diff --git a/docs/external-id/add-users-administrator.md b/docs/external-id/add-users-administrator.md index 18cdc424401..eefaaa5bf78 100644 --- a/docs/external-id/add-users-administrator.md +++ b/docs/external-id/add-users-administrator.md @@ -13,6 +13,8 @@ ms.author: cmulligan author: csmulligan manager: celestedg ms.collection: M365-identity-device-management + +# Customer intent: As a user with limited administrator directory roles, I want to add B2B collaboration users in the Microsoft Entra admin center, so that I can invite guest users to the directory, group, or application and manage their access to resources. --- # Add Microsoft Entra B2B collaboration users in the Microsoft Entra admin center diff --git a/docs/external-id/add-users-information-worker.md b/docs/external-id/add-users-information-worker.md index 37fe5eb57f6..befc6d1c00c 100644 --- a/docs/external-id/add-users-information-worker.md +++ b/docs/external-id/add-users-information-worker.md @@ -15,7 +15,7 @@ manager: celestedg ms.custom: "it-pro, seo-update-azuread-jan" ms.collection: M365-identity-device-management -# Customer intent: As a tenant administrator, I want to learn how can my users invite guest users to an app. +# Customer intent: As an application owner in Microsoft Entra, I want to be able to invite guest users to an app and manage their access, so that I can easily share the app with external users and control their permissions. --- # How users in your organization can invite guest users to an app diff --git a/docs/external-id/auditing-and-reporting.md b/docs/external-id/auditing-and-reporting.md index b48c3d1a6be..6212fe19921 100644 --- a/docs/external-id/auditing-and-reporting.md +++ b/docs/external-id/auditing-and-reporting.md 
@@ -14,7 +14,7 @@ manager: celestedg ms.custom: "it-pro, seo-update-azuread-jan" ms.collection: M365-identity-device-management -# Customer intent: As a tenant administrator, I want to see access reviews, and system and user activities in my tenant. +# Customer intent: As an IT admin managing B2B collaboration users, I want to audit and report on guest user activities, so that I can ensure the security and compliance of my organization's resources. --- # Auditing and reporting a B2B collaboration user diff --git a/docs/external-id/b2b-direct-connect-overview.md b/docs/external-id/b2b-direct-connect-overview.md index 5733d4f1c6b..e146bba7ff8 100644 --- a/docs/external-id/b2b-direct-connect-overview.md +++ b/docs/external-id/b2b-direct-connect-overview.md @@ -12,6 +12,8 @@ ms.author: cmulligan author: csmulligan manager: celestedg ms.collection: M365-identity-device-management + +# Customer intent: As an IT admin managing collaboration between organizations, I want to configure B2B direct connect settings, so that I can control inbound and outbound access for users and groups from external organizations and ensure secure collaboration. --- # B2B direct connect overview diff --git a/docs/external-id/b2b-fundamentals.md b/docs/external-id/b2b-fundamentals.md index a8e5bb2ad1c..278de0efa62 100644 --- a/docs/external-id/b2b-fundamentals.md +++ b/docs/external-id/b2b-fundamentals.md @@ -12,6 +12,9 @@ author: csmulligan manager: celestedg ms.custom: "it-pro" ms.collection: M365-identity-device-management + +# Customer intent: As an IT admin managing external collaboration in Microsoft Entra, I want to follow best practices and recommendations for securing collaboration with external partners, so that I can ensure a secure and efficient B2B collaboration experience. + --- # Microsoft Entra B2B best practices diff --git a/docs/external-id/b2b-quickstart-add-guest-users-portal.md b/docs/external-id/b2b-quickstart-add-guest-users-portal.md index a5afa09e4dd..04f7022952a 100644 
--- a/docs/external-id/b2b-quickstart-add-guest-users-portal.md +++ b/docs/external-id/b2b-quickstart-add-guest-users-portal.md @@ -11,7 +11,7 @@ ms.service: active-directory ms.subservice: B2B ms.custom: it-pro, seo-update-azuread-jan, mode-ui ms.collection: M365-identity-device-management -#Customer intent: As a tenant admin, I want to walk through the B2B invitation workflow so that I can understand how to add a guest user in the Microsoft Entra admin center, and understand the end user experience. +#Customer intent: As an administrator, I want to add a guest user to my Microsoft Entra directory and send them an invitation, so that they can collaborate with my organization using their own work, school, or social account. --- # Quickstart: Add a guest user and send an invitation diff --git a/docs/external-id/b2b-quickstart-invite-powershell.md b/docs/external-id/b2b-quickstart-invite-powershell.md index 6ac2b49b7c2..19e7030b2d3 100644 --- a/docs/external-id/b2b-quickstart-invite-powershell.md +++ b/docs/external-id/b2b-quickstart-invite-powershell.md @@ -12,7 +12,7 @@ ms.subservice: B2B ms.custom: it-pro, seo-update-azuread-jan, mode-api, has-azure-ad-ps-ref, azure-ad-ref-level-one-done ms.collection: M365-identity-device-management -#Customer intent: As a tenant admin, I want to walk through the B2B invitation workflow so that I can understand how to add a user via PowerShell. +#Customer intent: As an administrator, I want to add a guest user to my Microsoft Entra directory and send them an invitation via PowerShell, so that they can collaborate with my organization using their own work, school, or social account. --- # Quickstart: Add a guest user with PowerShell diff --git a/docs/external-id/b2b-sponsors.md b/docs/external-id/b2b-sponsors.md index 42c80382fbd..73be8a60d5c 100644 --- a/docs/external-id/b2b-sponsors.md +++ b/docs/external-id/b2b-sponsors.md 
@@ -13,7 +13,7 @@ author: csmulligan manager: CelesteDG ms.collection: M365-identity-device-management -# Customer intent: As a tenant administrator, I want to know how to add sponsors to guest users in Microsoft Entra External ID. +# Customer intent: As a B2B organization administrator, I want to track and manage sponsors for guest users, so that I can ensure accountability and proper governance of external partners in my directory. --- # Sponsors field for B2B users (preview) diff --git a/docs/external-id/b2b-tutorial-require-mfa.md b/docs/external-id/b2b-tutorial-require-mfa.md index db2c2e15827..b3959763e65 100644 --- a/docs/external-id/b2b-tutorial-require-mfa.md +++ b/docs/external-id/b2b-tutorial-require-mfa.md @@ -14,7 +14,7 @@ manager: CelesteDG ms.custom: "it-pro, seo-update-azuread-jan" ms.collection: M365-identity-device-management -# Customer intent: As a tenant administrator, I want to set up MFA requirement for B2B guest users to protect my apps and resources. +# Customer intent: As an IT admin managing external B2B guest users, I want to enforce multifactor authentication for access to cloud or on-premises applications, so that I can ensure the security of our resources and protect against unauthorized access. --- # Tutorial: Enforce multifactor authentication for B2B guest users diff --git a/docs/external-id/bulk-invite-powershell.md b/docs/external-id/bulk-invite-powershell.md index 19fbdc60a70..ac1d623271d 100644 --- a/docs/external-id/bulk-invite-powershell.md +++ b/docs/external-id/bulk-invite-powershell.md 
@@ -15,7 +15,7 @@ manager: CelesteDG ms.custom: has-azure-ad-ps-ref ms.collection: M365-identity-device-management -# Customer intent: As a tenant administrator, I want to send B2B invitations to multiple external users at the same time so that I can avoid having to send individual invitations to each user. +# Customer intent: As an IT admin managing external partners in Microsoft Entra B2B collaboration, I want to use PowerShell to send bulk invitations to guest users, so that I can efficiently add multiple users to my organization and streamline the onboarding process. --- # Tutorial: Use PowerShell to bulk invite Microsoft Entra B2B collaboration users diff --git a/docs/external-id/claims-mapping.md b/docs/external-id/claims-mapping.md index 8a48a1a89de..9768724e589 100644 --- a/docs/external-id/claims-mapping.md +++ b/docs/external-id/claims-mapping.md @@ -14,6 +14,9 @@ manager: celestedg ms.collection: M365-identity-device-management + +# Customer intent: As a B2B collaboration user, I want to customize the claims issued in the SAML token for my application in Microsoft Entra External ID, so that I can ensure the token contains the specific information I need for user identification and authentication. + --- # B2B collaboration user claims mapping in Microsoft Entra External ID diff --git a/docs/external-id/cross-tenant-access-overview.md b/docs/external-id/cross-tenant-access-overview.md index 12c8a4b1762..347382386bf 100644 --- a/docs/external-id/cross-tenant-access-overview.md +++ b/docs/external-id/cross-tenant-access-overview.md 
@@ -12,6 +12,8 @@ author: csmulligan manager: celestedg ms.custom: "it-pro" ms.collection: M365-identity-device-management + +# Customer intent: As an IT admin managing cross-tenant access settings, I want to configure B2B collaboration and B2B direct connect with external organizations, so that I can control inbound and outbound access and manage trust settings for multi-factor authentication and device claims. --- # Overview: Cross-tenant access with Microsoft Entra External ID diff --git a/docs/external-id/customize-invitation-api.md b/docs/external-id/customize-invitation-api.md index 951bf687da0..c670a64e221 100644 --- a/docs/external-id/customize-invitation-api.md +++ b/docs/external-id/customize-invitation-api.md @@ -14,7 +14,7 @@ author: csmulligan manager: celestedg ms.collection: M365-identity-device-management -# Customer intent: As a tenant administrator, I want to customize the invitation process with the API. +# Customer intent: As an organization administrator, I want to customize the invitation process for external users using the Microsoft Graph REST API, so that I can tailor the onboarding experience and control the notifications sent to the users. --- # Microsoft Entra B2B collaboration API and customization diff --git a/docs/external-id/hybrid-cloud-to-on-premises.md b/docs/external-id/hybrid-cloud-to-on-premises.md index 14cacf16f07..ec8846148c7 100644 --- a/docs/external-id/hybrid-cloud-to-on-premises.md +++ b/docs/external-id/hybrid-cloud-to-on-premises.md 
@@ -14,7 +14,7 @@ manager: celestedg ms.collection: M365-identity-device-management -# Customer intent: As a tenant administrator, I want to enable B2B user access to on-premises apps. +# Customer intent: As an organization using Microsoft Entra B2B collaboration, I want to grant B2B users access to our on-premises applications, so that they can authenticate and access these apps using SAML-based authentication or integrated Windows authentication with Kerberos constrained delegation. --- # Grant Microsoft Entra B2B users access to your on-premises applications diff --git a/docs/external-id/hybrid-on-premises-to-cloud.md b/docs/external-id/hybrid-on-premises-to-cloud.md index c2636f218c0..6096adfa02c 100644 --- a/docs/external-id/hybrid-on-premises-to-cloud.md +++ b/docs/external-id/hybrid-on-premises-to-cloud.md @@ -14,7 +14,7 @@ manager: celestedg ms.custom: "it-pro, seo-update-azuread-jan" ms.collection: M365-identity-device-management -# Customer intent: As a tenant administrator, I want to enable locally-managed external partners' access to both local and cloud resources via the Microsoft Entra B2B collaboration. +# Customer intent: As an IT admin managing partner accounts in a hybrid organization, I want to sync partner accounts from our on-premises directory to the cloud using Microsoft Entra Connect, so that our partners can access the resources they need with the same sign-in credentials for both on-premises and cloud resources. --- # Grant locally managed partner accounts access to cloud resources using Microsoft Entra B2B collaboration diff --git a/docs/external-id/hybrid-organizations.md b/docs/external-id/hybrid-organizations.md index 8675e16d38c..b17d6d0fc4d 100644 --- a/docs/external-id/hybrid-organizations.md +++ b/docs/external-id/hybrid-organizations.md 
@@ -12,7 +12,7 @@ author: csmulligan manager: celestedg ms.collection: M365-identity-device-management -# Customer intent: As a tenant administrator, I want to give partners access to both on-premises and cloud resources with Microsoft Entra B2B collaboration. +# Customer intent: As an IT admin managing a hybrid organization, I want to grant external partners access to on-premises and cloud-based resources using Microsoft Entra B2B collaboration, so that I can easily manage their access and ensure they can use the same credentials for both environments. --- # Microsoft Entra B2B collaboration for hybrid organizations diff --git a/docs/external-id/invitation-email-elements.md b/docs/external-id/invitation-email-elements.md index 5b007facb08..75c7113c89d 100644 --- a/docs/external-id/invitation-email-elements.md +++ b/docs/external-id/invitation-email-elements.md @@ -13,6 +13,8 @@ author: csmulligan manager: celestedg ms.custom: "it-pro, seo-update-azuread-jan" ms.collection: M365-identity-device-management + +# Customer intent: As a B2B collaboration user, I want to understand the elements of the invitation email, so that I can effectively invite partners to join my organization and provide them with the necessary information to make an informed decision. --- # The elements of the B2B collaboration invitation email diff --git a/docs/external-id/invite-internal-users.md b/docs/external-id/invite-internal-users.md index 058ccb883f1..98b2bb92f61 100644 --- a/docs/external-id/invite-internal-users.md +++ b/docs/external-id/invite-internal-users.md 
@@ -14,7 +14,7 @@ author: csmulligan manager: CelesteDG ms.collection: M365-identity-device-management -# Customer intent: As a tenant administrator, I want to know how to invite internal users to B2B collaboration. +# Customer intent: As an IT admin managing internal guest users, I want to invite them to use B2B collaboration, so that they can sign in using their own identities and credentials, eliminating the need for password maintenance or account lifecycle management. --- # Invite internal users to B2B collaboration diff --git a/docs/external-id/leave-the-organization.md b/docs/external-id/leave-the-organization.md index dadf4c30896..030f1832b4a 100644 --- a/docs/external-id/leave-the-organization.md +++ b/docs/external-id/leave-the-organization.md @@ -17,7 +17,7 @@ manager: celestedg ms.collection: M365-identity-device-management adobe-target: true -# Customer intent: As a tenant administrator, I want to make sure that guest users can leave the organization. +# Customer intent: As a Microsoft Entra B2B collaboration or B2B direct connect user, I want to leave an organization, so that I can stop using apps from that organization and end any association with it. --- # Leave an organization as an external user diff --git a/docs/external-id/redemption-experience.md b/docs/external-id/redemption-experience.md index 81fa65b2627..5d4cb6b5135 100644 --- a/docs/external-id/redemption-experience.md +++ b/docs/external-id/redemption-experience.md @@ -14,7 +14,7 @@ manager: celestedg ms.collection: M365-identity-device-management -# Customer intent: As a tenant administrator, I want to make sure that guest users can access resources and the consent process. +# Customer intent: As a Microsoft Entra B2B administrator, I want to understand the redemption process for guest users, so that I can ensure they can access our resources and complete the consent process smoothly. --- # Microsoft Entra B2B collaboration invitation redemption 
diff --git a/docs/external-id/reset-redemption-status.md b/docs/external-id/reset-redemption-status.md index 62e5c59f0d6..0b7061f1aa0 100644 --- a/docs/external-id/reset-redemption-status.md +++ b/docs/external-id/reset-redemption-status.md @@ -14,7 +14,7 @@ author: csmulligan manager: celestedg ms.collection: M365-identity-device-management -# Customer intent: As a tenant administrator, I want to update the sign-in information for a guest user. +# Customer intent: As an admin managing guest users in B2B collaboration, I want to reset the redemption status for a guest user, so that I can update their sign-in information and reinvite them without deleting their account. --- # Reset redemption status for a guest user diff --git a/docs/external-id/troubleshoot.md b/docs/external-id/troubleshoot.md index 69da5a8bf56..60fd1cdf4bd 100644 --- a/docs/external-id/troubleshoot.md +++ b/docs/external-id/troubleshoot.md @@ -11,6 +11,7 @@ ms.author: cmulligan author: csmulligan ms.custom: it-pro, seo-update-azuread-jan, has-azure-ad-ps-ref ms.collection: M365-identity-device-management +# Customer intent: As an IT admin troubleshooting Microsoft Entra B2B collaboration, I want to find remedies for common problems, so that I can resolve issues and ensure smooth collaboration between organizations. --- # Troubleshooting Microsoft Entra B2B collaboration diff --git a/docs/external-id/tutorial-bulk-invite.md b/docs/external-id/tutorial-bulk-invite.md index 744961f99b7..e7a11d0fb91 100644 --- a/docs/external-id/tutorial-bulk-invite.md +++ b/docs/external-id/tutorial-bulk-invite.md 
@@ -13,7 +13,7 @@ ms.author: cmulligan author: csmulligan manager: CelesteDG -# Customer intent: As a tenant administrator, I want to send B2B invitations to multiple external users at the same time so that I can avoid having to send individual invitations to each user. +# Customer intent: As an Entra admin, I want to learn how to bulk invite external users to my organization using the Entra admin center, so that I can efficiently manage user invitations and onboarding. ms.collection: M365-identity-device-management ms.custom: diff --git a/docs/external-id/use-dynamic-groups.md b/docs/external-id/use-dynamic-groups.md index 790ba4dca5a..de78648f1e1 100644 --- a/docs/external-id/use-dynamic-groups.md +++ b/docs/external-id/use-dynamic-groups.md @@ -16,7 +16,7 @@ ms.reviewer: mal ms.collection: M365-identity-device-management ms.custom: -# Customer intent: As a tenant administrator, I want to learn how to use dynamic groups with B2B collaboration. +# Customer intent: As an administrator managing user access in Microsoft Entra B2B collaboration, I want to create dynamic groups based on user attributes, so that I can automatically add or remove members from security groups and provide access to applications or cloud resources. --- # Create dynamic groups in Microsoft Entra B2B collaboration diff --git a/docs/external-id/user-properties.md b/docs/external-id/user-properties.md index c50df037aae..14aecf31616 100644 --- a/docs/external-id/user-properties.md +++ b/docs/external-id/user-properties.md 
@@ -12,7 +12,7 @@ author: csmulligan manager: celestedg ms.custom: it-pro, has-azure-ad-ps-ref, azure-ad-ref-level-one-done ms.collection: M365-identity-device-management -# Customer intent: As a tenant administrator, I want to learn about B2B collaboration guest user properties and states before and after invitation redemption. +# Customer intent: As an IT admin managing external collaboration in Microsoft Entra, I want to understand the properties and management options for B2B collaboration users, so that I can effectively invite and manage external users accessing apps and resources in my organization. --- # Properties of a Microsoft Entra B2B collaboration user diff --git a/docs/external-id/user-token.md b/docs/external-id/user-token.md index 6f47586a4f6..ddc32b9e03f 100644 --- a/docs/external-id/user-token.md +++ b/docs/external-id/user-token.md @@ -14,7 +14,7 @@ manager: celestedg ms.collection: M365-identity-device-management -# Customer intent: As a tenant administrator, I want to know what the token looks like for a B2B collaboration user in the resource tenant. +# Customer intent: As a user of Microsoft Entra B2B collaboration, I want to understand the details and content of user tokens, so that I can effectively manage and authenticate guest accounts in my organization. --- # Understand user tokens in Microsoft Entra B2B collaboration diff --git a/docs/external-id/what-is-b2b.md b/docs/external-id/what-is-b2b.md index f5fbb55b69b..43bb4dcba68 100644 --- a/docs/external-id/what-is-b2b.md +++ b/docs/external-id/what-is-b2b.md 
@@ -12,6 +12,7 @@ author: csmulligan manager: celestedg ms.custom: "it-pro, seo-update-azuread-jan" ms.collection: M365-identity-device-management +# Customer intent: As an administrator managing external collaboration, I want to easily invite guest users from the Azure portal, so that I can securely share my company's applications and services with external partners and maintain control over my corporate data. --- # B2B collaboration overview diff --git a/docs/external-id/whats-new-docs.md b/docs/external-id/whats-new-docs.md index 543f685bab8..5017f8d3aff 100644 --- a/docs/external-id/whats-new-docs.md +++ b/docs/external-id/whats-new-docs.md @@ -9,6 +9,7 @@ ms.topic: reference ms.author: cmulligan author: csmulligan manager: CelesteDG +# Customer intent: As a Microsoft Entra External ID user, I want to stay updated on the new documentation and significant updates, so that I can stay informed about the changes and improvements in the service. --- # Microsoft Entra External ID: What's new diff --git a/docs/fundamentals/media/users-reset-password-azure-portal/user-profile-reset-password-link.png b/docs/fundamentals/media/users-reset-password-azure-portal/user-profile-reset-password-link.png index 476584e810f..476df9a09dc 100644 Binary files a/docs/fundamentals/media/users-reset-password-azure-portal/user-profile-reset-password-link.png and b/docs/fundamentals/media/users-reset-password-azure-portal/user-profile-reset-password-link.png differ diff --git a/docs/fundamentals/media/users-restore/users-deleted-users-view-restorable.png b/docs/fundamentals/media/users-restore/users-deleted-users-view-restorable.png index 81fa8ab78d8..565f581a2a0 100644 Binary files a/docs/fundamentals/media/users-restore/users-deleted-users-view-restorable.png and b/docs/fundamentals/media/users-restore/users-deleted-users-view-restorable.png differ 
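Review bot: several of the new `# Customer intent:` lines name the wrong persona for the task, which matters because this metadata tells readers who the page is for. In claims-mapping.md the intent reads `As a B2B collaboration user, I want to customize the claims issued in the SAML token for my application`, in invitation-email-elements.md `As a B2B collaboration user, I want to understand the elements of the invitation email, so that I can effectively invite partners`, and in user-token.md `As a user of Microsoft Entra B2B collaboration, I want to understand ... so that I can effectively manage and authenticate guest accounts`; customizing SAML claims, sending invitations and managing guest accounts are resource-tenant administrator tasks, not something the guest (the "B2B collaboration user" elsewhere in this set, for example in leave-the-organization.md) does, so reword these to an admin or app-owner persona as the other files do. Product naming should also be consistent across the set: what-is-b2b.md says `invite guest users from the Azure portal` while every other intent and the page titles say Microsoft Entra admin center, tutorial-bulk-invite.md shortens it to `Entra admin` and `Entra admin center`, and cross-tenant-access-overview.md writes `multi-factor authentication` where the b2b-tutorial-require-mfa.md title uses `multifactor authentication`.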
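Review bot: the frontmatter shape of the added intent lines is inconsistent across the files in this change. b2b-quickstart-add-guest-users-portal.md and b2b-quickstart-invite-powershell.md write `#Customer intent:` with no space after `#`, while the rest use `# Customer intent:`; b2b-fundamentals.md and claims-mapping.md add an extra blank `+` line after the intent line before `---`, whereas the other files place the intent line directly before `---` (and tutorial-bulk-invite.md keeps it in the middle of the block, before `ms.collection:`). Pick one form, `# Customer intent:` as the last line before `---`, and apply it to every file so the metadata has the same shape throughout.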
diff --git a/docs/global-secure-access/concept-clients.md b/docs/global-secure-access/concept-clients.md new file mode 100644 index 00000000000..5273a9672d5 --- /dev/null +++ b/docs/global-secure-access/concept-clients.md 
@@ -0,0 +1,29 @@ +--- +title: Learn about the Global Secure Access clients for Microsoft Entra Private Access and Microsoft Entra Internet Access +description: Learn about the Global Secure Access clients for Microsoft Entra Private Access and Microsoft Entra Internet Access. +author: kenwith +ms.author: kenwith +manager: amycolannino +ms.topic: concept-article +ms.date: 10/27/2023 +ms.service: network-access +ms.custom: +ms.reviewer: frankgomulka +--- + + +# Global Secure Access clients + +The Global Secure Access Client allows organizations control over network traffic at the end-user computing device, giving organizations the ability to route specific traffic profiles through Microsoft Entra Internet Access and Microsoft Entra Private Access. Routing traffic in this method allows for more controls like continuous access evaluation (CAE), device compliance, or multifactor authentication to be required for resource access. + +The Global Secure Access Client acquires traffic using a lightweight filter (LWF) driver, while many other security service edge (SSE) solutions integrate as a virtual private network (VPN) connection. This distinction allows the Global Secure Access Client to coexist with these other solutions. The Global Secure Access Client acquires the traffic based on the traffic forwarding profiles you configure prior to other solutions. + + +## Available clients + +You install the client on a device, such as computer or phone, and then use Global Secure Access settings in the Microsoft Entra admin center to secure the device. Clients are currently available for Windows and Android. To learn how to install the Windows client, see [Global Secure Access Client for Windows (preview)](how-to-install-windows-client.md). To learn how to install the Android client, see [Global Secure Access Client for Android](./how-to-install-android-client.md). 
+ +## Related content + +- [Global Secure Access Client for Windows (preview)](how-to-install-windows-client.md) +- [Global Secure Access Client for Android (preview)](how-to-install-android-client.md) diff --git a/docs/global-secure-access/concept-internet-access.md b/docs/global-secure-access/concept-internet-access.md new file mode 100644 index 00000000000..80a0884be4c --- /dev/null +++ b/docs/global-secure-access/concept-internet-access.md 
@@ -0,0 +1,46 @@ +--- +title: Learn about Microsoft Entra Internet Access +description: Learn about how Microsoft Entra Internet Access secures access to the Internet. +author: kenwith +ms.author: kenwith +manager: amycolannino +ms.topic: how-to +ms.date: 11/02/2023 +ms.service: network-access +ms.custom: +ms.reviewer: frankgomulka + +--- + +# Learn about Microsoft Entra Internet Access for all apps + +Microsoft Entra Internet Access provides an identity-centric Secure Web Gateway (SWG) solution for Software as a Service (SaaS) applications and other Internet traffic. It protects users, devices, and data from the Internet's wide threat landscape with best-in-class security controls and visibility through Traffic Logs. + +## Web content filtering + +The key introductory feature for Microsoft Entra Internet Access for all apps is **Web content filtering**. This feature provides granular access control for web categories and FQDNs. By explicitly blocking known inappropriate, malicious, or unsafe sites, you protect your users and their devices from any Internet connection whether they're remote or within the corporate network. + +Web content filtering is implemented using filtering policies, which are grouped into security profiles, which can be linked to Conditional Access policies. To learn more about Conditional Access, see [Microsoft Entra Conditional Access](/azure/active-directory/conditional-access/). + + +## Security profiles + +Security profiles are objects you use to group filtering policies and deliver them through user aware Conditional Access policies. For instance, to block all **News** websites except for `msn.com` for user `angie@contoso.com` you create two web filtering policies and add them to a security profile. You then take the security profile and link it to a Conditional Access policy assigned to `angie@contoso.com`. 
+ +``` +"Security Profile for Angie" <---- the security profile + Allow msn.com at priority 100 <---- higher priority filtering policies + Block News at priority 200 <---- lower priority filtering policy +``` + +## Policy processing logic +Within a security profile, policies are enforced according to priority ordering with 100 being the highest priority and 65,000 being the lowest priority (similar to traditional firewall logic). As a best practice, add spacing of about 100 between priorities to allow for policy flexibility in the future. + +Once you link a security profile to a Conditional Access (CA) policy, if multiple CA policies match, both security profiles are processed in priority ordering of the matching security profiles. + +> [!IMPORTANT] +> If you create a security profile with priority 65,000 then it will apply to all traffic even without linking it to a Conditional Access policy. This can be used to create a baseline policy applying to all Internet Access traffic routed through the service. + +## Next steps + +- [Configure Web content filtering](how-to-configure-web-content-filtering.md) diff --git a/docs/global-secure-access/how-to-configure-web-content-filtering.md b/docs/global-secure-access/how-to-configure-web-content-filtering.md new file mode 100644 index 00000000000..ce3ea96b674 --- /dev/null +++ b/docs/global-secure-access/how-to-configure-web-content-filtering.md 
@@ -0,0 +1,126 @@ +--- +title: How to configure Global Secure Access (preview) Web content filtering +description: Learn how to configure Web content filtering in Microsoft Entra Internet Access (preview). +author: kenwith +ms.author: kenwith +manager: amycolannino +ms.topic: how-to +ms.date: 11/03/2023 +ms.service: network-access +ms.custom: +ms.reviewer: frankgomulka +--- + +# How to configure Global Secure Access (preview) Web content filtering + +Web content filtering empowers you to implement granular Internet access controls for your organization based on website categorization. + +Microsoft Entra Internet Access's first Secure Web Gateway (SWG) features include Web content filtering based on domain names. Microsoft integrates granular filtering policies with Microsoft Entra ID and Microsoft Entra Conditional Access, which results in filtering policies that are user-aware, context-aware, and easy to manage. + +The web filtering feature is currently limited to user- and context-aware Fully Qualified Domain Name (FQDN)-based web category filtering and FQDN filtering. + +## Prerequisites + +- Administrators who interact with **Global Secure Access (preview)** features must have one or more of the following role assignments depending on the tasks they're performing. + - The **Global Secure Access Administrator** role to manage the Global Secure Access preview features. + - [Conditional Access Administrator](/azure/active-directory/roles/permissions-reference#conditional-access-administrator) or [Security Administrator](/azure/active-directory/roles/permissions-reference#security-administrator) to create and interact with Conditional Access policies. +- Complete the [Get started with Global Secure Access](how-to-get-started-with-global-secure-access.md) guide. +- [Install the Global Secure Access client](how-to-install-windows-client.md) on end user devices. 
+- You must disable DNS over HTTPS (Secure DNS) to tunnel network traffic based on the rules of the fully qualified domain names (FQDNs) in the traffic forwarding profile. For more information, see [Configure the DNS client to support DoH](/windows-server/networking/dns/doh-client-support#configure-the-dns-client-to-support-doh). +- Disable built-in DNS client on Chrome and Edge. +- UDP traffic isn't supported in the current preview. If you plan to tunnel Exchange Online traffic, disable the QUIC protocol (443 UDP). For more information, see [Block QUIC when tunneling Exchange Online traffic](how-to-install-windows-client.md#block-quic-when-tunneling-exchange-online-traffic). +- Review Web content filtering concepts, see [Web content filtering](concept-internet-access.md). + +## High level steps + +There are several steps to configuring web content filtering. Take note of where you need to configure a Conditional Access policy. + +1. [Enable internet traffic forwarding.](#enable-internet-traffic-forwarding) +1. [Create a Web content filtering policy.](#create-a-web-content-filtering-policy) +1. [Create a security profile.](#create-a-security-profile) +1. [Link the security profile to a Conditional Access policy.](#create-and-link-conditional-access-policy) + +## Enable internet traffic forwarding + +To enable the Microsoft Entra Internet Access forwarding profile to forward user traffic: + +1. Sign in to the [Microsoft Entra admin center](https://entra.microsoft.com) as a [Global Secure Access Administrator](/azure/active-directory/roles/permissions-reference#global-secure-access-administrator). +1. Browse to **Global Secure Access** > **Connect** > **Traffic forwarding**. +1. Enable the **Internet access profile**. Enabling the setting begins forwarding internet traffic from all client devices to Microsoft's Security Service Edge (SSE) proxy, where you can configure granular security policies. + +## Create a Web content filtering policy + +1. 
Browse to **Global Secure Access** > **Secure** **Web content filtering policy**. +1. Select **Create policy**. +1. Enter a name and description for the policy and select **Next**. +1. Select **Add rule**. +1. Enter a name, select a [web category](reference-web-content-filtering-categories.md), and then select **Add**. +1. Select **Next** to review the policy and then select **Create policy**. + +## Create a security profile + +Security profiles are a grouping of filtering policies. You can assign, or link, security profiles with Microsoft Entra Conditional Access policies. One security profile can contain multiple filtering policies. And one security profile can be associated with multiple Conditional Access policies. + +In this step, you create a security profile to group filtering policies. Then you assign, or link, the security profiles with a Conditional Access policy to make them user or context aware. + +> [!NOTE] +> To learn more about Microsoft Entra Conditional Access policies, see [Building a Conditional Access policy](/azure/active-directory/conditional-access/concept-conditional-access-policies). + +1. Browse to **Global Secure Access** > **Secure** > **Security profiles**. +1. Select **Create profile**. +1. Enter a name and description for the policy and select **Next**. +1. Select **Link a policy** and then select **Existing policy**. +1. Select the Web content filtering policy you already created and select **Add**. +1. Select **Next** to review the security profile and associated policy. +1. Select **Create a profile**. +1. Select **Refresh** to refresh the profiles page and view the new profile. + +## Create and link Conditional Access policy + +Create a Conditional Access policy for end users or groups and deliver your security profile through Conditional Access Session controls. Conditional Access is the delivery mechanism for user and context awareness for Internet Access policies. 
To learn more about session controls, see [Conditional Access: Session](/azure/active-directory/conditional-access/concept-conditional-access-session). + +1. Browse to **Identity** > **Protection** > **Conditional Access**. +1. Select **Create new policy**. +1. Enter a name and assign a user or group. +1. Select **Target resources** and **Global Secure Access (Preview)** from the drop-down menu to set what the policy applies to. +1. Select **Internet traffic** from the drop-down menu to set the traffic profile this policy applies to. +1. Select **Session** > **Use Global Secure Access security profile** and choose a security profile. +1. Select **Select**. +1. In the **Enable policy** section, ensure **On** is selected. +1. Select **Create**. + +## Verify end user policy enforcement + +Use a Windows device with the Global Secure Access client installed. Sign in as a user that is assigned the Internet traffic acquisition profile. Test that navigating to websites is allowed or restricted as expected. + +1. Right-click on the Global Secure Access client icon in the task manager tray and open **Advanced Diagnostics** > **Forwarding profile**. Ensure that the Internet access acquisition rules are present. Also, check if the hostname acquisition and flows for the users Internet traffic are being acquired while browsing. + +1. Navigate to an allowed site and check if it loads properly. + +1. Navigate to a blocked site and confirm the site is blocked. + +1. Browse to **Global Secure Access** > **Monitor** > **Traffic logs** to confirm traffic if blocked or allowed appropriately. It takes approximately 15 minutes for new entries to appear. + +> [!NOTE] +> The current blocking experience for all browsers and processes includes a "Connection Reset" browser error for HTTPS traffic and a "DeniedTraffic" browser error for HTTP traffic. + +## Known limitations + +- Currently, end-user notification on blocks, either from the client or the browser, aren't provided. 
+- Admins can't configure their own Internet traffic acquisition profiles for the client. +- The client traffic acquisition policy includes TCP ports 80/443. +- Currently assuming standard ports for HTTP/S traffic (ports 80 and 443). +- *microsoft.com is currently acquired by the Microsoft 365 access profile. +- IPv6 isn't supported on this platform yet. +- Hyper-V isn't supported on this platform yet. +- Remote network connectivity for branch offices is currently not supported. +- OSI Layer 3/4 (that is, network layer) filtering isn't supported yet. +- No captive portal support yet. This means that connecting to public WiFi via captive portal access may fail because these endpoints are currently acquired by the client. +- TLS Termination is in development. +- No URL path based filtering or URL categorization for HTTP and HTTPS traffic. +- Currently, an admin can create up to 100 web content filtering policies and up to 1,000 rules based on up to 8,000 total FQDNs. Admins can also create up to 256 security profiles. + - These initial limits are placeholders until more features are added to this platform. + +## Next steps + +- [Learn about the traffic dashboard](concept-traffic-dashboard.md) diff --git a/docs/global-secure-access/how-to-install-android-client.md b/docs/global-secure-access/how-to-install-android-client.md new file mode 100644 index 00000000000..9c2d60a4361 --- /dev/null +++ b/docs/global-secure-access/how-to-install-android-client.md 
@@ -0,0 +1,160 @@ +--- +title: The Global Secure Access Client for Android (preview) +description: Install the Global Secure Access Android Client to connect to Microsoft's Security Edge Solutions, Microsoft Entra Internet Access and Private Access. +ms.service: network-access +ms.topic: how-to +ms.date: 12/12/2023 +ms.author: kenwith +author: kenwith +manager: amycolannino +ms.reviewer: dhruvinshah +--- +# Global Secure Access Client for Android (preview) + +The Global Secure Access Client can be deployed to compliant Android devices using Microsoft Intune and Microsoft Defender for Endpoint on Android. The Android client is built into the Defender for Endpoint Android app, which streamlines how your end users connect to Global Secure Access. The Global Secure Access Android Client makes it easier for your end users to connect to the resources they need without having to manually configure VPN settings on their devices. + +This article explains the prerequisites and how to deploy the client onto Android devices. + +## Prerequisites + +- The preview requires a Microsoft Entra ID P1 license. If needed, you can [purchase licenses or get trial licenses](https://aka.ms/azureadlicense). +- At least one Global Secure Access [traffic forwarding profile](concept-traffic-forwarding.md) must be enabled. +- Device installation permissions on the device are required for installation. +- Android devices must be running Android 10.0 or later. +- Android devices need to be Microsoft Entra registered devices. + - The Microsoft Authenticator app must be installed on the device if the device isn't managed by your organization. + - If the device is managed through Intune, the Company Portal app must be installed on the device. + - Device enrollment is required for Intune device compliance policies to be enforced. + +### Known limitations + +- Mobile devices running *Android (Go edition)* aren't currently supported. 
+- Microsoft Defender for Endpoint on Android *on shared devices* isn't currently supported. +- Tunneling IPv6 traffic isn't currently supported. +- Private DNS must be disabled on the device. This setting is usually found in the System > Network and Internet options. +- Running third party endpoint protection products alongside Microsoft Defender for Endpoint might cause performance problems and unpredictable system errors. + +## Supported scenarios + +Global Secure Access Client for Android supports deployment for the legacy Device Administrator and Android Enterprise scenarios. The following Android Enterprise scenarios are supported: + +- Corporate-owned, fully managed user devices +- Corporate-owned devices with a work profile +- Personally-owned devices with a work profile + +### Third party mobile device management + +Third party mobile device management (MDM) scenarios are also supported. In these scenarios, known as *Global Secure Access only mode*, you only need to enable a traffic forwarding profile and configure the app according to the vendor documentation. + +## Deploy Microsoft Defender for Endpoint Android + +There are several combinations of deployment modes and scenarios for using the Global Secure Access Client for Android. + +Once you enable a traffic forwarding profile and configure your network, the Global Secure Access Android Client appears in the Defender app automatically; however, the Global Secure Access client is disabled by default. Users can enable the client from the Defender app. The steps to enable the client are provided in the [Confirm Global Secure Access appears in Defender app](#confirm-global-secure-access-appears-in-defender-app) section. + +### [Device Administrator](#tab/device-administrator) + +This legacy enrollment mode allows you to deploy Defender for Endpoint on Android with Microsoft Intune Company Portal - Device Administrator enrolled devices. + +The high level process is as follows: + +1. 
Deploy Defender to Intune enrolled Android devices. + +1. If Defender is already deployed, [enable at least one traffic forwarding profile](concept-traffic-forwarding.md). + +1. [Confirm Global Secure Access appears in the Defender app](#confirm-global-secure-access-appears-in-defender-app). + +The detailed process for deploying Defender is as follows: + +1. Sign in to the [Microsoft Intune admin center](https://intune.microsoft.com/) as an [Intune Administrator](../identity/role-based-access-control/permissions-reference.md#intune-administrator). +1. Browse to **Apps** > **Android** > **Add** > **Android store app** > **Select**. + + ![Screenshot of the add Android app store options.](media/how-to-install-android-client/intune-add-android-store-app.png) + +1. Provide a **Name**, **Description**, and **Publisher**. +1. Enter the following URL in the **Appstore URL** field: + - `https://play.google.com/store/apps/details?id=com.microsoft.scmx` +1. Leave all other fields as their default values and select **Next**. + + ![Screenshot of the completed fields.](media/how-to-install-android-client/intune-add-defender-app-fields.png) + +1. In the **Required** section, select **Add group**, then select the groups to assign the app to and select **Next**. + - The selected group should consist of your Intune enrolled users. + - You can edit or add more groups later. + + ![Screenshot of the add groups steps.](media/how-to-install-android-client/intune-add-group.png) + +1. On the **Review + create** tab, confirm the information is correct and select **Create**. +1. On the new app details page, select **Device install status** and confirm the app is installed. + +Users need to enable the client in the Defender app. Proceed to the next section to confirm the app is installed and for how to enable the client. + +### [Android Enterprise](#tab/android-enterprise) + +Follow these steps to add the Microsoft Defender for Endpoint app into your managed Google Play store. 
+ +The high level process is as follows: + +1. Deploy Defender on Android Enterprise enrolled devices. + +1. [Enable at least one traffic forwarding profile](concept-traffic-forwarding.md). + +1. [Confirm Global Secure Access appears in the Microsoft Defender for Endpoint app](#confirm-global-secure-access-appears-in-defender-app). + +The detailed process for deploying to the Google Play store is as follows: + +1. Sign in to the [Microsoft Intune admin center](https://intune.microsoft.com/) as an [Intune Administrator](../identity/role-based-access-control/permissions-reference.md#intune-administrator). +1. Browse to **Apps** > **Android** > **Add** > **Managed Google Play app** > **Select**. + + ![Screenshot of the add Google Play app options.](media/how-to-install-android-client/intune-add-google-play-app.png) + +1. On the managed Google Play page, search for **Microsoft Defender** and select it from the search results. +1. On the details page for Microsoft Defender, select the **Select** button. +1. Select the **Sync** button in the upper-left corner. This step syncs Defender with your apps list. + + ![Screenshot of the Defender app details, with the Sync button highlighted.](media/how-to-install-android-client/intune-sync-google-play.png) + +1. Select the **Refresh** button on the Android apps screen so Microsoft Defender for Endpoint appears in the list. +1. Select **Microsoft Defender** from the app list and browse to **Properties** > **Assignments** > **Edit**. + + ![Screenshot of the Edit option for assigning groups.](media/how-to-install-android-client/intune-google-assignments-edit.png) + +1. In the **Required** section, select **Add group**, then select the groups to assign the app to and select **Next**. +1. Select **Review + save** and once the details are confirmed, select **Save**. 
+ + ![Screenshot of the Add group option.](media/how-to-install-android-client/intune-google-add-group.png) + +After you assign a group, the app is automatically installed in the *work profile* during the next sync of the device via the Company Portal app. Users need to enable the client in the Defender app. Proceed to the next section to confirm the app is installed and for how to enable the client. + +--- + +## Confirm Global Secure Access appears in Defender app + +Because of how the Android client is integrated with Defender for Endpoint, it's helpful to understand the end user experience. After onboarding to Global Secure Access - by enabling a traffic forwarding profile - the client appears in the Defender dashboard. + +![Screenshot of the Defender app with the Global Secure Access tile on the dashboard.](media/how-to-install-android-client/defender-endpoint-dashboard.png) + +The client is disabled by default when it's deployed to user devices. Users need to enable the client from the Defender app. Tap the toggle to enable the client. + +![Screenshot of the disabled Global Secure Access client.](media/how-to-install-android-client/defender-global-secure-access-disabled.png) + +Tap on the tile on the dashboard to view the details of the client. When enabled and working properly, the client displays an "Enabled" message. The date and time for when the client connected to Global Secure Access also appears. + +![Screenshot of the enabled Global Secure Access client.](media/how-to-install-android-client/defender-global-secure-access-enabled.png) + +If the client is unable to connect, a toggle appears to disable the service. Users can come back later to try enabling the client. 
+ +![Screenshot of the Global Secure Access client that is unable to connect.](media/how-to-install-android-client/defender-global-secure-access-unable.png) + +## Troubleshooting + +The following common scenarios can occur when deploying the Global Secure Access Android Client to Defender for Endpoint on Android: + +- The Global Secure Access tile doesn't appear after onboarding the tenant to the service. Restart the Defender app. +- When attempting to access a Private Access application, the connection might time out after a successful interactive sign-in. Reloading the application through a web browser refresh should resolve the issue. + +## Related content + +- [About Microsoft Defender for Endpoint on Android](/microsoft-365/security/defender-endpoint/microsoft-defender-endpoint-android) +- [Deploy Microsoft Defender for Endpoint on Android with Microsoft Intune](/microsoft-365/security/defender-endpoint/android-intune) +- [Learn about managed Google Play apps and Android Enterprise devices with Intune](/mem/intune/apps/apps-add-android-for-work) \ No newline at end of file diff --git a/docs/global-secure-access/how-to-install-windows-client.md b/docs/global-secure-access/how-to-install-windows-client.md index 84deeadac8d..f0448a67ba9 100644 --- a/docs/global-secure-access/how-to-install-windows-client.md +++ b/docs/global-secure-access/how-to-install-windows-client.md 
@@ -3,17 +3,15 @@ title: The Global Secure Access Client for Windows (preview) description: Install the Global Secure Access Client for Windows to enable connectivity to Microsoft's Security Edge Solutions, Microsoft Entra Internet Access and Microsoft Entra Private Access. ms.service: network-access ms.topic: how-to -ms.date: 08/04/2023 -ms.author: joflore -author: MicrosoftGuyJFlo +ms.date: 10/27/2023 +ms.author: kenwith +author: kenwith manager: amycolannino ms.reviewer: lirazb --- -# The Global Secure Access Client for Windows (preview) +# Global Secure Access Client for Windows (preview) -The Global Secure Access Client allows organizations control over network traffic at the end-user computing device, giving organizations the ability to route specific traffic profiles through Microsoft Entra Internet Access and Microsoft Entra Private Access. Routing traffic in this method allows for more controls like continuous access evaluation (CAE), device compliance, or multifactor authentication to be required for resource access. - -The Global Secure Access Client acquires traffic using a lightweight filter (LWF) driver, while many other security service edge (SSE) solutions integrate as a virtual private network (VPN) connection. This distinction allows the Global Secure Access Client to coexist with these other solutions. The Global Secure Access Client acquires the traffic based on the traffic forwarding profiles you configure prior to other solutions. +Learn how to install the Global Secure Access Client for Windows. ## Prerequisites diff --git a/docs/global-secure-access/media/how-to-install-android-client/defender-endpoint-dashboard.png b/docs/global-secure-access/media/how-to-install-android-client/defender-endpoint-dashboard.png new file mode 100644 index 00000000000..c37816fda30 Binary files /dev/null and b/docs/global-secure-access/media/how-to-install-android-client/defender-endpoint-dashboard.png differ 
diff --git a/docs/global-secure-access/media/how-to-install-android-client/defender-global-secure-access-disabled.png b/docs/global-secure-access/media/how-to-install-android-client/defender-global-secure-access-disabled.png new file mode 100644 index 00000000000..5fd5d05b870 Binary files /dev/null and b/docs/global-secure-access/media/how-to-install-android-client/defender-global-secure-access-disabled.png differ diff --git a/docs/global-secure-access/media/how-to-install-android-client/defender-global-secure-access-enabled.png b/docs/global-secure-access/media/how-to-install-android-client/defender-global-secure-access-enabled.png new file mode 100644 index 00000000000..0ec03c52779 Binary files /dev/null and b/docs/global-secure-access/media/how-to-install-android-client/defender-global-secure-access-enabled.png differ diff --git a/docs/global-secure-access/media/how-to-install-android-client/defender-global-secure-access-unable.png b/docs/global-secure-access/media/how-to-install-android-client/defender-global-secure-access-unable.png new file mode 100644 index 00000000000..7fad2f55dc3 Binary files /dev/null and b/docs/global-secure-access/media/how-to-install-android-client/defender-global-secure-access-unable.png differ diff --git a/docs/global-secure-access/media/how-to-install-android-client/intune-add-android-store-app.png b/docs/global-secure-access/media/how-to-install-android-client/intune-add-android-store-app.png new file mode 100644 index 00000000000..f5b4810da47 Binary files /dev/null and b/docs/global-secure-access/media/how-to-install-android-client/intune-add-android-store-app.png differ 
diff --git a/docs/global-secure-access/media/how-to-install-android-client/intune-add-defender-app-fields.png b/docs/global-secure-access/media/how-to-install-android-client/intune-add-defender-app-fields.png new file mode 100644 index 00000000000..061516ad680 Binary files /dev/null and b/docs/global-secure-access/media/how-to-install-android-client/intune-add-defender-app-fields.png differ diff --git a/docs/global-secure-access/media/how-to-install-android-client/intune-add-google-play-app.png b/docs/global-secure-access/media/how-to-install-android-client/intune-add-google-play-app.png new file mode 100644 index 00000000000..63c4156c6f5 Binary files /dev/null and b/docs/global-secure-access/media/how-to-install-android-client/intune-add-google-play-app.png differ diff --git a/docs/global-secure-access/media/how-to-install-android-client/intune-add-group.png b/docs/global-secure-access/media/how-to-install-android-client/intune-add-group.png new file mode 100644 index 00000000000..d3ee1a9d430 Binary files /dev/null and b/docs/global-secure-access/media/how-to-install-android-client/intune-add-group.png differ diff --git a/docs/global-secure-access/media/how-to-install-android-client/intune-google-add-group.png b/docs/global-secure-access/media/how-to-install-android-client/intune-google-add-group.png new file mode 100644 index 00000000000..ad6335b8f54 Binary files /dev/null and b/docs/global-secure-access/media/how-to-install-android-client/intune-google-add-group.png differ diff --git a/docs/global-secure-access/media/how-to-install-android-client/intune-google-assignments-edit.png b/docs/global-secure-access/media/how-to-install-android-client/intune-google-assignments-edit.png new file mode 100644 index 00000000000..6013424fbdf Binary files /dev/null and b/docs/global-secure-access/media/how-to-install-android-client/intune-google-assignments-edit.png differ 
diff --git a/docs/global-secure-access/media/how-to-install-android-client/intune-sync-google-play.png b/docs/global-secure-access/media/how-to-install-android-client/intune-sync-google-play.png new file mode 100644 index 00000000000..62c57fe6374 Binary files /dev/null and b/docs/global-secure-access/media/how-to-install-android-client/intune-sync-google-play.png differ diff --git a/docs/global-secure-access/overview-what-is-global-secure-access.md b/docs/global-secure-access/overview-what-is-global-secure-access.md index 523fd9ad12a..00edfa8ad00 100644 --- a/docs/global-secure-access/overview-what-is-global-secure-access.md +++ b/docs/global-secure-access/overview-what-is-global-secure-access.md @@ -5,7 +5,7 @@ author: kenwith ms.author: kenwith manager: amycolannino ms.topic: overview -ms.date: 07/27/2023 +ms.date: 11/30/2023 ms.service: network-access ms.custom: references_regions --- 
@@ -26,7 +26,7 @@ The Global Secure Access features streamline the roll-out and management of the ## Microsoft Entra Internet Access -Microsoft Entra Internet Access secures access to Microsoft 365, SaaS, and public internet apps while protecting users, devices, and data against internet threats. Best-in-class security and visibility, along with fast and seamless access to Microsoft 365 apps is currently available in public preview. Secure access to public internet apps through the identity-centric, device-aware, cloud-delivered Secure Web Gateway (SWG) of Microsoft Entra Internet Access is in private preview. +Microsoft Entra Internet Access secures access to Microsoft 365, SaaS, and public internet apps while protecting users, devices, and data against internet threats. Best-in-class security and visibility, along with fast and seamless access to Microsoft 365 apps is currently available in public preview. Secure access to public internet apps through the identity-centric, device-aware, cloud-delivered Secure Web Gateway (SWG) of Microsoft Entra Internet Access is also in public preview. ### Key features 
@@ -36,21 +36,16 @@ Microsoft Entra Internet Access secures access to Microsoft 365, SaaS, and publi - Improve the precision of risk assessments on users, locations, and devices. - Deploy side-by-side with third party SSE solutions. - Acquire network traffic from the desktop client or from a remote network, such as a branch location. - -#### Private preview features - -The following new capabilities are available in the private preview of Microsoft Entra Internet Access. To request access to the private preview, complete [the private preview interest form](https://aka.ms/entra-ia-preview). - - Dedicated public internet traffic forwarding profile. - Protect user access to the public internet while leveraging Microsoft's cloud-delivered, identity-aware SWG solution. -- Enable web content filtering to regulate access to websites based on their content categories through secure web gateway. -- Apply universal Conditional Access policies for all internet destinations, even if not federated with Microsoft Entra ID. +- Enable web content filtering to regulate access to websites based on their content categories and domain names. +- Apply universal Conditional Access policies for all internet destinations, even if not federated with Microsoft Entra ID, through integration with Conditional Access session controls. ## Microsoft Entra Private Access Microsoft Entra Private Access provides your users - whether in an office or working remotely - secured access to your private, corporate resources. Microsoft Entra Private Access builds on the capabilities of Microsoft Entra application proxy and extends access to any private resource, port, and protocol. -Remote users can connect to private apps across hybrid and multicloud environments, private networks, and data centers from any device and network without requiring a VPN. The service offers per-app adaptive access based on Conditional Access policies, for more granular security than a VPN. 
+Remote users can connect to private apps across hybrid and multicloud environments, private networks, and data centers from any device and network without requiring a VPN. The service offers per-app adaptive access based on Conditional Access policies, for more granular security than a VPN. ### Key features @@ -59,7 +54,7 @@ Remote users can connect to private apps across hybrid and multicloud environmen - Modernize legacy app authentication with deep Conditional Access integration. - Provide a seamless end-user experience by acquiring network traffic from the desktop client and deploying side-by-side with your existing third-party SSE solutions. -[!INCLUDE [Public preview important note](./includes/public-preview-important-note.md)] +[!INCLUDE [Public preview important note](./includes/public-preview-important-note.md)] ## Next steps diff --git a/docs/global-secure-access/reference-web-content-filtering-categories.md b/docs/global-secure-access/reference-web-content-filtering-categories.md new file mode 100644 index 00000000000..1589ed1a67d --- /dev/null +++ b/docs/global-secure-access/reference-web-content-filtering-categories.md 
@@ -0,0 +1,122 @@ +--- +title: Global Secure Access Web content filtering categories +description: Global Secure Access Web content filtering categories +author: kenwith +ms.author: kenwith +manager: amycolannino +ms.topic: reference +ms.date: 11/03/2023 +ms.service: network-access +ms.custom: +--- +# Global Secure Access (preview) Web content filtering categories + +When you set up rules to filter web content, you can select based on a category. This article provides a list of categories along with explanations. + +## Liability + +|Category |Description | +|---------|---------| +|Alcohol + tobacco |Sites that are contain, promote, or sell alcohol- or tobacco-related products or services.| +|Child abuse images |Sites that present or discuss children in abusive or sexual acts.| +|Child inappropriate |Sites that are unsuitable for children, which might contain R-rated or tasteless content, profanity, or adult material.| +|Criminal activity|Sites that promote or advise on how to commit illegal or criminal activity. Sites that promote how to avoid detection of criminal activity. Criminal activity includes murder, building bombs, illegal manipulation of electronic devices, hacking, fraud, and illegal distribution of software.| +|Dating + personals |Sites that promote networking for relationships such as dating and marriage, such as matchmaking, online dating, and spousal introduction.| +|Gambling |Sites that offer or related to online gambling, lottery, betting agencies involving chance, and casinos.| +|Hacking |Sites that promote or advise gaining unauthorized access to proprietary computer systems. 
Sites that promote stealing information, perpetrating fraud, creating viruses, or committing other illegal activity related to theft or digital inform.| +|Hate + intolerance|Sites that promote a supremacist political agenda, encouraging oppression of people or groups of people based on their race, religion, gender, age, disability, sexual orientation, or nationality.| +|Illegal drug |Sites with information on the purchase, manufacture, and use of illegal or recreational drugs, and misuse of prescription drugs and other compounds.| +|Illegal software |Sites that illegally distribute software or copyrighted materials such as movies, music, software cracks, illicit serial numbers, illegal license key generators.| +|Lingerie + swimsuits|Sites that offer images of models in suggestive costume, with semi-nudity permitted. Includes sites offering lingerie or swimwear.| +|Marijuana |Sites that contain information, discussions, or sale of marijuana and associated products or services, including legalizing marijuana and/or using marijuana for medicinal purposes.| +|Nudity | Sites that contain full or partial nudity that are not necessarily overtly sexual in intent.| +|Pornography/sexually explicit |Sites that contain explicit sexual content. Includes adult products such as sex toys, CD-ROMs, and videos, adult services such as videoconferencing, escort services, and strip clubs, erotic stories, and textual descriptions of sexual acts. | +|School cheating | Sites that promote unethical practices such as cheating or plagiarism by providing test answers, written essays, research papers, or term papers. | +|Self-harm |Sites that promote actions that are relating to harming oneself, such as suicide, anorexia, bulimia, etc. | +|Sex education | Sites relating to sex education, including subjects such as respect for partner, abortion, contraceptives, sexually transmitted diseases, and pregnancy. | +|Tasteless |Sites with offensive or tasteless content, including profanity. 
| +|Violence | Sites that contain images or text depicting or advocating physical assault against humans, animals, or institutions. Sites of gruesome nature. | +|Weapons |Sites that depict, sell, review, or describe guns and weapons, including for sport. | + +## High bandwidth + +|Category |Description | +|---------|---------| +|Image sharing | Sites that host digital photographs and images, online photo albums, and digital photo exchanges. | +|Peer-to-peer | Sites that enable direct exchange of files between users without dependence on a central server. | +|Streaming media + downloads | Sites that deliver streaming content, such as Internet radio, Internet TV or MP3 and live or archived media download sites. Includes fan sites, or official sites run by musicians, bands, or record labels. | +|Download sites | Sites that contain downloadable software, whether shareware, freeware, or for a charge. | +|Entertainment | Sites containing programming guides to television, movies, music and video (including video on demand), celebrity sites, and entertainment news. | +| | | + +## Business use + +|Category |Description | +|---------|---------| +|Business | Sites that provide business related information such as corporate web sites. Information, services, or products that help businesses of all sizes to do their day-to-day commercial activities. | +|Computers + technology |Sites that contain information such as product reviews, discussions, and news about computers, software, hardware, peripheral, and computer services. | +|Education | Sites sponsored by educational institutions and schools of all types including distance education. Includes general educational and reference materials such as dictionaries, encyclopedias, online courses, teaching aids and discussion guides. 
| +|Finance | Sites related to banking, finance, payment or investment, including banks, brokerages, online stock trading, stock quotes, fund management, insurance companies, credit unions, credit card companies, and so on. | +|Forums + newsgroups | Sites for sharing information in the form of newsgroups, forums, bulletin boards. Does not include personal blogs. | +|Government | Sites run by governmental or military organizations, departments, or agencies, including police departments, fire departments, customs bureaus, emergency services, civil defense, and counterterrorism organizations. | +|Health + medicine | Sites containing information pertaining to health, healthcare services, fitness and well-being, including information about medical equipment, hospitals, drugstores, nursing, medicine, procedures, prescription medications, etc. | +|Information security | Sites that provide legitimate information about data protection, including newly discovered vulnerabilities and how to block them. | +|Job search | Sites containing job listings, career information, assistance with job searches (such as resume writing, interviewing tips, etc.), employment agencies or head hunters. | +|News | Sites covering news and current events such as newspapers, newswire services, personalized news services, broadcasting sites, and magazines. | +|Non-profits + NGOs | Sites devoted to clubs, communities, unions, and non-profit organizations. Many of these groups exist for educational or charitable purposes. | +|Personal sites | Sites about or hosted by personal individuals, including those hosted on commercial sites such as Blogger, AOL, etc. | +|Private IP addresses | Sites that are private IP addresses as defined in RFC 1918, that is, hosts that do not require access to hosts in other enterprises (or require limited access) and whose IP address might be ambiguous between enterprises but are well-defined within a certain enterprise. 
| +|Professional networking | Sites that enable professional networking for online communities. | +|Search engines + portals |Sites enabling the searching of the Web, newsgroups, images, directories, and other online content. Includes portal and directory sites such as white/yellow pages. | +|Translators | Sites that translate Web pages or phrases from one language to another. These sites bypass the proxy server, presenting the risk that unauthorized content might be accessed, similar to using an anonymizer. | +|Web repository + storage | Web pages including collections of shareware, freeware, open source, and other software downloads. | +|Web-based email | Sites that enable users to send and receive email through a web accessible email account. | +| | | + +## Productivity loss + +|Category |Description | +|---------|---------| +|Advertisements + popups | Sites that provide advertising graphics or other ad content files that appear on Web pages. | +|Chat | Sites that enable web-based exchange of real-time messages through chat services or chat rooms. | +|Cults | Sites relating to non-traditional religious practice typically known as "cults," that is, considered to be false, unorthodox, extremist, or coercive, with members often living under the direction of a charismatic leader. | +|Games | Sites relating to computer or other games, information about game producers, or how to obtain cheat codes. Game-related publication sites. | +|Instant messaging | Sites that enable logging in to instant messaging services such as ICQ, AOL Instant Messenger, IRC, MSN, Jabber, Yahoo Messenger, and the like. | +|Shopping | Sites for online shopping, catalogs, online ordering, auctions, classified ads. Excludes shopping for products and services exclusively covered by another category such as health & medicine. | +|Social networking | Sites that enable social networking for online communities of various topics, for friendship, or/and dating. 
| +| | | + +## General surfing + +|Category |Description | +|---------|---------| +|Arts | Sites with artistic content or relating to artistic institutions such as theaters, museums, galleries, dance companies, photography, and digital graphic resources. | +|Fashion + Beauty | Sites concerning fashion, jewelry, glamour, beauty, modeling, cosmetics, or related products or services. Includes product reviews, comparisons, and general consumer information. | +|General | Sites that do not clearly fall into other categories, for example, blank web pages. | +|Greeting cards |Sites that allow people to send and receive greeting cards and postcards. | +|Leisure + recreation | Sites relating to recreational activities and hobbies including zoos, public recreation centers, pools, amusement parks, and hobbies such as gardening, literature, arts & crafts, home improvement, home décor, family, etc. | +|Nature + conservation | Sites with information related to environmental issues, sustainable living, ecology, nature, and the environment. | +|Politics | Sites that promote political parties or political advocacy, or provide information about political parties, interest groups, elections, legislation, or lobbying. Also includes sites that offer legal information and advice. | +|Real estate |Sites relating to commercial or residential real estate services, including renting, purchasing, selling or financing homes, offices, etc. | +|Religion | Sites that deal with faith, human spirituality or religious beliefs, including sites of churches, synagogues, mosques, and other houses of worship. | +|Restaurants + dining |Sites that list, review, promote or advertise food, dining or catering services. Includes sites for recipes sites, cooking instruction and tips, food products, and wine advisors. | +|Sports | Sites relating to sports teams, fan clubs, scores, and sports news. Relates to all sports, whether professional or recreational. 
| +|Transportation | Sites that include information about motor vehicles such as cars, motorcycles, boats, trucks, RVs and the like, including online purchase sites. Includes manufacturer sites, dealerships, review sites, pricing, enthusiast’s clubs, and public transportation etc. | +|Travel | Sites that provide travel and tourism information or online booking or travel services such as airlines, accommodations, car rentals. Includes regional or city information sites. | +|Uncategorized |Sites that have not been categorized, such as new websites, personal sites, and so on. | +| | | + +## Security + +|Category |Description | +|---------|---------| +|Remote Desktop / Control | Sites used for remote computer control. | +|Keyloggers + Mobile Malware + BOT Phone Home + Malware + Spyware | Sites used by keyloggers, mobile malware, bots, malware, and spyware. | +|Cryptocurrency | Sites that relate to crypto currency. | +|Remote Proxies | Sites that are used for remote proxy connections. | +|Internet Telephony | Sites that can be used for Internet voice communications. | +|Web Conferencing | Sites for conducting web conferences. | +|Phishing Sites | Sites that are used to steal information through phishing attacks. | +|Parked Domains | Sites that are not in active use. | +|Botnets | Sites used by botnets. | +|SPAM | Sites known to produce SPAM email. | \ No newline at end of file diff --git a/docs/global-secure-access/toc.yml b/docs/global-secure-access/toc.yml index b6e69daa8f7..8b8a6222f30 100644 --- a/docs/global-secure-access/toc.yml +++ b/docs/global-secure-access/toc.yml 
@@ -10,11 +10,21 @@ items: href: how-to-get-started-with-global-secure-access.md - name: Network traffic dashboard href: concept-traffic-dashboard.md +- name: Concepts + expanded: true + items: + - name: Global Secure Access clients + href: concept-clients.md - name: How-to guides expanded: true items: - - name: Install the Windows client - href: how-to-install-windows-client.md + - name: Global Secure Access client + expanded: true + items: + - name: Install the Windows client + href: how-to-install-windows-client.md + - name: Install the Android client + href: how-to-install-android-client.md - name: Remote networks expanded: false items: @@ -74,6 +84,13 @@ items: href: how-to-configure-quick-access.md - name: Configure Per-app Access href: how-to-configure-per-app-access.md + - name: Internet Access + expanded: true + items: + - name: About Internet Access + href: concept-internet-access.md + - name: Configure web content filtering + href: how-to-configure-web-content-filtering.md - name: Logs and monitoring expanded: false items: @@ -98,6 +115,8 @@ items: href: reference-points-of-presence.md - name: Data storage and privacy href: reference-data-storage-and-privacy.md + - name: Web content filtering categories + href: reference-web-content-filtering-categories.md - name: Microsoft Graph APIs href: /graph/api/resources/networkaccess-global-secure-access-api-overview - name: FAQs diff --git a/docs/id-governance/access-reviews-downloadable-review-history.md b/docs/id-governance/access-reviews-downloadable-review-history.md index 194be8f2124..e852f1c3808 100644 --- a/docs/id-governance/access-reviews-downloadable-review-history.md +++ b/docs/id-governance/access-reviews-downloadable-review-history.md 
@@ -20,7 +20,7 @@ With access reviews, you can create a downloadable review history to help your o ## Who can access and request review history -Review history and request review history are available for any user if they're authorized to view access reviews. To see which roles can view and create access reviews, see [What resource types can be reviewed?](deploy-access-reviews.md#what-resource-types-can-be-reviewed). Global Administrator and Global Reader can see all access reviews. All other users are only allowed to see reports on access reviews that they've generated. +Review history and request review history are available for any user if they're authorized to view access reviews. To see which roles can view and create access reviews, see [What resource types can be reviewed?](deploy-access-reviews.md#what-resource-types-can-be-reviewed). Global Administrator and Global Reader can see history reports for all access reviews. All other users are only allowed to see reports on access reviews that they've generated. ## How to create a review history report diff --git a/docs/identity-platform/includes/register-app/spa-common/add-platform-redirect-spa-port-3000.md b/docs/identity-platform/includes/register-app/spa-common/add-platform-redirect-spa-port-3000.md new file mode 100644 index 00000000000..5a6164f954b --- /dev/null +++ b/docs/identity-platform/includes/register-app/spa-common/add-platform-redirect-spa-port-3000.md 
@@ -0,0 +1,20 @@ +--- +title: "Include file - Add a platform and redirect URI for a single-page application" +author: OwenRichards1 +manager: CelesteDG +ms.author: owenrichards +ms.custom: +ms.date: 12/13/2023 +ms.reviewer: +ms.service: active-directory +ms.subservice: develop +ms.topic: include +#Customer intent: +--- + +To specify your app type to your app registration, follow these steps: + +1. Under **Manage**, select **Authentication**. +1. On the **Platform configurations** page, select **Add a platform**, and then select **SPA** option. +1. For the **Redirect URIs** enter `http://localhost:3000`. +1. Select **Configure** to save your changes. diff --git a/docs/identity-platform/includes/register-app/spa-common/add-platform-redirect-spa-port-4200.md b/docs/identity-platform/includes/register-app/spa-common/add-platform-redirect-spa-port-4200.md new file mode 100644 index 00000000000..d298a0fd466 --- /dev/null +++ b/docs/identity-platform/includes/register-app/spa-common/add-platform-redirect-spa-port-4200.md @@ -0,0 +1,20 @@ +--- +title: "Include file - Add a platform and redirect URI for a single-page application" +author: OwenRichards1 +manager: CelesteDG +ms.author: owenrichards +ms.custom: +ms.date: 12/13/2023 +ms.reviewer: +ms.service: active-directory +ms.subservice: develop +ms.topic: include +#Customer intent: +--- + +To specify your app type to your app registration, follow these steps: + +1. Under **Manage**, select **Authentication**. +1. On the **Platform configurations** page, select **Add a platform**, and then select **SPA** option. +1. For the **Redirect URIs** enter `http://localhost:4200`. +1. Select **Configure** to save your changes. diff --git a/docs/identity-platform/includes/register-app/spa-common/register-application-spa-common.md b/docs/identity-platform/includes/register-app/spa-common/register-application-spa-common.md new file mode 100644 index 00000000000..55003648de3 --- /dev/null 
+++ b/docs/identity-platform/includes/register-app/spa-common/register-application-spa-common.md 
@@ -0,0 +1,31 @@ +--- +title: "Include file - Register a single-page application in the Microsoft identity platform" +author: OwenRichards1 +manager: CelesteDG +ms.author: owenrichards +ms.custom: +ms.date: 12/13/2023 +ms.reviewer: +ms.service: active-directory +ms.subservice: develop +ms.topic: include +#Customer intent: +--- + +To complete registration, provide the application a name, specify the supported account types, and add a redirect URI. Once registered, the application **Overview** pane displays the identifiers needed in the application source code. + +1. Sign in to the [Microsoft Entra admin center](https://entra.microsoft.com). +1. If you have access to multiple tenants, use the **Settings** icon :::image type="icon" source="../../../media/common/admin-center-settings-icon.png" border="false"::: in the top menu to switch to the tenant in which you want to register the application from the **Directories + subscriptions** menu. +1. Browse to **Identity** > **Applications** > **App registrations**, select **New registration**. +1. Enter a **Name** for the application, such as *identity-client-spa*. +1. For **Supported account types**, select **Accounts in this organizational directory only**. For information on different account types, select the **Help me choose** option. +1. Select **Register**. + + :::image type="content" source="../../../media/common-register-application/register-spa-common.png" alt-text="Screenshot that shows how to enter a name and select the account type in the Azure portal." lightbox="../../../media/common-register-application/record-identifiers-spa-common.png"::: + +1. The application's **Overview** pane is displayed when registration is complete. Record the **Directory (tenant) ID** and the **Application (client) ID** to be used in your application source code. 
+ + :::image type="content" source="../../../media/common-register-application/record-identifiers-spa-common.png" alt-text="Screenshot that shows the identifier values on the overview page on the Azure portal." lightbox="../../../media/common-register-application/record-identifiers-spa-common.png"::: + + >[!NOTE] + > The **Supported account types** can be changed by referring to [Modify the accounts supported by an application](../../../howto-modify-supported-accounts.md). diff --git a/docs/identity-platform/media/common-register-application/record-identifiers-spa-common.png b/docs/identity-platform/media/common-register-application/record-identifiers-spa-common.png new file mode 100644 index 00000000000..bb6d0a0a397 Binary files /dev/null and b/docs/identity-platform/media/common-register-application/record-identifiers-spa-common.png differ diff --git a/docs/identity-platform/media/common-register-application/register-spa-common.png b/docs/identity-platform/media/common-register-application/register-spa-common.png new file mode 100644 index 00000000000..1b2a56d022b Binary files /dev/null and b/docs/identity-platform/media/common-register-application/register-spa-common.png differ diff --git a/docs/identity-platform/media/common-spa/react-spa/display-api-call-results-react-spa.png b/docs/identity-platform/media/common-spa/react-spa/display-api-call-results-react-spa.png new file mode 100644 index 00000000000..2edc10e79a1 Binary files /dev/null and b/docs/identity-platform/media/common-spa/react-spa/display-api-call-results-react-spa.png differ diff --git a/docs/identity-platform/media/single-page-app-tutorial-01-register-app/record-identifiers.png b/docs/identity-platform/media/single-page-app-tutorial-01-register-app/record-identifiers.png deleted file mode 100644 index 6868faf7c96..00000000000 Binary files a/docs/identity-platform/media/single-page-app-tutorial-01-register-app/record-identifiers.png and /dev/null differ 
diff --git a/docs/identity-platform/media/single-page-app-tutorial-01-register-app/register-application.png b/docs/identity-platform/media/single-page-app-tutorial-01-register-app/register-application.png deleted file mode 100644 index 3a3c724013b..00000000000 Binary files a/docs/identity-platform/media/single-page-app-tutorial-01-register-app/register-application.png and /dev/null differ diff --git a/docs/identity-platform/quickstart-single-page-app-react-sign-in.md b/docs/identity-platform/quickstart-single-page-app-react-sign-in.md index abe3d2a891b..98b46d9d251 100644 --- a/docs/identity-platform/quickstart-single-page-app-react-sign-in.md +++ b/docs/identity-platform/quickstart-single-page-app-react-sign-in.md @@ -5,8 +5,8 @@ author: henrymbuguakiarie manager: CelesteDG ms.author: henrymbugua ms.custom: scenarios:getting-started, languages:JavaScript, devx-track-js -ms.date: 10/06/2023 -ms.reviewer: j-mantu +ms.date: 12/13/2023 +ms.reviewer: EmLauber ms.service: active-directory ms.subservice: develop ms.topic: quickstart 
@@ -23,36 +23,25 @@ This quickstart uses a sample React single-page app (SPA) to show you how to sig * [Node.js](https://nodejs.org/en/download/) * [Visual Studio 2022](https://visualstudio.microsoft.com/vs/) or [Visual Studio Code](https://code.visualstudio.com/) -## Register the application in the Microsoft Entra admin center +## Register the application and record identifiers -1. Sign in to the [Microsoft Entra admin center](https://entra.microsoft.com) as at least an [Application Developer](~/identity/role-based-access-control/permissions-reference.md#application-developer). -1. If you have access to multiple tenants, use the **Settings** icon :::image type="icon" source="media/common/admin-center-settings-icon.png" border="false"::: in the top menu to switch to the tenant in which you want to register the application from the **Directories + subscriptions** menu. -1. Browse to **Identity** > **Applications** > **App registrations**. -1. Select **New registration**. -1. When the **Register an application** page appears, enter a name for your application, such as *identity-client-app*. -1. Under **Supported account types**, select **Accounts in any organizational directory and personal Microsoft accounts**. -1. Select **Register**. -1. The application's Overview pane displays upon successful registration. Record the **Application (client) ID** and **Directory (tenant) ID** to be used in your application source code. +[!INCLUDE [Register a single-page application](./includes/register-app/spa-common/register-application-spa-common.md)] -## Add a redirect URI +## Add a platform redirect URI -1. Under **Manage**, select **Authentication**. -1. Under **Platform configurations**, select **Add a platform**. In the pane that opens, select **Single-page application**. -1. Set the **Redirect URIs** value to `http://localhost:3000/`. -1. Select **Configure** to apply the changes. -1. Under **Platform Configurations** expand **Single-page application**. -1. 
Confirm that for **Grant types** ![Already configured](media/quickstart-v2-javascript/green-check.png), your **Redirect URI** is eligible for the Authorization Code Flow with PKCE. +[!INCLUDE [Add a platform redirect URI](./includes/register-app/spa-common/add-platform-redirect-spa-port-3000.md)] ## Clone or download the sample application To obtain the sample application, you can either clone it from GitHub or download it as a *.zip* file. -- To clone the sample, open a command prompt and navigate to where you wish to create the project, and enter the following command: +* To clone the sample, open a command prompt and navigate to where you wish to create the project, and enter the following command: ```console git clone https://github.com/Azure-Samples/ms-identity-docs-code-javascript.git ``` -- [Download the .zip file](https://github.com/Azure-Samples/ms-identity-docs-code-javascript/tree/main). Extract it to a file path where the length of the name is fewer than 260 characters. + +* [Download the .zip file](https://github.com/Azure-Samples/ms-identity-docs-code-javascript/tree/main). Extract it to a file path where the length of the name is fewer than 260 characters. ## Configure the project 
@@ -75,11 +64,12 @@ Run the project with a web server by using Node.js: npm install npm start ``` + 1. Copy the `https` URL that appears in the terminal, for example, `https://localhost:3000`, and paste it into a browser. We recommend using a private or incognito browser session. 1. Follow the steps and enter the necessary details to sign in with your Microsoft account. You'll be requested an email address so a one time passcode can be sent to you. Enter the code when prompted. 1. The application will request permission to maintain access to data you have given it access to, and to sign you in and read your profile. Select **Accept**. The following screenshot appears, indicating that you have signed in to the application and have accessed your profile details from the Microsoft Graph API. - :::image type="content" source="./media/single-page-app-tutorial-04-call-api/display-api-call-results.png" alt-text="Screenshot of React App depicting the results of the API call."::: + :::image type="content" source="./media/common-spa/react-spa/display-api-call-results-react-spa.png" alt-text="Screenshot of JavaScript App depicting the results of the API call." lightbox="./media/common-spa/react-spa/display-api-call-results-react-spa.png"::: ## Sign out from the application 
@@ -90,6 +80,6 @@ A message appears indicating that you have signed out. You can now close the bro ## Related content -- [Quickstart: Protect an ASP.NET Core web API with the Microsoft identity platform](./quickstart-web-api-aspnet-core-protect-api.md) +* [Quickstart: Protect an ASP.NET Core web API with the Microsoft identity platform](./quickstart-web-api-aspnet-core-protect-api.md) -- Learn more by building this React SPA from scratch with the following series - [Tutorial: Sign in users and call Microsoft Graph](./tutorial-single-page-app-react-register-app.md) +* Learn more by building this React SPA from scratch with the following series - [Tutorial: Sign in users and call Microsoft Graph](./tutorial-single-page-app-react-register-app.md) \ No newline at end of file diff --git a/docs/identity-platform/tutorial-single-page-app-react-register-app.md b/docs/identity-platform/tutorial-single-page-app-react-register-app.md index fdb8f5be124..ce8f8f48371 100644 --- a/docs/identity-platform/tutorial-single-page-app-react-register-app.md +++ b/docs/identity-platform/tutorial-single-page-app-react-register-app.md @@ -4,7 +4,8 @@ description: Register an application in a Microsoft Entra tenant. author: OwenRichards1 manager: CelesteDG ms.author: owenrichards -ms.date: 02/27/2023 +ms.date: 12/13/2023 +ms.reviewer: EmLauber ms.service: active-directory ms.subservice: develop ms.topic: tutorial @@ -18,6 +19,7 @@ To interact with the Microsoft identity platform, Microsoft Entra ID must be mad In this tutorial: > [!div class="checklist"] +> > * Register the application in a tenant > * Add a Redirect URI to the application > * Record the application's unique identifiers 
@@ -32,28 +34,13 @@ In this tutorial: ## Register the application and record identifiers -[!INCLUDE [portal updates](~/includes/portal-update.md)] +[!INCLUDE [Register a single-page application](./includes/register-app/spa-common/register-application-spa-common.md)] -To complete registration, provide the application a name, specify the supported account types, and add a redirect URI. Once registered, the application **Overview** pane displays the identifiers needed in the application source code. +## Add a platform redirect URI -1. Sign in to the [Microsoft Entra admin center](https://entra.microsoft.com). -1. If you have access to multiple tenants, use the **Settings** icon :::image type="icon" source="media/common/admin-center-settings-icon.png" border="false"::: in the top menu to switch to the tenant in which you want to register the application from the **Directories + subscriptions** menu. -1. Browse to **Identity** > **Applications** > **App registrations**, select **New registration**. -1. Enter a **Name** for the application, such as *NewSPA1*. -1. For **Supported account types**, select **Accounts in this organizational directory only**. For information on different account types, select the **Help me choose** option. -1. Under **Redirect URI (optional)**, use the drop-down menu to select **Single-page-application (SPA)** and enter `http://localhost:3000` into the text box. -1. Select **Register**. - - :::image type="content" source="./media/single-page-app-tutorial-01-register-app/register-application.png" alt-text="Screenshot that shows how to enter a name and select the account type in the Azure portal."::: - -1. The application's **Overview** pane is displayed when registration is complete. Record the **Directory (tenant) ID** and the **Application (client) ID** to be used in your application source code. 
- - :::image type="content" source="./media/single-page-app-tutorial-01-register-app/record-identifiers.png" alt-text="Screenshot that shows the identifier values on the overview page on the Azure portal."::: - - >[!NOTE] - > The **Supported account types** can be changed by referring to [Modify the accounts supported by an application](howto-modify-supported-accounts.md). +[!INCLUDE [Add a platform redirect URI](./includes/register-app/spa-common/add-platform-redirect-spa-port-3000.md)] ## Next steps > [!div class="nextstepaction"] -> [Tutorial: Prepare an application for authentication](tutorial-single-page-app-react-prepare-spa.md) +> [Tutorial: Prepare an application for authentication](tutorial-single-page-app-react-prepare-spa.md) \ No newline at end of file diff --git a/docs/identity-platform/v2-oauth2-client-creds-grant-flow.md b/docs/identity-platform/v2-oauth2-client-creds-grant-flow.md index 4ce8b3b80c2..54005963989 100644 --- a/docs/identity-platform/v2-oauth2-client-creds-grant-flow.md +++ b/docs/identity-platform/v2-oauth2-client-creds-grant-flow.md @@ -152,7 +152,7 @@ Content-Type: application/x-www-form-urlencoded client_id=535fb089-9ff3-47b6-9bfb-4f1264799865 &scope=https%3A%2F%2Fgraph.microsoft.com%2F.default -&client_secret=sampleCredentia1s +&client_secret=sampleCredentials &grant_type=client_credentials ``` diff --git a/docs/identity-platform/whats-new-docs.md b/docs/identity-platform/whats-new-docs.md index e9ef7c9a494..b16a0a82c03 100644 --- a/docs/identity-platform/whats-new-docs.md +++ b/docs/identity-platform/whats-new-docs.md 
@@ -1,11 +1,11 @@ --- title: "What's new in the Microsoft identity platform docs" -description: "New and updated documentation for the Microsoft identity platform." +description: "New and updated articles in the the Microsoft identity platform documentation." author: henrymbuguakiarie manager: CelesteDG ms.author: henrymbugua ms.custom: has-adal-ref -ms.date: 10/04/2023 +ms.date: 12/05/2023 ms.service: active-directory ms.subservice: develop ms.topic: reference @@ -14,7 +14,7 @@ ms.topic: reference # Microsoft identity platform docs: What's new -Welcome to what's new in the Microsoft identity platform documentation. This article lists new docs that have been added and those that have had significant updates in the last three months. +Welcome to what's new in the Microsoft identity platform documentation. This article lists new articles that were added or had significant updates in the last three months. ## November 2023 diff --git a/docs/identity/authentication/concept-certificate-based-authentication-migration.md b/docs/identity/authentication/concept-certificate-based-authentication-migration.md index 08aaafb3eb7..6be9f88ed67 100644 --- a/docs/identity/authentication/concept-certificate-based-authentication-migration.md +++ b/docs/identity/authentication/concept-certificate-based-authentication-migration.md 
@@ -24,7 +24,15 @@ This article explains how to migrate from running federated servers such as Acti ## Staged Rollout -[Staged Rollout](~/identity/hybrid/connect/how-to-connect-staged-rollout.md) helps customers transition from AD FS to Microsoft Entra ID by testing cloud authentication with selected groups of users before switching the entire tenant. +A tenant admin could cut the federated domain fully over to Entra ID CBA without pilot testing by enabling the CBA auth method in Entra ID and converting the entire domain to managed authentication. However if customer wants to test a small batch of users authenticate against Entra ID CBA before the full domain cutover to managed, they can make use of staged rollout feature. + +[Staged Rollout](~/identity/hybrid/connect/how-to-connect-staged-rollout.md) for Certificate-based Authentication (CBA) helps customers transition from performing CBA at a federated IdP to Microsoft Entra ID by selectively moving small set of users to use CBA at Entra ID (no longer being redirected to the federated IdP) with selected groups of users before then converting the domain configuration in Entra ID from federated to managed. Staged rollout is not designed for the domain to remain federated for long periods of time or for large amounts of users. + +Watch this quick video demonstrating the migration from ADFS certificate-based authentication to Microsoft Entra CBA +> [!VIDEO https://www.youtube.com/embed/jsKQxo-xGgA] + +>[!NOTE] +> When Staged rollout is enabled for a user, the user is considered a managed user and all authentication will happen at Microsoft Entra ID. For a federated Tenant, if CBA is enabled on Staged Rollout, password authentication only works if PHS is enabled too otherwise password authentication will fail. ## Enable Staged Rollout for certificate-based authentication on your tenant 
@@ -40,9 +48,6 @@ To configure Staged Rollout, follow these steps: For more information, see [Staged Rollout](~/identity/hybrid/connect/how-to-connect-staged-rollout.md). ->[!NOTE] -> When Staged rollout is enabled for a user, the user is considered a managed user and all authentication will happen at Microsoft Entra ID. For a federated Tenant, if CBA is enabled on Staged Rollout, password authentication only works if PHS is enabled too otherwise password authentication will fail. - ## Use Microsoft Entra Connect to update certificateUserIds attribute diff --git a/docs/identity/conditional-access/concept-conditional-access-session.md b/docs/identity/conditional-access/concept-conditional-access-session.md index 9ab88a3d722..8a6d4369891 100644 --- a/docs/identity/conditional-access/concept-conditional-access-session.md +++ b/docs/identity/conditional-access/concept-conditional-access-session.md @@ -89,6 +89,10 @@ Token protection (sometimes referred to as token binding in the industry) attemp The preview works for specific scenarios only. For more information, see the article [Conditional Access: Token protection (preview)](concept-token-protection.md). +## Use Global Secure Access security profile (preview) + +Using a security profile with Conditional Access unifies identity controls with network security in Microsoft's Security Service Edge (SSE) product, [Microsoft Entra Internet Access](../../global-secure-access/concept-internet-access.md#security-profiles). Selecting this Session control allows you to bring identity and context awareness to security profiles, which are groupings of various policies created and managed in Global Secure Access. + ## Next steps - [Conditional Access common policies](concept-conditional-access-policy-common.md) diff --git a/docs/identity/hybrid/configure.md b/docs/identity/hybrid/configure.md index 5a0fbe17b96..015d559ee2e 100644 --- a/docs/identity/hybrid/configure.md +++ b/docs/identity/hybrid/configure.md 
@@ -1,5 +1,5 @@ --- -title: 'Configure your integrating with Active Directory' +title: 'Configure your integration with Active Directory' description: This article describes how you can configure the synchronization tools with Active Directory. services: active-directory documentationcenter: '' @@ -16,7 +16,7 @@ ms.author: billmath ms.collection: M365-identity-device-management --- -# Configure your integrating with Active Directory +# Configure your integration with Active Directory How you configure your synchronization, depends on which synchronization tool you're using and what your business goals are. Use the tables to determine which features you would diff --git a/docs/identity/hybrid/connect/how-to-connect-fed-o365-certs.md b/docs/identity/hybrid/connect/how-to-connect-fed-o365-certs.md index 7c152ad9d33..97ca4e32691 100644 --- a/docs/identity/hybrid/connect/how-to-connect-fed-o365-certs.md +++ b/docs/identity/hybrid/connect/how-to-connect-fed-o365-certs.md 
@@ -22,7 +22,7 @@ ms.collection: M365-identity-device-management For successful federation between Microsoft Entra ID and Active Directory Federation Services (AD FS), the certificates used by AD FS to sign security tokens to Microsoft Entra ID should match what is configured in Microsoft Entra ID. Any mismatch can lead to broken trust. Microsoft Entra ID ensures that this information is kept in sync when you deploy AD FS and Web Application Proxy (for extranet access). > [!NOTE] -> This article provides information on manging your federation cerficates. For information on emergency rotation see [Emergency Rotation of the AD FS certificates](how-to-connect-emergency-ad-fs-certificate-rotation.md) +> This article provides information on managing your federation certificates. For information on emergency rotation see [Emergency Rotation of the AD FS certificates](how-to-connect-emergency-ad-fs-certificate-rotation.md) This article provides you additional information to manage your token signing certificates and keep them in sync with Microsoft Entra ID, in the following cases: diff --git a/docs/identity/hybrid/connect/migrate-from-federation-to-cloud-authentication.md b/docs/identity/hybrid/connect/migrate-from-federation-to-cloud-authentication.md index c86da0f252e..969a2f58b34 100644 --- a/docs/identity/hybrid/connect/migrate-from-federation-to-cloud-authentication.md +++ b/docs/identity/hybrid/connect/migrate-from-federation-to-cloud-authentication.md @@ -5,7 +5,7 @@ description: This article has information about moving your hybrid identity envi services: active-directory ms.service: active-directory ms.subservice: hybrid -ms.custom: has-azure-ad-ps-ref +ms.custom: has-azure-ad-ps-ref, azure-ad-ref-level-one-done ms.topic: conceptual ms.date: 11/06/2023 ms.author: billmath 
@@ -138,8 +138,7 @@ The following table explains the behavior for each option. For more information, | enforceMfaByFederatedIdp | Microsoft Entra ID accepts MFA that federated identity provider performs. If the federated identity provider didn't perform MFA, it redirects the request to federated identity provider to perform MFA. | | rejectMfaByFederatedIdp | Microsoft Entra ID always performs MFA and rejects MFA that federated identity provider performs. | ->[!NOTE] -> The **federatedIdpMfaBehavior** setting is an evolved version of the **SupportsMfa** property of the [Set-MsolDomainFederationSettings MSOnline v1 PowerShell cmdlet](/powershell/module/microsoft.graph.identity.directorymanagement/new-mgdomainfederationconfiguration?view=graph-powershell-1.0&preserve-view=true). +The **federatedIdpMfaBehavior** setting is an evolved version of the **SupportsMfa** property of the [Set-MsolDomainFederationSettings MSOnline v1 PowerShell cmdlet](/powershell/module/microsoft.graph.identity.directorymanagement/new-mgdomainfederationconfiguration?view=graph-powershell-1.0&preserve-view=true). For domains that have already set the **SupportsMfa** property, these rules determine how **federatedIdpMfaBehavior** and **SupportsMfa** work together: 
@@ -152,19 +151,8 @@ You can check the status of protection by running [Get-MgDomainFederationConfigu ```powershell Get-MgDomainFederationConfiguration -DomainId yourdomain.com -``` - -You can also check the status of your SupportsMfa flag with [Get-MsolDomainFederationSettings](/powershell/module/msonline/get-msoldomainfederationsettings): - -```powershell -Get-MsolDomainFederationSettings –DomainName yourdomain.com ``` ->[!NOTE] ->Microsoft MFA Server is nearing the end of support life, and if you're using it you must move to Microsoft Entra multifactor authentication. -For more information, see **[Migrate from Microsoft MFA Server to Azure multifactor authentication documentation](~/identity/authentication/how-to-migrate-mfa-server-to-azure-mfa.md)**. ->If you plan to use Microsoft Entra multifactor authentication, we recommend that you use **[combined registration for self-service password reset (SSPR) and multifactor authentication](~/identity/authentication/concept-registration-mfa-sspr-combined.md)** to have your users register their authentication methods once. - ## Plan for implementation This section includes prework before you switch your sign-in method and convert the domains. 
@@ -439,10 +427,7 @@ If you plan to keep using AD FS with on-premises & SaaS Applications using SAML You can move SaaS applications that are currently federated with ADFS to Microsoft Entra ID. Reconfigure to authenticate with Microsoft Entra ID either via a built-in connector from the [Azure App gallery](https://azuremarketplace.microsoft.com/marketplace/apps/category/azure-active-directory-apps), or by [registering the application in Microsoft Entra ID](~/identity-platform/quickstart-register-app.md). -For more information, see – - -- [Moving application authentication from Active Directory Federation Services to Microsoft Entra ID](~/identity/enterprise-apps/migrate-adfs-apps-stages.md) and -- [AD FS to Microsoft Entra application migration playbook for developers](/samples/azure-samples/ms-identity-adfs-to-aad/ms-identity-dotnet-adfs-to-aad/) +For more information, see [Moving application authentication from Active Directory Federation Services to Microsoft Entra ID](~/identity/enterprise-apps/migrate-adfs-apps-stages.md). ### Remove relying party trust diff --git a/docs/identity/saas-apps/cognism-tutorial.md b/docs/identity/saas-apps/cognism-tutorial.md new file mode 100644 index 00000000000..31d265004af --- /dev/null +++ b/docs/identity/saas-apps/cognism-tutorial.md 
@@ -0,0 +1,163 @@ +--- +title: Microsoft Entra SSO integration with Cognism +description: Learn how to configure single sign-on between Microsoft Entra ID and Cognism. +services: active-directory +author: jeevansd +manager: CelesteDG +ms.reviewer: CelesteDG +ms.service: active-directory +ms.subservice: saas-app-tutorial +ms.workload: identity +ms.topic: how-to +ms.date: 12/12/2023 +ms.author: jeedes + +--- + +# Microsoft Entra SSO integration with Cognism + +In this tutorial, you'll learn how to integrate Cognism with Microsoft Entra ID. When you integrate Cognism with Microsoft Entra ID, you can: + +* Control in Microsoft Entra ID who has access to Cognism. +* Enable your users to be automatically signed-in to Cognism with their Microsoft Entra accounts. +* Manage your accounts in one central location. + +## Prerequisites + +To integrate Microsoft Entra ID with Cognism, you need: + +* A Microsoft Entra subscription. If you don't have a subscription, you can get a [free account](https://azure.microsoft.com/free/). +* Cognism single sign-on (SSO) enabled subscription. + +## Scenario description + +In this tutorial, you configure and test Microsoft Entra SSO in a test environment. + +* Cognism supports only **IDP** initiated SSO. +* Cognism supports **Just In Time** user provisioning. + +## Add Cognism from the gallery + +To configure the integration of Cognism into Microsoft Entra ID, you need to add Cognism from the gallery to your list of managed SaaS apps. + +1. Sign in to the [Microsoft Entra admin center](https://entra.microsoft.com) as at least a [Cloud Application Administrator](~/identity/role-based-access-control/permissions-reference.md#cloud-application-administrator). +1. Browse to **Identity** > **Applications** > **Enterprise applications** > **New application**. +1. In the **Add from the gallery** section, type **Cognism** in the search box. +1. Select **Cognism** from results panel and then add the app. 
Wait a few seconds while the app is added to your tenant. + +Alternatively, you can also use the [Enterprise App Configuration Wizard](https://portal.office.com/AdminPortal/home?Q=Docs#/azureadappintegration). In this wizard, you can add an application to your tenant, add users/groups to the app, assign roles, and walk through the SSO configuration as well. [Learn more about Microsoft 365 wizards.](/microsoft-365/admin/misc/azure-ad-setup-guides) + +## Configure and test Microsoft Entra SSO for Cognism + +Configure and test Microsoft Entra SSO with Cognism using a test user called **B.Simon**. For SSO to work, you need to establish a link relationship between a Microsoft Entra user and the related user in Cognism. + +To configure and test Microsoft Entra SSO with Cognism, perform the following steps: + +1. **[Configure Microsoft Entra SSO](#configure-microsoft-entra-sso)** - to enable your users to use this feature. + 1. **[Create a Microsoft Entra ID test user](#create-a-microsoft-entra-id-test-user)** - to test Microsoft Entra single sign-on with B.Simon. + 1. **[Assign the Microsoft Entra ID test user](#assign-the-microsoft-entra-id-test-user)** - to enable B.Simon to use Microsoft Entra single sign-on. +1. **[Configure Cognism SSO](#configure-cognism-sso)** - to configure the single sign-on settings on application side. + 1. **[Create Cognism test user](#create-cognism-test-user)** - to have a counterpart of B.Simon in Cognism that is linked to the Microsoft Entra ID representation of user. +1. **[Test SSO](#test-sso)** - to verify whether the configuration works. + +## Configure Microsoft Entra SSO + +Follow these steps to enable Microsoft Entra SSO in the Microsoft Entra admin center. + +1. Sign in to the [Microsoft Entra admin center](https://entra.microsoft.com) as at least a [Cloud Application Administrator](~/identity/role-based-access-control/permissions-reference.md#cloud-application-administrator). +1. 
Browse to **Identity** > **Applications** > **Enterprise applications** > **Cognism** > **Single sign-on**. +1. On the **Select a single sign-on method** page, select **SAML**. +1. On the **Set up single sign-on with SAML** page, click the pencil icon for **Basic SAML Configuration** to edit the settings. + + ![Screenshot shows how to edit Basic SAML Configuration.](common/edit-urls.png "Basic Configuration") + +1. On the **Basic SAML Configuration** section, perform the following steps: + + a. In the **Identifier** text box, type a URL using one of the following patterns: + + |**Environment**|**URL**| + |--------------|-------| + |Production|`https://app.cognism.com/`| + |Staging|`https://app-staging.cognism.com/`| + + b. In the **Reply URL** text box, type a URL using one of the following patterns: + + |**Environment**|**URL**| + |---------------|-------| + |Production|`https://app.cognism.com/api/users/sso/azureSamlResponse/`| + |Staging|`https://app-staging.cognism.com/api/users/sso/azureSamlResponse/`| + + > [!NOTE] + > These values are not real. Update these values with the actual Identifier and Reply URL. Contact [Cognism support team](mailto:help@cognism.com) to get these values. You can also refer to the patterns shown in the **Basic SAML Configuration** section in the Microsoft Entra admin center. + +1. On the **Set up single sign-on with SAML** page, in the **SAML Signing Certificate** section, find **Certificate (Base64)** and select **Download** to download the certificate and save it on your computer. + + ![Screenshot shows the Certificate download link.](common/certificatebase64.png "Certificate") + +1. On the **Set up Cognism** section, copy the appropriate URL(s) based on your requirement. + + ![Screenshot shows to copy configuration URLs.](common/copy-configuration-urls.png "Metadata") + +### Create a Microsoft Entra ID test user + +In this section, you'll create a test user in the Microsoft Entra admin center called B.Simon. + +1. 
Sign in to the [Microsoft Entra admin center](https://entra.microsoft.com) as at least a [User Administrator](~/identity/role-based-access-control/permissions-reference.md#user-administrator). +1. Browse to **Identity** > **Users** > **All users**. +1. Select **New user** > **Create new user**, at the top of the screen. +1. In the **User** properties, follow these steps: + 1. In the **Display name** field, enter `B.Simon`. + 1. In the **User principal name** field, enter the username@companydomain.extension. For example, `B.Simon@contoso.com`. + 1. Select the **Show password** check box, and then write down the value that's displayed in the **Password** box. + 1. Select **Review + create**. +1. Select **Create**. + +### Assign the Microsoft Entra ID test user + +In this section, you'll enable B.Simon to use Microsoft Entra single sign-on by granting access to Cognism. + +1. Sign in to the [Microsoft Entra admin center](https://entra.microsoft.com) as at least a [Cloud Application Administrator](~/identity/role-based-access-control/permissions-reference.md#cloud-application-administrator). +1. Browse to **Identity** > **Applications** > **Enterprise applications** > **Cognism**. +1. In the app's overview page, select **Users and groups**. +1. Select **Add user/group**, then select **Users and groups** in the **Add Assignment** dialog. + 1. In the **Users and groups** dialog, select **B.Simon** from the Users list, then click the **Select** button at the bottom of the screen. + 1. If you are expecting a role to be assigned to the users, you can select it from the **Select a role** dropdown. If no role has been set up for this app, you see "Default Access" role selected. + 1. In the **Add Assignment** dialog, click the **Assign** button. + +## Configure Cognism SSO + +1. Log in to Cognism company site as an administrator. + +1. Go to **Settings** > **Single sign-on** > **Microsoft Azure** and click **Configure**. 
+ + ![Screenshot shows Settings for the configuration.](./media/cognism-tutorial/settings.png "Settings") + +1. In the **Microsoft Azure SSO Configuration** section, perform the following steps: + + ![Screenshot shows the Configuration.](./media/cognism-tutorial/configure.png "Configuration") + + 1. Copy the **Identifier (Entity ID)** and paste it in the **Identifier (Entity ID)** textbox in the **Basic SAML Configuration** section in the Microsoft Entra admin center. + + 1. Copy the **ACS URL** and paste it in the **Reply URL** textbox in the **Basic SAML Configuration** section in the Microsoft Entra admin center. + + 1. In the **Entity ID** textbox, paste the **Microsoft Entra Identifier** which you have copied from the Microsoft Entra admin center. + + 1. Open the downloaded **Certificate (Base64)** into Notepad and paste the content into the **X.509 Certificate** textbox. + + 1. Click **Enable**. + +### Create Cognism test user + +In this section, a user called B.Simon is created in Cognism. Cognism supports just-in-time user provisioning, which is enabled by default. There's no action item for you in this section. If a user doesn't already exist in Cognism, a new one is created after authentication. + +## Test SSO + +In this section, you test your Microsoft Entra single sign-on configuration with following options. + +* Click on Test this application in Microsoft Entra admin center and you should be automatically signed in to the Cognism for which you set up the SSO. + +* You can use Microsoft My Apps. When you click the Cognism tile in the My Apps, you should be automatically signed in to the Cognism for which you set up the SSO. For more information about the My Apps, see [Introduction to the My Apps](https://support.microsoft.com/account-billing/sign-in-and-start-apps-from-the-my-apps-portal-2f3b1bae-0e5a-4a86-a33e-876fbd2a4510). 
+ +## Next steps + +Once you configure Cognism you can enforce session control, which protects exfiltration and infiltration of your organization's sensitive data in real time. Session control extends from Conditional Access. [Learn how to enforce session control with Microsoft Defender for Cloud Apps](/cloud-app-security/proxy-deployment-any-app). \ No newline at end of file diff --git a/docs/identity/saas-apps/media/cognism-tutorial/configure.png b/docs/identity/saas-apps/media/cognism-tutorial/configure.png new file mode 100644 index 00000000000..b3e28f0514f Binary files /dev/null and b/docs/identity/saas-apps/media/cognism-tutorial/configure.png differ diff --git a/docs/identity/saas-apps/media/cognism-tutorial/settings.png b/docs/identity/saas-apps/media/cognism-tutorial/settings.png new file mode 100644 index 00000000000..00b4672aaf2 Binary files /dev/null and b/docs/identity/saas-apps/media/cognism-tutorial/settings.png differ diff --git a/docs/identity/saas-apps/smartplan-tutorial.md b/docs/identity/saas-apps/smartplan-tutorial.md new file mode 100644 index 00000000000..7ec90585c2e --- /dev/null +++ b/docs/identity/saas-apps/smartplan-tutorial.md 
@@ -0,0 +1,153 @@ +--- +title: Microsoft Entra SSO integration with Smartplan +description: Learn how to configure single sign-on between Microsoft Entra ID and Smartplan. +services: active-directory +author: jeevansd +manager: CelesteDG +ms.reviewer: CelesteDG +ms.service: active-directory +ms.subservice: saas-app-tutorial +ms.workload: identity +ms.topic: how-to +ms.date: 12/12/2023 +ms.author: jeedes + +--- + +# Microsoft Entra SSO integration with Smartplan + +In this tutorial, you learn how to integrate Smartplan with Microsoft Entra ID. When you integrate Smartplan with Microsoft Entra ID, you can: + +* Control in Microsoft Entra ID who has access to Smartplan. +* Enable your users to be automatically signed-in to Smartplan with their Microsoft Entra accounts. +* Manage your accounts in one central location. + +## Prerequisites + +To integrate Microsoft Entra ID with Smartplan, you need: + +* A Microsoft Entra subscription. If you don't have a subscription, you can get a [free account](https://azure.microsoft.com/free/). +* Smartplan single sign-on (SSO) enabled subscription. + +## Scenario description + +In this tutorial, you configure and test Microsoft Entra SSO in a test environment. + +* Smartplan supports both **SP and IDP** initiated SSO. +* Smartplan supports **Just In Time** user provisioning. + +> [!NOTE] +> Identifier of this application is a fixed string value so only one instance can be configured in one tenant. + +## Add Smartplan from the gallery + +To configure the integration of Smartplan into Microsoft Entra ID, you need to add Smartplan from the gallery to your list of managed SaaS apps. + +1. Sign in to the [Microsoft Entra admin center](https://entra.microsoft.com) as at least a [Cloud Application Administrator](~/identity/role-based-access-control/permissions-reference.md#cloud-application-administrator). +1. Browse to **Identity** > **Applications** > **Enterprise applications** > **New application**. +1. 
In the **Add from the gallery** section, type **Smartplan** in the search box. +1. Select **Smartplan** from results panel and then add the app. Wait a few seconds while the app is added to your tenant. + +Alternatively, you can also use the [Enterprise App Configuration Wizard](https://portal.office.com/AdminPortal/home?Q=Docs#/azureadappintegration). In this wizard, you can add an application to your tenant, add users/groups to the app, assign roles, and walk through the SSO configuration as well. [Learn more about Microsoft 365 wizards.](/microsoft-365/admin/misc/azure-ad-setup-guides) + +## Configure and test Microsoft Entra SSO for Smartplan + +Configure and test Microsoft Entra SSO with Smartplan using a test user called **B.Simon**. For SSO to work, you need to establish a link relationship between a Microsoft Entra user and the related user in Smartplan. + +To configure and test Microsoft Entra SSO with Smartplan, perform the following steps: + +1. **[Configure Microsoft Entra SSO](#configure-microsoft-entra-sso)** - to enable your users to use this feature. + 1. **[Create a Microsoft Entra ID test user](#create-a-microsoft-entra-id-test-user)** - to test Microsoft Entra single sign-on with B.Simon. + 1. **[Assign the Microsoft Entra ID test user](#assign-the-microsoft-entra-id-test-user)** - to enable B.Simon to use Microsoft Entra single sign-on. +1. **[Configure Smartplan SSO](#configure-smartplan-sso)** - to configure the single sign-on settings on application side. + 1. **[Create Smartplan test user](#create-smartplan-test-user)** - to have a counterpart of B.Simon in Smartplan that is linked to the Microsoft Entra ID representation of user. +1. **[Test SSO](#test-sso)** - to verify whether the configuration works. + +## Configure Microsoft Entra SSO + +Follow these steps to enable Microsoft Entra SSO in the Microsoft Entra admin center. + +1. 
Sign in to the [Microsoft Entra admin center](https://entra.microsoft.com) as at least a [Cloud Application Administrator](~/identity/role-based-access-control/permissions-reference.md#cloud-application-administrator). +1. Browse to **Identity** > **Applications** > **Enterprise applications** > **Smartplan** > **Single sign-on**. +1. On the **Select a single sign-on method** page, select **SAML**. +1. On the **Set up single sign-on with SAML** page, click the pencil icon for **Basic SAML Configuration** to edit the settings. + + ![Screenshot shows how to edit Basic SAML Configuration.](common/edit-urls.png "Basic Configuration") + +1. On the **Basic SAML Configuration** section, perform the following steps: + + a. In the **Identifier** text box, type the URL: + `https://www.trpcorp.com` + + b. In the **Reply URL** text box, type a URL using the following pattern: + `https://www.trpcorp.com/smartplan/sso//acs/` + +1. Perform the following step, if you wish to configure the application in **SP** initiated mode: + + In the **Sign-on URL** text box, type a URL using the following pattern: + `https://www.trpcorp.com/smartplan/sso//` + + > [!NOTE] + > These values are not real. Update these values with the actual Reply URL and Sign on URL. Contact [Smartplan support team](mailto:support@trpcorp.com) to get these values. You can also refer to the patterns shown in the **Basic SAML Configuration** section in the Microsoft Entra admin center. + +1. On the **Set up single sign-on with SAML** page, in the **SAML Signing Certificate** section, find **Certificate (Base64)** and select **Download** to download the certificate and save it on your computer. + + ![Screenshot shows the Certificate download link.](common/certificatebase64.png "Certificate") + +1. On the **Set up Smartplan** section, copy the appropriate URL(s) based on your requirement. 
+ + ![Screenshot shows to copy configuration URLs.](common/copy-configuration-urls.png "Metadata") + +### Create a Microsoft Entra ID test user + +In this section, you create a test user in the Microsoft Entra admin center called B.Simon. + +1. Sign in to the [Microsoft Entra admin center](https://entra.microsoft.com) as at least a [User Administrator](~/identity/role-based-access-control/permissions-reference.md#user-administrator). +1. Browse to **Identity** > **Users** > **All users**. +1. Select **New user** > **Create new user**, at the top of the screen. +1. In the **User** properties, follow these steps: + 1. In the **Display name** field, enter `B.Simon`. + 1. In the **User principal name** field, enter the username@companydomain.extension. For example, `B.Simon@contoso.com`. + 1. Select the **Show password** check box, and then write down the value that appears in the **Password** box. + 1. Select **Review + create**. +1. Select **Create**. + +### Assign the Microsoft Entra ID test user + +In this section, you enable B.Simon to use Microsoft Entra single sign-on by granting access to Smartplan. + +1. Sign in to the [Microsoft Entra admin center](https://entra.microsoft.com) as at least a [Cloud Application Administrator](~/identity/role-based-access-control/permissions-reference.md#cloud-application-administrator). +1. Browse to **Identity** > **Applications** > **Enterprise applications** > **Smartplan**. +1. In the app's overview page, select **Users and groups**. +1. Select **Add user/group**, then select **Users and groups** in the **Add Assignment** dialog. + 1. In the **Users and groups** dialog, select **B.Simon** from the Users list, then click the **Select** button at the bottom of the screen. + 1. If you're expecting a role to be assigned to the users, you can select it from the **Select a role** dropdown. If no role has been set up for this app, you see "Default Access" role selected. + 1. 
In the **Add Assignment** dialog, click the **Assign** button. + +## Configure Smartplan SSO + +To configure single sign-on on **Smartplan** side, you need to send the downloaded **Certificate (Base64)** and appropriate copied URLs from Microsoft Entra admin center to [Smartplan support team](mailto:support@trpcorp.com). They set this setting to have the SAML SSO connection set properly on both sides. + +### Create Smartplan test user + +In this section, a user called Britta Simon is created in Smartplan. Smartplan supports just-in-time user provisioning, which is enabled by default. There's no action item for you in this section. If a user doesn't already exist in Smartplan, a new one is created after authentication. + +## Test SSO + +In this section, you test your Microsoft Entra single sign-on configuration with following options. + +#### SP initiated: + +* Click on **Test this application** in Microsoft Entra admin center. This will redirect to Smartplan Sign on URL where you can initiate the login flow. + +* Go to Smartplan Sign-on URL directly and initiate the login flow from there. + +#### IDP initiated: + +* Click on **Test this application** in Microsoft Entra admin center and you should be automatically signed in to the Smartplan for which you set up the SSO. + +You can also use Microsoft My Apps to test the application in any mode. When you click the Smartplan tile in the My Apps, if configured in SP mode you would be redirected to the application sign-on page for initiating the login flow and if configured in IDP mode, you should be automatically signed in to the Smartplan for which you set up the SSO. For more information about the My Apps, see [Introduction to the My Apps](https://support.microsoft.com/account-billing/sign-in-and-start-apps-from-the-my-apps-portal-2f3b1bae-0e5a-4a86-a33e-876fbd2a4510). 
+ +## Next steps + +Once you configure Smartplan you can enforce session control, which protects exfiltration and infiltration of your organization's sensitive data in real time. Session control extends from Conditional Access. [Learn how to enforce session control with Microsoft Defender for Cloud Apps](/cloud-app-security/proxy-deployment-any-app). \ No newline at end of file diff --git a/docs/identity/saas-apps/toc.yml b/docs/identity/saas-apps/toc.yml index 65187dadd5e..c6b4daa5816 100644 --- a/docs/identity/saas-apps/toc.yml +++ b/docs/identity/saas-apps/toc.yml @@ -584,6 +584,8 @@ href: cognidox-tutorial.md - name: Cognician href: cognician-tutorial.md + - name: Cognism + href: cognism-tutorial.md - name: CoLab href: colab-tutorial.md - name: Collaborative Innovation @@ -2499,6 +2501,8 @@ href: smartlook-tutorial.md - name: Smart Map Pro href: smart-map-pro-tutorial.md + - name: Smartplan + href: smartplan-tutorial.md - name: SmartRecruiters href: smartrecruiters-tutorial.md - name: smartvid.io diff --git a/docs/identity/users/groups-dynamic-membership.md b/docs/identity/users/groups-dynamic-membership.md index 7b1d096d632..4419a552d09 100644 --- a/docs/identity/users/groups-dynamic-membership.md +++ b/docs/identity/users/groups-dynamic-membership.md 
@@ -32,12 +32,13 @@ When the attributes of a user or a device change, the system evaluates all dynam Microsoft Entra ID provides a rule builder to create and update your important rules more quickly. The rule builder supports the construction of up to five expressions. The rule builder makes it easier to form a rule with a few simple expressions, however, it can't be used to reproduce every rule. If the rule builder doesn't support the rule you want to create, you can use the text box. -Here are some examples of advanced rules or syntax for which we recommend that you construct using the text box: +Here are some examples of advanced rules or syntax that require the use of the text box: - Rule with more than five expressions - The Direct reports rule +- Rules with -contains or -notContains operator - Setting [operator precedence](#operator-precedence) -- [Rules with complex expressions](#rules-with-complex-expressions); for example, `(user.proxyAddresses -any (_ -contains "contoso"))` +- [Rules with complex expressions](#rules-with-complex-expressions); for example, `(user.proxyAddresses -any (_ -startsWith "contoso"))` > [!NOTE] > The rule builder might not be able to display some rules constructed in the text box. You might see a message when the rule builder is not able to display the rule. The rule builder doesn't change the supported syntax, validation, or processing of dynamic group rules in any way. 
@@ -130,8 +131,8 @@ dirSyncEnabled |true false |user.dirSyncEnabled -eq true | Properties | Allowed values | Example | | --- | --- | --- | -| otherMails |Any string value | user.otherMails -contains "alias@domain" | -| proxyAddresses |SMTP: alias@domain smtp: alias@domain | user.proxyAddresses -contains "SMTP: alias@domain" | +| otherMails |Any string value | user.otherMails -startsWith "alias@domain" | +| proxyAddresses |SMTP: alias@domain smtp: alias@domain | user.proxyAddresses -startsWith "SMTP: alias@domain" | For the properties used for device rules, see [Rules for devices](#rules-for-devices). @@ -225,7 +226,7 @@ The following are examples of properly constructed membership rules with multipl ``` (user.department -eq "Sales") -or (user.department -eq "Marketing") -(user.department -eq "Sales") -and -not (user.jobTitle -contains "SDE") +(user.department -eq "Sales") -and -not (user.jobTitle -startsWith "SDE") ``` ### Operator precedence @@ -267,7 +268,7 @@ Multi-value properties are collections of objects of the same type. They can be | Properties | Values | Usage | | --- | --- | --- | | assignedPlans | Each object in the collection exposes the following string properties: capabilityStatus, service, servicePlanId |user.assignedPlans -any (assignedPlan.servicePlanId -eq "efb87545-963c-4e0d-99df-69c6916d9eb0" -and assignedPlan.capabilityStatus -eq "Enabled") | -| proxyAddresses| SMTP: alias@domain smtp: alias@domain | (user.proxyAddresses -any (\_ -contains "contoso")) | +| proxyAddresses| SMTP: alias@domain smtp: alias@domain | (user.proxyAddresses -any (\_ -startsWith "contoso")) | ### Using the -any and -all operators 
@@ -306,10 +307,10 @@ user.assignedPlans -all (assignedPlan.servicePlanId -ne null) The underscore (\_) syntax matches occurrences of a specific value in one of the multivalued string collection properties to add users or devices to a dynamic group. It's used with the -any or -all operators. -Here's an example of using the underscore (\_) in a rule to add members based on user.proxyAddress (it works the same for user.otherMails). This rule adds any user with proxy address that contains "contoso" to the group. +Here's an example of using the underscore (\_) in a rule to add members based on user.proxyAddress (it works the same for user.otherMails). This rule adds any user with proxy address that starts with "contoso" to the group. ``` -(user.proxyAddresses -any (_ -contains "contoso")) +(user.proxyAddresses -any (_ -startsWith "contoso")) ``` ## Other properties and common rules @@ -415,10 +416,10 @@ The following device attributes can be used. deviceManufacturer | any string value | device.deviceManufacturer -eq "Samsung" deviceModel | any string value | device.deviceModel -eq "iPad Air" displayName | any string value | device.displayName -eq "Rob iPhone" - deviceOSType | any string value | (device.deviceOSType -eq "iPad") -or (device.deviceOSType -eq "iPhone")
device.deviceOSType -contains "AndroidEnterprise"
device.deviceOSType -eq "AndroidForWork"
device.deviceOSType -eq "Windows" + deviceOSType | any string value | (device.deviceOSType -eq "iPad") -or (device.deviceOSType -eq "iPhone")
device.deviceOSType -startsWith "AndroidEnterprise"
device.deviceOSType -eq "AndroidForWork"
device.deviceOSType -eq "Windows" deviceOSVersion | any string value | device.deviceOSVersion -eq "9.1"
device.deviceOSVersion -startsWith "10.0.1" deviceOwnership | Personal, Company, Unknown | device.deviceOwnership -eq "Company" - devicePhysicalIds | any string value used by Autopilot, such as all Autopilot devices, OrderID, or PurchaseOrderID | device.devicePhysicalIDs -any _ -contains "[ZTDId]"
(device.devicePhysicalIds -any _ -eq "[OrderID]:179887111881"
(device.devicePhysicalIds -any _ -eq "[PurchaseOrderId]:76222342342" + devicePhysicalIds | any string value used by Autopilot, such as all Autopilot devices, OrderID, or PurchaseOrderID | device.devicePhysicalIDs -any _ -startsWith "[ZTDId]"
(device.devicePhysicalIds -any _ -eq "[OrderID]:179887111881"
(device.devicePhysicalIds -any _ -eq "[PurchaseOrderId]:76222342342" deviceTrustType | AzureAD, ServerAD, Workplace | device.deviceTrustType -eq "AzureAD" enrollmentProfileName | Apple Device Enrollment Profile name, Android Enterprise Corporate-owned dedicated device Enrollment Profile name, or Windows Autopilot profile name | device.enrollmentProfileName -eq "DEP iPhones" extensionAttribute1 | any string value | device.extensionAttribute1 -eq "some string value" @@ -441,7 +442,7 @@ The following device attributes can be used. memberOf | Any string value (valid group object ID) | device.memberof -any (group.objectId -in ['value']) objectId | a valid Microsoft Entra object ID | device.objectId -eq "76ad43c9-32c5-45e8-a272-7b58b58f596d" profileType | a valid [profile type](/graph/api/resources/device?view=graph-rest-1.0&preserve-view=true#properties) in Microsoft Entra ID | device.profileType -eq "RegisteredDevice" - systemLabels | any string matching the Intune device property for tagging Modern Workplace devices | device.systemLabels -contains "M365Managed" + systemLabels | any string matching the Intune device property for tagging Modern Workplace devices | device.systemLabels -startsWith "M365Managed" diff --git a/docs/identity/users/groups-dynamic-rule-more-efficient.md b/docs/identity/users/groups-dynamic-rule-more-efficient.md index a1d899198f2..8a3684120c5 100644 --- a/docs/identity/users/groups-dynamic-rule-more-efficient.md +++ b/docs/identity/users/groups-dynamic-rule-more-efficient.md 
@@ -24,7 +24,7 @@ The team for Microsoft Entra ID, part of Microsoft Entra, receives reports of in ## Minimize use of MATCH -Minimize the usage of the `match` operator in rules as much as possible. Instead, explore if it's possible to use the `contains`, `startswith`, or `-eq` operators. Considering using other properties that allow you to write rules to select the users you want to be in the group without using the `-match` operator. For example, if you want a rule for the group for all users whose city is Lagos, then instead of using rules like: +Minimize the usage of the `match` operator in rules as much as possible. Instead, explore if it's possible to use the `startswith` or `-eq` operators. Considering using other properties that allow you to write rules to select the users you want to be in the group without using the `-match` operator. For example, if you want a rule for the group for all users whose city is Lagos, then instead of using rules like: - `user.city -match "ago"` - `user.city -match ".*?ago.*"`
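Review bot: In the migrate-from-federation-to-cloud-authentication.md hunk at `@@ -138,8 +138,7 @@`, the sentence that is demoted from a NOTE to a plain paragraph still has mismatched link text and target: the text names the `Set-MsolDomainFederationSettings` MSOnline v1 cmdlet, but the href points at `new-mgdomainfederationconfiguration` in the Graph PowerShell reference. Since this PR is removing MSOnline references from the same article, either point the link at the MSOnline reference (the `/powershell/module/msonline/` path pattern used for the `Get-MsolDomainFederationSettings` link removed in the next hunk) or reword the sentence to describe `federatedIdpMfaBehavior` as the replacement for the legacy `SupportsMfa` property without linking the cmdlet at all.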
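Review bot: In the migrate-from-federation-to-cloud-authentication.md hunk at `@@ -152,19 +151,8 @@`, deleting the `Get-MsolDomainFederationSettings` check is in scope, but the same hunk also removes the Microsoft MFA Server end-of-support notice, its link to the MFA Server migration guide, and the recommendation to use combined registration for SSPR and MFA; none of those depend on MSOnline, and readers switching from federation to cloud authentication lose the pointer that tells them MFA Server must be migrated first. Suggest keeping those sentences (as a NOTE or a plain paragraph) and removing only the `You can also check the status of your SupportsMfa flag` paragraph and its PowerShell block.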
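Review bot: In the migrate-from-federation-to-cloud-authentication.md hunk at `@@ -439,10 +427,7 @@`, the link to the "AD FS to Microsoft Entra application migration playbook for developers" sample is dropped without a replacement or a stated reason; the remaining stages article is admin-facing, so developers reconfiguring SAML apps lose their only pointer here. If the sample is still published, keep it as a second reference; if it was retired, say so in the PR description.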
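Review bot: In the new cognism-tutorial.md, the Basic SAML Configuration step lists concrete Production and Staging Identifier and Reply URLs (`https://app.cognism.com/` and `https://app.cognism.com/api/users/sso/azureSamlResponse/`) while the NOTE directly below says "These values are not real"; either mark the table entries as patterns (the template's usual `<SUBDOMAIN>` style) or drop the NOTE so admins know which value to actually enter. The "Create Cognism test user" section states that just-in-time provisioning is on by default and creates an account after any successful authentication, so it is worth adding one sentence reminding admins that only users assigned under "Assign the Microsoft Entra ID test user" should be able to reach the app, otherwise any tenant user who can sign in gets a Cognism account created. Minor wording: "Open the downloaded **Certificate (Base64)** into Notepad" should read "in Notepad", and "Select **Cognism** from results panel" should read "from the results panel"; **Test this application** is bolded in smartplan-tutorial.md but not here.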
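Review bot: In the new smartplan-tutorial.md, the Reply URL pattern `https://www.trpcorp.com/smartplan/sso//acs/` and the Sign-on URL pattern `https://www.trpcorp.com/smartplan/sso//` both contain an empty path segment (`//`), which looks like a dropped tenant-specific placeholder; the NOTE calls them patterns and says to get the real values from support, so the placeholder (for example `<CUSTOMER_ID>` in the repo's usual style) should be restored, otherwise the double slash will be copied as-is. Also: "Create Smartplan test user" names the user "Britta Simon" while the rest of the article uses "B.Simon"; the "SP initiated:" and "IDP initiated:" headings jump from `##` to `####`, skipping a level; "Sign on URL" and "Sign-on URL" are both used in the same section; and "They set this setting to have the SAML SSO connection set properly" reads awkwardly, "They configure the connection on their side" would do.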
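Review bot: In groups-dynamic-membership.md, the replacement example `(user.proxyAddresses -any (_ -startsWith "contoso"))` in the hunks at `@@ -32`, `@@ -267` and `@@ -306` can never match: the same file documents `proxyAddresses` values in the form `SMTP: alias@domain` / `smtp: alias@domain`, so no entry starts with "contoso", and the rewritten prose "adds any user with proxy address that starts with "contoso"" describes a rule that adds nobody. Since the first hunk now explicitly lists "Rules with -contains or -notContains operator" among the text-box-only rules, the complex-expression example is exactly where `-contains` is still legitimate and could stay; if the intent is to show `-startsWith`, use a prefix that can occur, such as one starting with `SMTP:`, and adjust the prose to match. Style nit in the same list: write the operators as `-contains` or `-notContains` in code font, matching the rest of the article.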
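Review bot: In the groups-dynamic-rule-more-efficient.md hunk at `@@ -24,7 +24,7 @@`, the rewritten sentence lists `startswith` and `-eq` side by side; the membership rule article spells the operator `-startsWith`, and the `match` operator two words earlier is written `-match` later in the same sentence, so the line should use `-startsWith` and `-match` consistently. While this line is being touched, "Considering using other properties" should be "Consider using other properties".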