Merge pull request #887 from MicrosoftDocs/main
Merge main to live, 4 AM
v-ccolin authored Dec 17, 2023
2 parents 8c1718f + 33e3378 commit 88bdff3
Showing 26 changed files with 292 additions and 231 deletions.
4 changes: 2 additions & 2 deletions docs/identity-platform/app-objects-and-service-principals.md
@@ -5,12 +5,12 @@ author: rwike77
manager: CelesteDG
ms.author: ryanwi
ms.custom: has-azure-ad-ps-ref
ms.date: 05/22/2023
ms.date: 12/15/2023
ms.reviewer: sureshja
ms.service: active-directory
ms.subservice: develop
ms.topic: conceptual
#Customer intent:
# Customer intent: As an application developer, I want to understand the relationship between application objects and service principal objects in Microsoft Entra ID, so that I can properly register and manage my application's identity and access management functions.
---

# Application and service principal objects in Microsoft Entra ID
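Review bot: the new metadata line uses "# Customer intent:" with a space after the hash, while every other file touched in this commit (and the line it replaces) uses "#Customer intent:"; pick one form so the placeholder stays greppable across the docs set.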
26 changes: 15 additions & 11 deletions docs/identity-platform/apple-sso-plugin.md
@@ -338,20 +338,24 @@ For the SSO plug-in to function properly, Apple devices should be allowed to rea

Here is the minimum set of URLs that need to be allowed for the SSO plug-in to function:

- `*.cdn-apple.com`
- `*.networking.apple`
- `login.microsoftonline.com`
- `login.microsoft.com`
- `sts.windows.net`
- `login.partner.microsoftonline.cn`
- `login.chinacloudapi.cn`
- `login.microsoftonline.us`
- `login-us.microsoftonline.com`
- `app-site-association.cdn-apple.com`
- `app-site-association.networking.apple`
- `login.microsoftonline.com`(*)
- `login.microsoft.com`(*)
- `sts.windows.net`(*)
- `login.partner.microsoftonline.cn`(*)(**)
- `login.chinacloudapi.cn`(*)(**)
- `login.microsoftonline.us`(*)(**)
- `login-us.microsoftonline.com`(*)(**)

(*) Allowing Microsoft domains is only required on operating system versions released before 2022. On the latest operating system versions, Apple relies fully on its CDN.

(**) You only need to allow sovereign cloud domains if you rely on those in your environment.

> [!WARNING]
> If your organization uses proxy servers that intercept SSL traffic for scenarios like data loss prevention or tenant restrictions, ensure that traffic to these URLs are excluded from TLS break-and-inspect. Failure to exclude these URLs may cause interference with client certificate authentication, cause issues with device registration, and device-based Conditional Access.
> If your organization uses proxy servers that intercept SSL traffic for scenarios like data loss prevention or tenant restrictions, ensure that traffic to these URLs are excluded from TLS break-and-inspect. Failure to exclude these URLs will cause interference with client certificate authentication, cause issues with device registration, and device-based Conditional Access. SSO plugin will not work reliably without fully excluding Apple CDN domains from interception, and you will experience intermittent issues until you do so.
If your organization blocks these URLs users may see errors like `1012 NSURLErrorDomain error` or `1000 com.apple.AuthenticationServices.AuthorizationError`.
If your organization blocks these URLs users may see errors like `1012 NSURLErrorDomain error`, `1000 com.apple.AuthenticationServices.AuthorizationError` or `1001 Unexpected`.

Other Apple URLs that may need to be allowed are documented in their support article, [Use Apple products on enterprise networks](https://support.apple.com/HT210060).

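Review bot: footnote (*) is too vague to act on: "operating system versions released before 2022" should name the minimum macOS, iOS and iPadOS versions on which the plug-in no longer needs the Microsoft endpoints, because an admin writing a proxy exclusion list needs a version number, not a release year. The warning also tells admins to exclude `login.microsoftonline.com` from TLS interception while naming tenant restrictions as a reason they intercept; if tenant restrictions are enforced by that same proxy, the page should say whether that control still applies to this traffic once the exclusion is in place, or link to the tenant restrictions guidance. Minor: "ensure that traffic to these URLs are excluded" should read "is excluded", "SSO plugin" should match the "SSO plug-in" spelling used in the rest of the article, and "cause interference with client certificate authentication, cause issues with device registration, and device-based Conditional Access" reads better as "will break client certificate authentication, device registration, and device-based Conditional Access".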
2 changes: 1 addition & 1 deletion docs/identity-platform/configurable-token-lifetimes.md
@@ -10,7 +10,7 @@ ms.reviewer: joroja
ms.service: active-directory
ms.subservice: develop
ms.topic: conceptual
#Customer intent:
#Customer intent: As an IT admin, I want to configure the lifetime of access, ID, and SAML tokens for different types of applications, so that I can help mitigate the actions of a malicous actor who has obtained a token.
---
# Configurable token lifetimes in the Microsoft identity platform (preview)

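Review bot: typo in the new Customer intent line: "malicous" should be "malicious". Also consider "limit the window in which a malicious actor can use a stolen token" rather than "help mitigate the actions of", since shortening a lifetime bounds how long a leaked token is usable rather than stopping the actions taken with it.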
2 changes: 1 addition & 1 deletion docs/identity-platform/configure-token-lifetimes.md
@@ -10,7 +10,7 @@ ms.reviewer: joroja
ms.service: active-directory
ms.subservice: develop
ms.topic: how-to
#Customer intent:
#Customer intent: As an IT admin, I want to create and assign token lifetime policies to apps and service principals, so that I can control the lifetime of access, SAML, or ID tokens for improved security and authentication management.
---
# Configure token lifetime policies (preview)

@@ -10,7 +10,7 @@ ms.reviewer: mahender, jukullam
ms.service: active-directory
ms.subservice: develop
ms.topic: how-to
#Customer intent:
#Customer intent: As a developer, I want to deploy a web app in a pipeline and configure App Service authentication using Azure Pipelines, so that I can automate the deployment process and secure access to the web app.
---

# Deploy a web app in a pipeline and configure App Service authentication
2 changes: 1 addition & 1 deletion docs/identity-platform/developer-glossary.md
@@ -9,7 +9,7 @@ ms.reviewer:
ms.service: active-directory
ms.subservice: develop
ms.topic: reference
#Customer intent:
#Customer intent: As a developer integrating with the Microsoft identity platform, I want to understand the terminology and concepts related to authentication and authorization, so that I can effectively implement secure access to protected resources in my application.
---

# Glossary: Microsoft identity platform
4 changes: 2 additions & 2 deletions docs/identity-platform/federation-metadata.md
@@ -10,12 +10,12 @@ ms.reviewer: ludwignick
ms.service: active-directory
ms.subservice: azuread-dev
ms.topic: conceptual
#Customer intent:
#Customer intent: As a developer integrating with Microsoft Entra ID, I want to understand the federation metadata document format and endpoints, so that I can configure my application to validate the issuer and token signing certificates of security tokens issued by Microsoft Entra ID.
---

# Federation metadata

Microsoft Entra ID publishes a federation metadata document for services that is configured to accept the security tokens that Microsoft Entra ID issues. The federation metadata document format is described in the [Web Services Federation Language (WS-Federation) Version 1.2](https://docs.oasis-open.org/wsfed/federation/v1.2/os/ws-federation-1.2-spec-os.html), which extends [Metadata for the OASIS Security Assertion Markup Language (SAML) v2.0](https://docs.oasis-open.org/security/saml/v2.0/saml-metadata-2.0-os.pdf).
Microsoft Entra ID publishes a federation metadata document for services that are configured to accept the security tokens that Microsoft Entra ID issues. The federation metadata document format is described in the [Web Services Federation Language (WS-Federation) Version 1.2](https://docs.oasis-open.org/wsfed/federation/v1.2/os/ws-federation-1.2-spec-os.html), which extends [Metadata for the OASIS Security Assertion Markup Language (SAML) v2.0](https://docs.oasis-open.org/security/saml/v2.0/saml-metadata-2.0-os.pdf).

## Tenant-specific and tenant-independent metadata endpoints

3 changes: 2 additions & 1 deletion docs/identity-platform/howto-add-branding-in-apps.md
@@ -5,11 +5,12 @@ author: rwike77
manager: CelesteDG
ms.author: ryanwi
ms.custom: signin_art
ms.date: 07/26/2023
ms.date: 12/15/2023
ms.reviewer: arielgo
ms.service: active-directory
ms.subservice: develop
ms.topic: conceptual
#Customer intent: As a developer integrating with Microsoft Entra ID, I want to understand the branding guidelines for applications, so that I can correctly use the appropriate Microsoft logo and images in my app.
---

# Sign in with Microsoft: Branding guidelines for applications
@@ -5,12 +5,12 @@ author: rwike77
manager: CelesteDG
ms.author: ryanwi
ms.custom:
ms.date: 03/07/2023
ms.date: 12/15/2023
ms.reviewer: sureshja
ms.service: active-directory
ms.subservice: develop
ms.topic: how-to
#Customer intent:
#Customer intent: As an application developer building a multi-tenant app, I want to configure the terms of service and privacy statement for my app, so that I can help gain user's trust and encourage them to consent to using my app.
---

# Configure terms of service and privacy statement for an app
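Review bot: "help gain user's trust" should be "help gain users' trust" (plural possessive). The new line is also the only Customer intent in this commit that promises a behavioural outcome ("encourage them to consent"); "so that users can review them before they consent to my app" states the purpose without reading as marketing.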
@@ -5,13 +5,13 @@ author: rwike77
manager: CelesteDG
ms.author: ryanwi
ms.custom: devx-track-azurepowershell
ms.date: 03/07/2023
ms.date: 12/15/2023
ms.reviewer: tomfitz
ms.service: active-directory
ms.subservice: develop
ms.tgt_pltfrm: multiple
ms.topic: how-to
#Customer intent:
#Customer intent: As a developer, I want to create a service principal with a certificate, so my app or script can authenticate and access resources with its own credentials.
---

# Use Azure PowerShell to create a service principal with a certificate
22 changes: 11 additions & 11 deletions docs/identity-platform/mark-app-as-publisher-verified.md
@@ -10,52 +10,52 @@ ms.reviewer: xurobert
ms.service: active-directory
ms.subservice: develop
ms.topic: how-to
#Customer intent:
#Customer intent: As a developer integrating my app with the Microsoft identity platform, I want to complete the publisher verification process for my app registration, so that users can see that my app is publisher verified and trust its authenticity.
---

# Mark your app as publisher verified

When an app registration has a verified publisher, it means that the publisher of the app has [verified](/partner-center/verification-responses) their identity using their Cloud Partner Program (CPP) account and has associated this CPP account with their app registration. This article describes how to complete the [publisher verification](publisher-verification-overview.md) process.

## Quickstart
If you are already enrolled in the [Cloud Partner Program (CPP)](/partner-center/intro-to-cloud-partner-program-membership) and have met the [pre-requisites](publisher-verification-overview.md#requirements), you can get started right away:
If you're already enrolled in the [Cloud Partner Program (CPP)](/partner-center/intro-to-cloud-partner-program-membership) and have met the [prerequisites](publisher-verification-overview.md#requirements), you can get started right away:

1. Sign into the [App Registration portal](https://aka.ms/PublisherVerificationPreview) using [multi-factor authentication](~/identity/authentication/concept-mfa-licensing.md)
1. Sign into the [App Registration portal](https://aka.ms/PublisherVerificationPreview) using [multifactor authentication](~/identity/authentication/concept-mfa-licensing.md)

1. Choose an app and click **Branding & properties**.
1. Choose an app and select **Branding & properties**.

1. Click **Add Partner One ID to verify publisher** and review the listed requirements.
1. Select **Add Partner One ID to verify publisher** and review the listed requirements.

1. Enter your Partner One ID and click **Verify and save**.
1. Enter your Partner One ID and select **Verify and save**.

For more details on specific benefits, requirements, and frequently asked questions see the [overview](publisher-verification-overview.md).

## Mark your app as publisher verified
Make sure you meet the [pre-requisites](publisher-verification-overview.md#requirements), then follow these steps to mark your app(s) as Publisher Verified.
Make sure you meet the [prerequisites](publisher-verification-overview.md#requirements), then follow these steps to mark your app(s) as Publisher Verified.

1. Sign in using [multi-factor authentication](~/identity/authentication/concept-mfa-licensing.md) to an organizational (Microsoft Entra) account authorized to make changes to the app you want to mark as Publisher Verified and on the CPP Account in Partner Center.
1. Sign in using [multifactor authentication](~/identity/authentication/concept-mfa-licensing.md) to an organizational (Microsoft Entra) account authorized to make changes to the app you want to mark as Publisher Verified and on the CPP Account in Partner Center.

- The Microsoft Entra user must have one of the following [roles](~/identity/role-based-access-control/permissions-reference.md): Application Admin, Cloud Application Admin, or Global Administrator.

- The user in Partner Center must have the following [roles](/partner-center/permissions-overview): CPP Admin, Accounts Admin, or a Global Administrator (a shared role mastered in Microsoft Entra ID).

1. Navigate to the **App registrations** blade:

1. Click on an app you would like to mark as Publisher Verified and open the **Branding & properties** blade.
1. Select on an app you would like to mark as Publisher Verified and open the **Branding & properties** blade.

1. Ensure the app’s [publisher domain](howto-configure-publisher-domain.md) is set.

1. Ensure that either the publisher domain or a DNS-verified [custom domain](~/fundamentals/add-custom-domain.md) on the tenant matches the domain of the email address used during the verification process for your CPP account.

1. Click **Add Partner One ID to verify publisher** near the bottom of the page.
1. Select **Add Partner One ID to verify publisher** near the bottom of the page.

1. Enter the **Partner One ID** for:

- A valid Cloud Partner Program account that has completed the verification process.

- The Partner global account (PGA) for your organization.

1. Click **Verify and save**.
1. Select **Verify and save**.

1. Wait for the request to process, this may take a few minutes.

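Review bot: the mechanical click-to-select substitution produced "Select on an app you would like to mark as Publisher Verified"; it should be "Select the app you would like to mark as Publisher Verified". The same pass left "Sign into" in both sign-in steps, which should be "Sign in to". In the unchanged context, the role names "Application Admin" and "Cloud Application Admin" are abbreviations; the linked permissions reference calls them "Application Administrator" and "Cloud Application Administrator", and "Wait for the request to process, this may take a few minutes." is a comma splice that could be fixed with a semicolon while the file is being touched.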
2 changes: 1 addition & 1 deletion docs/identity-platform/publisher-verification-overview.md
@@ -10,7 +10,7 @@ ms.reviewer: xurobert
ms.service: active-directory
ms.subservice: develop
ms.topic: conceptual
#Customer intent:
#Customer intent: As a developer integrating my app with the Microsoft identity platform, I want to learn about the publisher verification process, so that my organization can be identified as authentic by Microsoft and my app can gain increased transparency, improved branding, and smoother enterprise adoption.
---

# Publisher verification
2 changes: 1 addition & 1 deletion docs/identity-platform/reference-app-manifest.md
@@ -10,7 +10,7 @@ ms.reviewer: sureshja
ms.service: active-directory
ms.subservice: develop
ms.topic: reference
#Customer intent:
#Customer intent: As an application developer, I want to configure the attributes of an application in the Microsoft Entra admin center or programmatically, so that I can update the application object and define permissions and roles for the app.
---

# Microsoft Entra app manifest
2 changes: 1 addition & 1 deletion docs/identity-platform/reference-breaking-changes.md
@@ -10,7 +10,7 @@ ms.reviewer: ludwignick
ms.service: active-directory
ms.subservice: develop
ms.topic: reference
#Customer intent:
#Customer intent: As a developer, I want to stay updated on the changes and updates to the Microsoft identity platform, so that I can ensure the security, usability, and compliance of my applications.
---

# What's new for authentication?
2 changes: 1 addition & 1 deletion docs/identity-platform/reference-error-codes.md
@@ -10,7 +10,7 @@ ms.reviewer: ludwignick
ms.service: active-directory
ms.subservice: develop
ms.topic: reference
#Customer intent:
#Customer intent: As a developer troubleshooting authentication errors, I want to understand the meaning and possible resolutions for the AADSTS error codes returned by the Microsoft Entra security token service, so that I can effectively debug and fix authentication issues in my application.
---

# Microsoft Entra authentication and authorization error codes
2 changes: 1 addition & 1 deletion docs/identity-platform/signing-key-rollover.md
@@ -10,7 +10,7 @@ ms.reviewer: paulgarn, ludwignick
ms.service: active-directory
ms.subservice: develop
ms.topic: conceptual
#Customer intent:
#Customer intent: As a developer using the Microsoft identity platform for authentication in my web application, I want to ensure that my application can handle public key rollover automatically, so that my application will continue to validate token signatures without manual intervention.
---

# Signing key rollover in the Microsoft identity platform
2 changes: 1 addition & 1 deletion docs/identity-platform/single-and-multi-tenant-apps.md
@@ -10,7 +10,7 @@ ms.reviewer: justhu
ms.service: active-directory
ms.subservice: develop
ms.topic: conceptual
#Customer intent:
#Customer intent: As a developer, I want to understand the concept of tenancy in Microsoft Entra ID, so that I can configure my app to be either single-tenant or multi-tenant during app registration and determine who can sign in to my app.
---

# Tenancy in Microsoft Entra ID