create and manage a catalog of resources in entitlement management](entitlement-management-catalog-create.md).


1. Navigate To Microsoft Entra admin center [Identity Governance - Microsoft Entra admin center](https://entra.microsoft.com/#view/Microsoft_AAD_ERM/DashboardBlade/~/elmEntitlement) as at least the role of [Identity Governance Administrator](~/identity/role-based-access-control/permissions-reference.md#identity-governance-administrator).
1. Sign in to the [Microsoft Entra admin center](https://entra.microsoft.com) as at least an [Identity Governance Administrator](~/identity/role-based-access-control/permissions-reference.md#identity-governance-administrator).
> [!TIP]
> Other least privilege roles that can complete this task include the Catalog owner and Resource group owner.
1. In the left menu, select **Catalogs**.
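Review bot: "After a catalog is created, you'd add a Logic App workflow by doing the following steps:" should read "you add a Logic App workflow with the following steps:" (the contraction "you'd" reads as "you would"). Dropping the Deploy to Azure button and the ARM template also removes the only sentence that told the reader to supply the Catalog ID when the Logic App is created; check that the later "Create new logic App" step makes the catalog association clear now that the Logic App is created from within the catalog.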
Expand All @@ -62,11 +57,13 @@ Provide the Azure subscription, resource group details, along with the Logic App
:::image type="content" source="media/entitlement-management-servicenow-integration/entitlement-management-custom-extension-behavior.png" alt-text="Screenshot of entitlement management custom extension behavior actions tab." lightbox="media/entitlement-management-servicenow-integration/entitlement-management-custom-extension-behavior.png":::
1. Select **Launch and wait** in the **Extension Configuration** which will pause the associated access package action until after the Logic App linked to the extension completes its task, and a resume action is sent by the admin to continue the process. For more information on this process, see: [Configuring custom extensions that pause entitlement management processes](entitlement-management-logic-apps-integration.md#configuring-custom-extensions-that-pause-entitlement-management-processes).

1. In the **Details** tab, choose No in the "*Create new logic App*" field as the Logic App has already been created in the previous steps. However, you need to provide the Azure subscription and resource group details, along with the Logic App name.
1. In the **Details** tab, choose Yes in the "*Create new logic App*" field. Add a name for the Logic App, along with the subscription, and resource group, where you're putting it.
:::image type="content" source="media/entitlement-management-servicenow-integration/entitlement-management-custom-extension-details.png" alt-text="Screenshot of the entitlement management custom extension details tab." lightbox="media/entitlement-management-servicenow-integration/entitlement-management-custom-extension-details.png":::
1. In **Review and Create**, review the summary of your custom extension and make sure the details for your Logic App call-out are correct. Then select **Create**.
1. In **Review and Create**, review the summary of your custom extension and make sure the details for your Logic App, and it's call-out, are correct. After reviewing these details, select **Create**.

1. Once created, the Logic App is able to be accessed under **Logic App** next to the custom extension on the custom extensions page. You're able to call on this in access package policies.
:::image type="content" source="media/entitlement-management-servicenow-integration/custom-extension-list.png" alt-text="Screenshot of custom extension list.":::

1. This custom extension to the linked Logic App now appears in your Custom Extensions tab under Catalogs. You're able to call on this in access package policies.

> [!TIP]
> To learn more about custom extension feature that pause entitlement management processes, see: [Configuring custom extensions that pause entitlement management processes](entitlement-management-logic-apps-integration.md#configuring-custom-extensions-that-pause-entitlement-management-processes).
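Review bot: "make sure the details for your Logic App, and it's call-out, are correct" uses the contraction "it's" where the possessive "its" is meant; the previous wording "make sure the details for your Logic App call-out are correct" was also tighter. In the following step, "the Logic App is able to be accessed under **Logic App**" should be "the Logic App can be accessed under **Logic App**". The switch from choosing **No** to choosing **Yes** for "Create new logic App" is consistent with removing the ARM-template pre-creation in the earlier hunk, so that part looks right.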
Expand All @@ -85,9 +82,8 @@ After setting up custom extensibility in the catalog, administrators can create
1. In the policy settings, go to the **Custom Extensions** tab.

1. In the menu below **Stage**, select the access package event you wish to use as trigger for this custom extension (Logic App). For our scenario, to trigger the custom extension Logic App workflow when access package has been approved, select **Request is approved**.
> [!NOTE]
> To create a ServiceNow ticket for an expired assignment that had permission granted previously, add a new stage for "*Assignment is removed*", and then select the LogicApp.
> [!NOTE]
> To create a ServiceNow ticket for an expired assignment that had permission granted previously, add a new stage for "*Assignment is removed*", and then select the LogicApp.
1. In the menu below Custom Extension, select the custom extension (Logic App) you created in the above steps to add to this access package. The action you select executes when the event selected in the *when* field occurs.

1. Select **Update** to add it to an existing access package's policy.
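Review bot: the removed and added NOTE blocks ("To create a ServiceNow ticket for an expired assignment...") are identical in text, so this is presumably an indentation fix to nest the note under the Stage step; while touching it, "select the LogicApp" should be "select the Logic App" to match the rest of the page, and "when access package has been approved" needs an article ("when the access package has been approved").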
2 changes: 1 addition & 1 deletion docs/identity-platform/TOC.yml
Expand Up @@ -175,7 +175,7 @@
- name: ASP.NET Core
href: quickstart-web-app-dotnet-core-sign-in.md
- name: Node.js
href: quickstart-web-app-nodejs-msal-sign-in.md
href: quickstart-web-app-nodejs-sign-in.md
- name: Java
href: quickstart-web-app-java-sign-in.md
- name: Python Flask
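Review bot: the href change to `quickstart-web-app-nodejs-sign-in.md` pairs with the redirect added in .openpublishing.redirection.json for the old `quickstart-web-app-nodejs-msal-sign-in.md` path; fine as written, provided the renamed file itself is included in this commit, which this view cannot confirm.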