From YouTube: Azure Portal App registration improvements
Description
In the March community call, we discussed some of the improvements to the Azure Portal App registration. Included in this are the new quickstarts, end of life app registrations, per-application RBAC and token configuration.
Documentation https://aka.ms/AA7yo21
End of life app registration blog https://aka.ms/AA7wu1c
Get started with Microsoft identity platform https://aka.ms/AA7yqha
Stay connected:
Twitter https://twitter.com/microsoft365dev
YouTube https://aka.ms/M365DevYouTube
Blogs https://aka.ms/M365DevBlog
Thank you, everyone, for joining today. Myself, Archie, along with Vince and Kevin, are going to talk to you about app registration improvements. I'm going to start first and cover quickstarts, as well as a few other developer experiences.
So, starting with quickstarts: with the recent improvements we have made in quickstarts, we've made it even easier to help you get started with the Microsoft identity platform.
I'm going to get into the Quickstarts blade and then I'm going to try out the ASP.NET Core quickstart.
So, as you can see, it's split up into three sections. Step one: I would go ahead and configure my application, so this little thing will do the magic of configuring all of these values automatically, just by clicking this button. Once that is done, I'm going to download the code sample.
And while I've already signed into my app, I can sign out and then sign in with a different account as well. So, with that, I hope this was useful, and I'm happy to take any questions you have on quickstarts.
I would take that feedback, but definitely try this out. It's super simple. We promise that it only takes a few steps, and it does. And feel free to leave us feedback, either from this section right here, if you want to see any other content, or directly from the quickstart itself, just by filling this out, as well as putting any verbal comments you may have here. Any other questions?
When we announced general availability of our new registration experience at Build 2019 last May, we shared our plan and end-of-life for the other developer portals we have, which is the Application Registration Portal, as well as the App Registrations (Legacy) experience in the Azure portal. So now we have a single place where developers can configure all their apps that sign in Azure Active Directory accounts and personal Microsoft accounts.
We wanted to share once again the timelines and remind you to please start using the new experience. So, for the Application Registration Portal experience, which is apps.dev.microsoft.com, end-of-life happened on December 15, 2019 for users with Azure AD accounts and personal Microsoft accounts, except for Live SDK apps. These types of apps are not yet supported in the new experience, but we expect support in the future.
So if you continue using apps.dev.microsoft.com for Live SDK apps, you would soon move on to the Azure portal as well. And the next section here is the App Registrations (Legacy) experience in the Azure portal. So the end-of-life happened very recently, on March 1, 2020, for users with Azure AD accounts and personal Microsoft accounts, except for Azure AD B2C accounts. The legacy experience for B2C accounts will soon follow the general availability of the new experience in B2C tenants, and then I have linked a blog that will help you navigate the timelines better.
Hi folks, my name is Vince. I think some of you may know me over the years from working on access control scenarios, and what I'm going to walk through today is what we call per-application role-based access control. One of the things we've heard from customers for some time now is the challenge around delegating permissions to manage specific parts of applications in particular.
The most common scenario we hear is: I have a help desk support team or a set of developer services in my organization, and I need to grant them the ability to roll certificates on an application without the ability to do other things, like configure display names or requested permissions or the authentication settings, those kinds of things that are around the application.
So let me go ahead and I'll just walk through. And I love doing MVP demos, particularly because we get such great, enthusiastic interaction. So I just encourage you all:
if you have questions or if you want to talk about specific things, don't hesitate, feel free to interrupt me or just shout stuff out. I sort of love that level of chaos we sometimes get. I'm going to share my screen. So here I am, and I'm just in the Azure portal, on the App registrations tab here in
Azure AD. I'm going to click on an application. This is an application registration, and from here you'll see we have a new tab called Roles and administrators. When I go here, this is the place we're going to move all our access control to, and you'll find that this tab exists both at the tenant level as well as on each individual app registration. And so, from here,
I can click New role, and what I'm going to do is I'm actually going to set up the role to grant the permissions that we just talked about, which is: in my steel company, I have a set of support folks who manage certificates for applications. Now, I could hit that New role button at the tenant level, or I can hit that New role button here, and it actually does the same thing.
Let's call this "Credential Manager": can manage credentials of app registrations. Now hit Next, and here I'm presented with a list of permissions. So this is our, and I'd say this is our initial experience. This experience will improve over time to do better grouping and better filtering abilities, but for now I just look up the credential permission. I can see that I have application credentials and what are called my organizational apps' credentials.
Here is the permission, or, excuse me, the role I just created, with the specific permission of the ability to update credentials on app registrations. When I hit Create, you'll see that that new role shows up in my list of available roles that I can assign to users and to service principals. So I'll go ahead and I'll go in here and I'll add a new assignment.
Let's add it to Chang. So I've added Chang as a Credential Manager, and what I've done, to be very, very clear here: I've made this assignment at the Postman app, right? So I could have assigned Chang this role even out here, at the tenant level, right? You'll find it will have a whole bunch of roles here. But if you go here, she's actually not assigned this brand-new role I created at the tenant level, but Chang is assigned at the.
So here I am, signed in, and I can go to App registrations and go to Postman. So Postman is the app on which Chang has access, but the specific access I have is around the ability to manage certificates and credentials. So if I go here, under Postman, Certificates & secrets, I can go ahead and create a new client secret, and you'll see that that will actually work, right?
I just created that, but if I go up to Authentication, for example, on the Postman app, I'm actually not able to do anything in terms of managing the authentication for Postman, nor can I go, for example, try to request new permissions for the Postman app, right? So because in this Credential Manager role we've only granted this specific permission, that's the only permission that Chang has. Likewise, because we've done the role assignment, we've granted Chang the Credential Manager role over the Postman app. As Chang,
if I go out to, say, for example, you know, the company payroll app, and I go try to manage certificates on a different app, again, Chang doesn't have access here. Now, I could go back and I could actually grant Chang access, say, on company payroll, and here's where, you'll see, there's the same role, and I can actually grant that role again to somebody like Bianca, and now Bianca would be able to manage credentials on the company payroll app and Chang will be able to manage credentials on the Postman app.
But neither could do the inverse. So, hopefully, with this functionality, we can help with what would turn out to be a rather challenging delegation problem for our customers. As we move forward, even out of the app registration space, the next place we're going to start exposing this level of granularity is enterprise apps, and then in the consent model, and then eventually into groups and devices and users, until we cover the entire directory.
Feel free: this is an opportunity. I'll answer this in the chat, but feel free to also, you know, ask me any questions you like, around, hey, why aren't you guys doing this, or, hey, what's the timeline for that? Those kinds of questions I love, because we can be very open with you. Which roles are required to create roles in a specific app? Great. So today the global administrator and what we call the privileged role administrator can manage all permissions.
So we don't have anything that's specific on a per-app basis, but it is something in our backlog to be able to grant just the ability to create and manage role assignments at specific scopes. Also: what if access to the Azure AD blade is restricted or not? Yes, so if access to the Azure AD blade is restricted for non-admin users, that is certainly a challenge for us. This is, it's a great question. This is the kind of MVP question
I love. We hear today that that switch will actually block access, and that switch is really, it's kind of, it's been a thorn in my paw for quite a while. We will, in the fullness of time, support the ability to grant or revoke read permissions across the directory, so you can actually revoke someone's ability to read specific parts of the directory. That switch today is a portal-specific switch.
It only revokes or allows permission via the portal and actually doesn't restrict any access through the Graph API or through PowerShell or the other interfaces. So we're working on that, but just know, for now, the simple answer is that switch will continue to block access except for tenant-level administrators. What else have we got? So, is there a list of permissions and what they grant? Yes, Rob, so we have, in the documentation,
we have a full list of permissions, along with the corresponding descriptions and what those permissions grant access to. We're also working on, or we're trying to get to a place where we can actually, from within the portal experience, where we want to get to is: I'm looking at this page and I actually have an ability, either through some gesture, through a button or through some call-out, where I can actually, as a flyout, I can see:
here are the permissions that grant access to this page. So you can get a much better connection between the set of permissions that are available and how they relate to the data as it exists on the page you're looking at. Let's see: if you get any access denied messages, do they clearly say what's required? Yes, so, Dean, great, that's exactly the challenge that we're looking to solve with what I was just talking about. Vittorio:
how can I allow an application owner to see the sign-in logs only for a specific application? Great question. So, as part of our work for enterprise apps, so what I just described in terms of the permissions, the granular permissions for app registrations, we're doing the exact same thing for the enterprise apps experience. As part of that work, we will support granular sign-in report
viewing, so you'll be able to actually grant someone the ability to read sign-in logs at a specific app, for example at Salesforce, and now, when someone goes to the set of sign-in logs for that particular app, they'll see the sign-in log. So if they go out and try to view the global sign-in logs, they'll actually get access denied. Can we create these roles via PowerShell, Graph? And yes, we support PowerShell, Microsoft Graph, as well as the portal experience I just showed.
So these, we actually, so yeah, ABAC. We actually have some early plans that we're working through in terms of ABAC. Now, we don't have anything concrete to announce on this, but we're taking it seriously. There's, my boss, you guys know Stuart, come on, he's my boss. He is actually heading up a project to go do a lot of investigation, a lot of understanding around ABAC. I'm surprised
no one has asked. I was waiting for, usually I wait till someone asks, you know, can I do PIM on these? Yes, yes, we fully support Privileged Identity Management, so that you can do elevation, activations to custom roles using PIM. I think that's it. New messages? Anyone else? Well, feel free to shoot me an email. You can find me on Twitter. You can find me again at my microsoft.com address if you have any questions or if you want to give us any more feedback, happy to. So I'm also on the MVP distribution list.
Thanks, Vince. Yeah, all right, cool. We're going to jump into the relatively new token configuration experience. This is a public preview experience in the App registrations portal blade that Archie had talked about earlier. We launched this late last year, and so what I'll do is I will go over kind of some background for optional claims.
The access tokens are going to depend on the resource that you're calling. So if you're calling Microsoft Graph, for example, they're going to be v1 tokens, but it really depends: if you're calling your own private APIs, it depends on what that resource is specifying in terms of the token version. So that's what I'm talking about when I talk about v2 tokens versus v1 tokens and v2 apps. Another quick note there: if you're using the legacy experience, again, Archie talked about this, that's the portal experience with apps.dev.microsoft.com, that's being deprecated soon.
Those are v1 applications, so you're always going to get v1 ID tokens. The reason I kind of paused to explain that is, as you can see here in this table, there are a bunch of different types of optional claims. There are some in the first column you see there that are v2-specific. All that means is that, for these v2 tokens, again, if you use the new app registration experience to register your app, there are nine optional claims so far that are no longer included.
They were included in v1 apps or v1 tokens; they're not included in v2 tokens. v1/v2 common, that's the second column you see there, there's 20 of those. All that means is these optional claims, I'll provide the documentation link later on that has all these claims, that just means that, whether using a v1 token or a v2 token, those 20 that we list in the documentation are optional: they're not included by default in v1 tokens or v2 tokens. Then you have directory extension optional claims.
If you've created those using, say, MS Graph, you can actually have that information included, up to 15 of those, if your application requires them, in an optional claim. And then groups: there are certain applications that require group information to make authentication and authorization decisions, and so you can also request back group IDs and groups claims, and I'll demo that as well. All right, so, additional background here. So the availability of optional claims is determined by a few different things.
It's determined by the token type, I talked about that earlier, v1 versus v2, the token version, and the source, whether it's just a standard one that we list, that is in our documentation, or it's a custom one, like a custom extension claim that you created based on a user object. It also depends on the type of user signing into the app, and so I've just kind of put this together to illustrate that, as a developer, as a tenant admin, as an app admin, it can be a little hairy navigating:
oh, my application needs this optional claim, which ones are applicable, which ones aren't. This is actually meant to just show, it is kind of an issue that our customers have voiced to us, saying, I don't really know which ones are applicable to my app or not, and this next slide kind of drives it home as well. This is the current experience that's available for updating, configuring and adding optional claims. This is with the application manifest editor, underneath the Azure AD application registration experience, and I just wanted to again point out
there are kind of some trouble spots that our customers have voiced to us over the past year. The one is that it is somewhat tedious. I'm calling out in red here, that is a sample client ID, where you literally have to cut and paste the application ID for each sort of custom extension optional claim that you want to add or configure, and there's not really a great reason around why we have that requirement.
It can also be confusing. I've called this out in blue, just highlighting the "essential" property that really doesn't apply to any of these optional claims that are listed here in this example manifest, and so it's just one of those things where, like the previous slide, it is difficult sometimes to know which properties of an optional claim are relevant or not for the specific optional claim. And then the last thing I'm calling out is it can be error-prone. That's the thing I've highlighted in purple there: there's a typo there.
It should be upn, not upnn. So, just calling out that, while the manifest editor, the manifest experience here, does have some error handling, it is pretty limited, and so what we wanted to try to do with this new token configuration experience is really fix the confusion that I outlined in the previous few slides. And so I'm going to jump to a demo. I'm just in App registrations. I'll navigate to App registrations. I've registered a v2 app here, "test community call app", and so, like I said before,
a v2 app is any app that you've registered using this App registrations experience, not apps.dev.microsoft.com; those are v1 applications that will get v1 ID tokens. And again, the access token version is going to depend on the resource or resources that you're calling. We'll take this one, test community call app. It's a v2 application that gets v2 ID tokens, and again, quick reminder: if you're calling Microsoft Graph, that resource, that API, requests v1 tokens, so you are going to get different token versions. You're going to get v2 ID tokens and v1 access tokens
if you have an application that is calling Microsoft Graph that you registered through the App registrations experience. What I'm going to do is navigate to this Token configuration blade, which is still public preview. We are planning the next few weeks, or, yeah, next few weeks timeframe. So what I wanted to point out first is, you see here, I have upnn, and this is an existing optional claim I've already configured through the manifest. So this is backwards compatible, if you will: any existing optional claims that you've added, configured in the manifest, here, I'll
just click on this to show you. It's here. This is the optional claims section, and here, under the ID token, I have added an entry for upnn, which again, like I said, is incorrect. It's a typo here, but it's not caught here in the manifest. Let me save it. We will point that out to you here in this optional claims view, saying that, you know, it is incorrect.
If you scroll over this: this claim is not supported and will not be returned in the token. I have an option to delete it if I want to. That's kind of nice; you can see any existing optional claims you've configured. The second thing I'm going to show here is just adding an optional claim. So what I want to do is this:
so the nice thing, if you recall, okay, so I can choose my token type. I'll choose ID token, which are v2. If you recall that eye chart that I showed earlier of, well, the tokens that are applicable to your application depend on the type of user, the version of the application, the type of tokens, the version of the token: we figured that all out for you right here. All you have to do is scroll through this list.
This is a dynamic list of available, applicable optional claims for your specific application, based on audience type, based on version of the application, based on version of the token, specifically ID token in this case. And so you can see here, I scroll down the list, I see upn, I added it, and there I have it, and I can make an edit. upn is one of these special ones. So, if you see, let me just add another optional claim here, just to show you, to my ID token, and I'll add account, user account
information. upn is one of the special ones that shows up with a little pencil next to it. That pencil signifies the ability to adjust additional properties for this specific optional claim. Again, this is one of those things where, in the charts that I showed earlier, you'd have to kind of figure this out on your own through the documentation. Yes, it's possible, but you're probably not in here every day configuring optional claims. So again, we, dynamically, we will show this pencil whenever you're adding or configuring an optional claim
that happens to have additional properties that you can edit. So I click on the pencil, I then see the additional properties that I can configure, and you'll see here, actually, this second option, replacing the hash marks, doesn't actually light up until I've actually clicked this "externally authenticated" option. I could save, and then what you'll see here is, under Optional settings, this changes from blank, if we're to now,
yes. This signifying, yes, I've changed this from the default settings to be externally authenticated, as well as I want the format to replace the hash marks with underscores. What I'm going to do next is, I talked about earlier, groups claims. Some applications require group ID information or groups information, so you can also do that. You'll notice, unlike the add optional claim experience, I'm not choosing ID, access or SAML tokens, because groups claims apply to all three, so they apply to all the token types of your application.
What I can choose is which specific groups do I want to return in that groups claim, so it could be security groups, directory groups or, if I click All groups, this will include distribution lists. So you may be wondering, well, why don't I see a separate entry for distribution lists? It's because distribution lists have to be grouped with security groups and directory roles. It's one of those things that cannot be standalone. The other thing, too, is, you'll see here, I can also customize by token type.
So, even though I get the groups information for all my token types, I can customize how that group information comes back in the token. By default, it's group ID. I can say, for my ID token, I want this format; for my access token, I want a different format; and then, for my SAML token, I want a different format.
Now, I first need to check what I want returned in that groups claim, and I click Add, and that's there. And again, you'll see that, because I've configured, oops, in the groups claim some non-default settings, I've changed the format of how we want to see this groups information for my ID, access and SAML tokens, you'll see that, again, Optional settings is set to, yet, or I see yes, and that's cool. That's the end of the demo. I want to kind of pause before I wrap up with some kind of important notes.
I've got the item open. What would my resource, what would be my resource type, you want me to, if I create a new app? So that depends on the resource you're calling. So, like I said, I'm not sure what APIs or resources your app is calling. If you use the App registrations experience that I just showed and you're going to show the app, it's going to be a v2 app calling the v2 endpoints, so your ID tokens are always going to be v2. The access tokens that are used to call your resource,
it depends on the resource that you're calling. If you're calling Microsoft Graph, it's going to be v1 tokens, and so, if I were to actually have my application call Microsoft Graph and then I wanted to access the token configuration screen, you would see it, and dynamically we would return a list of claims that are applicable to a v1 access token.
This one I think is for Vince, so I'll put that on the back burner, and Vince, maybe you can loop back and answer this. Why don't we see custom claims like synced extension attributes, like we have it for SAML-based apps? So the test application that I created, I don't have in this tenant, I don't have any user extension attributes, Anuj, that I've created.
Otherwise you would see those. We make a call to bring back any custom extension attributes that you have created in your directory and we will pull that back dynamically, so you don't have to enter those manually, although you still can. So that's an important note: everything I've shown here in the token configuration blade, like I showed earlier with the typo in the manifest, everything I've done here in the token configuration preview experience, you'll see, is all here in this JSON entry under optional claims, everything down to additional properties
for my groups. All this is doing is it's a layer on top of the manifest that's updating JSON, just to make it easier. So again, you as a developer and app admin don't have to look up which optional claims are applicable to my application and to my tokens, and you don't have to enter those custom extension optional claims manually. Johnny: can we configure tenant-level attributes?
Yes, you should be able to, Johnny, if I'm understanding this correctly. If the question is, if it's tenant-specific directory extension attributes, then yes. Otherwise you can definitely ping me and I can follow up. My email is Kevin DM at microsoft.com. Danny, you can probably list our contact information.
Yeah, so there's one important difference here, Johnny, is that claims mapping is done at the tenant-specific level. Everything I showed previously with optional claims, adding it, is at the application object level. So it's slightly different, well, they're very related. Claims mapping is more about transformation of claims, like, I want the claim, a tenant-specific claim, to look slightly different, versus what I was showing was: I want to either add or delete claims that my application is requesting. So, well, there is some overlap.
While there are similarities, I don't think you would be able to, you actually see the claims mapping policies? Yeah, you wouldn't see any claims mapping policies in the token configuration experience. I will say, though, Johnny, that we are working on an experience, I'm working with that team longer term, to merge the experiences. So when you go to token configuration, instead of just being able to manage optional claims for your application, you would also be able to transform what those optional claims look like at the tenant-specific level. Okay.
Okay, so, Tony, I just have a question down and I will make sure to follow up. Okay, so, Mike, I think it was a similar question that Johnny had about claims mapping policy. Yes, what I just showed was purely adding or removing which claims are included in the token. Claims mapping, if you need to, for example, you've added upn as an optional claim, that is included in your token, but you need it to look slightly different:
yes, you would still need a claims mapping policy to transform what that looks like. What I just showed is really just yes or no, it's included in the token or not. All right. So, Anuj: if I do not want custom optional claims in the access token or ID token, and want to retrieve them from the Graph endpoint, what should I mention in the request? Hold this one till the next slide. I think I may answer this one in my follow-up slide, actually, Anuj. So there are slight,
there is some overlap between what you can request from, say, User.Read from Microsoft Graph, and there are some, though, that you need to request through OpenID Connect. So that's where I have a documentation link on the last slide. Well, I'll talk about that; I think it gets to this. It may not answer directly, but the documentation does cover this. Do I get all the groups? And so, Vittorio, that's a good question. There are some limitations to the number of groups that are returned in the claim. I think it's,
if it's over, like, 160, this is in the documentation, we will return a link to the groups rather than the list of groups itself. That's in the documentation link that I list on the last slide I have, which actually, maybe I should have covered first before taking questions. Let's see, let's just cover off on these. Anuj: to send UPN in actual format, not extension, the hashed extension attached only applies to users from external Azure AD; in future, can we expect the user to do so? This is kind of out of my realm.
I can take this one back, Anuj, as a follow-up with one of my colleagues that owns the all-up optional claims feature. I can follow up with them on this. What I'm the PM for is just the UI experience that layers on top of the manifest experience. So let me cut really quick to the last slide, which is this one. So, just some caveats: some optional claims require additional OpenID Connect scopes, so these scopes, I've just shown a screenshot here.
It may be a little hard to see, but I'm in the App registrations API permissions blade, or page, and I've just clicked on Add a permission, and I've clicked on Microsoft Graph and then Delegated permissions. And so some of the claims, these claims actually here, these five, require additional Microsoft Graph OpenID Connect scopes. These are specifically the Microsoft Graph user endpoint permissions, and so openid, you need that across the board for any claim, let alone optional claims, but what I've kind of highlighted here, that I've checked boxes:
if you want nickname, family name, given name or UPN, you need to include profile. This is something that has popped up on our radar since we launched this public preview experience a few months ago, of customers saying, oh, I clicked all these, you know, I clicked these claims, but why do I still not see them in my token? Well, it's because you only had openid as a Microsoft Graph, oh, I do see, scope.
You also need to check this box so that your application, in the token request, is also including this in the scope parameter: profile. And if you want email, there's an email checkbox that you have to check. I just put an asterisk here, because email, this value is actually populated by default for users outside the tenant. If you have a multi-tenant app and someone outside the tenant is logging in, these values are populated by default
in the token. For managed users within the tenant, you need to check this email box in order to get that back. We are working on a feature, or planning to do a feature, where, when you're in the token configuration experience, we'll automatically indicate if you've selected any of these, give you an option to set it right there and add this from within the token configuration experience, or, at the very least, notify you that, hey, these five that you've selected require additional Graph scopes that you haven't added.
Great, thank you so much. So I posted a couple of things in the IM chat. You can follow us on Twitter at microsoft365dev. It will provide all the latest announcements related to this call and to other Microsoft identity platform features and news. And then this recording will also be posted on YouTube, and that link is in the IM chat as well, and we'll let you know as soon as it's up. And in the blog post we'll get answers to the questions that we weren't able to answer in this call today. On the screen
is our other developer community calls across the Microsoft 365 platform. If you don't have any of those, or you're not aware of them, feel free to join any or all of those calls. And lastly, our next call will be on Thursday, April 16th at 9 a.m. We look forward to seeing you then, and, in the meantime, you can get in touch with us in a variety of ways that we've talked about today. And thank you to our speakers for joining today and doing some great presentations and demos. Thanks.
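The per-application role-based access control walkthrough in the call (a custom "Credential Manager" role, assigned to Chang over the Postman app and to Bianca over the payroll app, with neither able to do the inverse) as an added worked example. This is not code from the call or from Azure AD: it models a custom role as a set of resource actions and an assignment as principal plus role plus directory scope, in the shape of Microsoft Graph's unifiedRoleDefinition and unifiedRoleAssignment objects, and evaluates the same checks the demo performs. The principal ids, app object ids, the tenant-wide "helpdesk-sp" assignment and the role id are constructed; the action strings follow the documented microsoft.directory/applications/... naming, which is an assumption to verify against the permission list the speaker points to in the documentation.

```python
"""Scoped custom role evaluation, modelled on the per-app RBAC demo in the call.

Added example, not code from the call or from Azure AD. It mirrors the shape of
Microsoft Graph's unifiedRoleDefinition (rolePermissions with
allowedResourceActions) and unifiedRoleAssignment (principalId,
roleDefinitionId, directoryScopeId: "/" for the whole tenant, "/<object-id>"
for one app registration). Ids and names below are constructed.
"""
from dataclasses import dataclass

# Resource action names follow the documented microsoft.directory/applications/...
# pattern (assumption: verify against the permission list in the docs).
UPDATE_CREDENTIALS = "microsoft.directory/applications/credentials/update"
UPDATE_AUTHENTICATION = "microsoft.directory/applications/authentication/update"
UPDATE_PERMISSIONS = "microsoft.directory/applications/permissions/update"


@dataclass(frozen=True)
class RoleDefinition:
    display_name: str
    description: str
    allowed_resource_actions: frozenset

    def to_graph_body(self) -> dict:
        """Request body for POST /roleManagement/directory/roleDefinitions."""
        return {
            "displayName": self.display_name,
            "description": self.description,
            "isEnabled": True,
            "rolePermissions": [
                {"allowedResourceActions": sorted(self.allowed_resource_actions)}
            ],
        }


@dataclass(frozen=True)
class RoleAssignment:
    principal_id: str
    role_definition_id: str
    directory_scope_id: str  # "/" = tenant-wide, "/<app object id>" = one app

    def to_graph_body(self) -> dict:
        """Request body for POST /roleManagement/directory/roleAssignments."""
        return {
            "principalId": self.principal_id,
            "roleDefinitionId": self.role_definition_id,
            "directoryScopeId": self.directory_scope_id,
        }


def is_allowed(roles, assignments, principal_id, action, app_object_id) -> bool:
    """True if some assignment grants `action` to `principal_id` over the app.

    A tenant-scoped assignment ("/") covers every app; an app-scoped one
    ("/<object id>") covers only that app, which is what the demo relies on.
    """
    for a in assignments:
        if a.principal_id != principal_id:
            continue
        role = roles[a.role_definition_id]
        if action not in role.allowed_resource_actions:
            continue
        if a.directory_scope_id in ("/", f"/{app_object_id}"):
            return True
    return False


# --- constructed demo data (ids are made up) ---
CRED_MANAGER_ID = "role-credential-manager"
ROLES = {
    CRED_MANAGER_ID: RoleDefinition(
        "Credential Manager",
        "Can manage credentials of app registrations",
        frozenset({UPDATE_CREDENTIALS}),
    )
}
POSTMAN_APP = "00000000-0000-0000-0000-000000000001"
PAYROLL_APP = "00000000-0000-0000-0000-000000000002"
ASSIGNMENTS = [
    RoleAssignment("chang", CRED_MANAGER_ID, f"/{POSTMAN_APP}"),
    RoleAssignment("bianca", CRED_MANAGER_ID, f"/{PAYROLL_APP}"),
    RoleAssignment("helpdesk-sp", CRED_MANAGER_ID, "/"),  # tenant-wide scope
]


def demo_checks() -> dict:
    """The checks the demo performs, keyed by a short label."""
    return {
        "chang_postman_creds": is_allowed(ROLES, ASSIGNMENTS, "chang", UPDATE_CREDENTIALS, POSTMAN_APP),
        "chang_postman_auth": is_allowed(ROLES, ASSIGNMENTS, "chang", UPDATE_AUTHENTICATION, POSTMAN_APP),
        "chang_postman_perms": is_allowed(ROLES, ASSIGNMENTS, "chang", UPDATE_PERMISSIONS, POSTMAN_APP),
        "chang_payroll_creds": is_allowed(ROLES, ASSIGNMENTS, "chang", UPDATE_CREDENTIALS, PAYROLL_APP),
        "bianca_payroll_creds": is_allowed(ROLES, ASSIGNMENTS, "bianca", UPDATE_CREDENTIALS, PAYROLL_APP),
        "bianca_postman_creds": is_allowed(ROLES, ASSIGNMENTS, "bianca", UPDATE_CREDENTIALS, POSTMAN_APP),
        "helpdesk_any_creds": is_allowed(ROLES, ASSIGNMENTS, "helpdesk-sp", UPDATE_CREDENTIALS, PAYROLL_APP),
    }


if __name__ == "__main__":
    for label, ok in demo_checks().items():
        print(f"{label}: {'allowed' if ok else 'denied'}")
```

The point the evaluator makes explicit is that the scope lives on the assignment, not on the role: one role definition, assigned twice at different app scopes, yields two disjoint grants, while the same role assigned at "/" covers every app registration in the tenant.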
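The token configuration part of the call describes what the manifest editor does not catch: a typo'd claim name such as "upnn" that is silently never returned, a "replace hash marks" upn property that only makes sense together with the "externally authenticated" one, a groups claim whose emission is governed by a separate manifest property, and the nickname, family_name, given_name, upn and email claims that stay out of the token until the profile or email scope is also requested. Here is an added example, not code from the call, from Microsoft or from the Azure portal, that lints the manifest's optionalClaims JSON for exactly those problems. The claim table is a hand-copied partial subset (an assumption, not the authoritative list in the linked documentation), and the sample manifest and scope set are constructed to mirror the demo.

```python
"""Lint the optionalClaims section of an Azure AD app registration manifest.

Added example for this page; not code from the community call, from Microsoft,
or from the Azure portal. The claim table is a hand-copied, partial subset
(an assumption, not the authoritative list); the full table is in the
optional-claims documentation linked from the call description.
"""
import json

TOKEN_TYPES = ("idToken", "accessToken", "saml2Token")

# Partial subset of documented optional claim names (assumption: not complete).
KNOWN_CLAIMS = {
    "auth_time", "ctry", "email", "family_name", "given_name", "groups",
    "ipaddr", "login_hint", "nickname", "onprem_sid", "pwd_exp", "pwd_url",
    "sid", "tenant_ctry", "tenant_region_scope", "upn",
    "verified_primary_email", "verified_secondary_email",
}
# Claims the presenter said need an extra OpenID Connect scope in the request
# (openid is always needed; it is checked separately below).
SCOPE_REQUIRED = {
    "nickname": "profile", "family_name": "profile",
    "given_name": "profile", "upn": "profile", "email": "email",
}
UPN_EXTERNAL = "include_externally_authenticated_upn"
UPN_NO_HASH = "include_externally_authenticated_upn_without_hash"


def lint_optional_claims(manifest: dict, requested_scopes: set) -> list:
    """Return findings as strings; an empty list means nothing to flag."""
    findings = []
    if "openid" not in requested_scopes:
        findings.append("request: the openid scope is missing; it is needed for any claim")
    optional = manifest.get("optionalClaims") or {}
    for token_type in TOKEN_TYPES:
        for entry in optional.get(token_type) or []:
            name = entry.get("name", "")
            where = f"{token_type}/{name or '<unnamed>'}"
            if name not in KNOWN_CLAIMS:
                # The manifest editor does not catch this; the token silently omits it.
                findings.append(f"{where}: unknown claim name, it will not be returned in the token")
                continue
            scope = SCOPE_REQUIRED.get(name)
            if scope and scope not in requested_scopes:
                findings.append(f"{where}: requires the '{scope}' scope in the token request")
            props = set(entry.get("additionalProperties") or [])
            if name == "upn":
                for prop in sorted(props - {UPN_EXTERNAL, UPN_NO_HASH}):
                    findings.append(f"{where}: unsupported additional property '{prop}'")
                if UPN_NO_HASH in props and UPN_EXTERNAL not in props:
                    # In the portal the "replace hash marks" option only lights up
                    # after "externally authenticated" has been selected.
                    findings.append(f"{where}: '{UPN_NO_HASH}' needs '{UPN_EXTERNAL}' as well")
            if name == "groups" and not manifest.get("groupMembershipClaims"):
                findings.append(f"{where}: groupMembershipClaims is not set; that top-level "
                                "property controls whether groups are emitted at all")
            if entry.get("essential"):
                findings.append(f"{where}: 'essential' is set; confirm it applies to this claim")
    return findings


# Constructed manifest fragment mirroring the demo: a typo'd "upnn", a upn with
# both extra properties, an email claim, and a groups claim on the access token.
SAMPLE_MANIFEST = json.loads("""
{
  "groupMembershipClaims": null,
  "optionalClaims": {
    "idToken": [
      {"name": "upnn", "source": null, "essential": false, "additionalProperties": []},
      {"name": "upn", "source": null, "essential": false,
       "additionalProperties": ["include_externally_authenticated_upn",
                                "include_externally_authenticated_upn_without_hash"]},
      {"name": "email", "source": null, "essential": false, "additionalProperties": []}
    ],
    "accessToken": [
      {"name": "groups", "source": null, "essential": false,
       "additionalProperties": ["sam_account_name"]}
    ],
    "saml2Token": []
  }
}
""")


if __name__ == "__main__":
    # An app that only requests the openid scope, the case the presenter describes.
    for finding in lint_optional_claims(SAMPLE_MANIFEST, {"openid"}):
        print(finding)
```

Run against the sample with only openid requested, the lint reports the unknown "upnn", the missing profile scope for upn, the missing email scope for email, and the unset groupMembershipClaims for the groups claim; adding profile and email to the requested scopes leaves only the first and last of those.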