OKTA-815132 Update Azure AD to Entra ID for IdP docs #5147

Open
wants to merge 7 commits into
base: master
4 changes: 4 additions & 0 deletions packages/@okta/vuepress-site/conductor.yml
Expand Up @@ -2391,6 +2391,10 @@ redirects:
to: /docs/guides/add-an-external-idp/-/main/#next-steps
- from: /docs/guides/add-an-external-idp/-/next-steps/index.html
to: /docs/guides/add-an-external-idp/-/main/#next-steps
- from: /docs/guides/add-an-external-idp/azure/main
to: /docs/guides/add-an-external-idp/entra/main/
- from: /docs/guides/add-an-external-idp/azure/main/index.html
to: /docs/guides/add-an-external-idp/entra/main/
- from: /docs/guides/sharing-cert/overview
to: /docs/guides/sharing-cert/
- from: /docs/guides/sharing-cert/generate-new-credential
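Review bot: the two new `from:` entries cover `/docs/guides/add-an-external-idp/azure/main` and `.../azure/main/index.html` but not the trailing-slash form `/docs/guides/add-an-external-idp/azure/main/`, which is exactly the form the old Card link used (`href="/docs/guides/add-an-external-idp/azure/main/"`). Unless the router strips trailing slashes before matching, add a third entry for that form so bookmarked and externally linked URLs keep resolving to `/docs/guides/add-an-external-idp/entra/main/`.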

This file was deleted.

This file was deleted.

This file was deleted.

This file was deleted.

@@ -1,16 +1,20 @@
1. Create an Azure AD app using these [instructions](https://docs.microsoft.com/en-us/azure/active-directory/develop/quickstart-register-app).
At the Microsoft identity platform, set up a tenant and register the client app that you want to use for authenticating and authorizing your users.

2. In the **Redirect URI** section of the page, paste the Okta redirect URI. The redirect URI sent in the authorize request from the client needs to match the redirect URI in the IdP. This is the URL where the IdP returns the authentication response (the access token and the ID token). It needs to be a secure domain that you own. This URL has the same structure for most IdPs in Okta and is constructed using your Okta subdomain and then the callback endpoint.
1. Set up a [Microsoft Entra tenant](https://learn.microsoft.com/en-us/entra/identity-platform/quickstart-create-new-tenant).

For example, if your Okta subdomain is called `company`, then the URL would be: `https://company.okta.com/oauth2/v1/authorize/callback`. If you’ve configured a custom domain in your Okta Org, use that value to construct your redirect URI, such as `https://login.company.com/oauth2/v1/authorize/callback`.
1. Register an [app in Microsoft Entra admin center](https://learn.microsoft.com/en-us/entra/identity-platform/quickstart-register-app).

1. In the **Redirect URI** section of the page, paste the Okta redirect URI. The redirect URI sent in the authorize request from the client needs to match the redirect URI in the IdP. This is the URL where the IdP returns the authentication response (the access token and the ID token). It needs to be a secure domain that you own. This URL has the same structure for most IdPs in Okta and is constructed using your Okta subdomain and then the callback endpoint.

For example, if your Okta subdomain is called `company`, then the URL would be: `https://company.okta.com/oauth2/v1/authorize/callback`. If you've configured a custom domain in your Okta Org, use that value to construct your redirect URI, such as `https://login.company.com/oauth2/v1/authorize/callback`.

Include all base domains (Okta domain and custom domain) that your users interact with in the allowed redirect URI list.

3. Copy the Azure application ID value so that you can add it to the Okta configuration in the next section.
3. Copy the **Application (client) ID** value so that you can add it to the Okta configuration in the next section.

4. Under **Certificates & secrets**, click **New client secret** to generate a client secret for your app. Copy the value so that you can add it to the Okta configuration in the next section. This is the secret that corresponds to your Azure application ID.

> **Note:** There may be other settings for the app that you can configure. The steps in this guide address the quickest route to setting up Azure AD as an IdP with Okta. See the Azure AD documentation for more information on other configuration settings.
> **Note:** There may be more settings for the app that you can configure. The steps in this guide address the quickest route to setting up Microsoft Entra ID as an IdP with Okta. See the [Microsoft Entra ID documentation](https://learn.microsoft.com/en-us/entra/identity/) for more information on additional configuration settings.

For use in the next section, do the following:

@@ -0,0 +1,17 @@
* **Name**: Enter a name for the IdP configuration.
* **Client Id**: Paste the client ID that you obtained from Microsoft Entra ID when you configured the IdP in the previous section.
* **Client Secret**: Paste the secret that you obtained in the previous section.
* **Scopes**: Leave the defaults. These scopes are included when Okta makes an OpenID Connect request to Microsoft Entra ID.

> **Note:** By default, Okta requires the `email` attribute for a user. The `email` scope is required to create and link the user to Okta Universal Directory.

In the **Endpoints** section:

Add the following endpoint URLs for the Microsoft Entra ID IdP that you're configuring.

* **Issuer**: The identifier of the Microsoft Entra ID IdP: `https://login.microsoftonline.com/{Directory(tenant)ID}/v2.0`
* **Authorization endpoint**: The URL of the Microsoft Entra ID OAuth 2.0 authorization endpoint. For example: `https://login.microsoftonline.com/{Directory(tenant)ID}/oauth2/v2.0/authorize`
* **Token endpoint**: The URL of the Microsoft Entra ID token endpoint for obtaining access and ID tokens. For example: `https://login.microsoftonline.com/{Directory(tenant)ID}/oauth2/v2.0/token`
* **JWKS endpoint**: The URL of the Microsoft Entra ID JSON Web Key Set document. This document contains signing keys that are used to validate the signatures from the provider. For example: `https://login.microsoftonline.com/{Directory(tenant)ID}/discovery/v2.0/keys`

> **Note:** These URL values are obtained from the previous [Create an app at the Identity Provider](#create-an-app-at-the-identity-provider) section.
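Review bot: the closing note says the endpoint URLs are obtained from the previous section, but every URL here needs the `{Directory(tenant)ID}` value, and the previous section (the `appatidp` snippet rewritten in this PR) only has the reader copy the **Application (client) ID** and the client secret. Add a step there to copy the **Directory (tenant) ID** too (or say where it is shown in the Entra admin center), otherwise the Issuer, authorization, token and JWKS URLs cannot be completed from that section alone.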
@@ -0,0 +1,3 @@
> **Notes:**
> * These steps configure Microsoft Entra ID as the IdP with the OIDC protocol. To configure the connection with the SAML protocol, see [Make Azure Active Directory an Identity Provider](https://help.okta.com/okta_help.htm?type=oie&id=ext-azure-idp-setup).
> * See the [Identity Providers API](https://developer.okta.com/docs/api/openapi/okta-management/management/tag/IdentityProvider/#tag/IdentityProvider/operation/createIdentityProvider) for request and response examples of creating an IdP in Okta using the API.
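Review bot: the SAML cross-reference keeps the link text "Make Azure Active Directory an Identity Provider" inside a note that otherwise says Microsoft Entra ID; confirm that is still the title of the linked help.okta.com page and, if that page has been renamed as well, update the link text so the old and new product names do not appear side by side.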
@@ -0,0 +1 @@
Microsoft Entra ID
@@ -0,0 +1 @@
with [Azure](https://azure.microsoft.com/free/?WT.mc_id=A261C142F) that has an active subscription to access the [Microsoft Entra admin center](https://entra.microsoft.com/)
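Review bot: the Azure link carries a campaign tracking parameter (`?WT.mc_id=A261C142F`); unless that is intentional, use a plain `https://azure.microsoft.com/free/` link, since the docs have no reason to attribute sign-ups to a marketing campaign.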
Expand Up @@ -7,7 +7,7 @@ meta:

## <StackSnippet snippet="idp" inline />

This document explains how to configure <StackSnippet snippet="idp" inline /> as an [external Identity Provider](/docs/concepts/identity-providers/) for your application by creating an application at <StackSnippet snippet="idp" inline />, creating an Identity Provider (IdP) in Okta, testing the configuration, and creating a sign-in button.
This document explains how to configure <StackSnippet snippet="idp" inline /> as an [external Identity Provider](/docs/concepts/identity-providers/) for your app by creating an app at <StackSnippet snippet="idp" inline />, creating an Identity Provider (IdP) in Okta, testing the configuration, and creating a sign-in button.

---

Expand All @@ -18,8 +18,8 @@ Configure an external IdP so that your users can quickly sign up or sign in to y
#### What you need

* [Okta Developer Edition organization](https://developer.okta.com/signup)
* An app that you want to add authentication to. You can [create an app integration by using AIW](https://help.okta.com/okta_help.htm?id=ext_Apps_App_Integration_Wizard) or use an existing one.
* An account <StackSnippet snippet="idpaccount" inline />.
* An app that you want to add authentication to. You can [create an app integration using AIW](https://help.okta.com/okta_help.htm?id=ext_Apps_App_Integration_Wizard) or use an existing one.
* An account <StackSnippet snippet="idpaccount" inline />

---

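Review bot: this hunk drops the trailing period from the `An account <StackSnippet snippet="idpaccount" inline />` bullet while the bullet above it still ends with one, so the rendered list has mixed punctuation; either keep the period here or end the `idpaccount` snippet text with one.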
Expand All @@ -31,8 +31,6 @@ Okta manages the connection to the IdP for your app. The connection sits between

## Create an app at the Identity Provider

At the <StackSnippet snippet="idp" inline /> IdP, create the client application that you want to use for authenticating and authorizing your users.

<StackSnippet snippet="appatidp" />

## Create an Identity Provider in Okta
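Review bot: removing the generic "At the <StackSnippet snippet="idp" inline /> IdP, create the client application ..." lead-in from main.md means every `appatidp` snippet must now supply its own opening sentence. This PR does that for the entra, oktatookta and openidconnect snippets; check the remaining IdP snippets that share this page (the Cards list also includes SAML 2.0 and others) so none of them now opens directly on a numbered list.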
Expand Down Expand Up @@ -73,7 +71,7 @@ Alternatively, you can use the authorize URL to simulate the authorization flow.

> **Note:** Use this step to test your authorization URL as an HTML link. For information on testing your authorization URL using the Sign-In Widget, Okta-hosted sign-in page, or AuthJS, see the [next section](#use-the-identity-provider-to-sign-in).
>
> If you're using Authorization Code with PKCE as the grant type, you must generate and store the PKCE. See [Implement authorization by grant type](/docs/guides/implement-grant-type/authcodepkce/main/#flow-specifics). Okta recommends that you use the [AuthJS SDK](https://github.com/okta/okta-auth-js#signinwithredirectoptions) with this grant type.
> If you use the Authorization Code with PKCE grant type, you must generate and store the PKCE. See [Implement authorization by grant type](/docs/guides/implement-grant-type/authcodepkce/main/#flow-specifics). Okta recommends that you use the [AuthJS SDK](https://github.com/okta/okta-auth-js#signinwithredirectoptions) with this grant type.

In the URL, replace `{yourOktaDomain}` with your org's base URL, and then replace the following values:

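Review bot: "you must generate and store the PKCE" stays imprecise after the rewording; PKCE is the mechanism, and what has to be generated and kept for the token request is the code verifier (with its derived code challenge sent in the authorize request). Suggest "you must generate a PKCE code verifier and code challenge and store the verifier for the token request."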
@@ -1,4 +1,4 @@
When you're configuring federation between two Okta orgs, use OpenID Connect as the sign-in method:
In the Okta org that functions as the IdP, create a client app that you want to use for authenticating and authorizing your users. When you're configuring federation between two Okta orgs, use OpenID Connect as the sign-in method:

1. In the Admin Console for the Okta org that represents the IdP, go to **Applications** > **Applications**.
1. Click **Create App Integration**.
@@ -1,4 +1,4 @@
Use the documentation of the IdP to create a client application.
At the OpenID Connect IdP, create the client app that you want to use for authenticating and authorizing your users. Use the IdP's documentation to create a client app.

You also need to add the redirect URI to the appropriate section. The redirect URI sent in the authorize request from the client needs to match the redirect URI in the OIDC IdP. This is the URL where the IdP returns the authentication response (the access token and the ID token). It needs to be a secure domain that you own. This URL has the same structure for most IdPs in Okta and is constructed using your Okta subdomain and then the callback endpoint.

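Review bot: the new opening line says "create the client app that you want to use ..." and then immediately "Use the IdP's documentation to create a client app.", which tells the reader to create the app twice; fold them into one sentence, e.g. "At the OpenID Connect IdP, use the IdP's documentation to create the client app that you want to use for authenticating and authorizing your users."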
Expand Up @@ -12,7 +12,7 @@ Not sure what an Identity Provider is? See [External Identity Providers](/docs/c
## Enterprise Identity Providers

<Cards>
<Card href="/docs/guides/add-an-external-idp/azure/main/" headerImage="/img/idp-logos/azure.svg">Azure AD</Card>
<Card href="/docs/guides/add-an-external-idp/entra/main/" headerImage="/img/idp-logos/entraID.svg">Microsoft Entra ID</Card>
<Card href="/docs/guides/add-an-external-idp/oktatookta/main/" headerImage="/img/idp-logos/okta.svg">Okta to Okta</Card>
<Card href="/docs/guides/add-an-external-idp/openidconnect/main/" headerImage="/img/idp-logos/oidc.png">OpenID Connect</Card>
<Card href="/docs/guides/add-an-external-idp/saml2/main/" headerImage="/img/idp-logos/saml.png">SAML 2.0</Card>
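Review bot: this Card and the CSS rule later in the PR both reference a new asset `/img/idp-logos/entraID.svg`, but the added file itself is not visible in this diff view; confirm it is committed with the PR. Also check whether the retired `/img/idp-logos/azure.svg` and `/img/icons/azure-ad-logo-75.png` are still referenced anywhere else before removing them.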
Expand Up @@ -62,7 +62,7 @@ To remove an existing account link or validate account linking with every sign-i

If **Account Link Policy** is disabled, no account linking occurs. You can manually create an account link without a transaction by making a `POST` call to the `/api/v1/idps/{idps}/users/{userId}` [endpoint](/docs/reference/api/idps/#link-a-user-to-a-social-provider-without-a-transaction).

See [Add an Identity Provider](https://developer.okta.com/docs/api/openapi/okta-management/management/tag/IdentityProvider/#tag/IdentityProvider/operation/createIdentityProvider) for API examples of account linking JSON payloads.
See [Create an Identity Provider](https://developer.okta.com/docs/api/openapi/okta-management/management/tag/IdentityProvider/#tag/IdentityProvider/operation/createIdentityProvider) for API examples of account linking JSON payloads.

For security best practices, consider disabling account linking after all existing users from the external IdP have signed in to your Okta org. At this point, all links have been created. After you disable linking, and JIT provisioning is enabled, Okta adds new users that are created in the external IdP.

@@ -1,5 +1,5 @@
* **Name**: Enter a name for the Identity Provider configuration.
* **Client Id**: Paste the app ID or client ID that you obtained from the Identity Provider in the previous section.
* **Client ID**: Paste the app ID or client ID that you obtained from the Identity Provider in the previous section.
* **Client Secret**: Paste the secret that you obtained from the Identity Provider in the previous section.
* **Scopes**: Leave the defaults.

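Review bot: this hunk corrects the field label to **Client ID**, but the new Entra `idpinokta`-style snippet added in this same PR still writes **Client Id**; use the same casing in both so the two snippets match the Admin Console label.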
Expand Up @@ -1997,10 +1997,10 @@ h1 {
background-image: url("/img/icons/amazon-universal-gray-small.png");
}

.icon.azure::before {
.icon.entra::before {
content: "";

background-image: url("/img/icons/azure-ad-logo-75.png");
background-image: url("/img/idp-logos/entraID.svg");
}

.icon.discord::before {
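Review bot: renaming the selector `.icon.azure` to `.icon.entra` silently drops the icon for any element still carrying the `azure` class; grep the theme components and markdown for `icon azure` (and the `azure` framework key) before merging, or keep `.icon.azure` as an alias until those usages are migrated.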
2 changes: 1 addition & 1 deletion packages/@okta/vuepress-theme-prose/util/frameworks.js
Expand Up @@ -11,7 +11,7 @@ const FRAMEWORK_TO_COMMON_NAME = {

const COMMON_NAME_TO_FANCY_NAME = {
apple: 'Apple',
azure: 'Azure AD',
entra: 'Microsoft Entra ID',
javascript: 'JS',
angular: 'Angular',
amazon: 'Amazon',
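Review bot: the `azure` key is replaced by `entra` in `COMMON_NAME_TO_FANCY_NAME`, but `FRAMEWORK_TO_COMMON_NAME` just above (named in the hunk header) is not shown changing; check that no entry there still maps to `azure`, since the conductor.yml redirects cover page URLs, not these in-code keys.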