From eb6559cc2e3a38e11fc7cacbcad5a56bd19457bb Mon Sep 17 00:00:00 2001 From: guardrex <1622880+guardrex@users.noreply.github.com> Date: Tue, 30 Jan 2024 11:00:18 -0500 Subject: [PATCH 1/4] Content follow-up updates (8.0) --- .../blazor/components/built-in-components.md | 22 ++++++++++++++- aspnetcore/blazor/components/render-modes.md | 2 -- aspnetcore/blazor/forms/validation.md | 6 ++-- .../blazor/fundamentals/handle-errors.md | 10 +++---- aspnetcore/blazor/fundamentals/signalr.md | 4 --- aspnetcore/blazor/host-and-deploy/index.md | 4 --- .../webassembly-deployment-layout.md | 5 +--- aspnetcore/blazor/hybrid/security/index.md | 28 +++++++++---------- .../security/includes/authorize-client-app.md | 2 +- .../blazor/security/includes/troubleshoot.md | 4 +-- .../includes/wasm-aad-b2c-custom-policies.md | 2 +- aspnetcore/blazor/security/index.md | 20 ++++++------- .../security/server/additional-scenarios.md | 13 +++++---- aspnetcore/blazor/security/server/index.md | 4 +-- .../webassembly/additional-scenarios.md | 4 +-- .../blazor/security/webassembly/graph-api.md | 2 +- .../hosted-with-azure-active-directory-b2c.md | 22 +++++++-------- .../hosted-with-microsoft-entra-id.md | 22 +++++++-------- .../blazor/security/webassembly/index.md | 18 ++++++------ .../microsoft-entra-id-groups-and-roles.md | 26 ++++++++--------- .../standalone-with-authentication-library.md | 2 +- ...ndalone-with-azure-active-directory-b2c.md | 22 +++++++-------- .../standalone-with-microsoft-accounts.md | 16 +++++------ .../standalone-with-microsoft-entra-id.md | 14 +++++----- 24 files changed, 140 insertions(+), 134 deletions(-) diff --git a/aspnetcore/blazor/components/built-in-components.md b/aspnetcore/blazor/components/built-in-components.md index 02288a8ab494..23283e03ff82 100644 --- a/aspnetcore/blazor/components/built-in-components.md +++ b/aspnetcore/blazor/components/built-in-components.md 
@@ -16,14 +16,21 @@ The following built-in Razor components are provided by the Blazor framework: :::moniker range=">= aspnetcore-8.0" - + * [`App`](xref:blazor/project-structure) * [`AntiforgeryToken`](xref:blazor/forms/index#antiforgery-support) * [`Authentication`](xref:blazor/security/webassembly/index#authentication-component) * [`AuthorizeView`](xref:blazor/security/index#authorizeview-component) * [`CascadingValue`](xref:blazor/components/cascading-values-and-parameters#cascadingvalue-component) +* [`DataAnnotationsValidator`](xref:blazor/forms/validation#data-annotations-validator-component-and-custom-validation) * [`DynamicComponent`](xref:blazor/components/dynamiccomponent) +* [`Editor`](xref:blazor/forms/binding#nest-and-bind-forms) +* [`EditForm`](xref:blazor/forms/binding#editformeditcontext-model) * [`ErrorBoundary`](xref:blazor/fundamentals/handle-errors#error-boundaries) * [`FocusOnNavigate`](xref:blazor/fundamentals/routing#focus-an-element-on-navigation) * [`HeadContent`](xref:blazor/components/control-head-content) @@ -47,6 +54,7 @@ The following built-in Razor components are provided by the Blazor framework: * [`RouteView`](xref:blazor/fundamentals/routing#route-templates) * [`SectionContent`](xref:blazor/components/sections) * [`SectionOutlet`](xref:blazor/components/sections) +* [`ValidationSummary`](xref:blazor/forms/validation#validation-summary-and-validation-message-components) * [`Virtualize`](xref:blazor/components/virtualization) :::moniker-end 
@@ -57,7 +65,9 @@ The following built-in Razor components are provided by the Blazor framework: * [`Authentication`](xref:blazor/security/webassembly/index#authentication-component) * [`AuthorizeView`](xref:blazor/security/index#authorizeview-component) * [`CascadingValue`](xref:blazor/components/cascading-values-and-parameters#cascadingvalue-component) +* [`DataAnnotationsValidator`](xref:blazor/forms/validation#data-annotations-validator-component-and-custom-validation) * [`DynamicComponent`](xref:blazor/components/dynamiccomponent) +* [`EditForm`](xref:blazor/forms/binding#editformeditcontext-model) * [`ErrorBoundary`](xref:blazor/fundamentals/handle-errors#error-boundaries) * [`FocusOnNavigate`](xref:blazor/fundamentals/routing#focus-an-element-on-navigation) * [`HeadContent`](xref:blazor/components/control-head-content) @@ -79,6 +89,7 @@ The following built-in Razor components are provided by the Blazor framework: * [`QuickGrid`](xref:blazor/components/quickgrid) * [`Router`](xref:blazor/fundamentals/routing#route-templates) * [`RouteView`](xref:blazor/fundamentals/routing#route-templates) +* [`ValidationSummary`](xref:blazor/forms/validation#validation-summary-and-validation-message-components) * [`Virtualize`](xref:blazor/components/virtualization) :::moniker-end 
@@ -89,7 +100,9 @@ The following built-in Razor components are provided by the Blazor framework: * [`Authentication`](xref:blazor/security/webassembly/index#authentication-component) * [`AuthorizeView`](xref:blazor/security/index#authorizeview-component) * [`CascadingValue`](xref:blazor/components/cascading-values-and-parameters#cascadingvalue-component) +* [`DataAnnotationsValidator`](xref:blazor/forms/validation#data-annotations-validator-component-and-custom-validation) * [`DynamicComponent`](xref:blazor/components/dynamiccomponent) +* [`EditForm`](xref:blazor/forms/binding#editformeditcontext-model) * [`ErrorBoundary`](xref:blazor/fundamentals/handle-errors#error-boundaries) * [`FocusOnNavigate`](xref:blazor/fundamentals/routing#focus-an-element-on-navigation) * [`HeadContent`](xref:blazor/components/control-head-content) @@ -110,6 +123,7 @@ The following built-in Razor components are provided by the Blazor framework: * [`PageTitle`](xref:blazor/components/control-head-content) * [`Router`](xref:blazor/fundamentals/routing#route-templates) * [`RouteView`](xref:blazor/fundamentals/routing#route-templates) +* [`ValidationSummary`](xref:blazor/forms/validation#validation-summary-and-validation-message-components) * [`Virtualize`](xref:blazor/components/virtualization) :::moniker-end 
@@ -120,6 +134,8 @@ The following built-in Razor components are provided by the Blazor framework: * [`Authentication`](xref:blazor/security/webassembly/index#authentication-component) * [`AuthorizeView`](xref:blazor/security/index#authorizeview-component) * [`CascadingValue`](xref:blazor/components/cascading-values-and-parameters#cascadingvalue-component) +* [`DataAnnotationsValidator`](xref:blazor/forms/validation#data-annotations-validator-component-and-custom-validation) +* [`EditForm`](xref:blazor/forms/binding#editformeditcontext-model) * [`InputCheckbox`](xref:blazor/forms/input-components) * [`InputDate`](xref:blazor/forms/input-components) * [`InputFile`](xref:blazor/file-uploads) @@ -135,6 +151,7 @@ The following built-in Razor components are provided by the Blazor framework: * [`NavMenu`](xref:blazor/fundamentals/routing#navlink-and-navmenu-components) * [`Router`](xref:blazor/fundamentals/routing#route-templates) * [`RouteView`](xref:blazor/fundamentals/routing#route-templates) +* [`ValidationSummary`](xref:blazor/forms/validation#validation-summary-and-validation-message-components) * [`Virtualize`](xref:blazor/components/virtualization) :::moniker-end @@ -145,6 +162,8 @@ The following built-in Razor components are provided by the Blazor framework: * [`Authentication`](xref:blazor/security/webassembly/index#authentication-component) * [`AuthorizeView`](xref:blazor/security/index#authorizeview-component) * [`CascadingValue`](xref:blazor/components/cascading-values-and-parameters#cascadingvalue-component) +* [`DataAnnotationsValidator`](xref:blazor/forms/validation#data-annotations-validator-component-and-custom-validation) +* [`EditForm`](xref:blazor/forms/binding#editformeditcontext-model) * [`InputCheckbox`](xref:blazor/forms/input-components) * [`InputDate`](xref:blazor/forms/input-components) * [`InputNumber`](xref:blazor/forms/input-components) 
@@ -159,5 +178,6 @@ The following built-in Razor components are provided by the Blazor framework: * [`NavMenu`](xref:blazor/fundamentals/routing#navlink-and-navmenu-components) * [`Router`](xref:blazor/fundamentals/routing#route-templates) * [`RouteView`](xref:blazor/fundamentals/routing#route-templates) +* [`ValidationSummary`](xref:blazor/forms/validation#validation-summary-and-validation-message-components) :::moniker-end diff --git a/aspnetcore/blazor/components/render-modes.md b/aspnetcore/blazor/components/render-modes.md index 6f7446c7d7d2..69d171ae51ec 100644 --- a/aspnetcore/blazor/components/render-modes.md +++ b/aspnetcore/blazor/components/render-modes.md @@ -227,8 +227,6 @@ Additional information on render mode propagation is provided in the [Render mod Prerendering is enabled by default for interactive components. - - To disable prerendering for a *component instance*, pass the `prerender` flag with a value of `false` to the render mode: * `<... @rendermode="new InteractiveServerRenderMode(prerender: false)" />` diff --git a/aspnetcore/blazor/forms/validation.md b/aspnetcore/blazor/forms/validation.md index bb1d542ccf15..b8eecf1d7c39 100644 --- a/aspnetcore/blazor/forms/validation.md +++ b/aspnetcore/blazor/forms/validation.md @@ -331,7 +331,7 @@ The validation for the `Defense` ship classification only occurs on the server i > For more information on security, see: > > * (and the other articles in the Blazor *Security and Identity* node) -> * [Microsoft identity platform documentation](/azure/active-directory/develop/) +> * [Microsoft identity platform documentation](/entra/identity-platform/) `Controllers/StarshipValidation.cs`: 
@@ -911,9 +911,7 @@ Control the style of validation messages in the app's stylesheet (`wwwroot/css/a ## Determine if a form field is valid - - -Use `EditContext.IsValid(fieldIdentifier)` to determine if a field is valid without obtaining validation messages. +Use to determine if a field is valid without obtaining validation messages. Supported, but not recommended: diff --git a/aspnetcore/blazor/fundamentals/handle-errors.md b/aspnetcore/blazor/fundamentals/handle-errors.md index 41e624b53e0a..8c66def8e4e7 100644 --- a/aspnetcore/blazor/fundamentals/handle-errors.md +++ b/aspnetcore/blazor/fundamentals/handle-errors.md @@ -298,14 +298,14 @@ Use the options.DetailedErrors = true); +builder.Services.AddRazorComponents(options => + options.DetailedErrors = builder.Environment.IsDevelopment()); ``` - - > [!WARNING] -> Only enable detailed errors in the `Development` environment. +> **Only enable detailed errors in the `Development` environment.** Detailed errors may contain sensitive information about the app that malicious users can use in an attack. +> +> The preceding example provides a degree of safety by setting the value of based on the value returned by . When the app is in the `Development` environment, is set to `true`. This approach isn't foolproof because it's possible to host a production app on a public server in the `Development` environment. :::moniker-end diff --git a/aspnetcore/blazor/fundamentals/signalr.md b/aspnetcore/blazor/fundamentals/signalr.md index d6744f76cbea..c1db3b323071 100644 --- a/aspnetcore/blazor/fundamentals/signalr.md +++ b/aspnetcore/blazor/fundamentals/signalr.md @@ -283,10 +283,6 @@ Configure * (*Read only*) - - Place the call to `app.MapBlazorHub` after the call to `app.MapRazorComponents` in the app's `Program` file: ```csharp diff --git a/aspnetcore/blazor/host-and-deploy/index.md b/aspnetcore/blazor/host-and-deploy/index.md index ac3c0ca2b989..f5f618935c86 100644 --- a/aspnetcore/blazor/host-and-deploy/index.md 
+++ b/aspnetcore/blazor/host-and-deploy/index.md @@ -150,10 +150,6 @@ For the second option, which is the usual approach taken, the app sets the base ### Server-side Blazor - - Map the SignalR hub of a server-side Blazor app by passing the path to in the `Program` file: ```csharp diff --git a/aspnetcore/blazor/host-and-deploy/webassembly-deployment-layout.md b/aspnetcore/blazor/host-and-deploy/webassembly-deployment-layout.md index 74aeec6ac6ca..1462aad446af 100644 --- a/aspnetcore/blazor/host-and-deploy/webassembly-deployment-layout.md +++ b/aspnetcore/blazor/host-and-deploy/webassembly-deployment-layout.md 
@@ -32,10 +32,7 @@ The approach demonstrated in this article serves as a starting point for develop ## Experimental NuGet package and sample app - - -The approach described in this article is used by the *experimental* [`Microsoft.AspNetCore.Components.WebAssembly.MultipartBundle` package (NuGet.org)](https://www.nuget.org/packages/Microsoft.AspNetCore.Components.WebAssembly.MultipartBundle) for .NET 6 and 7 apps. The package contains MSBuild targets to customize the Blazor publish output and a [JavaScript initializer](xref:blazor/js-interop/index#javascript-initializers) to use a custom [boot resource loader](xref:blazor/fundamentals/startup#load-boot-resources), each of which are described in detail later in this article. +The approach described in this article is used by the *experimental* [`Microsoft.AspNetCore.Components.WebAssembly.MultipartBundle` package (NuGet.org)](https://www.nuget.org/packages/Microsoft.AspNetCore.Components.WebAssembly.MultipartBundle) for apps targeting .NET 6 or later. The package contains MSBuild targets to customize the Blazor publish output and a [JavaScript initializer](xref:blazor/js-interop/index#javascript-initializers) to use a custom [boot resource loader](xref:blazor/fundamentals/startup#load-boot-resources), each of which are described in detail later in this article. [Experimental code (includes the NuGet package reference source and `CustomPackagedApp` sample app)](https://github.com/aspnet/AspLabs/tree/main/src/BlazorWebAssemblyCustomInitialization) diff --git a/aspnetcore/blazor/hybrid/security/index.md b/aspnetcore/blazor/hybrid/security/index.md index 1756e7fa0c31..6b271268b4bc 100644 --- a/aspnetcore/blazor/hybrid/security/index.md +++ b/aspnetcore/blazor/hybrid/security/index.md 
@@ -47,20 +47,20 @@ For additional guidance, see the following resources: :::zone pivot="wpf" -WPF apps use the [Microsoft identity platform](/azure/active-directory/develop/) to integrate with Microsoft Entra (ME-ID) and AAD B2C. For guidance and examples, see the following resources: +WPF apps use the [Microsoft identity platform](/entra/identity-platform/develop/) to integrate with Microsoft Entra (ME-ID) and AAD B2C. For guidance and examples, see the following resources: -* [Overview of the Microsoft Authentication Library (MSAL)](/azure/active-directory/develop/msal-overview) +* [Overview of the Microsoft Authentication Library (MSAL)](/entra/identity-platform/develop/msal-overview) * [Add authentication to your Windows (WPF) app](/azure/developer/mobile-apps/azure-mobile-apps/quickstarts/wpf/authentication) -* [Tutorial: Sign in users and call Microsoft Graph in Windows Presentation Foundation (WPF) desktop app](/azure/active-directory/develop/tutorial-v2-windows-desktop) -* [Quickstart: Acquire a token and call Microsoft Graph API from a desktop application](/azure/active-directory/develop/desktop-app-quickstart?pivots=devlang-windows-desktop) -* [Quickstart: Set up sign in for a desktop app using Azure Active Directory B2C](/azure/active-directory-b2c/quickstart-native-app-desktop) -* [Configure authentication in a sample WPF desktop app by using Azure AD B2C](/azure/active-directory-b2c/configure-authentication-sample-wpf-desktop-app) +* [Tutorial: Sign in users and call Microsoft Graph in Windows Presentation Foundation (WPF) desktop app](/entra/identity-platform/develop/tutorial-v2-windows-desktop) +* [Quickstart: Acquire a token and call Microsoft Graph API from a desktop application](/entra/identity-platform/develop/desktop-app-quickstart?pivots=devlang-windows-desktop) +* [Quickstart: Set up sign in for a desktop app using Azure Active Directory B2C](/entra/identity-platform-b2c/quickstart-native-app-desktop) +* [Configure authentication in a sample 
WPF desktop app by using Azure AD B2C](/entra/identity-platform-b2c/configure-authentication-sample-wpf-desktop-app) :::zone-end :::zone pivot="winforms" -Windows Forms apps use the [Microsoft identity platform](/azure/active-directory/develop/) to integrate with Microsoft Entra (ME-ID) and AAD B2C. For more information, see [Overview of the Microsoft Authentication Library (MSAL)](/azure/active-directory/develop/msal-overview). +Windows Forms apps use the [Microsoft identity platform](/entra/identity-platform/develop/) to integrate with Microsoft Entra (ME-ID) and AAD B2C. For more information, see [Overview of the Microsoft Authentication Library (MSAL)](/entra/identity-platform/develop/msal-overview). :::zone-end 
@@ -578,20 +578,20 @@ For additional guidance, see the following resources: :::zone pivot="wpf" -WPF apps use the [Microsoft identity platform](/azure/active-directory/develop/) to integrate with Microsoft Entra (ME-ID) and AAD B2C. For guidance and examples, see the following resources: +WPF apps use the [Microsoft identity platform](/entra/identity-platform/develop/) to integrate with Microsoft Entra (ME-ID) and AAD B2C. For guidance and examples, see the following resources: -* [Overview of the Microsoft Authentication Library (MSAL)](/azure/active-directory/develop/msal-overview) +* [Overview of the Microsoft Authentication Library (MSAL)](/entra/identity-platform/develop/msal-overview) * [Add authentication to your Windows (WPF) app](/azure/developer/mobile-apps/azure-mobile-apps/quickstarts/wpf/authentication) -* [Tutorial: Sign in users and call Microsoft Graph in Windows Presentation Foundation (WPF) desktop app](/azure/active-directory/develop/tutorial-v2-windows-desktop) -* [Quickstart: Acquire a token and call Microsoft Graph API from a desktop application](/azure/active-directory/develop/desktop-app-quickstart?pivots=devlang-windows-desktop) -* [Quickstart: Set up sign in for a desktop app using Azure Active Directory B2C](/azure/active-directory-b2c/quickstart-native-app-desktop) -* [Configure authentication in a sample WPF desktop app by using Azure AD B2C](/azure/active-directory-b2c/configure-authentication-sample-wpf-desktop-app) +* [Tutorial: Sign in users and call Microsoft Graph in Windows Presentation Foundation (WPF) desktop app](/entra/identity-platform/develop/tutorial-v2-windows-desktop) +* [Quickstart: Acquire a token and call Microsoft Graph API from a desktop application](/entra/identity-platform/develop/desktop-app-quickstart?pivots=devlang-windows-desktop) +* [Quickstart: Set up sign in for a desktop app using Azure Active Directory B2C](/entra/identity-platform-b2c/quickstart-native-app-desktop) +* [Configure authentication in a 
sample WPF desktop app by using Azure AD B2C](/entra/identity-platform-b2c/configure-authentication-sample-wpf-desktop-app) :::zone-end :::zone pivot="winforms" -Windows Forms apps use the [Microsoft identity platform](/azure/active-directory/develop/) to integrate with Microsoft Entra (ME-ID) and AAD B2C. For more information, see [Overview of the Microsoft Authentication Library (MSAL)](/azure/active-directory/develop/msal-overview). +Windows Forms apps use the [Microsoft identity platform](/entra/identity-platform/develop/) to integrate with Microsoft Entra (ME-ID) and AAD B2C. For more information, see [Overview of the Microsoft Authentication Library (MSAL)](/entra/identity-platform/develop/msal-overview). :::zone-end diff --git a/aspnetcore/blazor/security/includes/authorize-client-app.md b/aspnetcore/blazor/security/includes/authorize-client-app.md index e2f142e811eb..4851fb553ada 100644 --- a/aspnetcore/blazor/security/includes/authorize-client-app.md +++ b/aspnetcore/blazor/security/includes/authorize-client-app.md @@ -1,5 +1,5 @@ > [!IMPORTANT] > If you don't have the authority to grant admin consent to the tenant in the last step of **API permissions** configuration because consent to use the app is delegated to users, then you must take the following additional steps: > -> * The app must use a [trusted publisher domain](/azure/active-directory/develop/howto-configure-publisher-domain). +> * The app must use a [trusted publisher domain](/entra/identity-platform/develop/howto-configure-publisher-domain). > * In the **`Server`** app's configuration in the Azure portal, select **Expose an API**. Under **Authorized client applications**, select the button to **Add a client application**. Add the **`Client`** app's Application (client) ID (for example, `4369008b-21fa-427c-abaa-9b53bf58e538`). diff --git a/aspnetcore/blazor/security/includes/troubleshoot.md b/aspnetcore/blazor/security/includes/troubleshoot.md index 4d5da90c6ef9..d85afd3a25ee 100644 
--- a/aspnetcore/blazor/security/includes/troubleshoot.md +++ b/aspnetcore/blazor/security/includes/troubleshoot.md @@ -51,8 +51,8 @@ To enable debug or trace logging for Blazor WebAssembly authentication, see , [NuGet package](https://www.nuget.org/packages/Microsoft.Authentication.WebAssembly.Msal/)) doesn't support [AAD B2C custom policies](/azure/active-directory-b2c/user-flow-overview) by default. +The Microsoft Authentication Library (, [NuGet package](https://www.nuget.org/packages/Microsoft.Authentication.WebAssembly.Msal/)) doesn't support [AAD B2C custom policies](/entra/identity-platform-b2c/user-flow-overview) by default. diff --git a/aspnetcore/blazor/security/index.md b/aspnetcore/blazor/security/index.md index 161681613974..3be795ce6df1 100644 --- a/aspnetcore/blazor/security/index.md +++ b/aspnetcore/blazor/security/index.md @@ -863,11 +863,11 @@ The * * [Build a custom version of the Authentication.MSAL JavaScript library](xref:blazor/security/webassembly/additional-scenarios#build-a-custom-version-of-the-authenticationmsal-javascript-library) @@ -879,11 +879,11 @@ The * * [Build a custom version of the Authentication.MSAL JavaScript library](xref:blazor/security/webassembly/additional-scenarios#build-a-custom-version-of-the-authenticationmsal-javascript-library) diff --git a/aspnetcore/blazor/security/server/additional-scenarios.md b/aspnetcore/blazor/security/server/additional-scenarios.md index f75c2775bbc9..6f5e0645eaac 100644 --- a/aspnetcore/blazor/security/server/additional-scenarios.md +++ b/aspnetcore/blazor/security/server/additional-scenarios.md 
@@ -23,6 +23,11 @@ This article explains how to configure server-side Blazor for additional securit :::moniker range=">= aspnetcore-8.0" + + Tokens available outside of the Razor components in a server-side Blazor app can be passed to components with the approach described in this section. The example in this section focuses on passing access and refresh tokens, but the approach is valid for other HTTP context state provided by . > [!NOTE] @@ -83,10 +88,6 @@ builder.Services.AddScoped(); In the `App` component (`Components/App.razor`), resolve the service and initialize it with the data from [`HttpContext` as a cascaded parameter](xref:blazor/security/index#avoid-ihttpcontextaccessorhttpcontext-in-razor-components): - - ```razor @inject TokenProvider TokenProvider @@ -502,7 +503,7 @@ If tacking on a segment to the authority isn't appropriate for the app's OIDC pr ### Code changes -* The list of claims in the ID token changes for v2.0 endpoints. For more information, see [Why update to Microsoft identity platform (v2.0)?](/azure/active-directory/azuread-dev/azure-ad-endpoint-comparison) in the Azure documentation. +* The list of claims in the ID token changes for v2.0 endpoints. For more information, see [Why update to Microsoft identity platform (v2.0)?](/entra/identity-platform/azuread-dev/azure-ad-endpoint-comparison) in the Azure documentation. * Since resources are specified in scope URIs for v2.0 endpoints, remove the property setting in : ```csharp @@ -514,7 +515,7 @@ If tacking on a segment to the authority isn't appropriate for the app's OIDC pr } ``` - For more information, see [Scopes, not resources](/azure/active-directory/azuread-dev/azure-ad-endpoint-comparison#scopes-not-resources) in the Azure documentation. + For more information, see [Scopes, not resources](/entra/identity-platform/azuread-dev/azure-ad-endpoint-comparison#scopes-not-resources) in the Azure documentation. ### App ID URI 
diff --git a/aspnetcore/blazor/security/server/index.md b/aspnetcore/blazor/security/server/index.md index f6e80aa52057..cf4ef1212b3e 100644 --- a/aspnetcore/blazor/security/server/index.md +++ b/aspnetcore/blazor/security/server/index.md @@ -832,8 +832,8 @@ builder.Services.AddRazorComponents(options => ## Additional resources -* [Quickstart: Add sign-in with Microsoft to an ASP.NET Core web app](/azure/active-directory/develop/quickstart-v2-aspnet-core-webapp) -* [Quickstart: Protect an ASP.NET Core web API with Microsoft identity platform](/azure/active-directory/develop/quickstart-v2-aspnet-core-web-api) +* [Quickstart: Add sign-in with Microsoft to an ASP.NET Core web app](/entra/identity-platform/develop/quickstart-v2-aspnet-core-webapp) +* [Quickstart: Protect an ASP.NET Core web API with Microsoft identity platform](/entra/identity-platform/develop/quickstart-v2-aspnet-core-web-api) * : Includes guidance on: * Using Forwarded Headers Middleware to preserve HTTPS scheme information across proxy servers and internal networks. * Additional scenarios and use cases, including manual scheme configuration, request path changes for correct request routing, and forwarding the request scheme for Linux and non-IIS reverse proxies. diff --git a/aspnetcore/blazor/security/webassembly/additional-scenarios.md b/aspnetcore/blazor/security/webassembly/additional-scenarios.md index 4566de1b4a43..4d0f0b7f9ae9 100644 --- a/aspnetcore/blazor/security/webassembly/additional-scenarios.md +++ b/aspnetcore/blazor/security/webassembly/additional-scenarios.md 
@@ -1097,7 +1097,7 @@ Users bound to the app can be customized. ### Customize the user with a payload claim -In the following example, the app's authenticated users receive an `amr` claim for each of the user's authentication methods. The `amr` claim identifies how the subject of the token was authenticated in Microsoft Identity Platform v1.0 [payload claims](/azure/active-directory/develop/access-tokens#amr-claim). The example uses a custom user account class based on . +In the following example, the app's authenticated users receive an `amr` claim for each of the user's authentication methods. The `amr` claim identifies how the subject of the token was authenticated in Microsoft Identity Platform v1.0 [payload claims](/entra/identity-platform/develop/access-tokens#amr-claim). The example uses a custom user account class based on . Create a class that extends the class. The following example sets the `AuthenticationMethod` property to the user's array of `amr` JSON property values. `AuthenticationMethod` is populated automatically by the framework when the user is authenticated. @@ -1456,7 +1456,7 @@ Alternatively, the setting can be made in the app settings (`appsettings.json`) If tacking on a segment to the authority isn't appropriate for the app's OIDC provider, such as with non-ME-ID providers, set the property directly. Either set the property in or in the app settings file (`appsettings.json`) with the `Authority` key. -The list of claims in the ID token changes for v2.0 endpoints. For more information, see [Why update to Microsoft identity platform (v2.0)?](/azure/active-directory/azuread-dev/azure-ad-endpoint-comparison). +The list of claims in the ID token changes for v2.0 endpoints. For more information, see [Why update to Microsoft identity platform (v2.0)?](/entra/identity-platform/azuread-dev/azure-ad-endpoint-comparison). :::moniker range="< aspnetcore-8.0" 
diff --git a/aspnetcore/blazor/security/webassembly/graph-api.md b/aspnetcore/blazor/security/webassembly/graph-api.md index 3389d619d86d..cedfb505f839 100644 --- a/aspnetcore/blazor/security/webassembly/graph-api.md +++ b/aspnetcore/blazor/security/webassembly/graph-api.md @@ -1026,5 +1026,5 @@ The examples in this article pertain to using the Graph SDK or a named `HttpClie * [Microsoft Graph auth overview](/graph/auth/) * [Overview of Microsoft Graph permissions](/graph/permissions-overview) * [Microsoft Graph permissions reference](/graph/permissions-reference) -* [Enhance security with the principle of least privilege](/azure/active-directory/develop/secure-least-privileged-access) +* [Enhance security with the principle of least privilege](/entra/identity-platform/develop/secure-least-privileged-access) * [Azure privilege escalation articles on the Internet (Google search result)](https://www.google.com/search?q=%22Azure+Privilege+Escalation%22) diff --git a/aspnetcore/blazor/security/webassembly/hosted-with-azure-active-directory-b2c.md b/aspnetcore/blazor/security/webassembly/hosted-with-azure-active-directory-b2c.md index 0d9ddab6b9e4..f7283c7818b5 100644 --- a/aspnetcore/blazor/security/webassembly/hosted-with-azure-active-directory-b2c.md +++ b/aspnetcore/blazor/security/webassembly/hosted-with-azure-active-directory-b2c.md 
@@ -10,7 +10,7 @@ uid: blazor/security/webassembly/hosted-with-azure-active-directory-b2c --- # Secure a hosted ASP.NET Core Blazor WebAssembly app with Azure Active Directory B2C -This article explains how to create a [hosted Blazor WebAssembly solution](xref:blazor/hosting-models#blazor-webassembly) that uses [Azure Active Directory (AAD) B2C](/azure/active-directory-b2c/overview) for authentication. +This article explains how to create a [hosted Blazor WebAssembly solution](xref:blazor/hosting-models#blazor-webassembly) that uses [Azure Active Directory (AAD) B2C](/entra/identity-platform-b2c/overview) for authentication. For additional security scenario coverage after reading this article, see . @@ -27,9 +27,9 @@ The subsections of the walkthrough explain how to: ### Create a tenant in Azure -Follow the guidance in [Tutorial: Create an Azure Active Directory B2C tenant](/azure/active-directory-b2c/tutorial-create-tenant) to create an AAD B2C tenant. +Follow the guidance in [Tutorial: Create an Azure Active Directory B2C tenant](/entra/identity-platform-b2c/tutorial-create-tenant) to create an AAD B2C tenant. -Before proceeding with this article's guidance, confirm that you've [selected the correct directory for the AAD B2C tenant](/azure/active-directory-b2c/tutorial-create-tenant#select-your-b2c-tenant-directory). +Before proceeding with this article's guidance, confirm that you've [selected the correct directory for the AAD B2C tenant](/entra/identity-platform-b2c/tutorial-create-tenant#select-your-b2c-tenant-directory). ### Register a server API app in Azure 
@@ -75,7 +75,7 @@ Register an AAD B2C app for the *Client app*: 1. Select **Register**. > [!NOTE] -> Supplying the port number for a `localhost` AAD B2C redirect URI isn't required. For more information, see [Redirect URI (reply URL) restrictions and limitations: Localhost exceptions (Azure documentation)](/azure/active-directory/develop/reply-url#localhost-exceptions). +> Supplying the port number for a `localhost` AAD B2C redirect URI isn't required. For more information, see [Redirect URI (reply URL) restrictions and limitations: Localhost exceptions (Azure documentation)](/entra/identity-platform/develop/reply-url#localhost-exceptions). Record the *Client app* Application (client) ID (for example, `4369008b-21fa-427c-abaa-9b53bf58e538`). @@ -97,7 +97,7 @@ In **API permissions** from the sidebar: [!INCLUDE[](~/blazor/security/includes/authorize-client-app.md)] -Return to **Azure AD B2C** in the Azure portal. Select **User flows** and use the following guidance: [Create a sign-up and sign-in user flow](/azure/active-directory-b2c/tutorial-create-user-flows). At a minimum, select **Application claims** for the sign-up/sign-in user flow and then the **Display Name** user attribute checkbox to populate the `context.User.Identity?.Name`/`context.User.Identity.Name` in the `LoginDisplay` component (`Shared/LoginDisplay.razor`). +Return to **Azure AD B2C** in the Azure portal. Select **User flows** and use the following guidance: [Create a sign-up and sign-in user flow](/entra/identity-platform-b2c/tutorial-create-user-flows). At a minimum, select **Application claims** for the sign-up/sign-in user flow and then the **Display Name** user attribute checkbox to populate the `context.User.Identity?.Name`/`context.User.Identity.Name` in the `LoginDisplay` component (`Shared/LoginDisplay.razor`). Record the sign-up and sign-in user flow name created for the app (for example, `B2C_1_signupsignin1`). 
@@ -283,7 +283,7 @@ Example: *This section pertains to the solution's **:::no-loc text="Client":::** app.* -When an app is created to use an Individual B2C Account (`IndividualB2C`), the app automatically receives a package reference for the [Microsoft Authentication Library](/azure/active-directory/develop/msal-overview) ([`Microsoft.Authentication.WebAssembly.Msal`](https://www.nuget.org/packages/Microsoft.Authentication.WebAssembly.Msal)). The package provides a set of primitives that help the app authenticate users and obtain tokens to call protected APIs. +When an app is created to use an Individual B2C Account (`IndividualB2C`), the app automatically receives a package reference for the [Microsoft Authentication Library](/entra/identity-platform/develop/msal-overview) ([`Microsoft.Authentication.WebAssembly.Msal`](https://www.nuget.org/packages/Microsoft.Authentication.WebAssembly.Msal)). The package provides a set of primitives that help the app authenticate users and obtain tokens to call protected APIs. If adding authentication to an app, manually add the [`Microsoft.Authentication.WebAssembly.Msal`](https://www.nuget.org/packages/Microsoft.Authentication.WebAssembly.Msal) package to the app. 
@@ -428,12 +428,12 @@ Due to changes in the framework across releases of ASP.NET Core, Razor markup fo ## Additional resources -* [Configure an app's publisher domain](/azure/active-directory/develop/howto-configure-publisher-domain) -* [Microsoft Entra ID app manifest: identifierUris attribute](/azure/active-directory/develop/reference-app-manifest#identifieruris-attribute) +* [Configure an app's publisher domain](/entra/identity-platform/develop/howto-configure-publisher-domain) +* [Microsoft Entra ID app manifest: identifierUris attribute](/entra/identity-platform/develop/reference-app-manifest#identifieruris-attribute) * * [Build a custom version of the Authentication.MSAL JavaScript library](xref:blazor/security/webassembly/additional-scenarios#build-a-custom-version-of-the-authenticationmsal-javascript-library) * [Unauthenticated or unauthorized web API requests in an app with a secure default client](xref:blazor/security/webassembly/additional-scenarios#unauthenticated-or-unauthorized-web-api-requests-in-an-app-with-a-secure-default-client) * -* [Tutorial: Create an Azure Active Directory B2C tenant](/azure/active-directory-b2c/tutorial-create-tenant) -* [Tutorial: Register an application in Azure Active Directory B2C](/azure/active-directory-b2c/tutorial-register-applications) -* [Microsoft identity platform documentation](/azure/active-directory/develop/) +* [Tutorial: Create an Azure Active Directory B2C tenant](/entra/identity-platform-b2c/tutorial-create-tenant) +* [Tutorial: Register an application in Azure Active Directory B2C](/entra/identity-platform-b2c/tutorial-register-applications) +* [Microsoft identity platform documentation](/entra/identity-platform/develop/) diff --git a/aspnetcore/blazor/security/webassembly/hosted-with-microsoft-entra-id.md b/aspnetcore/blazor/security/webassembly/hosted-with-microsoft-entra-id.md index ec6110786723..67694cf60c5c 100644 --- a/aspnetcore/blazor/security/webassembly/hosted-with-microsoft-entra-id.md 
+++ b/aspnetcore/blazor/security/webassembly/hosted-with-microsoft-entra-id.md 
@@ -12,13 +12,13 @@ uid: blazor/security/webassembly/hosted-with-microsoft-entra-id This article explains how to create a [hosted Blazor WebAssembly solution](xref:blazor/hosting-models#blazor-webassembly) that uses [Microsoft Entra ID (ME-ID)](https://azure.microsoft.com/services/active-directory/) for authentication. This article focuses on a single tenant app with a single tenant Azure app registration. -This article doesn't cover a *multi-tenant ME-ID registration*. For more information, see [Making your application multi-tenant](/azure/active-directory/develop/howto-convert-app-to-be-multi-tenant). +This article doesn't cover a *multi-tenant ME-ID registration*. For more information, see [Making your application multi-tenant](/entra/identity-platform/develop/howto-convert-app-to-be-multi-tenant). -This article focuses on the use of a **Microsoft Entra** tenant, as described in [Quickstart: Set up a tenant](/azure/active-directory/develop/quickstart-create-new-tenant). If the app is registered in an **Azure Active Directory B2C** tenant, as described in [Tutorial: Create an Azure Active Directory B2C tenant](/azure/active-directory-b2c/tutorial-create-tenant) but follows the guidance in this article, the App ID URI is managed differently by ME-ID. For more information, see the [Use of an Azure Active Directory B2C tenant](#use-of-an-azure-active-directory-b2c-tenant) section of this article. +This article focuses on the use of a **Microsoft Entra** tenant, as described in [Quickstart: Set up a tenant](/entra/identity-platform/develop/quickstart-create-new-tenant). If the app is registered in an **Azure Active Directory B2C** tenant, as described in [Tutorial: Create an Azure Active Directory B2C tenant](/entra/identity-platform-b2c/tutorial-create-tenant) but follows the guidance in this article, the App ID URI is managed differently by ME-ID. 
For more information, see the [Use of an Azure Active Directory B2C tenant](#use-of-an-azure-active-directory-b2c-tenant) section of this article. For additional security scenario coverage after reading this article, see . @@ -36,7 +36,7 @@ The subsections of the walkthrough explain how to: ### Create a tenant in Azure -Follow the guidance in [Quickstart: Set up a tenant](/azure/active-directory/develop/quickstart-create-new-tenant) to create a tenant in ME-ID. +Follow the guidance in [Quickstart: Set up a tenant](/entra/identity-platform/develop/quickstart-create-new-tenant) to create a tenant in ME-ID. ### Register a server API app in Azure @@ -88,7 +88,7 @@ Register an ME-ID app for the *Client app*: 1. Select **Register**. > [!NOTE] -> Supplying the port number for a `localhost` ME-ID redirect URI isn't required. For more information, see [Redirect URI (reply URL) restrictions and limitations: Localhost exceptions (Azure documentation)](/azure/active-directory/develop/reply-url#localhost-exceptions). +> Supplying the port number for a `localhost` ME-ID redirect URI isn't required. For more information, see [Redirect URI (reply URL) restrictions and limitations: Localhost exceptions (Azure documentation)](/entra/identity-platform/develop/reply-url#localhost-exceptions). Record the **:::no-loc text="Client":::** app Application (client) ID (for example, `4369008b-21fa-427c-abaa-9b53bf58e538`). 
@@ -295,7 +295,7 @@ Example: *This section pertains to the solution's **:::no-loc text="Client":::** app.* -When an app is created to use Work or School Accounts (`SingleOrg`), the app automatically receives a package reference for the [Microsoft Authentication Library](/azure/active-directory/develop/msal-overview) ([`Microsoft.Authentication.WebAssembly.Msal`](https://www.nuget.org/packages/Microsoft.Authentication.WebAssembly.Msal)). The package provides a set of primitives that help the app authenticate users and obtain tokens to call protected APIs. +When an app is created to use Work or School Accounts (`SingleOrg`), the app automatically receives a package reference for the [Microsoft Authentication Library](/entra/identity-platform/develop/msal-overview) ([`Microsoft.Authentication.WebAssembly.Msal`](https://www.nuget.org/packages/Microsoft.Authentication.WebAssembly.Msal)). The package provides a set of primitives that help the app authenticate users and obtain tokens to call protected APIs. If adding authentication to an app, manually add the [`Microsoft.Authentication.WebAssembly.Msal`](https://www.nuget.org/packages/Microsoft.Authentication.WebAssembly.Msal) package to the app. 
@@ -434,7 +434,7 @@ Due to changes in the framework across releases of ASP.NET Core, Razor markup fo ## Use of an Azure Active Directory B2C tenant -If the app is registered in an **Azure Active Directory B2C** tenant, as described in [Tutorial: Create an Azure Active Directory B2C tenant](/azure/active-directory-b2c/tutorial-create-tenant) but follows the guidance in this article, the App ID URI is managed differently by ME-ID. +If the app is registered in an **Azure Active Directory B2C** tenant, as described in [Tutorial: Create an Azure Active Directory B2C tenant](/entra/identity-platform-b2c/tutorial-create-tenant) but follows the guidance in this article, the App ID URI is managed differently by ME-ID. You can check the tenant type of an existing tenant by selecting the **Manage tenants** link at the top of the ME-ID organization **Overview**. Examine the **Tenant type** column value for the organization. This section pertains to apps that follow the guidance in this article but that are registered in an **Azure Active Directory B2C** tenant. 
@@ -498,13 +498,13 @@ Example App ID URI of `urn://custom-app-id-uri` and a scope name of `API.Access` ## Additional resources -* [Configure an app's publisher domain](/azure/active-directory/develop/howto-configure-publisher-domain) -* [Microsoft Entra ID app manifest: identifierUris attribute](/azure/active-directory/develop/reference-app-manifest#identifieruris-attribute) +* [Configure an app's publisher domain](/entra/identity-platform/develop/howto-configure-publisher-domain) +* [Microsoft Entra ID app manifest: identifierUris attribute](/entra/identity-platform/develop/reference-app-manifest#identifieruris-attribute) * * [Build a custom version of the Authentication.MSAL JavaScript library](xref:blazor/security/webassembly/additional-scenarios#build-a-custom-version-of-the-authenticationmsal-javascript-library) * [Unauthenticated or unauthorized web API requests in an app with a secure default client](xref:blazor/security/webassembly/additional-scenarios#unauthenticated-or-unauthorized-web-api-requests-in-an-app-with-a-secure-default-client) * * -* [Microsoft identity platform documentation](/azure/active-directory/develop/) -* [Quickstart: Register an application with the Microsoft identity platform](/azure/active-directory/develop/quickstart-register-app) -* [Security best practices for application properties in Microsoft Entra ID](/azure/active-directory/develop/security-best-practices-for-app-registration) +* [Microsoft identity platform documentation](/entra/identity-platform/develop/) +* [Quickstart: Register an application with the Microsoft identity platform](/entra/identity-platform/develop/quickstart-register-app) +* [Security best practices for application properties in Microsoft Entra ID](/entra/identity-platform/develop/security-best-practices-for-app-registration) diff --git a/aspnetcore/blazor/security/webassembly/index.md b/aspnetcore/blazor/security/webassembly/index.md index 26b13a71769d..3d1c91061be1 100644 
--- a/aspnetcore/blazor/security/webassembly/index.md +++ b/aspnetcore/blazor/security/webassembly/index.md 
@@ -24,9 +24,9 @@ To protect .NET/C# code and use [ASP.NET Core Data Protection](xref:security/dat ## Authentication library -Blazor WebAssembly supports authenticating and authorizing apps using OIDC via the [`Microsoft.AspNetCore.Components.WebAssembly.Authentication`](https://www.nuget.org/packages/Microsoft.AspNetCore.Components.WebAssembly.Authentication) library using the [Microsoft Identity Platform](/azure/active-directory/develop/). The library provides a set of primitives for seamlessly authenticating against ASP.NET Core backends. The library can authenticate against any third-party Identity Provider (IP) that supports OIDC, which are called OpenID Providers (OP). +Blazor WebAssembly supports authenticating and authorizing apps using OIDC via the [`Microsoft.AspNetCore.Components.WebAssembly.Authentication`](https://www.nuget.org/packages/Microsoft.AspNetCore.Components.WebAssembly.Authentication) library using the [Microsoft Identity Platform](/entra/identity-platform/develop/). The library provides a set of primitives for seamlessly authenticating against ASP.NET Core backends. The library can authenticate against any third-party Identity Provider (IP) that supports OIDC, which are called OpenID Providers (OP). -The authentication support in the Blazor WebAssembly Library (`Authentication.js`) is built on top of the [Microsoft Authentication Library (MSAL, `msal.js`)](/azure/active-directory/develop/msal-overview), which is used to handle the underlying authentication protocol details. The Blazor WebAssembly Library only supports the Proof Key for Code Exchange (PKCE) authorization code flow. Implicit grant isn't supported. +The authentication support in the Blazor WebAssembly Library (`Authentication.js`) is built on top of the [Microsoft Authentication Library (MSAL, `msal.js`)](/entra/identity-platform/develop/msal-overview), which is used to handle the underlying authentication protocol details. 
The Blazor WebAssembly Library only supports the Proof Key for Code Exchange (PKCE) authorization code flow. Implicit grant isn't supported. Other options for authenticating SPAs exist, such as the use of SameSite cookies. However, the engineering design of Blazor WebAssembly uses OAuth and OIDC as the best option for authentication in Blazor WebAssembly apps. [Token-based authentication](xref:security/anti-request-forgery#token-based-authentication) based on [JSON Web Tokens (JWTs)](https://datatracker.ietf.org/doc/html/rfc7519) was chosen over [cookie-based authentication](xref:security/anti-request-forgery#cookie-based-authentication) for functional and security reasons: @@ -196,7 +196,7 @@ For hosted Blazor WebAssembly solutions, refresh tokens can be maintained and us For more information, see the following resources: -* [Microsoft identity platform refresh tokens: Refresh token lifetime](/azure/active-directory/develop/refresh-tokens#refresh-token-lifetime) +* [Microsoft identity platform refresh tokens: Refresh token lifetime](/entra/identity-platform/develop/refresh-tokens#refresh-token-lifetime) * [OAuth 2.0 for Browser-Based Apps (IETF specification)](https://datatracker.ietf.org/doc/html/draft-ietf-oauth-browser-based-apps-11#section-4) ## Establish claims for users 
@@ -323,21 +323,21 @@ Further configuration guidance is found in the following articles: ## Use the Authorization Code flow with PKCE -Microsoft identity platform's [Microsoft Authentication Library for JavaScript (MSAL)](/azure/active-directory/develop/msal-overview) v2.0 or later provides support for the [Authorization Code flow](/azure/active-directory/develop/v2-oauth2-auth-code-flow) with [Proof Key for Code Exchange (PKCE)](https://oauth.net/2/pkce/) and [Cross-Origin Resource Sharing (CORS)](xref:security/cors) for single-page applications, including Blazor. +Microsoft identity platform's [Microsoft Authentication Library for JavaScript (MSAL)](/entra/identity-platform/develop/msal-overview) v2.0 or later provides support for the [Authorization Code flow](/entra/identity-platform/develop/v2-oauth2-auth-code-flow) with [Proof Key for Code Exchange (PKCE)](https://oauth.net/2/pkce/) and [Cross-Origin Resource Sharing (CORS)](xref:security/cors) for single-page applications, including Blazor. 
**Microsoft doesn't recommend using Implicit grant.** For more information, see the following resources: -* [Authentication flow support in MSAL: Implicit grant](/azure/active-directory/develop/msal-authentication-flows#implicit-grant) -* [Microsoft identity platform and implicit grant flow: Prefer the auth code flow](/azure/active-directory/develop/v2-oauth2-implicit-grant-flow#prefer-the-auth-code-flow) -* [Microsoft identity platform and OAuth 2.0 authorization code flow](/azure/active-directory/develop/v2-oauth2-auth-code-flow) +* [Authentication flow support in MSAL: Implicit grant](/entra/identity-platform/develop/msal-authentication-flows#implicit-grant) +* [Microsoft identity platform and implicit grant flow: Prefer the auth code flow](/entra/identity-platform/develop/v2-oauth2-implicit-grant-flow#prefer-the-auth-code-flow) +* [Microsoft identity platform and OAuth 2.0 authorization code flow](/entra/identity-platform/develop/v2-oauth2-auth-code-flow) ## Additional resources * Microsoft identity platform documentation - * [General documentation](/azure/active-directory/develop/) - * [Access tokens](/azure/active-directory/develop/access-tokens) + * [General documentation](/entra/identity-platform/develop/) + * [Access tokens](/entra/identity-platform/develop/access-tokens) * * Using Forwarded Headers Middleware to preserve HTTPS scheme information across proxy servers and internal networks. * Additional scenarios and use cases, including manual scheme configuration, request path changes for correct request routing, and forwarding the request scheme for Linux and non-IIS reverse proxies. diff --git a/aspnetcore/blazor/security/webassembly/microsoft-entra-id-groups-and-roles.md b/aspnetcore/blazor/security/webassembly/microsoft-entra-id-groups-and-roles.md index e4e13e4e0075..339a931e03c0 100644 --- a/aspnetcore/blazor/security/webassembly/microsoft-entra-id-groups-and-roles.md 
+++ b/aspnetcore/blazor/security/webassembly/microsoft-entra-id-groups-and-roles.md @@ -92,7 +92,7 @@ For more information, see the [Microsoft Graph permissions reference](/graph/per ## Group Membership Claims attribute -In the app's manifest in the Azure portal for **CLIENT** and **SERVER** apps, set the [`groupMembershipClaims` attribute](/azure/active-directory/develop/reference-app-manifest#groupmembershipclaims-attribute) to `All`. A value of `All` results in ME-ID sending all of the security groups, distribution groups, and roles of the signed-in user in the [well-known IDs claim (`wids`)](/azure/active-directory/develop/access-tokens#payload-claims): +In the app's manifest in the Azure portal for **CLIENT** and **SERVER** apps, set the [`groupMembershipClaims` attribute](/entra/identity-platform/develop/reference-app-manifest#groupmembershipclaims-attribute) to `All`. A value of `All` results in ME-ID sending all of the security groups, distribution groups, and roles of the signed-in user in the [well-known IDs claim (`wids`)](/entra/identity-platform/develop/access-tokens#payload-claims): 1. Open the app's Azure portal registration. 1. Select **Manage** > **Manifest** in the sidebar. 
@@ -112,8 +112,8 @@ The examples in this article: In the **CLIENT** app, extend to include properties for: * `Roles`: ME-ID App Roles array (covered in the [App Roles](#app-roles) section) -* `Wids`: ME-ID Administrator Roles in [well-known IDs claim (`wids`)](/azure/active-directory/develop/access-tokens#payload-claims) -* `Oid`: Immutable [object identifier claim (`oid`)](/azure/active-directory/develop/id-tokens#payload-claims) (uniquely identifies a user within and across tenants) +* `Wids`: ME-ID Administrator Roles in [well-known IDs claim (`wids`)](/entra/identity-platform/develop/access-tokens#payload-claims) +* `Oid`: Immutable [object identifier claim (`oid`)](/entra/identity-platform/develop/id-tokens#payload-claims) (uniquely identifies a user within and across tenants) `CustomUserAccount.cs`: 
@@ -344,7 +344,7 @@ public class CustomAccountFactory(IAccessTokenProviderAccessor accessor, The preceding code doesn't include transitive memberships. If the app requires direct and transitive group membership claims, replace the `MemberOf` property (`IUserMemberOfCollectionWithReferencesRequestBuilder`) with `TransitiveMemberOf` (`IUserTransitiveMemberOfCollectionWithReferencesRequestBuilder`). -The preceding code ignores group membership claims (`groups`) that are ME-ID Administrator Roles (`#microsoft.graph.directoryRole` type) because the GUID values returned by the Microsoft identity platform are ME-ID Administrator Role **entity IDs** and not [**Role Template IDs**](/azure/active-directory/roles/permissions-reference#role-template-ids). Entity IDs aren't stable across tenants in Microsoft identity platform and shouldn't be used to create authorization policies for users in apps. Always use **Role Template IDs** for ME-ID Administrator Roles **provided by `wids` claims**. +The preceding code ignores group membership claims (`groups`) that are ME-ID Administrator Roles (`#microsoft.graph.directoryRole` type) because the GUID values returned by the Microsoft identity platform are ME-ID Administrator Role **entity IDs** and not [**Role Template IDs**](/entra/identity-platform/roles/permissions-reference#role-template-ids). Entity IDs aren't stable across tenants in Microsoft identity platform and shouldn't be used to create authorization policies for users in apps. Always use **Role Template IDs** for ME-ID Administrator Roles **provided by `wids` claims**. In the **CLIENT** app, configure the MSAL authentication to use the custom user account factory. 
@@ -406,7 +406,7 @@ builder.Services.AddAuthorizationCore(options => }); ``` -For the complete list of IDs for ME-ID Administrator Roles, see [Role template IDs](/azure/active-directory/roles/permissions-reference#role-template-ids) in the Azure documentation. For more information on authorization policies, see . +For the complete list of IDs for ME-ID Administrator Roles, see [Role template IDs](/entra/identity-platform/roles/permissions-reference#role-template-ids) in the Azure documentation. For more information on authorization policies, see . In the following examples, the **CLIENT** app uses the preceding policy to authorize the user. @@ -491,7 +491,7 @@ builder.Services.AddAuthorization(options => }); ``` -For the complete list of IDs for ME-ID Administrator Roles, see [Role template IDs](/azure/active-directory/roles/permissions-reference#role-template-ids) in the Azure documentation. For more information on authorization policies, see . +For the complete list of IDs for ME-ID Administrator Roles, see [Role template IDs](/entra/identity-platform/roles/permissions-reference#role-template-ids) in the Azure documentation. For more information on authorization policies, see . Access to a controller in the **SERVER** app can be based on using an [`[Authorize]` attribute](xref:security/authorization/simple) with the name of the policy (API documentation: ). 
@@ -515,7 +515,7 @@ For more information, see . ## App Roles -To configure the app in the Azure portal to provide App Roles membership claims, see [How to: Add app roles in your application and receive them in the token](/azure/active-directory/develop/howto-add-app-roles-in-azure-ad-apps) in the Azure documentation. +To configure the app in the Azure portal to provide App Roles membership claims, see [How to: Add app roles in your application and receive them in the token](/entra/identity-platform/develop/howto-add-app-roles-in-azure-ad-apps) in the Azure documentation. The following example assumes that the **CLIENT** and **SERVER** apps are configured with two roles, and the roles are assigned to a test user: 
@@ -538,9 +538,9 @@ The following example assumes that the **CLIENT** and **SERVER** apps are config Although you can't assign roles to groups without an Microsoft Entra ID Premium account, you can assign roles to users and receive a `role` claim for users with a standard Azure account. The guidance in this section doesn't require an ME-ID Premium account. -If you have a Premium tier Azure account, **Manage** > **App roles** appears in the Azure portal app registration sidebar. Follow the guidance in [How to: Add app roles in your application and receive them in the token](/azure/active-directory/develop/howto-add-app-roles-in-azure-ad-apps) to configure the app's roles. +If you have a Premium tier Azure account, **Manage** > **App roles** appears in the Azure portal app registration sidebar. Follow the guidance in [How to: Add app roles in your application and receive them in the token](/entra/identity-platform/develop/howto-add-app-roles-in-azure-ad-apps) to configure the app's roles. -If you don't have a Premium tier Azure account, edit the app's manifest in the Azure portal. Follow the guidance in [Application roles: Implementation](/azure/architecture/multitenant-identity/app-roles#implementation) to establish the app's roles manually in the `appRoles` entry of the manifest file. Save the changes to the file. +If you don't have a Premium tier Azure account, edit the app's manifest in the Azure portal. Follow the guidance in [Application roles: Implementation](/azure/architecture/guide/multitenant/considerations/identity#implementation) to establish the app's roles manually in the `appRoles` entry of the manifest file. Save the changes to the file. The following is an example `appRoles` entry that creates `Admin` and `Developer` roles. These example roles are used later in this section's example at the component level to implement access restrictions: 
@@ -776,10 +776,10 @@ Pascal case is typically used for role names (for example, `BillingAdministrator ## Additional resources -* [Role template IDs (Azure documentation)](/azure/active-directory/roles/permissions-reference#role-template-ids) -* [`groupMembershipClaims` attribute (Azure documentation)](/azure/active-directory/develop/reference-app-manifest#groupmembershipclaims-attribute) -* [How to: Add app roles in your application and receive them in the token (Azure documentation)](/azure/active-directory/develop/howto-add-app-roles-in-azure-ad-apps) -* [Application roles (Azure documentation)](/azure/architecture/multitenant-identity/app-roles) +* [Role template IDs (Azure documentation)](/entra/identity-platform/roles/permissions-reference#role-template-ids) +* [`groupMembershipClaims` attribute (Azure documentation)](/entra/identity-platform/develop/reference-app-manifest#groupmembershipclaims-attribute) +* [How to: Add app roles in your application and receive them in the token (Azure documentation)](/entra/identity-platform/develop/howto-add-app-roles-in-azure-ad-apps) +* [Application roles (Azure documentation)](/azure/architecture/guide/multitenant/considerations/identity) * * * diff --git a/aspnetcore/blazor/security/webassembly/standalone-with-authentication-library.md b/aspnetcore/blazor/security/webassembly/standalone-with-authentication-library.md index f0052cdabc64..da1bdaf33a13 100644 --- a/aspnetcore/blazor/security/webassembly/standalone-with-authentication-library.md +++ b/aspnetcore/blazor/security/webassembly/standalone-with-authentication-library.md 
@@ -14,7 +14,7 @@ uid: blazor/security/webassembly/standalone-with-authentication-library This article explains how to secure an ASP.NET Core Blazor WebAssembly standalone app with the Blazor WebAssembly Authentication library. -The Blazor WebAssembly Authentication library (`Authentication.js`) only supports the Proof Key for Code Exchange (PKCE) authorization code flow via the [Microsoft Authentication Library (MSAL, `msal.js`)](/azure/active-directory/develop/msal-overview). To implement other grant flows, access the MSAL guidance to implement MSAL directly, but we don't support or recommend the use of grant flows other than PKCE for Blazor apps. +The Blazor WebAssembly Authentication library (`Authentication.js`) only supports the Proof Key for Code Exchange (PKCE) authorization code flow via the [Microsoft Authentication Library (MSAL, `msal.js`)](/entra/identity-platform/develop/msal-overview). To implement other grant flows, access the MSAL guidance to implement MSAL directly, but we don't support or recommend the use of grant flows other than PKCE for Blazor apps. *For Microsoft Entra (ME-ID) and Azure Active Directory B2C (AAD B2C) guidance, don't follow the guidance in this topic. See or .* diff --git a/aspnetcore/blazor/security/webassembly/standalone-with-azure-active-directory-b2c.md b/aspnetcore/blazor/security/webassembly/standalone-with-azure-active-directory-b2c.md index 0738a13b568b..7a3fdc313058 100644 --- a/aspnetcore/blazor/security/webassembly/standalone-with-azure-active-directory-b2c.md +++ b/aspnetcore/blazor/security/webassembly/standalone-with-azure-active-directory-b2c.md 
@@ -12,7 +12,7 @@ uid: blazor/security/webassembly/standalone-with-azure-active-directory-b2c [!INCLUDE[](~/includes/not-latest-version.md)] -This article explains how to create a [standalone Blazor WebAssembly app](xref:blazor/hosting-models#blazor-webassembly) that uses [Azure Active Directory (AAD) B2C](/azure/active-directory-b2c/overview) for authentication. +This article explains how to create a [standalone Blazor WebAssembly app](xref:blazor/hosting-models#blazor-webassembly) that uses [Azure Active Directory (AAD) B2C](/entra/identity-platform-b2c/overview) for authentication. For additional security scenario coverage after reading this article, see . @@ -27,9 +27,9 @@ The subsections of the walkthrough explain how to: ### Create a tenant in Azure -Follow the guidance in [Tutorial: Create an Azure Active Directory B2C tenant](/azure/active-directory-b2c/tutorial-create-tenant) to create an AAD B2C tenant. +Follow the guidance in [Tutorial: Create an Azure Active Directory B2C tenant](/entra/identity-platform-b2c/tutorial-create-tenant) to create an AAD B2C tenant. -Before proceeding with this article's guidance, confirm that you've [selected the correct directory for the AAD B2C tenant](/azure/active-directory-b2c/tutorial-create-tenant#select-your-b2c-tenant-directory). +Before proceeding with this article's guidance, confirm that you've [selected the correct directory for the AAD B2C tenant](/entra/identity-platform-b2c/tutorial-create-tenant#select-your-b2c-tenant-directory). ### Register an app in Azure 
@@ -39,11 +39,11 @@ Register an AAD B2C app: 1. Provide a **Name** for the app (for example, **Blazor Standalone AAD B2C**). 1. For **Supported account types**, select the multi-tenant option: **Accounts in any organizational directory or any identity provider. For authenticating users with Azure AD B2C.** 1. Set the **Redirect URI** dropdown list to **Single-page application (SPA)** and provide the following redirect URI: `https://localhost/authentication/login-callback`. If you know the production redirect URI for the Azure default host (for example, `azurewebsites.net`) or the custom domain host (for example, `contoso.com`), you can also add the production redirect URI at the same time that you're providing the `localhost` redirect URI. Be sure to include the port number for non-`:443` ports in any production redirect URIs that you add. -1. If you're using an [unverified publisher domain](/azure/active-directory/develop/howto-configure-publisher-domain), confirm that **Permissions** > **Grant admin consent to openid and offline_access permissions** is selected. If the publisher domain is verified, this checkbox isn't present. +1. If you're using an [unverified publisher domain](/entra/identity-platform/develop/howto-configure-publisher-domain), confirm that **Permissions** > **Grant admin consent to openid and offline_access permissions** is selected. If the publisher domain is verified, this checkbox isn't present. 1. Select **Register**. > [!NOTE] -> Supplying the port number for a `localhost` AAD B2C redirect URI isn't required. For more information, see [Redirect URI (reply URL) restrictions and limitations: Localhost exceptions (Azure documentation)](/azure/active-directory/develop/reply-url#localhost-exceptions). +> Supplying the port number for a `localhost` AAD B2C redirect URI isn't required. 
For more information, see [Redirect URI (reply URL) restrictions and limitations: Localhost exceptions (Azure documentation)](/entra/identity-platform/develop/reply-url#localhost-exceptions). Record the following information: @@ -60,7 +60,7 @@ In **Authentication** > **Platform configurations** > **Single-page application* In **Home** > **Azure AD B2C** > **User flows**: -[Create a sign-up and sign-in user flow](/azure/active-directory-b2c/tutorial-create-user-flows) +[Create a sign-up and sign-in user flow](/entra/identity-platform-b2c/tutorial-create-user-flows) At a minimum, select the **Application claims** > **Display Name** user attribute to populate the `context.User.Identity?.Name`/`context.User.Identity.Name` in the `LoginDisplay` component (`Shared/LoginDisplay.razor`). @@ -91,7 +91,7 @@ After creating the app, you should be able to: * Log into the app using an Microsoft Entra ID user account. * Request access tokens for Microsoft APIs. For more information, see: * [Access token scopes](#access-token-scopes) - * [Quickstart: Configure an application to expose web APIs](/azure/active-directory/develop/quickstart-configure-app-expose-web-apis). + * [Quickstart: Configure an application to expose web APIs](/entra/identity-platform/develop/quickstart-configure-app-expose-web-apis). ### Run the app 
@@ -109,7 +109,7 @@ This section describes the parts of an app generated from the Blazor WebAssembly ### Authentication package -When an app is created to use an Individual B2C Account (`IndividualB2C`), the app automatically receives a package reference for the [Microsoft Authentication Library](/azure/active-directory/develop/msal-overview) ([`Microsoft.Authentication.WebAssembly.Msal`](https://www.nuget.org/packages/Microsoft.Authentication.WebAssembly.Msal)). The package provides a set of primitives that help the app authenticate users and obtain tokens to call protected APIs. +When an app is created to use an Individual B2C Account (`IndividualB2C`), the app automatically receives a package reference for the [Microsoft Authentication Library](/entra/identity-platform/develop/msal-overview) ([`Microsoft.Authentication.WebAssembly.Msal`](https://www.nuget.org/packages/Microsoft.Authentication.WebAssembly.Msal)). The package provides a set of primitives that help the app authenticate users and obtain tokens to call protected APIs. If adding authentication to an app, manually add the [`Microsoft.Authentication.WebAssembly.Msal`](https://www.nuget.org/packages/Microsoft.Authentication.WebAssembly.Msal) package to the app. 
@@ -223,6 +223,6 @@ For more information, see the following sections of the *Additional scenarios* a * [Build a custom version of the Authentication.MSAL JavaScript library](xref:blazor/security/webassembly/additional-scenarios#build-a-custom-version-of-the-authenticationmsal-javascript-library) * [Unauthenticated or unauthorized web API requests in an app with a secure default client](xref:blazor/security/webassembly/additional-scenarios#unauthenticated-or-unauthorized-web-api-requests-in-an-app-with-a-secure-default-client) * -* [Tutorial: Create an Azure Active Directory B2C tenant](/azure/active-directory-b2c/tutorial-create-tenant) -* [Tutorial: Register an application in Azure Active Directory B2C](/azure/active-directory-b2c/tutorial-register-applications) -* [Microsoft identity platform documentation](/azure/active-directory/develop/) +* [Tutorial: Create an Azure Active Directory B2C tenant](/entra/identity-platform-b2c/tutorial-create-tenant) +* [Tutorial: Register an application in Azure Active Directory B2C](/entra/identity-platform-b2c/tutorial-register-applications) +* [Microsoft identity platform documentation](/entra/identity-platform/develop/) diff --git a/aspnetcore/blazor/security/webassembly/standalone-with-microsoft-accounts.md b/aspnetcore/blazor/security/webassembly/standalone-with-microsoft-accounts.md index 3a5cacf40ad7..9b88e720d06f 100644 --- a/aspnetcore/blazor/security/webassembly/standalone-with-microsoft-accounts.md +++ b/aspnetcore/blazor/security/webassembly/standalone-with-microsoft-accounts.md 
@@ -12,7 +12,7 @@ uid: blazor/security/webassembly/standalone-with-microsoft-accounts [!INCLUDE[](~/includes/not-latest-version.md)] -This article explains how to create a [standalone Blazor WebAssembly app](xref:blazor/hosting-models#blazor-webassembly) that uses [Microsoft Accounts with Microsoft Entra (ME-ID)](/azure/active-directory/develop/quickstart-register-app#register-a-new-application-using-the-azure-portal) for authentication. +This article explains how to create a [standalone Blazor WebAssembly app](xref:blazor/hosting-models#blazor-webassembly) that uses [Microsoft Accounts with Microsoft Entra (ME-ID)](/entra/identity-platform/develop/quickstart-register-app#register-a-new-application-using-the-azure-portal) for authentication. For additional security scenario coverage after reading this article, see . @@ -27,7 +27,7 @@ The subsections of the walkthrough explain how to: ### Create a tenant in Azure -Follow the guidance in [Quickstart: Set up a tenant](/azure/active-directory/develop/quickstart-create-new-tenant) to create a tenant in ME-ID. +Follow the guidance in [Quickstart: Set up a tenant](/entra/identity-platform/develop/quickstart-create-new-tenant) to create a tenant in ME-ID. ### Register an app in Azure 
@@ -37,11 +37,11 @@ Register an ME-ID app: 1. Provide a **Name** for the app (for example, **Blazor Standalone ME-ID MS Accounts**). 1. In **Supported account types**, select **Accounts in any organizational directory (Any Microsoft Entra ID directory – Multitenant)**. 1. Set the **Redirect URI** dropdown list to **Single-page application (SPA)** and provide the following redirect URI: `https://localhost/authentication/login-callback`. If you know the production redirect URI for the Azure default host (for example, `azurewebsites.net`) or the custom domain host (for example, `contoso.com`), you can also add the production redirect URI at the same time that you're providing the `localhost` redirect URI. Be sure to include the port number for non-`:443` ports in any production redirect URIs that you add. -1. If you're using an [unverified publisher domain](/azure/active-directory/develop/howto-configure-publisher-domain), clear the **Permissions** > **Grant admin consent to openid and offline_access permissions** checkbox. If the publisher domain is verified, this checkbox isn't present. +1. If you're using an [unverified publisher domain](/entra/identity-platform/develop/howto-configure-publisher-domain), clear the **Permissions** > **Grant admin consent to openid and offline_access permissions** checkbox. If the publisher domain is verified, this checkbox isn't present. 1. Select **Register**. > [!NOTE] -> Supplying the port number for a `localhost` ME-ID redirect URI isn't required. For more information, see [Redirect URI (reply URL) restrictions and limitations: Localhost exceptions (Azure documentation)](/azure/active-directory/develop/reply-url#localhost-exceptions). +> Supplying the port number for a `localhost` ME-ID redirect URI isn't required. For more information, see [Redirect URI (reply URL) restrictions and limitations: Localhost exceptions (Azure documentation)](/entra/identity-platform/develop/reply-url#localhost-exceptions). 
Record the Application (client) ID (for example, `41451fa7-82d9-4673-8fa5-69eff5a761fd`). @@ -85,7 +85,7 @@ This section describes the parts of an app generated from the Blazor WebAssembly ### Authentication package -When an app is created to use Work or School Accounts (`SingleOrg`), the app automatically receives a package reference for the [Microsoft Authentication Library](/azure/active-directory/develop/msal-overview) ([`Microsoft.Authentication.WebAssembly.Msal`](https://www.nuget.org/packages/Microsoft.Authentication.WebAssembly.Msal)). The package provides a set of primitives that help the app authenticate users and obtain tokens to call protected APIs. +When an app is created to use Work or School Accounts (`SingleOrg`), the app automatically receives a package reference for the [Microsoft Authentication Library](/entra/identity-platform/develop/msal-overview) ([`Microsoft.Authentication.WebAssembly.Msal`](https://www.nuget.org/packages/Microsoft.Authentication.WebAssembly.Msal)). The package provides a set of primitives that help the app authenticate users and obtain tokens to call protected APIs. If adding authentication to an app, manually add the [`Microsoft.Authentication.WebAssembly.Msal`](https://www.nuget.org/packages/Microsoft.Authentication.WebAssembly.Msal) package to the app. @@ -156,7 +156,7 @@ For more information, see the following sections of the *Additional scenarios* a * [Request additional access tokens](xref:blazor/security/webassembly/additional-scenarios#request-additional-access-tokens) * [Attach tokens to outgoing requests](xref:blazor/security/webassembly/additional-scenarios#attach-tokens-to-outgoing-requests) -* [Quickstart: Configure an application to expose web APIs](/azure/active-directory/develop/quickstart-configure-app-expose-web-apis) +* [Quickstart: Configure an application to expose web APIs](/entra/identity-platform/develop/quickstart-configure-app-expose-web-apis) :::moniker range=">= aspnetcore-5.0" 
@@ -200,5 +200,5 @@ For more information, see the following sections of the *Additional scenarios* a * [Build a custom version of the Authentication.MSAL JavaScript library](xref:blazor/security/webassembly/additional-scenarios#build-a-custom-version-of-the-authenticationmsal-javascript-library) * [Unauthenticated or unauthorized web API requests in an app with a secure default client](xref:blazor/security/webassembly/additional-scenarios#unauthenticated-or-unauthorized-web-api-requests-in-an-app-with-a-secure-default-client) * -* [Quickstart: Register an application with the Microsoft identity platform](/azure/active-directory/develop/quickstart-register-app#register-a-new-application-using-the-azure-portal) -* [Quickstart: Configure an application to expose web APIs](/azure/active-directory/develop/quickstart-configure-app-expose-web-apis) +* [Quickstart: Register an application with the Microsoft identity platform](/entra/identity-platform/develop/quickstart-register-app#register-a-new-application-using-the-azure-portal) +* [Quickstart: Configure an application to expose web APIs](/entra/identity-platform/develop/quickstart-configure-app-expose-web-apis) diff --git a/aspnetcore/blazor/security/webassembly/standalone-with-microsoft-entra-id.md b/aspnetcore/blazor/security/webassembly/standalone-with-microsoft-entra-id.md index e06efb488cf2..3c4141be8ec9 100644 --- a/aspnetcore/blazor/security/webassembly/standalone-with-microsoft-entra-id.md +++ b/aspnetcore/blazor/security/webassembly/standalone-with-microsoft-entra-id.md @@ -27,7 +27,7 @@ The subsections of the walkthrough explain how to: ### Create a tenant in Azure -Follow the guidance in [Quickstart: Set up a tenant](/azure/active-directory/develop/quickstart-create-new-tenant) to create a tenant in ME-ID. +Follow the guidance in [Quickstart: Set up a tenant](/entra/identity-platform/develop/quickstart-create-new-tenant) to create a tenant in ME-ID. ### Register an app in Azure 
@@ -37,11 +37,11 @@ Register an ME-ID app: 1. Provide a **Name** for the app (for example, **Blazor Standalone ME-ID**). 1. Choose a **Supported account types**. You may select **Accounts in this organizational directory only** for this experience. 1. Set the **Redirect URI** dropdown list to **Single-page application (SPA)** and provide the following redirect URI: `https://localhost/authentication/login-callback`. If you know the production redirect URI for the Azure default host (for example, `azurewebsites.net`) or the custom domain host (for example, `contoso.com`), you can also add the production redirect URI at the same time that you're providing the `localhost` redirect URI. Be sure to include the port number for non-`:443` ports in any production redirect URIs that you add. -1. If you're using an [unverified publisher domain](/azure/active-directory/develop/howto-configure-publisher-domain), clear the **Permissions** > **Grant admin consent to openid and offline_access permissions** checkbox. If the publisher domain is verified, this checkbox isn't present. +1. If you're using an [unverified publisher domain](/entra/identity-platform/develop/howto-configure-publisher-domain), clear the **Permissions** > **Grant admin consent to openid and offline_access permissions** checkbox. If the publisher domain is verified, this checkbox isn't present. 1. Select **Register**. > [!NOTE] -> Supplying the port number for a `localhost` ME-ID redirect URI isn't required. For more information, see [Redirect URI (reply URL) restrictions and limitations: Localhost exceptions (Azure documentation)](/azure/active-directory/develop/reply-url#localhost-exceptions). +> Supplying the port number for a `localhost` ME-ID redirect URI isn't required. For more information, see [Redirect URI (reply URL) restrictions and limitations: Localhost exceptions (Azure documentation)](/entra/identity-platform/develop/reply-url#localhost-exceptions). Record the following information: 
@@ -89,7 +89,7 @@ This section describes the parts of an app generated from the Blazor WebAssembly ### Authentication package -When an app is created to use Work or School Accounts (`SingleOrg`), the app automatically receives a package reference for the [Microsoft Authentication Library](/azure/active-directory/develop/msal-overview) ([`Microsoft.Authentication.WebAssembly.Msal`](https://www.nuget.org/packages/Microsoft.Authentication.WebAssembly.Msal)). The package provides a set of primitives that help the app authenticate users and obtain tokens to call protected APIs. +When an app is created to use Work or School Accounts (`SingleOrg`), the app automatically receives a package reference for the [Microsoft Authentication Library](/entra/identity-platform/develop/msal-overview) ([`Microsoft.Authentication.WebAssembly.Msal`](https://www.nuget.org/packages/Microsoft.Authentication.WebAssembly.Msal)). The package provides a set of primitives that help the app authenticate users and obtain tokens to call protected APIs. If adding authentication to an app, manually add the [`Microsoft.Authentication.WebAssembly.Msal`](https://www.nuget.org/packages/Microsoft.Authentication.WebAssembly.Msal) package to the app. @@ -160,7 +160,7 @@ For more information, see the following resources: * [Request additional access tokens](xref:blazor/security/webassembly/additional-scenarios#request-additional-access-tokens) * [Attach tokens to outgoing requests](xref:blazor/security/webassembly/additional-scenarios#attach-tokens-to-outgoing-requests) -* [Quickstart: Configure an application to expose web APIs](/azure/active-directory/develop/quickstart-configure-app-expose-web-apis) +* [Quickstart: Configure an application to expose web APIs](/entra/identity-platform/develop/quickstart-configure-app-expose-web-apis) * [Access token scopes for Microsoft Graph API](xref:blazor/security/webassembly/graph-api) ### Login mode 
@@ -202,5 +202,5 @@ For more information, see the following resources: * [Unauthenticated or unauthorized web API requests in an app with a secure default client](xref:blazor/security/webassembly/additional-scenarios#unauthenticated-or-unauthorized-web-api-requests-in-an-app-with-a-secure-default-client) * * -* [Microsoft identity platform documentation](/azure/active-directory/develop/) -* [Security best practices for application properties in Microsoft Entra ID](/azure/active-directory/develop/security-best-practices-for-app-registration) +* [Microsoft identity platform documentation](/entra/identity-platform/develop/) +* [Security best practices for application properties in Microsoft Entra ID](/entra/identity-platform/develop/security-best-practices-for-app-registration) From 317fb85939da88a166286ebf8bedc45135ea0b8c Mon Sep 17 00:00:00 2001 From: guardrex <1622880+guardrex@users.noreply.github.com> Date: Tue, 30 Jan 2024 11:10:17 -0500 Subject: [PATCH 2/4] Updates --- aspnetcore/blazor/hybrid/security/index.md | 20 +++++++++---------- .../security/includes/authorize-client-app.md | 2 +- .../blazor/security/includes/troubleshoot.md | 4 ++-- aspnetcore/blazor/security/index.md | 20 +++++++++---------- aspnetcore/blazor/security/server/index.md | 4 ++-- .../webassembly/additional-scenarios.md | 2 +- .../blazor/security/webassembly/graph-api.md | 2 +- .../hosted-with-azure-active-directory-b2c.md | 10 +++++----- .../hosted-with-microsoft-entra-id.md | 20 +++++++++---------- .../blazor/security/webassembly/index.md | 18 ++++++++--------- .../microsoft-entra-id-groups-and-roles.md | 14 ++++++------- .../standalone-with-authentication-library.md | 2 +- ...ndalone-with-azure-active-directory-b2c.md | 10 +++++----- .../standalone-with-microsoft-accounts.md | 16 +++++++-------- .../standalone-with-microsoft-entra-id.md | 14 ++++++------- 15 files changed, 79 insertions(+), 79 deletions(-) 
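Review bot: the B2C tutorial links in `standalone-with-azure-active-directory-b2c.md` (the `-60,7 +60,7` user-flow hunk and the `-223,6 +223,6` additional-resources hunk) are rewritten from `/azure/active-directory-b2c/...` to `/entra/identity-platform-b2c/...`, a root that is not the `/entra/identity-platform/` root every other link in this commit moves to and is not confirmed anywhere in the change; please verify that `/entra/identity-platform-b2c/tutorial-create-user-flows`, `/entra/identity-platform-b2c/tutorial-create-tenant` and `/entra/identity-platform-b2c/tutorial-register-applications` actually resolve, since the Azure AD B2C docset was a separate root from the identity platform docs and a mechanical search-and-replace could easily have produced a 404 here.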
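Review bot: the unchanged context line `* Log into the app using an Microsoft Entra ID user account.` in the `-91,7 +91,7` hunk of `standalone-with-azure-active-directory-b2c.md` has a grammar error (`an Microsoft` should be `a Microsoft`), and in a B2C walkthrough the sentence should probably refer to an AAD B2C user account rather than a Microsoft Entra ID account; since this hunk is already being touched, fix both here.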
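Review bot: every identity-platform link in this commit is rewritten to `/entra/identity-platform/develop/...` (for example `/entra/identity-platform/develop/msal-overview` in the `-109,7 +109,7` and `-85,7 +85,7` authentication-package hunks), but the next commit in this series, `317fb85`, rewrites the same links again to drop the `develop` segment (`-/entra/identity-platform/develop/msal-overview` / `+/entra/identity-platform/msal-overview`); land the final path form in one commit, or squash the two, so the intermediate URLs never appear in history and the redirect targets are checked once.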
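Review bot: in the `-37,11 +37,11` hunks of `standalone-with-microsoft-accounts.md` and `standalone-with-microsoft-entra-id.md` the unverified-publisher-domain step tells the reader to *clear* the **Grant admin consent to openid and offline_access permissions** checkbox, while the `-39,11 +39,11` hunk of `standalone-with-azure-active-directory-b2c.md` in the same commit says to confirm that the checkbox *is selected*; only the link path changes in these hunks, but readers copy consent settings verbatim, so confirm that the opposite instructions are intentional (B2C versus ME-ID) and, if they are, add a sentence to each step saying why they differ.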
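Review bot: the unchanged context line `1. Choose a **Supported account types**.` in the `-37,11 +37,11` hunk of `standalone-with-microsoft-entra-id.md` mixes singular and plural; `1. Under **Supported account types**, choose an option.` reads correctly and matches the wording of the sibling `standalone-with-microsoft-accounts.md` hunk (`In **Supported account types**, select ...`).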
diff --git a/aspnetcore/blazor/hybrid/security/index.md b/aspnetcore/blazor/hybrid/security/index.md index 6b271268b4bc..803039beb28d 100644 --- a/aspnetcore/blazor/hybrid/security/index.md +++ b/aspnetcore/blazor/hybrid/security/index.md 
@@ -47,12 +47,12 @@ For additional guidance, see the following resources: :::zone pivot="wpf" -WPF apps use the [Microsoft identity platform](/entra/identity-platform/develop/) to integrate with Microsoft Entra (ME-ID) and AAD B2C. For guidance and examples, see the following resources: +WPF apps use the [Microsoft identity platform](/entra/identity-platform/) to integrate with Microsoft Entra (ME-ID) and AAD B2C. For guidance and examples, see the following resources: -* [Overview of the Microsoft Authentication Library (MSAL)](/entra/identity-platform/develop/msal-overview) +* [Overview of the Microsoft Authentication Library (MSAL)](/entra/identity-platform/msal-overview) * [Add authentication to your Windows (WPF) app](/azure/developer/mobile-apps/azure-mobile-apps/quickstarts/wpf/authentication) -* [Tutorial: Sign in users and call Microsoft Graph in Windows Presentation Foundation (WPF) desktop app](/entra/identity-platform/develop/tutorial-v2-windows-desktop) -* [Quickstart: Acquire a token and call Microsoft Graph API from a desktop application](/entra/identity-platform/develop/desktop-app-quickstart?pivots=devlang-windows-desktop) +* [Tutorial: Sign in users and call Microsoft Graph in Windows Presentation Foundation (WPF) desktop app](/entra/identity-platform/tutorial-v2-windows-desktop) +* [Quickstart: Acquire a token and call Microsoft Graph API from a desktop application](/entra/identity-platform/desktop-app-quickstart?pivots=devlang-windows-desktop) * [Quickstart: Set up sign in for a desktop app using Azure Active Directory B2C](/entra/identity-platform-b2c/quickstart-native-app-desktop) * [Configure authentication in a sample WPF desktop app by using Azure AD B2C](/entra/identity-platform-b2c/configure-authentication-sample-wpf-desktop-app) 
@@ -60,7 +60,7 @@ WPF apps use the [Microsoft identity platform](/entra/identity-platform/develop/ :::zone pivot="winforms" -Windows Forms apps use the [Microsoft identity platform](/entra/identity-platform/develop/) to integrate with Microsoft Entra (ME-ID) and AAD B2C. For more information, see [Overview of the Microsoft Authentication Library (MSAL)](/entra/identity-platform/develop/msal-overview). +Windows Forms apps use the [Microsoft identity platform](/entra/identity-platform/) to integrate with Microsoft Entra (ME-ID) and AAD B2C. For more information, see [Overview of the Microsoft Authentication Library (MSAL)](/entra/identity-platform/msal-overview). :::zone-end 
@@ -578,12 +578,12 @@ For additional guidance, see the following resources: :::zone pivot="wpf" -WPF apps use the [Microsoft identity platform](/entra/identity-platform/develop/) to integrate with Microsoft Entra (ME-ID) and AAD B2C. For guidance and examples, see the following resources: +WPF apps use the [Microsoft identity platform](/entra/identity-platform/) to integrate with Microsoft Entra (ME-ID) and AAD B2C. For guidance and examples, see the following resources: -* [Overview of the Microsoft Authentication Library (MSAL)](/entra/identity-platform/develop/msal-overview) +* [Overview of the Microsoft Authentication Library (MSAL)](/entra/identity-platform/msal-overview) * [Add authentication to your Windows (WPF) app](/azure/developer/mobile-apps/azure-mobile-apps/quickstarts/wpf/authentication) -* [Tutorial: Sign in users and call Microsoft Graph in Windows Presentation Foundation (WPF) desktop app](/entra/identity-platform/develop/tutorial-v2-windows-desktop) -* [Quickstart: Acquire a token and call Microsoft Graph API from a desktop application](/entra/identity-platform/develop/desktop-app-quickstart?pivots=devlang-windows-desktop) +* [Tutorial: Sign in users and call Microsoft Graph in Windows Presentation Foundation (WPF) desktop app](/entra/identity-platform/tutorial-v2-windows-desktop) +* [Quickstart: Acquire a token and call Microsoft Graph API from a desktop application](/entra/identity-platform/desktop-app-quickstart?pivots=devlang-windows-desktop) * [Quickstart: Set up sign in for a desktop app using Azure Active Directory B2C](/entra/identity-platform-b2c/quickstart-native-app-desktop) * [Configure authentication in a sample WPF desktop app by using Azure AD B2C](/entra/identity-platform-b2c/configure-authentication-sample-wpf-desktop-app) 
@@ -591,7 +591,7 @@ WPF apps use the [Microsoft identity platform](/entra/identity-platform/develop/ :::zone pivot="winforms" -Windows Forms apps use the [Microsoft identity platform](/entra/identity-platform/develop/) to integrate with Microsoft Entra (ME-ID) and AAD B2C. For more information, see [Overview of the Microsoft Authentication Library (MSAL)](/entra/identity-platform/develop/msal-overview). +Windows Forms apps use the [Microsoft identity platform](/entra/identity-platform/) to integrate with Microsoft Entra (ME-ID) and AAD B2C. For more information, see [Overview of the Microsoft Authentication Library (MSAL)](/entra/identity-platform/msal-overview). :::zone-end diff --git a/aspnetcore/blazor/security/includes/authorize-client-app.md b/aspnetcore/blazor/security/includes/authorize-client-app.md index 4851fb553ada..65dbe56f1252 100644 --- a/aspnetcore/blazor/security/includes/authorize-client-app.md +++ b/aspnetcore/blazor/security/includes/authorize-client-app.md @@ -1,5 +1,5 @@ > [!IMPORTANT] > If you don't have the authority to grant admin consent to the tenant in the last step of **API permissions** configuration because consent to use the app is delegated to users, then you must take the following additional steps: > -> * The app must use a [trusted publisher domain](/entra/identity-platform/develop/howto-configure-publisher-domain). +> * The app must use a [trusted publisher domain](/entra/identity-platform/howto-configure-publisher-domain). > * In the **`Server`** app's configuration in the Azure portal, select **Expose an API**. Under **Authorized client applications**, select the button to **Add a client application**. Add the **`Client`** app's Application (client) ID (for example, `4369008b-21fa-427c-abaa-9b53bf58e538`). diff --git a/aspnetcore/blazor/security/includes/troubleshoot.md b/aspnetcore/blazor/security/includes/troubleshoot.md index d85afd3a25ee..e8422aaea2d8 100644 --- a/aspnetcore/blazor/security/includes/troubleshoot.md 
+++ b/aspnetcore/blazor/security/includes/troubleshoot.md @@ -51,8 +51,8 @@ To enable debug or trace logging for Blazor WebAssembly authentication, see * * [Build a custom version of the Authentication.MSAL JavaScript library](xref:blazor/security/webassembly/additional-scenarios#build-a-custom-version-of-the-authenticationmsal-javascript-library) @@ -879,11 +879,11 @@ The * * [Build a custom version of the Authentication.MSAL JavaScript library](xref:blazor/security/webassembly/additional-scenarios#build-a-custom-version-of-the-authenticationmsal-javascript-library) diff --git a/aspnetcore/blazor/security/server/index.md b/aspnetcore/blazor/security/server/index.md index cf4ef1212b3e..37de48810215 100644 --- a/aspnetcore/blazor/security/server/index.md +++ b/aspnetcore/blazor/security/server/index.md @@ -832,8 +832,8 @@ builder.Services.AddRazorComponents(options => ## Additional resources -* [Quickstart: Add sign-in with Microsoft to an ASP.NET Core web app](/entra/identity-platform/develop/quickstart-v2-aspnet-core-webapp) -* [Quickstart: Protect an ASP.NET Core web API with Microsoft identity platform](/entra/identity-platform/develop/quickstart-v2-aspnet-core-web-api) +* [Quickstart: Add sign-in with Microsoft to an ASP.NET Core web app](/entra/identity-platform/quickstart-v2-aspnet-core-webapp) +* [Quickstart: Protect an ASP.NET Core web API with Microsoft identity platform](/entra/identity-platform/quickstart-v2-aspnet-core-web-api) * : Includes guidance on: * Using Forwarded Headers Middleware to preserve HTTPS scheme information across proxy servers and internal networks. * Additional scenarios and use cases, including manual scheme configuration, request path changes for correct request routing, and forwarding the request scheme for Linux and non-IIS reverse proxies. diff --git a/aspnetcore/blazor/security/webassembly/additional-scenarios.md b/aspnetcore/blazor/security/webassembly/additional-scenarios.md index 4d0f0b7f9ae9..6c1f330a5519 100644 
--- a/aspnetcore/blazor/security/webassembly/additional-scenarios.md +++ b/aspnetcore/blazor/security/webassembly/additional-scenarios.md @@ -1097,7 +1097,7 @@ Users bound to the app can be customized. ### Customize the user with a payload claim -In the following example, the app's authenticated users receive an `amr` claim for each of the user's authentication methods. The `amr` claim identifies how the subject of the token was authenticated in Microsoft Identity Platform v1.0 [payload claims](/entra/identity-platform/develop/access-tokens#amr-claim). The example uses a custom user account class based on . +In the following example, the app's authenticated users receive an `amr` claim for each of the user's authentication methods. The `amr` claim identifies how the subject of the token was authenticated in Microsoft Identity Platform v1.0 [payload claims](/entra/identity-platform/access-tokens#amr-claim). The example uses a custom user account class based on . Create a class that extends the class. The following example sets the `AuthenticationMethod` property to the user's array of `amr` JSON property values. `AuthenticationMethod` is populated automatically by the framework when the user is authenticated. diff --git a/aspnetcore/blazor/security/webassembly/graph-api.md b/aspnetcore/blazor/security/webassembly/graph-api.md index cedfb505f839..0878763d4482 100644 --- a/aspnetcore/blazor/security/webassembly/graph-api.md +++ b/aspnetcore/blazor/security/webassembly/graph-api.md 
@@ -1026,5 +1026,5 @@ The examples in this article pertain to using the Graph SDK or a named `HttpClie * [Microsoft Graph auth overview](/graph/auth/) * [Overview of Microsoft Graph permissions](/graph/permissions-overview) * [Microsoft Graph permissions reference](/graph/permissions-reference) -* [Enhance security with the principle of least privilege](/entra/identity-platform/develop/secure-least-privileged-access) +* [Enhance security with the principle of least privilege](/entra/identity-platform/secure-least-privileged-access) * [Azure privilege escalation articles on the Internet (Google search result)](https://www.google.com/search?q=%22Azure+Privilege+Escalation%22) diff --git a/aspnetcore/blazor/security/webassembly/hosted-with-azure-active-directory-b2c.md b/aspnetcore/blazor/security/webassembly/hosted-with-azure-active-directory-b2c.md index f7283c7818b5..7d671e4405f7 100644 --- a/aspnetcore/blazor/security/webassembly/hosted-with-azure-active-directory-b2c.md +++ b/aspnetcore/blazor/security/webassembly/hosted-with-azure-active-directory-b2c.md @@ -75,7 +75,7 @@ Register an AAD B2C app for the *Client app*: 1. Select **Register**. > [!NOTE] -> Supplying the port number for a `localhost` AAD B2C redirect URI isn't required. For more information, see [Redirect URI (reply URL) restrictions and limitations: Localhost exceptions (Azure documentation)](/entra/identity-platform/develop/reply-url#localhost-exceptions). +> Supplying the port number for a `localhost` AAD B2C redirect URI isn't required. For more information, see [Redirect URI (reply URL) restrictions and limitations: Localhost exceptions (Azure documentation)](/entra/identity-platform/reply-url#localhost-exceptions). Record the *Client app* Application (client) ID (for example, `4369008b-21fa-427c-abaa-9b53bf58e538`). 
@@ -283,7 +283,7 @@ Example: *This section pertains to the solution's **:::no-loc text="Client":::** app.* -When an app is created to use an Individual B2C Account (`IndividualB2C`), the app automatically receives a package reference for the [Microsoft Authentication Library](/entra/identity-platform/develop/msal-overview) ([`Microsoft.Authentication.WebAssembly.Msal`](https://www.nuget.org/packages/Microsoft.Authentication.WebAssembly.Msal)). The package provides a set of primitives that help the app authenticate users and obtain tokens to call protected APIs. +When an app is created to use an Individual B2C Account (`IndividualB2C`), the app automatically receives a package reference for the [Microsoft Authentication Library](/entra/identity-platform/msal-overview) ([`Microsoft.Authentication.WebAssembly.Msal`](https://www.nuget.org/packages/Microsoft.Authentication.WebAssembly.Msal)). The package provides a set of primitives that help the app authenticate users and obtain tokens to call protected APIs. If adding authentication to an app, manually add the [`Microsoft.Authentication.WebAssembly.Msal`](https://www.nuget.org/packages/Microsoft.Authentication.WebAssembly.Msal) package to the app. 
@@ -428,12 +428,12 @@ Due to changes in the framework across releases of ASP.NET Core, Razor markup fo ## Additional resources -* [Configure an app's publisher domain](/entra/identity-platform/develop/howto-configure-publisher-domain) -* [Microsoft Entra ID app manifest: identifierUris attribute](/entra/identity-platform/develop/reference-app-manifest#identifieruris-attribute) +* [Configure an app's publisher domain](/entra/identity-platform/howto-configure-publisher-domain) +* [Microsoft Entra ID app manifest: identifierUris attribute](/entra/identity-platform/reference-app-manifest#identifieruris-attribute) * * [Build a custom version of the Authentication.MSAL JavaScript library](xref:blazor/security/webassembly/additional-scenarios#build-a-custom-version-of-the-authenticationmsal-javascript-library) * [Unauthenticated or unauthorized web API requests in an app with a secure default client](xref:blazor/security/webassembly/additional-scenarios#unauthenticated-or-unauthorized-web-api-requests-in-an-app-with-a-secure-default-client) * * [Tutorial: Create an Azure Active Directory B2C tenant](/entra/identity-platform-b2c/tutorial-create-tenant) * [Tutorial: Register an application in Azure Active Directory B2C](/entra/identity-platform-b2c/tutorial-register-applications) -* [Microsoft identity platform documentation](/entra/identity-platform/develop/) +* [Microsoft identity platform documentation](/entra/identity-platform/) diff --git a/aspnetcore/blazor/security/webassembly/hosted-with-microsoft-entra-id.md b/aspnetcore/blazor/security/webassembly/hosted-with-microsoft-entra-id.md index 67694cf60c5c..1831d1d321a1 100644 --- a/aspnetcore/blazor/security/webassembly/hosted-with-microsoft-entra-id.md +++ b/aspnetcore/blazor/security/webassembly/hosted-with-microsoft-entra-id.md 
@@ -12,13 +12,13 @@ uid: blazor/security/webassembly/hosted-with-microsoft-entra-id This article explains how to create a [hosted Blazor WebAssembly solution](xref:blazor/hosting-models#blazor-webassembly) that uses [Microsoft Entra ID (ME-ID)](https://azure.microsoft.com/services/active-directory/) for authentication. This article focuses on a single tenant app with a single tenant Azure app registration. -This article doesn't cover a *multi-tenant ME-ID registration*. For more information, see [Making your application multi-tenant](/entra/identity-platform/develop/howto-convert-app-to-be-multi-tenant). +This article doesn't cover a *multi-tenant ME-ID registration*. For more information, see [Making your application multi-tenant](/entra/identity-platform/howto-convert-app-to-be-multi-tenant). -This article focuses on the use of a **Microsoft Entra** tenant, as described in [Quickstart: Set up a tenant](/entra/identity-platform/develop/quickstart-create-new-tenant). If the app is registered in an **Azure Active Directory B2C** tenant, as described in [Tutorial: Create an Azure Active Directory B2C tenant](/entra/identity-platform-b2c/tutorial-create-tenant) but follows the guidance in this article, the App ID URI is managed differently by ME-ID. For more information, see the [Use of an Azure Active Directory B2C tenant](#use-of-an-azure-active-directory-b2c-tenant) section of this article. +This article focuses on the use of a **Microsoft Entra** tenant, as described in [Quickstart: Set up a tenant](/entra/identity-platform/quickstart-create-new-tenant). If the app is registered in an **Azure Active Directory B2C** tenant, as described in [Tutorial: Create an Azure Active Directory B2C tenant](/entra/identity-platform-b2c/tutorial-create-tenant) but follows the guidance in this article, the App ID URI is managed differently by ME-ID. 
For more information, see the [Use of an Azure Active Directory B2C tenant](#use-of-an-azure-active-directory-b2c-tenant) section of this article. For additional security scenario coverage after reading this article, see . @@ -36,7 +36,7 @@ The subsections of the walkthrough explain how to: ### Create a tenant in Azure -Follow the guidance in [Quickstart: Set up a tenant](/entra/identity-platform/develop/quickstart-create-new-tenant) to create a tenant in ME-ID. +Follow the guidance in [Quickstart: Set up a tenant](/entra/identity-platform/quickstart-create-new-tenant) to create a tenant in ME-ID. ### Register a server API app in Azure @@ -88,7 +88,7 @@ Register an ME-ID app for the *Client app*: 1. Select **Register**. > [!NOTE] -> Supplying the port number for a `localhost` ME-ID redirect URI isn't required. For more information, see [Redirect URI (reply URL) restrictions and limitations: Localhost exceptions (Azure documentation)](/entra/identity-platform/develop/reply-url#localhost-exceptions). +> Supplying the port number for a `localhost` ME-ID redirect URI isn't required. For more information, see [Redirect URI (reply URL) restrictions and limitations: Localhost exceptions (Azure documentation)](/entra/identity-platform/reply-url#localhost-exceptions). Record the **:::no-loc text="Client":::** app Application (client) ID (for example, `4369008b-21fa-427c-abaa-9b53bf58e538`). 
@@ -295,7 +295,7 @@ Example: *This section pertains to the solution's **:::no-loc text="Client":::** app.* -When an app is created to use Work or School Accounts (`SingleOrg`), the app automatically receives a package reference for the [Microsoft Authentication Library](/entra/identity-platform/develop/msal-overview) ([`Microsoft.Authentication.WebAssembly.Msal`](https://www.nuget.org/packages/Microsoft.Authentication.WebAssembly.Msal)). The package provides a set of primitives that help the app authenticate users and obtain tokens to call protected APIs. +When an app is created to use Work or School Accounts (`SingleOrg`), the app automatically receives a package reference for the [Microsoft Authentication Library](/entra/identity-platform/msal-overview) ([`Microsoft.Authentication.WebAssembly.Msal`](https://www.nuget.org/packages/Microsoft.Authentication.WebAssembly.Msal)). The package provides a set of primitives that help the app authenticate users and obtain tokens to call protected APIs. If adding authentication to an app, manually add the [`Microsoft.Authentication.WebAssembly.Msal`](https://www.nuget.org/packages/Microsoft.Authentication.WebAssembly.Msal) package to the app. 
@@ -498,13 +498,13 @@ Example App ID URI of `urn://custom-app-id-uri` and a scope name of `API.Access` ## Additional resources -* [Configure an app's publisher domain](/entra/identity-platform/develop/howto-configure-publisher-domain) -* [Microsoft Entra ID app manifest: identifierUris attribute](/entra/identity-platform/develop/reference-app-manifest#identifieruris-attribute) +* [Configure an app's publisher domain](/entra/identity-platform/howto-configure-publisher-domain) +* [Microsoft Entra ID app manifest: identifierUris attribute](/entra/identity-platform/reference-app-manifest#identifieruris-attribute) * * [Build a custom version of the Authentication.MSAL JavaScript library](xref:blazor/security/webassembly/additional-scenarios#build-a-custom-version-of-the-authenticationmsal-javascript-library) * [Unauthenticated or unauthorized web API requests in an app with a secure default client](xref:blazor/security/webassembly/additional-scenarios#unauthenticated-or-unauthorized-web-api-requests-in-an-app-with-a-secure-default-client) * * -* [Microsoft identity platform documentation](/entra/identity-platform/develop/) -* [Quickstart: Register an application with the Microsoft identity platform](/entra/identity-platform/develop/quickstart-register-app) -* [Security best practices for application properties in Microsoft Entra ID](/entra/identity-platform/develop/security-best-practices-for-app-registration) +* [Microsoft identity platform documentation](/entra/identity-platform/) +* [Quickstart: Register an application with the Microsoft identity platform](/entra/identity-platform/quickstart-register-app) +* [Security best practices for application properties in Microsoft Entra ID](/entra/identity-platform/security-best-practices-for-app-registration) diff --git a/aspnetcore/blazor/security/webassembly/index.md b/aspnetcore/blazor/security/webassembly/index.md index 3d1c91061be1..e103c1a5a73f 100644 --- a/aspnetcore/blazor/security/webassembly/index.md 
+++ b/aspnetcore/blazor/security/webassembly/index.md 
@@ -24,9 +24,9 @@ To protect .NET/C# code and use [ASP.NET Core Data Protection](xref:security/dat ## Authentication library -Blazor WebAssembly supports authenticating and authorizing apps using OIDC via the [`Microsoft.AspNetCore.Components.WebAssembly.Authentication`](https://www.nuget.org/packages/Microsoft.AspNetCore.Components.WebAssembly.Authentication) library using the [Microsoft Identity Platform](/entra/identity-platform/develop/). The library provides a set of primitives for seamlessly authenticating against ASP.NET Core backends. The library can authenticate against any third-party Identity Provider (IP) that supports OIDC, which are called OpenID Providers (OP). +Blazor WebAssembly supports authenticating and authorizing apps using OIDC via the [`Microsoft.AspNetCore.Components.WebAssembly.Authentication`](https://www.nuget.org/packages/Microsoft.AspNetCore.Components.WebAssembly.Authentication) library using the [Microsoft Identity Platform](/entra/identity-platform/). The library provides a set of primitives for seamlessly authenticating against ASP.NET Core backends. The library can authenticate against any third-party Identity Provider (IP) that supports OIDC, which are called OpenID Providers (OP). -The authentication support in the Blazor WebAssembly Library (`Authentication.js`) is built on top of the [Microsoft Authentication Library (MSAL, `msal.js`)](/entra/identity-platform/develop/msal-overview), which is used to handle the underlying authentication protocol details. The Blazor WebAssembly Library only supports the Proof Key for Code Exchange (PKCE) authorization code flow. Implicit grant isn't supported. +The authentication support in the Blazor WebAssembly Library (`Authentication.js`) is built on top of the [Microsoft Authentication Library (MSAL, `msal.js`)](/entra/identity-platform/msal-overview), which is used to handle the underlying authentication protocol details. 
The Blazor WebAssembly Library only supports the Proof Key for Code Exchange (PKCE) authorization code flow. Implicit grant isn't supported. Other options for authenticating SPAs exist, such as the use of SameSite cookies. However, the engineering design of Blazor WebAssembly uses OAuth and OIDC as the best option for authentication in Blazor WebAssembly apps. [Token-based authentication](xref:security/anti-request-forgery#token-based-authentication) based on [JSON Web Tokens (JWTs)](https://datatracker.ietf.org/doc/html/rfc7519) was chosen over [cookie-based authentication](xref:security/anti-request-forgery#cookie-based-authentication) for functional and security reasons: @@ -196,7 +196,7 @@ For hosted Blazor WebAssembly solutions, refresh tokens can be maintained and us For more information, see the following resources: -* [Microsoft identity platform refresh tokens: Refresh token lifetime](/entra/identity-platform/develop/refresh-tokens#refresh-token-lifetime) +* [Microsoft identity platform refresh tokens: Refresh token lifetime](/entra/identity-platform/refresh-tokens#refresh-token-lifetime) * [OAuth 2.0 for Browser-Based Apps (IETF specification)](https://datatracker.ietf.org/doc/html/draft-ietf-oauth-browser-based-apps-11#section-4) ## Establish claims for users 
@@ -323,21 +323,21 @@ Further configuration guidance is found in the following articles: ## Use the Authorization Code flow with PKCE -Microsoft identity platform's [Microsoft Authentication Library for JavaScript (MSAL)](/entra/identity-platform/develop/msal-overview) v2.0 or later provides support for the [Authorization Code flow](/entra/identity-platform/develop/v2-oauth2-auth-code-flow) with [Proof Key for Code Exchange (PKCE)](https://oauth.net/2/pkce/) and [Cross-Origin Resource Sharing (CORS)](xref:security/cors) for single-page applications, including Blazor. +Microsoft identity platform's [Microsoft Authentication Library for JavaScript (MSAL)](/entra/identity-platform/msal-overview) v2.0 or later provides support for the [Authorization Code flow](/entra/identity-platform/v2-oauth2-auth-code-flow) with [Proof Key for Code Exchange (PKCE)](https://oauth.net/2/pkce/) and [Cross-Origin Resource Sharing (CORS)](xref:security/cors) for single-page applications, including Blazor. **Microsoft doesn't recommend using Implicit grant.** For more information, see the following resources: -* [Authentication flow support in MSAL: Implicit grant](/entra/identity-platform/develop/msal-authentication-flows#implicit-grant) -* [Microsoft identity platform and implicit grant flow: Prefer the auth code flow](/entra/identity-platform/develop/v2-oauth2-implicit-grant-flow#prefer-the-auth-code-flow) -* [Microsoft identity platform and OAuth 2.0 authorization code flow](/entra/identity-platform/develop/v2-oauth2-auth-code-flow) +* [Authentication flow support in MSAL: Implicit grant](/entra/identity-platform/msal-authentication-flows#implicit-grant) +* [Microsoft identity platform and implicit grant flow: Prefer the auth code flow](/entra/identity-platform/v2-oauth2-implicit-grant-flow#prefer-the-auth-code-flow) +* [Microsoft identity platform and OAuth 2.0 authorization code flow](/entra/identity-platform/v2-oauth2-auth-code-flow) ## Additional resources * Microsoft identity 
platform documentation - * [General documentation](/entra/identity-platform/develop/) - * [Access tokens](/entra/identity-platform/develop/access-tokens) + * [General documentation](/entra/identity-platform/) + * [Access tokens](/entra/identity-platform/access-tokens) * * Using Forwarded Headers Middleware to preserve HTTPS scheme information across proxy servers and internal networks. * Additional scenarios and use cases, including manual scheme configuration, request path changes for correct request routing, and forwarding the request scheme for Linux and non-IIS reverse proxies. diff --git a/aspnetcore/blazor/security/webassembly/microsoft-entra-id-groups-and-roles.md b/aspnetcore/blazor/security/webassembly/microsoft-entra-id-groups-and-roles.md index 339a931e03c0..ec8917a38f97 100644 --- a/aspnetcore/blazor/security/webassembly/microsoft-entra-id-groups-and-roles.md +++ b/aspnetcore/blazor/security/webassembly/microsoft-entra-id-groups-and-roles.md 
@@ -92,7 +92,7 @@ For more information, see the [Microsoft Graph permissions reference](/graph/per ## Group Membership Claims attribute -In the app's manifest in the Azure portal for **CLIENT** and **SERVER** apps, set the [`groupMembershipClaims` attribute](/entra/identity-platform/develop/reference-app-manifest#groupmembershipclaims-attribute) to `All`. A value of `All` results in ME-ID sending all of the security groups, distribution groups, and roles of the signed-in user in the [well-known IDs claim (`wids`)](/entra/identity-platform/develop/access-tokens#payload-claims): +In the app's manifest in the Azure portal for **CLIENT** and **SERVER** apps, set the [`groupMembershipClaims` attribute](/entra/identity-platform/reference-app-manifest#groupmembershipclaims-attribute) to `All`. A value of `All` results in ME-ID sending all of the security groups, distribution groups, and roles of the signed-in user in the [well-known IDs claim (`wids`)](/entra/identity-platform/access-tokens#payload-claims): 1. Open the app's Azure portal registration. 1. Select **Manage** > **Manifest** in the sidebar. @@ -112,8 +112,8 @@ The examples in this article: In the **CLIENT** app, extend to include properties for: * `Roles`: ME-ID App Roles array (covered in the [App Roles](#app-roles) section) -* `Wids`: ME-ID Administrator Roles in [well-known IDs claim (`wids`)](/entra/identity-platform/develop/access-tokens#payload-claims) -* `Oid`: Immutable [object identifier claim (`oid`)](/entra/identity-platform/develop/id-tokens#payload-claims) (uniquely identifies a user within and across tenants) +* `Wids`: ME-ID Administrator Roles in [well-known IDs claim (`wids`)](/entra/identity-platform/access-tokens#payload-claims) +* `Oid`: Immutable [object identifier claim (`oid`)](/entra/identity-platform/id-tokens#payload-claims) (uniquely identifies a user within and across tenants) `CustomUserAccount.cs`: 
@@ -515,7 +515,7 @@ For more information, see . ## App Roles -To configure the app in the Azure portal to provide App Roles membership claims, see [How to: Add app roles in your application and receive them in the token](/entra/identity-platform/develop/howto-add-app-roles-in-azure-ad-apps) in the Azure documentation. +To configure the app in the Azure portal to provide App Roles membership claims, see [How to: Add app roles in your application and receive them in the token](/entra/identity-platform/howto-add-app-roles-in-azure-ad-apps) in the Azure documentation. The following example assumes that the **CLIENT** and **SERVER** apps are configured with two roles, and the roles are assigned to a test user: 
@@ -538,7 +538,7 @@ The following example assumes that the **CLIENT** and **SERVER** apps are config Although you can't assign roles to groups without an Microsoft Entra ID Premium account, you can assign roles to users and receive a `role` claim for users with a standard Azure account. The guidance in this section doesn't require an ME-ID Premium account. -If you have a Premium tier Azure account, **Manage** > **App roles** appears in the Azure portal app registration sidebar. Follow the guidance in [How to: Add app roles in your application and receive them in the token](/entra/identity-platform/develop/howto-add-app-roles-in-azure-ad-apps) to configure the app's roles. +If you have a Premium tier Azure account, **Manage** > **App roles** appears in the Azure portal app registration sidebar. Follow the guidance in [How to: Add app roles in your application and receive them in the token](/entra/identity-platform/howto-add-app-roles-in-azure-ad-apps) to configure the app's roles. If you don't have a Premium tier Azure account, edit the app's manifest in the Azure portal. Follow the guidance in [Application roles: Implementation](/azure/architecture/guide/multitenant/considerations/identity#implementation) to establish the app's roles manually in the `appRoles` entry of the manifest file. Save the changes to the file. 
@@ -777,8 +777,8 @@ Pascal case is typically used for role names (for example, `BillingAdministrator ## Additional resources * [Role template IDs (Azure documentation)](/entra/identity-platform/roles/permissions-reference#role-template-ids) -* [`groupMembershipClaims` attribute (Azure documentation)](/entra/identity-platform/develop/reference-app-manifest#groupmembershipclaims-attribute) -* [How to: Add app roles in your application and receive them in the token (Azure documentation)](/entra/identity-platform/develop/howto-add-app-roles-in-azure-ad-apps) +* [`groupMembershipClaims` attribute (Azure documentation)](/entra/identity-platform/reference-app-manifest#groupmembershipclaims-attribute) +* [How to: Add app roles in your application and receive them in the token (Azure documentation)](/entra/identity-platform/howto-add-app-roles-in-azure-ad-apps) * [Application roles (Azure documentation)](/azure/architecture/guide/multitenant/considerations/identity) * * diff --git a/aspnetcore/blazor/security/webassembly/standalone-with-authentication-library.md b/aspnetcore/blazor/security/webassembly/standalone-with-authentication-library.md index da1bdaf33a13..73a8acc3feca 100644 --- a/aspnetcore/blazor/security/webassembly/standalone-with-authentication-library.md +++ b/aspnetcore/blazor/security/webassembly/standalone-with-authentication-library.md 
@@ -14,7 +14,7 @@ uid: blazor/security/webassembly/standalone-with-authentication-library This article explains how to secure an ASP.NET Core Blazor WebAssembly standalone app with the Blazor WebAssembly Authentication library. -The Blazor WebAssembly Authentication library (`Authentication.js`) only supports the Proof Key for Code Exchange (PKCE) authorization code flow via the [Microsoft Authentication Library (MSAL, `msal.js`)](/entra/identity-platform/develop/msal-overview). To implement other grant flows, access the MSAL guidance to implement MSAL directly, but we don't support or recommend the use of grant flows other than PKCE for Blazor apps. +The Blazor WebAssembly Authentication library (`Authentication.js`) only supports the Proof Key for Code Exchange (PKCE) authorization code flow via the [Microsoft Authentication Library (MSAL, `msal.js`)](/entra/identity-platform/msal-overview). To implement other grant flows, access the MSAL guidance to implement MSAL directly, but we don't support or recommend the use of grant flows other than PKCE for Blazor apps. *For Microsoft Entra (ME-ID) and Azure Active Directory B2C (AAD B2C) guidance, don't follow the guidance in this topic. See or .* diff --git a/aspnetcore/blazor/security/webassembly/standalone-with-azure-active-directory-b2c.md b/aspnetcore/blazor/security/webassembly/standalone-with-azure-active-directory-b2c.md index 7a3fdc313058..ada39eb22b91 100644 --- a/aspnetcore/blazor/security/webassembly/standalone-with-azure-active-directory-b2c.md +++ b/aspnetcore/blazor/security/webassembly/standalone-with-azure-active-directory-b2c.md 
@@ -39,11 +39,11 @@ Register an AAD B2C app: 1. Provide a **Name** for the app (for example, **Blazor Standalone AAD B2C**). 1. For **Supported account types**, select the multi-tenant option: **Accounts in any organizational directory or any identity provider. For authenticating users with Azure AD B2C.** 1. Set the **Redirect URI** dropdown list to **Single-page application (SPA)** and provide the following redirect URI: `https://localhost/authentication/login-callback`. If you know the production redirect URI for the Azure default host (for example, `azurewebsites.net`) or the custom domain host (for example, `contoso.com`), you can also add the production redirect URI at the same time that you're providing the `localhost` redirect URI. Be sure to include the port number for non-`:443` ports in any production redirect URIs that you add. -1. If you're using an [unverified publisher domain](/entra/identity-platform/develop/howto-configure-publisher-domain), confirm that **Permissions** > **Grant admin consent to openid and offline_access permissions** is selected. If the publisher domain is verified, this checkbox isn't present. +1. If you're using an [unverified publisher domain](/entra/identity-platform/howto-configure-publisher-domain), confirm that **Permissions** > **Grant admin consent to openid and offline_access permissions** is selected. If the publisher domain is verified, this checkbox isn't present. 1. Select **Register**. > [!NOTE] -> Supplying the port number for a `localhost` AAD B2C redirect URI isn't required. For more information, see [Redirect URI (reply URL) restrictions and limitations: Localhost exceptions (Azure documentation)](/entra/identity-platform/develop/reply-url#localhost-exceptions). +> Supplying the port number for a `localhost` AAD B2C redirect URI isn't required. 
For more information, see [Redirect URI (reply URL) restrictions and limitations: Localhost exceptions (Azure documentation)](/entra/identity-platform/reply-url#localhost-exceptions). Record the following information: @@ -91,7 +91,7 @@ After creating the app, you should be able to: * Log into the app using an Microsoft Entra ID user account. * Request access tokens for Microsoft APIs. For more information, see: * [Access token scopes](#access-token-scopes) - * [Quickstart: Configure an application to expose web APIs](/entra/identity-platform/develop/quickstart-configure-app-expose-web-apis). + * [Quickstart: Configure an application to expose web APIs](/entra/identity-platform/quickstart-configure-app-expose-web-apis). ### Run the app @@ -109,7 +109,7 @@ This section describes the parts of an app generated from the Blazor WebAssembly ### Authentication package -When an app is created to use an Individual B2C Account (`IndividualB2C`), the app automatically receives a package reference for the [Microsoft Authentication Library](/entra/identity-platform/develop/msal-overview) ([`Microsoft.Authentication.WebAssembly.Msal`](https://www.nuget.org/packages/Microsoft.Authentication.WebAssembly.Msal)). The package provides a set of primitives that help the app authenticate users and obtain tokens to call protected APIs. +When an app is created to use an Individual B2C Account (`IndividualB2C`), the app automatically receives a package reference for the [Microsoft Authentication Library](/entra/identity-platform/msal-overview) ([`Microsoft.Authentication.WebAssembly.Msal`](https://www.nuget.org/packages/Microsoft.Authentication.WebAssembly.Msal)). The package provides a set of primitives that help the app authenticate users and obtain tokens to call protected APIs. If adding authentication to an app, manually add the [`Microsoft.Authentication.WebAssembly.Msal`](https://www.nuget.org/packages/Microsoft.Authentication.WebAssembly.Msal) package to the app. 
@@ -225,4 +225,4 @@ For more information, see the following sections of the *Additional scenarios* a * * [Tutorial: Create an Azure Active Directory B2C tenant](/entra/identity-platform-b2c/tutorial-create-tenant) * [Tutorial: Register an application in Azure Active Directory B2C](/entra/identity-platform-b2c/tutorial-register-applications) -* [Microsoft identity platform documentation](/entra/identity-platform/develop/) +* [Microsoft identity platform documentation](/entra/identity-platform/) diff --git a/aspnetcore/blazor/security/webassembly/standalone-with-microsoft-accounts.md b/aspnetcore/blazor/security/webassembly/standalone-with-microsoft-accounts.md index 9b88e720d06f..90a68b0e20ab 100644 --- a/aspnetcore/blazor/security/webassembly/standalone-with-microsoft-accounts.md +++ b/aspnetcore/blazor/security/webassembly/standalone-with-microsoft-accounts.md @@ -12,7 +12,7 @@ uid: blazor/security/webassembly/standalone-with-microsoft-accounts [!INCLUDE[](~/includes/not-latest-version.md)] -This article explains how to create a [standalone Blazor WebAssembly app](xref:blazor/hosting-models#blazor-webassembly) that uses [Microsoft Accounts with Microsoft Entra (ME-ID)](/entra/identity-platform/develop/quickstart-register-app#register-a-new-application-using-the-azure-portal) for authentication. +This article explains how to create a [standalone Blazor WebAssembly app](xref:blazor/hosting-models#blazor-webassembly) that uses [Microsoft Accounts with Microsoft Entra (ME-ID)](/entra/identity-platform/quickstart-register-app#register-a-new-application-using-the-azure-portal) for authentication. For additional security scenario coverage after reading this article, see . 
@@ -27,7 +27,7 @@ The subsections of the walkthrough explain how to: ### Create a tenant in Azure -Follow the guidance in [Quickstart: Set up a tenant](/entra/identity-platform/develop/quickstart-create-new-tenant) to create a tenant in ME-ID. +Follow the guidance in [Quickstart: Set up a tenant](/entra/identity-platform/quickstart-create-new-tenant) to create a tenant in ME-ID. ### Register an app in Azure 
@@ -37,11 +37,11 @@ Register an ME-ID app: 1. Provide a **Name** for the app (for example, **Blazor Standalone ME-ID MS Accounts**). 1. In **Supported account types**, select **Accounts in any organizational directory (Any Microsoft Entra ID directory – Multitenant)**. 1. Set the **Redirect URI** dropdown list to **Single-page application (SPA)** and provide the following redirect URI: `https://localhost/authentication/login-callback`. If you know the production redirect URI for the Azure default host (for example, `azurewebsites.net`) or the custom domain host (for example, `contoso.com`), you can also add the production redirect URI at the same time that you're providing the `localhost` redirect URI. Be sure to include the port number for non-`:443` ports in any production redirect URIs that you add. -1. If you're using an [unverified publisher domain](/entra/identity-platform/develop/howto-configure-publisher-domain), clear the **Permissions** > **Grant admin consent to openid and offline_access permissions** checkbox. If the publisher domain is verified, this checkbox isn't present. +1. If you're using an [unverified publisher domain](/entra/identity-platform/howto-configure-publisher-domain), clear the **Permissions** > **Grant admin consent to openid and offline_access permissions** checkbox. If the publisher domain is verified, this checkbox isn't present. 1. Select **Register**. > [!NOTE] -> Supplying the port number for a `localhost` ME-ID redirect URI isn't required. For more information, see [Redirect URI (reply URL) restrictions and limitations: Localhost exceptions (Azure documentation)](/entra/identity-platform/develop/reply-url#localhost-exceptions). +> Supplying the port number for a `localhost` ME-ID redirect URI isn't required. For more information, see [Redirect URI (reply URL) restrictions and limitations: Localhost exceptions (Azure documentation)](/entra/identity-platform/reply-url#localhost-exceptions). 
Record the Application (client) ID (for example, `41451fa7-82d9-4673-8fa5-69eff5a761fd`). @@ -85,7 +85,7 @@ This section describes the parts of an app generated from the Blazor WebAssembly ### Authentication package -When an app is created to use Work or School Accounts (`SingleOrg`), the app automatically receives a package reference for the [Microsoft Authentication Library](/entra/identity-platform/develop/msal-overview) ([`Microsoft.Authentication.WebAssembly.Msal`](https://www.nuget.org/packages/Microsoft.Authentication.WebAssembly.Msal)). The package provides a set of primitives that help the app authenticate users and obtain tokens to call protected APIs. +When an app is created to use Work or School Accounts (`SingleOrg`), the app automatically receives a package reference for the [Microsoft Authentication Library](/entra/identity-platform/msal-overview) ([`Microsoft.Authentication.WebAssembly.Msal`](https://www.nuget.org/packages/Microsoft.Authentication.WebAssembly.Msal)). The package provides a set of primitives that help the app authenticate users and obtain tokens to call protected APIs. If adding authentication to an app, manually add the [`Microsoft.Authentication.WebAssembly.Msal`](https://www.nuget.org/packages/Microsoft.Authentication.WebAssembly.Msal) package to the app. @@ -156,7 +156,7 @@ For more information, see the following sections of the *Additional scenarios* a * [Request additional access tokens](xref:blazor/security/webassembly/additional-scenarios#request-additional-access-tokens) * [Attach tokens to outgoing requests](xref:blazor/security/webassembly/additional-scenarios#attach-tokens-to-outgoing-requests) -* [Quickstart: Configure an application to expose web APIs](/entra/identity-platform/develop/quickstart-configure-app-expose-web-apis) +* [Quickstart: Configure an application to expose web APIs](/entra/identity-platform/quickstart-configure-app-expose-web-apis) :::moniker range=">= aspnetcore-5.0" 
@@ -200,5 +200,5 @@ For more information, see the following sections of the *Additional scenarios* a * [Build a custom version of the Authentication.MSAL JavaScript library](xref:blazor/security/webassembly/additional-scenarios#build-a-custom-version-of-the-authenticationmsal-javascript-library) * [Unauthenticated or unauthorized web API requests in an app with a secure default client](xref:blazor/security/webassembly/additional-scenarios#unauthenticated-or-unauthorized-web-api-requests-in-an-app-with-a-secure-default-client) * -* [Quickstart: Register an application with the Microsoft identity platform](/entra/identity-platform/develop/quickstart-register-app#register-a-new-application-using-the-azure-portal) -* [Quickstart: Configure an application to expose web APIs](/entra/identity-platform/develop/quickstart-configure-app-expose-web-apis) +* [Quickstart: Register an application with the Microsoft identity platform](/entra/identity-platform/quickstart-register-app#register-a-new-application-using-the-azure-portal) +* [Quickstart: Configure an application to expose web APIs](/entra/identity-platform/quickstart-configure-app-expose-web-apis) diff --git a/aspnetcore/blazor/security/webassembly/standalone-with-microsoft-entra-id.md b/aspnetcore/blazor/security/webassembly/standalone-with-microsoft-entra-id.md index 3c4141be8ec9..096bd7468d15 100644 --- a/aspnetcore/blazor/security/webassembly/standalone-with-microsoft-entra-id.md +++ b/aspnetcore/blazor/security/webassembly/standalone-with-microsoft-entra-id.md @@ -27,7 +27,7 @@ The subsections of the walkthrough explain how to: ### Create a tenant in Azure -Follow the guidance in [Quickstart: Set up a tenant](/entra/identity-platform/develop/quickstart-create-new-tenant) to create a tenant in ME-ID. +Follow the guidance in [Quickstart: Set up a tenant](/entra/identity-platform/quickstart-create-new-tenant) to create a tenant in ME-ID. ### Register an app in Azure 
@@ -37,11 +37,11 @@ Register an ME-ID app: 1. Provide a **Name** for the app (for example, **Blazor Standalone ME-ID**). 1. Choose a **Supported account types**. You may select **Accounts in this organizational directory only** for this experience. 1. Set the **Redirect URI** dropdown list to **Single-page application (SPA)** and provide the following redirect URI: `https://localhost/authentication/login-callback`. If you know the production redirect URI for the Azure default host (for example, `azurewebsites.net`) or the custom domain host (for example, `contoso.com`), you can also add the production redirect URI at the same time that you're providing the `localhost` redirect URI. Be sure to include the port number for non-`:443` ports in any production redirect URIs that you add. -1. If you're using an [unverified publisher domain](/entra/identity-platform/develop/howto-configure-publisher-domain), clear the **Permissions** > **Grant admin consent to openid and offline_access permissions** checkbox. If the publisher domain is verified, this checkbox isn't present. +1. If you're using an [unverified publisher domain](/entra/identity-platform/howto-configure-publisher-domain), clear the **Permissions** > **Grant admin consent to openid and offline_access permissions** checkbox. If the publisher domain is verified, this checkbox isn't present. 1. Select **Register**. > [!NOTE] -> Supplying the port number for a `localhost` ME-ID redirect URI isn't required. For more information, see [Redirect URI (reply URL) restrictions and limitations: Localhost exceptions (Azure documentation)](/entra/identity-platform/develop/reply-url#localhost-exceptions). +> Supplying the port number for a `localhost` ME-ID redirect URI isn't required. For more information, see [Redirect URI (reply URL) restrictions and limitations: Localhost exceptions (Azure documentation)](/entra/identity-platform/reply-url#localhost-exceptions). Record the following information: 
@@ -89,7 +89,7 @@ This section describes the parts of an app generated from the Blazor WebAssembly ### Authentication package -When an app is created to use Work or School Accounts (`SingleOrg`), the app automatically receives a package reference for the [Microsoft Authentication Library](/entra/identity-platform/develop/msal-overview) ([`Microsoft.Authentication.WebAssembly.Msal`](https://www.nuget.org/packages/Microsoft.Authentication.WebAssembly.Msal)). The package provides a set of primitives that help the app authenticate users and obtain tokens to call protected APIs. +When an app is created to use Work or School Accounts (`SingleOrg`), the app automatically receives a package reference for the [Microsoft Authentication Library](/entra/identity-platform/msal-overview) ([`Microsoft.Authentication.WebAssembly.Msal`](https://www.nuget.org/packages/Microsoft.Authentication.WebAssembly.Msal)). The package provides a set of primitives that help the app authenticate users and obtain tokens to call protected APIs. If adding authentication to an app, manually add the [`Microsoft.Authentication.WebAssembly.Msal`](https://www.nuget.org/packages/Microsoft.Authentication.WebAssembly.Msal) package to the app. @@ -160,7 +160,7 @@ For more information, see the following resources: * [Request additional access tokens](xref:blazor/security/webassembly/additional-scenarios#request-additional-access-tokens) * [Attach tokens to outgoing requests](xref:blazor/security/webassembly/additional-scenarios#attach-tokens-to-outgoing-requests) -* [Quickstart: Configure an application to expose web APIs](/entra/identity-platform/develop/quickstart-configure-app-expose-web-apis) +* [Quickstart: Configure an application to expose web APIs](/entra/identity-platform/quickstart-configure-app-expose-web-apis) * [Access token scopes for Microsoft Graph API](xref:blazor/security/webassembly/graph-api) ### Login mode 
@@ -202,5 +202,5 @@ For more information, see the following resources: * [Unauthenticated or unauthorized web API requests in an app with a secure default client](xref:blazor/security/webassembly/additional-scenarios#unauthenticated-or-unauthorized-web-api-requests-in-an-app-with-a-secure-default-client) * * -* [Microsoft identity platform documentation](/entra/identity-platform/develop/) -* [Security best practices for application properties in Microsoft Entra ID](/entra/identity-platform/develop/security-best-practices-for-app-registration) +* [Microsoft identity platform documentation](/entra/identity-platform/) +* [Security best practices for application properties in Microsoft Entra ID](/entra/identity-platform/security-best-practices-for-app-registration) From acde8d88b5976c4b26f760556dc5e25d9580a90c Mon Sep 17 00:00:00 2001 From: guardrex <1622880+guardrex@users.noreply.github.com> Date: Tue, 30 Jan 2024 11:16:34 -0500 Subject: [PATCH 3/4] Updates --- aspnetcore/blazor/hybrid/security/index.md | 8 ++++---- .../includes/wasm-aad-b2c-custom-policies.md | 2 +- .../hosted-with-azure-active-directory-b2c.md | 12 ++++++------ .../webassembly/hosted-with-microsoft-entra-id.md | 4 ++-- .../standalone-with-azure-active-directory-b2c.md | 12 ++++++------ 5 files changed, 19 insertions(+), 19 deletions(-) diff --git a/aspnetcore/blazor/hybrid/security/index.md b/aspnetcore/blazor/hybrid/security/index.md index 803039beb28d..97b72aefcafb 100644 --- a/aspnetcore/blazor/hybrid/security/index.md +++ b/aspnetcore/blazor/hybrid/security/index.md 
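Review bot: the two bullets immediately before the "Microsoft identity platform documentation" entry appear as bare `*` with no text or target in this hunk's context lines; if that is how they read in the source file and not just how this view renders `<xref:>` entries, they are empty list items and should be filled in or removed while the list is being edited.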
@@ -53,8 +53,8 @@ WPF apps use the [Microsoft identity platform](/entra/identity-platform/) to int * [Add authentication to your Windows (WPF) app](/azure/developer/mobile-apps/azure-mobile-apps/quickstarts/wpf/authentication) * [Tutorial: Sign in users and call Microsoft Graph in Windows Presentation Foundation (WPF) desktop app](/entra/identity-platform/tutorial-v2-windows-desktop) * [Quickstart: Acquire a token and call Microsoft Graph API from a desktop application](/entra/identity-platform/desktop-app-quickstart?pivots=devlang-windows-desktop) -* [Quickstart: Set up sign in for a desktop app using Azure Active Directory B2C](/entra/identity-platform-b2c/quickstart-native-app-desktop) -* [Configure authentication in a sample WPF desktop app by using Azure AD B2C](/entra/identity-platform-b2c/configure-authentication-sample-wpf-desktop-app) +* [Quickstart: Set up sign in for a desktop app using Azure Active Directory B2C](/azure/active-directory-b2c/quickstart-native-app-desktop) +* [Configure authentication in a sample WPF desktop app by using Azure AD B2C](/azure/active-directory-b2c/configure-authentication-sample-wpf-desktop-app) :::zone-end 
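Review bot: the `-` lines here already carry `/entra/identity-platform-b2c/...`, which an earlier commit in this series introduced for `aspnetcore/blazor/hybrid/security/index.md` (it is in the PATCH 1/4 file list), and this commit rewrites them again to `/azure/active-directory-b2c/...`; squash the series or drop the intermediate change so the final diff shows each B2C link rewritten once, which makes it easier to verify that no B2C link was left on the wrong path.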
@@ -584,8 +584,8 @@ WPF apps use the [Microsoft identity platform](/entra/identity-platform/) to int * [Add authentication to your Windows (WPF) app](/azure/developer/mobile-apps/azure-mobile-apps/quickstarts/wpf/authentication) * [Tutorial: Sign in users and call Microsoft Graph in Windows Presentation Foundation (WPF) desktop app](/entra/identity-platform/tutorial-v2-windows-desktop) * [Quickstart: Acquire a token and call Microsoft Graph API from a desktop application](/entra/identity-platform/desktop-app-quickstart?pivots=devlang-windows-desktop) -* [Quickstart: Set up sign in for a desktop app using Azure Active Directory B2C](/entra/identity-platform-b2c/quickstart-native-app-desktop) -* [Configure authentication in a sample WPF desktop app by using Azure AD B2C](/entra/identity-platform-b2c/configure-authentication-sample-wpf-desktop-app) +* [Quickstart: Set up sign in for a desktop app using Azure Active Directory B2C](/azure/active-directory-b2c/quickstart-native-app-desktop) +* [Configure authentication in a sample WPF desktop app by using Azure AD B2C](/azure/active-directory-b2c/configure-authentication-sample-wpf-desktop-app) :::zone-end diff --git a/aspnetcore/blazor/security/includes/wasm-aad-b2c-custom-policies.md b/aspnetcore/blazor/security/includes/wasm-aad-b2c-custom-policies.md index d9b83860ec9f..f5988a5d08ac 100644 --- a/aspnetcore/blazor/security/includes/wasm-aad-b2c-custom-policies.md +++ b/aspnetcore/blazor/security/includes/wasm-aad-b2c-custom-policies.md @@ -1 +1 @@ -The Microsoft Authentication Library (, [NuGet package](https://www.nuget.org/packages/Microsoft.Authentication.WebAssembly.Msal/)) doesn't support [AAD B2C custom policies](/entra/identity-platform-b2c/user-flow-overview) by default. +The Microsoft Authentication Library (, [NuGet package](https://www.nuget.org/packages/Microsoft.Authentication.WebAssembly.Msal/)) doesn't support [AAD B2C custom policies](/azure/active-directory-b2c/user-flow-overview) by default. 
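Review bot: the `@@ -53` and `@@ -584` hunks in `hybrid/security/index.md` change an identical WPF resource list in two zones, and PATCH 4/4 has to touch both copies again; moving the list into an include file (the same pattern this PR uses for `~/blazor/security/includes/authorize-client-app.md`) would stop the two copies drifting. In the `wasm-aad-b2c-custom-policies.md` hunk, the sentence opens "The Microsoft Authentication Library (, [NuGet package]..." on both the `-` and `+` lines; if the comma is not preceded by an `<xref:>` that this view drops, the parenthetical is missing its first element and should be fixed while the line is being touched.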
diff --git a/aspnetcore/blazor/security/webassembly/hosted-with-azure-active-directory-b2c.md b/aspnetcore/blazor/security/webassembly/hosted-with-azure-active-directory-b2c.md index 7d671e4405f7..b7b7b9410119 100644 --- a/aspnetcore/blazor/security/webassembly/hosted-with-azure-active-directory-b2c.md +++ b/aspnetcore/blazor/security/webassembly/hosted-with-azure-active-directory-b2c.md @@ -10,7 +10,7 @@ uid: blazor/security/webassembly/hosted-with-azure-active-directory-b2c --- # Secure a hosted ASP.NET Core Blazor WebAssembly app with Azure Active Directory B2C -This article explains how to create a [hosted Blazor WebAssembly solution](xref:blazor/hosting-models#blazor-webassembly) that uses [Azure Active Directory (AAD) B2C](/entra/identity-platform-b2c/overview) for authentication. +This article explains how to create a [hosted Blazor WebAssembly solution](xref:blazor/hosting-models#blazor-webassembly) that uses [Azure Active Directory (AAD) B2C](/azure/active-directory-b2c/overview) for authentication. For additional security scenario coverage after reading this article, see . @@ -27,9 +27,9 @@ The subsections of the walkthrough explain how to: ### Create a tenant in Azure -Follow the guidance in [Tutorial: Create an Azure Active Directory B2C tenant](/entra/identity-platform-b2c/tutorial-create-tenant) to create an AAD B2C tenant. +Follow the guidance in [Tutorial: Create an Azure Active Directory B2C tenant](/azure/active-directory-b2c/tutorial-create-tenant) to create an AAD B2C tenant. -Before proceeding with this article's guidance, confirm that you've [selected the correct directory for the AAD B2C tenant](/entra/identity-platform-b2c/tutorial-create-tenant#select-your-b2c-tenant-directory). +Before proceeding with this article's guidance, confirm that you've [selected the correct directory for the AAD B2C tenant](/azure/active-directory-b2c/tutorial-create-tenant#select-your-b2c-tenant-directory). ### Register a server API app in Azure 
@@ -97,7 +97,7 @@ In **API permissions** from the sidebar: [!INCLUDE[](~/blazor/security/includes/authorize-client-app.md)] -Return to **Azure AD B2C** in the Azure portal. Select **User flows** and use the following guidance: [Create a sign-up and sign-in user flow](/entra/identity-platform-b2c/tutorial-create-user-flows). At a minimum, select **Application claims** for the sign-up/sign-in user flow and then the **Display Name** user attribute checkbox to populate the `context.User.Identity?.Name`/`context.User.Identity.Name` in the `LoginDisplay` component (`Shared/LoginDisplay.razor`). +Return to **Azure AD B2C** in the Azure portal. Select **User flows** and use the following guidance: [Create a sign-up and sign-in user flow](/azure/active-directory-b2c/tutorial-create-user-flows). At a minimum, select **Application claims** for the sign-up/sign-in user flow and then the **Display Name** user attribute checkbox to populate the `context.User.Identity?.Name`/`context.User.Identity.Name` in the `LoginDisplay` component (`Shared/LoginDisplay.razor`). Record the sign-up and sign-in user flow name created for the app (for example, `B2C_1_signupsignin1`). 
@@ -434,6 +434,6 @@ Due to changes in the framework across releases of ASP.NET Core, Razor markup fo * [Build a custom version of the Authentication.MSAL JavaScript library](xref:blazor/security/webassembly/additional-scenarios#build-a-custom-version-of-the-authenticationmsal-javascript-library) * [Unauthenticated or unauthorized web API requests in an app with a secure default client](xref:blazor/security/webassembly/additional-scenarios#unauthenticated-or-unauthorized-web-api-requests-in-an-app-with-a-secure-default-client) * -* [Tutorial: Create an Azure Active Directory B2C tenant](/entra/identity-platform-b2c/tutorial-create-tenant) -* [Tutorial: Register an application in Azure Active Directory B2C](/entra/identity-platform-b2c/tutorial-register-applications) +* [Tutorial: Create an Azure Active Directory B2C tenant](/azure/active-directory-b2c/tutorial-create-tenant) +* [Tutorial: Register an application in Azure Active Directory B2C](/azure/active-directory-b2c/tutorial-register-applications) * [Microsoft identity platform documentation](/entra/identity-platform/) diff --git a/aspnetcore/blazor/security/webassembly/hosted-with-microsoft-entra-id.md b/aspnetcore/blazor/security/webassembly/hosted-with-microsoft-entra-id.md index 1831d1d321a1..b467e3445c35 100644 --- a/aspnetcore/blazor/security/webassembly/hosted-with-microsoft-entra-id.md +++ b/aspnetcore/blazor/security/webassembly/hosted-with-microsoft-entra-id.md 
@@ -18,7 +18,7 @@ This article doesn't cover a *multi-tenant ME-ID registration*. For more informa match the rest of the MS Entra ID branding? ANSWER: YES! It will be "Microsoft Entra tenant" now. --> -This article focuses on the use of a **Microsoft Entra** tenant, as described in [Quickstart: Set up a tenant](/entra/identity-platform/quickstart-create-new-tenant). If the app is registered in an **Azure Active Directory B2C** tenant, as described in [Tutorial: Create an Azure Active Directory B2C tenant](/entra/identity-platform-b2c/tutorial-create-tenant) but follows the guidance in this article, the App ID URI is managed differently by ME-ID. For more information, see the [Use of an Azure Active Directory B2C tenant](#use-of-an-azure-active-directory-b2c-tenant) section of this article. +This article focuses on the use of a **Microsoft Entra** tenant, as described in [Quickstart: Set up a tenant](/entra/identity-platform/quickstart-create-new-tenant). If the app is registered in an **Azure Active Directory B2C** tenant, as described in [Tutorial: Create an Azure Active Directory B2C tenant](/azure/active-directory-b2c/tutorial-create-tenant) but follows the guidance in this article, the App ID URI is managed differently by ME-ID. For more information, see the [Use of an Azure Active Directory B2C tenant](#use-of-an-azure-active-directory-b2c-tenant) section of this article. For additional security scenario coverage after reading this article, see . 
@@ -434,7 +434,7 @@ Due to changes in the framework across releases of ASP.NET Core, Razor markup fo ## Use of an Azure Active Directory B2C tenant -If the app is registered in an **Azure Active Directory B2C** tenant, as described in [Tutorial: Create an Azure Active Directory B2C tenant](/entra/identity-platform-b2c/tutorial-create-tenant) but follows the guidance in this article, the App ID URI is managed differently by ME-ID. +If the app is registered in an **Azure Active Directory B2C** tenant, as described in [Tutorial: Create an Azure Active Directory B2C tenant](/azure/active-directory-b2c/tutorial-create-tenant) but follows the guidance in this article, the App ID URI is managed differently by ME-ID. You can check the tenant type of an existing tenant by selecting the **Manage tenants** link at the top of the ME-ID organization **Overview**. Examine the **Tenant type** column value for the organization. This section pertains to apps that follow the guidance in this article but that are registered in an **Azure Active Directory B2C** tenant. diff --git a/aspnetcore/blazor/security/webassembly/standalone-with-azure-active-directory-b2c.md b/aspnetcore/blazor/security/webassembly/standalone-with-azure-active-directory-b2c.md index ada39eb22b91..4e6d5e30eaab 100644 --- a/aspnetcore/blazor/security/webassembly/standalone-with-azure-active-directory-b2c.md +++ b/aspnetcore/blazor/security/webassembly/standalone-with-azure-active-directory-b2c.md 
@@ -12,7 +12,7 @@ uid: blazor/security/webassembly/standalone-with-azure-active-directory-b2c [!INCLUDE[](~/includes/not-latest-version.md)] -This article explains how to create a [standalone Blazor WebAssembly app](xref:blazor/hosting-models#blazor-webassembly) that uses [Azure Active Directory (AAD) B2C](/entra/identity-platform-b2c/overview) for authentication. +This article explains how to create a [standalone Blazor WebAssembly app](xref:blazor/hosting-models#blazor-webassembly) that uses [Azure Active Directory (AAD) B2C](/azure/active-directory-b2c/overview) for authentication. For additional security scenario coverage after reading this article, see . @@ -27,9 +27,9 @@ The subsections of the walkthrough explain how to: ### Create a tenant in Azure -Follow the guidance in [Tutorial: Create an Azure Active Directory B2C tenant](/entra/identity-platform-b2c/tutorial-create-tenant) to create an AAD B2C tenant. +Follow the guidance in [Tutorial: Create an Azure Active Directory B2C tenant](/azure/active-directory-b2c/tutorial-create-tenant) to create an AAD B2C tenant. -Before proceeding with this article's guidance, confirm that you've [selected the correct directory for the AAD B2C tenant](/entra/identity-platform-b2c/tutorial-create-tenant#select-your-b2c-tenant-directory). +Before proceeding with this article's guidance, confirm that you've [selected the correct directory for the AAD B2C tenant](/azure/active-directory-b2c/tutorial-create-tenant#select-your-b2c-tenant-directory). ### Register an app in Azure 
@@ -60,7 +60,7 @@ In **Authentication** > **Platform configurations** > **Single-page application* In **Home** > **Azure AD B2C** > **User flows**: -[Create a sign-up and sign-in user flow](/entra/identity-platform-b2c/tutorial-create-user-flows) +[Create a sign-up and sign-in user flow](/azure/active-directory-b2c/tutorial-create-user-flows) At a minimum, select the **Application claims** > **Display Name** user attribute to populate the `context.User.Identity?.Name`/`context.User.Identity.Name` in the `LoginDisplay` component (`Shared/LoginDisplay.razor`). @@ -223,6 +223,6 @@ For more information, see the following sections of the *Additional scenarios* a * [Build a custom version of the Authentication.MSAL JavaScript library](xref:blazor/security/webassembly/additional-scenarios#build-a-custom-version-of-the-authenticationmsal-javascript-library) * [Unauthenticated or unauthorized web API requests in an app with a secure default client](xref:blazor/security/webassembly/additional-scenarios#unauthenticated-or-unauthorized-web-api-requests-in-an-app-with-a-secure-default-client) * -* [Tutorial: Create an Azure Active Directory B2C tenant](/entra/identity-platform-b2c/tutorial-create-tenant) -* [Tutorial: Register an application in Azure Active Directory B2C](/entra/identity-platform-b2c/tutorial-register-applications) +* [Tutorial: Create an Azure Active Directory B2C tenant](/azure/active-directory-b2c/tutorial-create-tenant) +* [Tutorial: Register an application in Azure Active Directory B2C](/azure/active-directory-b2c/tutorial-register-applications) * [Microsoft identity platform documentation](/entra/identity-platform/) From 3b2ee979a08a6cd21b4c619e939e177fb818fd42 Mon Sep 17 00:00:00 2001 
From: guardrex <1622880+guardrex@users.noreply.github.com> Date: Tue, 30 Jan 2024 11:41:52 -0500 Subject: [PATCH 4/4] Updates --- aspnetcore/blazor/hybrid/security/index.md | 4 ++-- aspnetcore/blazor/security/index.md | 4 ++-- .../security/server/additional-scenarios.md | 4 +--- .../security/webassembly/additional-scenarios.md | 2 +- .../hosted-with-azure-active-directory-b2c.md | 2 +- .../hosted-with-microsoft-entra-id.md | 2 +- .../microsoft-entra-id-groups-and-roles.md | 16 ++++++++-------- ...standalone-with-azure-active-directory-b2c.md | 2 +- .../standalone-with-microsoft-accounts.md | 2 +- .../standalone-with-microsoft-entra-id.md | 2 +- 10 files changed, 19 insertions(+), 21 deletions(-) diff --git a/aspnetcore/blazor/hybrid/security/index.md b/aspnetcore/blazor/hybrid/security/index.md index 97b72aefcafb..42f17a1953e0 100644 --- a/aspnetcore/blazor/hybrid/security/index.md +++ b/aspnetcore/blazor/hybrid/security/index.md 
@@ -52,7 +52,7 @@ WPF apps use the [Microsoft identity platform](/entra/identity-platform/) to int * [Overview of the Microsoft Authentication Library (MSAL)](/entra/identity-platform/msal-overview) * [Add authentication to your Windows (WPF) app](/azure/developer/mobile-apps/azure-mobile-apps/quickstarts/wpf/authentication) * [Tutorial: Sign in users and call Microsoft Graph in Windows Presentation Foundation (WPF) desktop app](/entra/identity-platform/tutorial-v2-windows-desktop) -* [Quickstart: Acquire a token and call Microsoft Graph API from a desktop application](/entra/identity-platform/desktop-app-quickstart?pivots=devlang-windows-desktop) +* [Quickstart: Acquire a token and call Microsoft Graph API from a desktop application](/entra/identity-platform/index-desktop) * [Quickstart: Set up sign in for a desktop app using Azure Active Directory B2C](/azure/active-directory-b2c/quickstart-native-app-desktop) * [Configure authentication in a sample WPF desktop app by using Azure AD B2C](/azure/active-directory-b2c/configure-authentication-sample-wpf-desktop-app) 
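Review bot: the link text still reads "Quickstart: Acquire a token and call Microsoft Graph API from a desktop application" while the new target is `/entra/identity-platform/index-desktop`, whose slug suggests a desktop hub or index page rather than that quickstart; either update the label to match the destination page's title or point at the specific quickstart page that replaced the retired `desktop-app-quickstart?pivots=devlang-windows-desktop` target. The same applies to the identical change in the `@@ -583` hunk of this file.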
@@ -583,7 +583,7 @@ WPF apps use the [Microsoft identity platform](/entra/identity-platform/) to int * [Overview of the Microsoft Authentication Library (MSAL)](/entra/identity-platform/msal-overview) * [Add authentication to your Windows (WPF) app](/azure/developer/mobile-apps/azure-mobile-apps/quickstarts/wpf/authentication) * [Tutorial: Sign in users and call Microsoft Graph in Windows Presentation Foundation (WPF) desktop app](/entra/identity-platform/tutorial-v2-windows-desktop) -* [Quickstart: Acquire a token and call Microsoft Graph API from a desktop application](/entra/identity-platform/desktop-app-quickstart?pivots=devlang-windows-desktop) +* [Quickstart: Acquire a token and call Microsoft Graph API from a desktop application](/entra/identity-platform/index-desktop) * [Quickstart: Set up sign in for a desktop app using Azure Active Directory B2C](/azure/active-directory-b2c/quickstart-native-app-desktop) * [Configure authentication in a sample WPF desktop app by using Azure AD B2C](/azure/active-directory-b2c/configure-authentication-sample-wpf-desktop-app) diff --git a/aspnetcore/blazor/security/index.md b/aspnetcore/blazor/security/index.md index db4b0470f89b..bd940eb47dfd 100644 --- a/aspnetcore/blazor/security/index.md +++ b/aspnetcore/blazor/security/index.md @@ -864,7 +864,7 @@ The property setting in : ```csharp @@ -515,8 +515,6 @@ If tacking on a segment to the authority isn't appropriate for the app's OIDC pr } ``` - For more information, see [Scopes, not resources](/entra/identity-platform/azuread-dev/azure-ad-endpoint-comparison#scopes-not-resources) in the Azure documentation. - ### App ID URI * When using v2.0 endpoints, APIs define an *`App ID URI`*, which is meant to represent a unique identifier for the API. diff --git a/aspnetcore/blazor/security/webassembly/additional-scenarios.md b/aspnetcore/blazor/security/webassembly/additional-scenarios.md index 6c1f330a5519..a0f7faf8bb2b 100644 
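Review bot: the `server/additional-scenarios.md` hunk at `@@ -515` removes the "Scopes, not resources" reference outright, so the paragraph before `### App ID URI` no longer points readers to why v2.0 endpoints take scope values instead of resource identifiers; since the v1/v2 comparison page is retired (the `webassembly/additional-scenarios.md` hunk in this same commit says so), replace the line with a current reference rather than deleting it, the way the ID token claims sentence was rewritten in that hunk. Separately, the `security/index.md` hunk at `@@ -864,7 +864,7 @@` shows only the header and an opening ```csharp fence in this view, so it cannot be reviewed as presented; please confirm the hunk is complete in the actual patch.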
--- a/aspnetcore/blazor/security/webassembly/additional-scenarios.md +++ b/aspnetcore/blazor/security/webassembly/additional-scenarios.md @@ -1456,7 +1456,7 @@ Alternatively, the setting can be made in the app settings (`appsettings.json`) If tacking on a segment to the authority isn't appropriate for the app's OIDC provider, such as with non-ME-ID providers, set the property directly. Either set the property in or in the app settings file (`appsettings.json`) with the `Authority` key. -The list of claims in the ID token changes for v2.0 endpoints. For more information, see [Why update to Microsoft identity platform (v2.0)?](/entra/identity-platform/azuread-dev/azure-ad-endpoint-comparison). +The list of claims in the ID token changes for v2.0 endpoints. Microsoft documentation on the changes has been retired, but guidance on the claims in an ID token is available in the [ID token claims reference](/entra/identity-platform/id-token-claims-reference). :::moniker range="< aspnetcore-8.0" diff --git a/aspnetcore/blazor/security/webassembly/hosted-with-azure-active-directory-b2c.md b/aspnetcore/blazor/security/webassembly/hosted-with-azure-active-directory-b2c.md index b7b7b9410119..698a5bd997c4 100644 --- a/aspnetcore/blazor/security/webassembly/hosted-with-azure-active-directory-b2c.md +++ b/aspnetcore/blazor/security/webassembly/hosted-with-azure-active-directory-b2c.md 
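Review bot: "Microsoft documentation on the changes has been retired" describes the state of another doc set and will itself go stale; a more durable phrasing states the fact and links the current reference, for example "The set of claims in the ID token differs between v1.0 and v2.0 endpoints. For the current claim set, see the [ID token claims reference](/entra/identity-platform/id-token-claims-reference)." That keeps the point readers need (do not assume the v1.0 claim names when writing claim-based authorization) without a sentence about a retirement.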
@@ -75,7 +75,7 @@ Register an AAD B2C app for the *Client app*: 1. Select **Register**. > [!NOTE] -> Supplying the port number for a `localhost` AAD B2C redirect URI isn't required. For more information, see [Redirect URI (reply URL) restrictions and limitations: Localhost exceptions (Azure documentation)](/entra/identity-platform/reply-url#localhost-exceptions). +> Supplying the port number for a `localhost` AAD B2C redirect URI isn't required. For more information, see [Redirect URI (reply URL) restrictions and limitations: Localhost exceptions (Entra documentation)](/entra/identity-platform/reply-url#localhost-exceptions). Record the *Client app* Application (client) ID (for example, `4369008b-21fa-427c-abaa-9b53bf58e538`). diff --git a/aspnetcore/blazor/security/webassembly/hosted-with-microsoft-entra-id.md b/aspnetcore/blazor/security/webassembly/hosted-with-microsoft-entra-id.md index b467e3445c35..dae6dffeae6e 100644 --- a/aspnetcore/blazor/security/webassembly/hosted-with-microsoft-entra-id.md +++ b/aspnetcore/blazor/security/webassembly/hosted-with-microsoft-entra-id.md @@ -88,7 +88,7 @@ Register an ME-ID app for the *Client app*: 1. Select **Register**. > [!NOTE] -> Supplying the port number for a `localhost` ME-ID redirect URI isn't required. For more information, see [Redirect URI (reply URL) restrictions and limitations: Localhost exceptions (Azure documentation)](/entra/identity-platform/reply-url#localhost-exceptions). +> Supplying the port number for a `localhost` ME-ID redirect URI isn't required. For more information, see [Redirect URI (reply URL) restrictions and limitations: Localhost exceptions (Entra documentation)](/entra/identity-platform/reply-url#localhost-exceptions). Record the **:::no-loc text="Client":::** app Application (client) ID (for example, `4369008b-21fa-427c-abaa-9b53bf58e538`). 
diff --git a/aspnetcore/blazor/security/webassembly/microsoft-entra-id-groups-and-roles.md b/aspnetcore/blazor/security/webassembly/microsoft-entra-id-groups-and-roles.md index ec8917a38f97..127ce2d5c61b 100644 --- a/aspnetcore/blazor/security/webassembly/microsoft-entra-id-groups-and-roles.md +++ b/aspnetcore/blazor/security/webassembly/microsoft-entra-id-groups-and-roles.md 
@@ -344,7 +344,7 @@ public class CustomAccountFactory(IAccessTokenProviderAccessor accessor, The preceding code doesn't include transitive memberships. If the app requires direct and transitive group membership claims, replace the `MemberOf` property (`IUserMemberOfCollectionWithReferencesRequestBuilder`) with `TransitiveMemberOf` (`IUserTransitiveMemberOfCollectionWithReferencesRequestBuilder`). -The preceding code ignores group membership claims (`groups`) that are ME-ID Administrator Roles (`#microsoft.graph.directoryRole` type) because the GUID values returned by the Microsoft identity platform are ME-ID Administrator Role **entity IDs** and not [**Role Template IDs**](/entra/identity-platform/roles/permissions-reference#role-template-ids). Entity IDs aren't stable across tenants in Microsoft identity platform and shouldn't be used to create authorization policies for users in apps. Always use **Role Template IDs** for ME-ID Administrator Roles **provided by `wids` claims**. +The preceding code ignores group membership claims (`groups`) that are ME-ID Administrator Roles (`#microsoft.graph.directoryRole` type) because the GUID values returned by the Microsoft identity platform are ME-ID Administrator Role **entity IDs** and not [**Role Template IDs**](/entra/identity/role-based-access-control/permissions-reference). Entity IDs aren't stable across tenants in Microsoft identity platform and shouldn't be used to create authorization policies for users in apps. Always use **Role Template IDs** for ME-ID Administrator Roles **provided by `wids` claims**. In the **CLIENT** app, configure the MSAL authentication to use the custom user account factory. 
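Review bot: the new Role Template IDs link drops the `#role-template-ids` fragment, so readers land at the top of `/entra/identity/role-based-access-control/permissions-reference` instead of at the table of template IDs; the paragraph's security point (build authorization policies on the stable template IDs carried in `wids` claims, never on per-tenant entity IDs) depends on readers finding that table, so add the matching anchor on the new page if one exists. The same fragment is dropped in the `@@ -406`, `@@ -491` and `@@ -776` hunks of this file.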
@@ -406,7 +406,7 @@ builder.Services.AddAuthorizationCore(options => }); ``` -For the complete list of IDs for ME-ID Administrator Roles, see [Role template IDs](/entra/identity-platform/roles/permissions-reference#role-template-ids) in the Azure documentation. For more information on authorization policies, see . +For the complete list of IDs for ME-ID Administrator Roles, see [Role template IDs](/entra/identity/role-based-access-control/permissions-reference) in the Entra documentation. For more information on authorization policies, see . In the following examples, the **CLIENT** app uses the preceding policy to authorize the user. @@ -491,7 +491,7 @@ builder.Services.AddAuthorization(options => }); ``` -For the complete list of IDs for ME-ID Administrator Roles, see [Role template IDs](/entra/identity-platform/roles/permissions-reference#role-template-ids) in the Azure documentation. For more information on authorization policies, see . +For the complete list of IDs for ME-ID Administrator Roles, see [Role template IDs](/entra/identity/role-based-access-control/permissions-reference) in the Azure documentation. For more information on authorization policies, see . Access to a controller in the **SERVER** app can be based on using an [`[Authorize]` attribute](xref:security/authorization/simple) with the name of the policy (API documentation: ). 
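Review bot: the two hunks in this file are inconsistent with each other: the `@@ -406` change reads "in the Entra documentation" while the otherwise identical `@@ -491` change keeps "in the Azure documentation" for the same `/entra/identity/role-based-access-control/permissions-reference` target. Use "Entra documentation" in both, matching the `@@ -776` additional-resources hunk below.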
@@ -515,7 +515,7 @@ For more information, see . ## App Roles -To configure the app in the Azure portal to provide App Roles membership claims, see [How to: Add app roles in your application and receive them in the token](/entra/identity-platform/howto-add-app-roles-in-azure-ad-apps) in the Azure documentation. +To configure the app in the Azure portal to provide App Roles membership claims, see [Add app roles to your application and receive them in the token](/entra/identity-platform/howto-add-app-roles-in-apps) in the Entra documentation. The following example assumes that the **CLIENT** and **SERVER** apps are configured with two roles, and the roles are assigned to a test user: 
@@ -538,7 +538,7 @@ The following example assumes that the **CLIENT** and **SERVER** apps are config Although you can't assign roles to groups without an Microsoft Entra ID Premium account, you can assign roles to users and receive a `role` claim for users with a standard Azure account. The guidance in this section doesn't require an ME-ID Premium account. -If you have a Premium tier Azure account, **Manage** > **App roles** appears in the Azure portal app registration sidebar. Follow the guidance in [How to: Add app roles in your application and receive them in the token](/entra/identity-platform/howto-add-app-roles-in-azure-ad-apps) to configure the app's roles. +If you have a Premium tier Azure account, **Manage** > **App roles** appears in the Azure portal app registration sidebar. Follow the guidance in [Add app roles to your application and receive them in the token](/entra/identity-platform/howto-add-app-roles-in-apps) to configure the app's roles. If you don't have a Premium tier Azure account, edit the app's manifest in the Azure portal. Follow the guidance in [Application roles: Implementation](/azure/architecture/guide/multitenant/considerations/identity#implementation) to establish the app's roles manually in the `appRoles` entry of the manifest file. Save the changes to the file. 
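Review bot: the unchanged context line above the edit reads "without an Microsoft Entra ID Premium account", which should be "a Microsoft Entra ID Premium account"; since the paragraph is being touched anyway, fix the article. The same paragraph also mixes "Microsoft Entra ID Premium account", "standard Azure account", "ME-ID Premium account" and "Premium tier Azure account" for what appears to be the same licensing tier; pick one term so readers can tell whether the `role` claim guidance depends on the tenant's Entra license or on an Azure subscription.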
@@ -776,9 +776,9 @@ Pascal case is typically used for role names (for example, `BillingAdministrator ## Additional resources -* [Role template IDs (Azure documentation)](/entra/identity-platform/roles/permissions-reference#role-template-ids) -* [`groupMembershipClaims` attribute (Azure documentation)](/entra/identity-platform/reference-app-manifest#groupmembershipclaims-attribute) -* [How to: Add app roles in your application and receive them in the token (Azure documentation)](/entra/identity-platform/howto-add-app-roles-in-azure-ad-apps) +* [Role template IDs (Entra documentation)](/entra/identity/role-based-access-control/permissions-reference) +* [`groupMembershipClaims` attribute (Entra documentation)](/entra/identity-platform/reference-app-manifest#groupmembershipclaims-attribute) +* [Add app roles to your application and receive them in the token (Entra documentation)](/entra/identity-platform/howto-add-app-roles-in-apps) * [Application roles (Azure documentation)](/azure/architecture/guide/multitenant/considerations/identity) * * diff --git a/aspnetcore/blazor/security/webassembly/standalone-with-azure-active-directory-b2c.md b/aspnetcore/blazor/security/webassembly/standalone-with-azure-active-directory-b2c.md index 4e6d5e30eaab..188431f51249 100644 --- a/aspnetcore/blazor/security/webassembly/standalone-with-azure-active-directory-b2c.md +++ b/aspnetcore/blazor/security/webassembly/standalone-with-azure-active-directory-b2c.md 
@@ -43,7 +43,7 @@ Register an AAD B2C app: 1. Select **Register**. > [!NOTE] -> Supplying the port number for a `localhost` AAD B2C redirect URI isn't required. For more information, see [Redirect URI (reply URL) restrictions and limitations: Localhost exceptions (Azure documentation)](/entra/identity-platform/reply-url#localhost-exceptions). +> Supplying the port number for a `localhost` AAD B2C redirect URI isn't required. For more information, see [Redirect URI (reply URL) restrictions and limitations: Localhost exceptions (Entra documentation)](/entra/identity-platform/reply-url#localhost-exceptions). Record the following information: diff --git a/aspnetcore/blazor/security/webassembly/standalone-with-microsoft-accounts.md b/aspnetcore/blazor/security/webassembly/standalone-with-microsoft-accounts.md index 90a68b0e20ab..2c9c430032fe 100644 --- a/aspnetcore/blazor/security/webassembly/standalone-with-microsoft-accounts.md +++ b/aspnetcore/blazor/security/webassembly/standalone-with-microsoft-accounts.md @@ -41,7 +41,7 @@ Register an ME-ID app: 1. Select **Register**. > [!NOTE] -> Supplying the port number for a `localhost` ME-ID redirect URI isn't required. For more information, see [Redirect URI (reply URL) restrictions and limitations: Localhost exceptions (Azure documentation)](/entra/identity-platform/reply-url#localhost-exceptions). +> Supplying the port number for a `localhost` ME-ID redirect URI isn't required. For more information, see [Redirect URI (reply URL) restrictions and limitations: Localhost exceptions (Entra documentation)](/entra/identity-platform/reply-url#localhost-exceptions). Record the Application (client) ID (for example, `41451fa7-82d9-4673-8fa5-69eff5a761fd`). diff --git a/aspnetcore/blazor/security/webassembly/standalone-with-microsoft-entra-id.md b/aspnetcore/blazor/security/webassembly/standalone-with-microsoft-entra-id.md index 096bd7468d15..e685bb375f39 100644 
--- a/aspnetcore/blazor/security/webassembly/standalone-with-microsoft-entra-id.md +++ b/aspnetcore/blazor/security/webassembly/standalone-with-microsoft-entra-id.md @@ -41,7 +41,7 @@ Register an ME-ID app: 1. Select **Register**. > [!NOTE] -> Supplying the port number for a `localhost` ME-ID redirect URI isn't required. For more information, see [Redirect URI (reply URL) restrictions and limitations: Localhost exceptions (Azure documentation)](/entra/identity-platform/reply-url#localhost-exceptions). +> Supplying the port number for a `localhost` ME-ID redirect URI isn't required. For more information, see [Redirect URI (reply URL) restrictions and limitations: Localhost exceptions (Entra documentation)](/entra/identity-platform/reply-url#localhost-exceptions). Record the following information: