Merge pull request #6746 from MicrosoftDocs/main
01/30/2025 PM Publishing
v-alje authored Jan 30, 2025
2 parents ce2f048 + 86b90e2 commit 3be9f44
Showing 12 changed files with 94 additions and 10 deletions.
@@ -8,7 +8,7 @@ ms.service: entra-external-id

ms.subservice: external
ms.topic: concept-article
ms.date: 12/03/2024
ms.date: 01/29/2025
ms.author: mimart
ms.custom: it-pro, seo-july-2024

@@ -82,7 +82,7 @@ The following table compares the features available for [Application registratio

|Feature |Workforce tenant | External tenant |
|---------|---------|---------|
| **Protocol** | SAML relying parties, OpenID Connect, and OAuth2 | OpenID Connect and OAuth2 |
| **Protocol** | SAML relying parties, OpenID Connect, and OAuth2 | [SAML relying parties](how-to-register-saml-app.md), [OpenID Connect](how-to-register-ciam-app.md), and OAuth2 |
| **Supported account types**| The following [account types](~/identity-platform/quickstart-register-app.md#register-an-application): <ul><li>Accounts in this organizational directory only (Single tenant)</li><li>Accounts in any organizational directory (Any Microsoft Entra tenant - Multitenant)</li><li>Accounts in any organizational directory (Any Microsoft Entra tenant - Multitenant) and personal Microsoft accounts (such as Skype, Xbox)</li><li>Personal Microsoft accounts only</li></ul> | Always use *Accounts in this organizational directory only (Single tenant)*. |
| **Platform** | The following [platforms](~/identity-platform/quickstart-register-app.md#configure-platform-settings): <ul><li>Public client/native (mobile & desktop)</li><li>Web</li><li>Single page application (SPA)</li><ul>| The following [platforms](~/identity-platform/quickstart-register-app.md#configure-platform-settings): <ul><li>Public client (mobile & desktop)</li><li>[Native authentication mobile](concept-native-authentication.md) </li><li>Web</li><li>Single page application (SPA)</li><ul>|
| **Authentication** > **Redirect URIs**| The URIs Microsoft Entra ID accepts as destinations when returning authentication responses (tokens) after successfully authenticating or signing out users. | Same as workforce.|
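Review bot: the new external-tenant **Protocol** cell lists SAML relying parties without a preview qualifier, while the linked how-to-register-saml-app.md page is titled "(preview)" and its UI labels read **Enterprise Applications (Preview)** and **SAML (preview)**; consider `[SAML relying parties (preview)](how-to-register-saml-app.md)` so the comparison table does not imply general availability. Since the **Platform** row is part of this hunk, it is also a good moment to fix the list markup in both of its cells, where `</li><ul>|` should be `</li></ul>|` so the closing tag matches the opening one.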
2 changes: 1 addition & 1 deletion docs/external-id/customers/how-to-register-ciam-app.md
@@ -23,7 +23,7 @@ During app registration, you specify the redirect URI. The redirect URI is the e

External ID supports authentication for various modern application architectures, for example web app or single-page app. The interaction of each application type with the external tenant is different, therefore, you must specify the type of application you want to register.

In this article, you learn how to register an application in your external tenant.
In this article, you learn how to register an OpenID Connect (OIDC) application in your external tenant. You can also register a SAML app in your external tenant by adding it to your enterprise applications ([learn more](how-to-register-saml-app.md)).

## Prerequisites

79 changes: 79 additions & 0 deletions docs/external-id/customers/how-to-register-saml-app.md
@@ -0,0 +1,79 @@
---
title: Register a SAML app
description: Learn how to create and register a SAML app with External ID for customer identity and access management (CIAM). Choose your app type and get detailed steps.
author: msmimart
ms.author: mimart
manager: CelesteDG
ms.service: entra-external-id
ms.subservice: external
ms.topic: how-to
ms.date: 01/29/2025
ms.custom: it-pro

#Customer intent: As a dev, devops, or it admin, I want to learn about how to register a SAML app through the Microsoft Entra admin center.
---
# Register a SAML app in your external tenant (preview)

[!INCLUDE [applies-to-external-only](../includes/applies-to-external-only.md)]

In external tenants, you can register applications that use the OpenID Connect (OIDC) or Security Assertion Markup Language (SAML) protocol for authentication and single sign-on. The [app registration](how-to-register-ciam-app.md) process is designed specifically for OIDC apps. But you can use the Enterprise applications feature to create and register your SAML app. This process generates a unique application ID (client ID) and adds your app to the App registrations, where you can view and manage its properties.

This article describes how to register your own SAML application in your external tenant by creating a *non-gallery* app in **Enterprise applications**.

> [!NOTE]
> The following capabilities aren't supported for SAML apps in external tenants:
>- Preintegrated SAML applications in the Microsoft Entra gallery aren't supported in external tenants.
>- The availability of the **Provisioning** tab in the SAML app settings is a known issue. Provisioning isn't supported for apps in external tenants.
>- IdP initiated flow isn't supported.
## Prerequisites

- An Azure account that has an active subscription. <a href="https://azure.microsoft.com/free/?WT.mc_id=A261C142F" target="_blank">Create an account for free</a>.
- A Microsoft Entra [external tenant](how-to-create-external-tenant-portal.md).
- [A sign-up and sign-in user flow](how-to-user-flow-sign-up-sign-in-customers.md).

## Create and register a SAML app

1. Sign in to the Microsoft Entra admin center as at least an Application Administrator.
1. If you have access to multiple tenants, use the **Settings** icon :::image type="icon" source="media/common/admin-center-settings-icon.png" border="false"::: in the top menu and switch to your external tenant from the **Directories** menu.
1. Go to **Identity** > **Applications** > **Enterprise Applications (Preview)**.
1. Select **New application**.

1. Select **Create your own application**.

:::image type="content" source="media/how-to-register-saml-app/create-your-own-application.png" alt-text="Screenshot of the Create your own application option in the Microsoft Entra Gallery.":::

1. On the **Create your own application** pane, enter a name for your app.

> [!NOTE]
> You might see a gallery app selector, but you can disregard it as gallery apps aren't supported in external tenants.
1. Select "**(Preview) Integrate any other application you don't find in the gallery (Non-gallery)**".

1. Select **Create**.

1. The app **Overview** page opens. In the left menu under **Manage**, select **Properties**. Switch the **Assignment required?** toggle to **No** so that users can use self-service sign-up, and then select **Save**.

:::image type="content" source="media/how-to-register-saml-app/assignment-toggle-no.png" alt-text="Screenshot of the Assignment required toggle.":::

1. In the left menu under **Manage**, select **Single sign-on (Preview)**.
1. Under **Select a single sign-on method**, select **SAML (preview)**.

:::image type="content" source="media/how-to-register-saml-app/select-single-sign-on-method.png" alt-text="Screenshot of the Single sign-on method tile.":::

1. On the **SAML-based Sign-on (Preview)** page, do one of the following:

- Select **Upload metadata file**, browse to the file containing your metadata, and then select **Add**. Select **Save**.
- Or, use the **Edit** pencil option to update each section, and then select **Save**.

> [!NOTE]
> Make sure your SAML app uses your `ciamlogin` endpoint, for example `domainname.ciamlogin.com`, instead of `login.microsoft.com`. If you're downloading the federation metadata URL, it should be in the form `domain.ciamlogin.com/<tenantid>/federationmetadata/2007-06/federationmetadata.xml?appid=<appid>`.
1. Select **Test**, and then select the **Test sign-in** button to see if single sign-on is working. This test verifies that your current admin account can sign in using the `https://login.microsoftonline.com` endpoint.

:::image type="content" source="media/how-to-register-saml-app/test-application.png" alt-text="Screenshot of the test single sign-on option.":::

You can test external user sign-in with these steps:
- [Create a sign-up and sign-in user flow](~/external-id/customers/how-to-user-flow-sign-up-sign-in-customers.md) if you haven't already.
- [Add your SAML application to the user flow](~/external-id/customers/how-to-user-flow-add-application.md).
- Run your application.
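Review bot: three `> [!NOTE]` blocks run directly into the next line (`## Prerequisites`, `1. Select "**(Preview) Integrate ...`, and `1. Select **Test**`), so the heading and those list items will render inside the note; add a blank line after each block. The note before the test step tells readers to use the `domainname.ciamlogin.com` endpoint instead of `login.microsoft.com`, but the test step then says the sign-in uses `https://login.microsoftonline.com`; make the host name consistent and say explicitly that the admin-only **Test sign-in** goes through that endpoint while external users sign in through `ciamlogin.com`, otherwise readers may take a passing test as proof that the customer-facing configuration works. In the step that sets **Assignment required?** to **No**, one sentence on the access-control consequence would help: with assignment off, any user who completes the sign-up and sign-in user flow can sign in to the app, so authorization has to happen in the app itself. Minor: the federation metadata example lacks its `https://` scheme, the first bullet of the first note repeats "aren't supported" from its lead sentence, and "IdP initiated" should be hyphenated.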
9 changes: 6 additions & 3 deletions docs/external-id/customers/how-to-test-user-flows.md
@@ -9,7 +9,7 @@ ms.service: entra-external-id
ms.subservice: external

ms.topic: how-to
ms.date: 02/15/2024
ms.date: 01/22/2025
ms.author: mimart
ms.custom: it-pro

@@ -22,7 +22,10 @@ ms.custom: it-pro

The **Run user flow** feature allows you to test your user flows by simulating a user’s sign-up or sign-in experience with your application. You can use this feature to verify that your user flow is working as expected. To use this feature, you select the user flow associated with your application, run the user flow, and enter the requested sign-up or sign-in information.

This feature obtains most of the values it needs to run from the application registration. You can select the application you want to test and specify the browser language for the user interface, but you can generally leave the other fields at their default values.
This feature obtains most of the values it needs to run from the application registration. You can select the application you want to test and specify the browser language for the user interface, but you can generally leave the other fields at their default values.

> [!NOTE]
> This feature doesn't support SAML apps. However, you can still test the end-user experience by running your SAML app.
## Prerequisites
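Review bot: the new `> [!NOTE]` block is followed immediately by `## Prerequisites` with no blank line, so the heading will render as part of the note; add a blank line after `> This feature doesn't support SAML apps. ...`. The note could also link to the SAML registration article added in this PR, since that page describes how to test end-user sign-in for a SAML app.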

@@ -54,7 +57,7 @@ Follow these steps to use the **Run user flow** feature to test your user flow.
|Field |Description |
|---------|---------|
|**Open Id Configuration URL** | This value is retrieved from the application registration. It's the publicly accessible URL that was assigned to your application when you registered it with Microsoft Entra ID. This URL points to the OpenID configuration document used by client applications to find authentication URLs and public signing keys. The format is: `https://{tenant}.ciamlogin.com/{tenant}.onmicrosoft.com/v2.0/.well-known/openid-configuration?appid=00001111-aaaa-2222-bbbb-3333cccc4444` |
|**Application** | This menu lists the applications that are associated with this user flow. At least one application is required. If there are multiple applications, select the one you want to test. |
|**Application** | This menu lists the applications that are associated with this user flow. At least one application is required. If there are multiple applications, select the one you want to test. Note that the **Run user flow** feature doesn't support SAML applications. |
|**Reply URL** / **Redirect URI** | This value is retrieved from the application registration, and is required for the Run user flow feature to work. Keep the current setting, which is the reply URL or redirect URI (depending on the protocol) that is configured for your application. [Learn more](how-to-register-ciam-app.md?tabs=spa#about-redirect-uri) |
|**Resource** | This value is retrieved from the application registration for a protected web API and applies to access tokens. The **Resource** is the globally unique **Application ID URI** that was assigned to the API when it was exposed during app registration ([learn more](~/identity-platform/quickstart-configure-app-expose-web-apis.md)). The access token must contain both the **Resource** and **Scopes** values to allow secure access to the web API. |
|**Scopes** | This value is retrieved from the application registration for a protected web API and applies to access tokens. The **Scopes** are the permissions needed by an application to access the data and functionality in the API. These values are defined when you expose the API during app registration ([learn more](~/identity-platform/quickstart-configure-app-expose-web-apis.md)). The access token must contain both the **Resource** and **Scopes** values to allow secure access to the web API. |
2 changes: 2 additions & 0 deletions docs/external-id/customers/toc.yml
@@ -339,6 +339,8 @@ items:
href: how-to-create-external-tenant-portal.md
- name: Register an app
href: how-to-register-ciam-app.md
- name: Register a SAML app
href: how-to-register-saml-app.md
- name: Add a sign-up and sign-in flow
href: how-to-user-flow-sign-up-sign-in-customers.md
displayName: disable sign-up, disable sign up
2 changes: 1 addition & 1 deletion docs/id-governance/my-access-portal-overview.md
@@ -27,7 +27,7 @@ Administrators, via the Microsoft Entra admin center, can configure:
- Access packages that users can request
- Access reviews for access packages
- Access reviews for groups and applications
- An overview page (preview)
- An overview page

## License requirements

@@ -4,7 +4,7 @@ description: Plan for mandatory multifactor authentication for users who sign in
ms.service: entra-id
ms.subservice: authentication
ms.topic: conceptual
ms.date: 01/29/2025
ms.date: 01/30/2025
ms.author: justinha
author: najshahid
manager: amycolannino
@@ -82,9 +82,9 @@ For example, if your organization chose to retain Microsoft’s [security defaul

The enforcement of MFA rolls out in two phases:

- **Phase 1**: Starting in October 2024, MFA is required to sign in to the Azure portal, Microsoft Entra admin center, and Microsoft Intune admin center. The enforcement will gradually roll out to all tenants worldwide. This phase won't impact other Azure clients such as Azure CLI, Azure PowerShell, Azure mobile app, or IaC tools. 
- **Phase 1**: Starting in October 2024, MFA is required to sign in to the Azure portal, Microsoft Entra admin center, and Microsoft Intune admin center. The enforcement will gradually roll out to all tenants worldwide. Starting in February 2025, MFA enforcement gradually begins for sign in to Microsoft 365 admin center. This phase won't impact other Azure clients such as Azure CLI, Azure PowerShell, Azure mobile app, or IaC tools. 

- **Phase 2**: Starting in February 2025, MFA enforcement gradually begins for sign in to Microsoft 365 admin center, Azure CLI, Azure PowerShell, Azure mobile app, and IaC tools. Some customers may use a user account in Microsoft Entra ID as a service account. It's recommended to migrate these user-based service accounts to [secure cloud based service accounts](/entra/architecture/secure-service-accounts) with [workload identities](~/workload-id/workload-identities-overview.md).
- **Phase 2**: Later in 2025, MFA enforcement will gradually begin for Azure CLI, Azure PowerShell, Azure mobile app, and IaC tools. Some customers may use a user account in Microsoft Entra ID as a service account. It's recommended to migrate these user-based service accounts to [secure cloud based service accounts](/entra/architecture/secure-service-accounts) with [workload identities](~/workload-id/workload-identities-overview.md).

## Notification channels
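Review bot: the revised **Phase 1** bullet now carries two start dates (October 2024 for the Azure portal, Microsoft Entra admin center and Microsoft Intune admin center, and February 2025 for the Microsoft 365 admin center), which is easy to miss inside a single bullet; consider a sub-bullet or a separate line for the Microsoft 365 admin center enforcement. "sign in to Microsoft 365 admin center" should read "sign in to the Microsoft 365 admin center" to match "the Azure portal" earlier in the same sentence. With **Phase 2** moved from "February 2025" to "Later in 2025", check that no other part of the article still gives February 2025 as the Phase 2 date. Both bullets also keep a trailing space after "IaC tools."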


0 comments on commit 3be9f44
