docs/oidc-integration-guide/cloud-integration-guide.md (3 additions & 3 deletions)
@@ -55,15 +55,15 @@ If you did not receive this information, it means that your onboarding process i
55
55
:::
56
56
57
57
- An active [Entra ID P1 or P2](https://azure.microsoft.com/en-us/pricing/details/active-directory/) subscription with Conditional Access enabled, and P1/P2 licenses assigned to each user who will log in using MobileID MFA. Plans like Microsoft 365 E3, E5, and F3, as well as Enterprise Mobility + Security E3 and E5, and Microsoft Business Premium, all include Entra ID Premium.
58
-
- A designated Entra ID admin service account to authorize the MobileID application access. This account requires the Entra ID Global Administrator or Privileged Role Administrator role during the MobileID setup process, though you can reduce the service account's role privileges afterward.
58
+
- A designated Entra ID admin account. Configuring the external MFA method and Conditional Access policies requires at least the **Authentication Policy Administrator** role. Granting admin consent for the MobileID application (Step 8 below) requires at least the **Privileged Role Administrator** role. A Global Administrator can perform both steps, but is not the minimum required role for either. You can reduce the account's role privileges after setup is complete.
59
59
60
60
### Configure Entra ID
61
61
62
62
Follow these steps to configure MobileID as an External MFA method in Microsoft Entra ID:
63
63
64
64
| Step | Description |
65
65
|------|-------------|
66
-
| 1 |**Log in to Entra ID** <br><br> Go to the [Microsoft Entra admin center](https://entra.microsoft.com) and log in to your Entra ID tenant as a global administrator. <br><br> If you're using the [Azure portal](https://portal.azure.com), the navigation will differ slightly. |
66
+
| 1 |**Log in to Entra ID** <br><br> Go to the [Microsoft Entra admin center](https://entra.microsoft.com) and log in to your Entra ID tenant as at least an Authentication Policy Administrator. For Step 8 (admin consent), you will need at least the Privileged Role Administrator role. <br><br> If you're using the [Azure portal](https://portal.azure.com), the navigation will differ slightly. |
67
67
| 2 |**Navigate to Authentication Methods** <br><br> In the Entra Admin Center, go to **Entra ID → Authentication methods → Add external MFA**. <br><br> If you're logged into the Azure portal instead, first select Microsoft Entra ID, then go to **Security → Authentication Methods**. |
| 4 |**Configure the External MFA Method** <br><br> On the "Add external MFA" page, enter a descriptive name for the MobileID method. The default name might be "Mobile ID" but you can choose a name that will make sense to your users since they'll see this during authentication. <br><br> **Note:** You cannot change the name after creation. <br><br> Enter the information you have received from Swisscom in the corresponding field: **Client ID**, **Discovery Endpoint**, **App ID**. <br><br> |
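Review bot: The new prerequisite bullet and the Step 1 row both refer to "Step 8" by number, but the rows visible in this hunk stop at step 4 and the table is numbered by hand, so the reference goes stale as soon as a row is added or removed. Refer to the step by its title (the admin consent step) or link to an anchor instead. The Step 1 row should also say how the reader moves from Authentication Policy Administrator to Privileged Role Administrator for that step: the same account with a second role assigned, or a separate sign-in. The old bullet spoke of a "service account" and the new one of an "admin account"; if that change is intentional, the commit message should say why.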
@@ -76,7 +76,7 @@ Follow these steps to configure MobileID as an External MFA method in Microsoft
76
76
77
77
| Step | Description |
78
78
|------|-------------|
79
-
| 1 |**Log in to Entra ID** <br><br> Go to the [Microsoft Entra admin center](https://entra.microsoft.com) and log in to your Entra ID tenant as a global administrator. <br><br> If you're using the [Azure portal](https://portal.azure.com), the navigation will differ slightly. |
79
+
| 1 |**Log in to Entra ID** <br><br> Go to the [Microsoft Entra admin center](https://entra.microsoft.com) and log in to your Entra ID tenant as at least an Authentication Policy Administrator. <br><br> If you're using the [Azure portal](https://portal.azure.com), the navigation will differ slightly. |
80
80
| 2 |**Navigate to Conditional Access** <br><br> Click on **Conditional Access** in the left-hand menu, then click **+ Create New Policy**. <br><br> If you are in the Azure portal, navigate to **Security → Conditional Access → Policies**. <br><br> |
81
81
| 3 |**Name the Policy** <br><br> Enter a descriptive name for the new policy, such as "MobileID MFA for Acme Users". |
82
82
| 4 |**Assign the Policy** <br><br> You can assign this policy to specific users or groups, Entra ID cloud apps, or other conditions like client platforms or networks. <br><br> *Example for assigning to users:* Click **Users** under "Assignments", then select **Users and groups** on the "Include" tab. Choose **Users and groups** and click **0 users and groups selected** to locate the users or Entra ID security groups for whom you want to enforce MobileID MFA. Select the users or groups, then click **Select** to apply your choices. <br><br> If you targeted specific groups when creating the MobileID external method, ensure that you apply this new policy to the same groups. <br><br> *Example for assigning to resources:* Click **Target resources**. On the "Include" tab, select **Apps**, and choose the Entra ID applications where you want MobileID MFA to be applied. |
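Review bot: Step 1 of this table now names Authentication Policy Administrator as the minimum role, but the rows that follow create and assign a Conditional Access policy (step 2: "+ Create New Policy"), which is policy management rather than authentication-method management. Please confirm against Microsoft's built-in role reference that this role, and not a Conditional Access specific role, is sufficient to create the policy, and cite the source in the commit message. If a different role is needed, name it here and in the prerequisite bullet changed in the first hunk, otherwise readers who follow the least-privilege wording will be blocked at step 2.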
docs/public/llms-full.txt (3 additions & 3 deletions)
@@ -5479,15 +5479,15 @@ If you did not receive this information, it means that your onboarding process i
5479
5479
:::
5480
5480
5481
5481
- An active [Entra ID P1 or P2](https://azure.microsoft.com/en-us/pricing/details/active-directory/) subscription with Conditional Access enabled, and P1/P2 licenses assigned to each user who will log in using MobileID MFA. Plans like Microsoft 365 E3, E5, and F3, as well as Enterprise Mobility + Security E3 and E5, and Microsoft Business Premium, all include Entra ID Premium.
5482
-
- A designated Entra ID admin service account to authorize the MobileID application access. This account requires the Entra ID Global Administrator or Privileged Role Administrator role during the MobileID setup process, though you can reduce the service account's role privileges afterward.
5482
+
- A designated Entra ID admin account. Configuring the external MFA method and Conditional Access policies requires at least the **Authentication Policy Administrator** role. Granting admin consent for the MobileID application (Step 8 below) requires at least the **Privileged Role Administrator** role. A Global Administrator can perform both steps, but is not the minimum required role for either. You can reduce the account's role privileges after setup is complete.
5483
5483
5484
5484
### Configure Entra ID
5485
5485
5486
5486
Follow these steps to configure MobileID as an External MFA method in Microsoft Entra ID:
5487
5487
5488
5488
| Step | Description |
5489
5489
|------|-------------|
5490
-
| 1 | **Log in to Entra ID** <br><br> Go to the [Microsoft Entra admin center](https://entra.microsoft.com) and log in to your Entra ID tenant as a global administrator. <br><br> If you're using the [Azure portal](https://portal.azure.com), the navigation will differ slightly. |
5490
+
| 1 | **Log in to Entra ID** <br><br> Go to the [Microsoft Entra admin center](https://entra.microsoft.com) and log in to your Entra ID tenant as at least an Authentication Policy Administrator. For Step 8 (admin consent), you will need at least the Privileged Role Administrator role. <br><br> If you're using the [Azure portal](https://portal.azure.com), the navigation will differ slightly. |
5491
5491
| 2 | **Navigate to Authentication Methods** <br><br> In the Entra Admin Center, go to **Entra ID → Authentication methods → Add external MFA**. <br><br> If you're logged into the Azure portal instead, first select Microsoft Entra ID, then go to **Security → Authentication Methods**. |
| 4 | **Configure the External MFA Method** <br><br> On the "Add external MFA" page, enter a descriptive name for the MobileID method. The default name might be "Mobile ID" but you can choose a name that will make sense to your users since they'll see this during authentication. <br><br> **Note:** You cannot change the name after creation. <br><br> Enter the information you have received from Swisscom in the corresponding field: **Client ID**, **Discovery Endpoint**, **App ID**. <br><br>  |
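Review bot: This hunk repeats the cloud-integration-guide.md edit line for line at a different offset (5479 instead of 55), which suggests llms-full.txt is an aggregate of the docs pages. If it is generated, regenerate it from the sources rather than editing it by hand, so the two copies cannot drift; if it is maintained manually, note that in the commit message. The "Step 8 below" cross-reference is also weaker in a concatenated file, where "below" no longer clearly identifies which table is meant.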
@@ -5500,7 +5500,7 @@ Follow these steps to configure MobileID as an External MFA method in Microsoft
5500
5500
5501
5501
| Step | Description |
5502
5502
|------|-------------|
5503
-
| 1 | **Log in to Entra ID** <br><br> Go to the [Microsoft Entra admin center](https://entra.microsoft.com) and log in to your Entra ID tenant as a global administrator. <br><br> If you're using the [Azure portal](https://portal.azure.com), the navigation will differ slightly. |
5503
+
| 1 | **Log in to Entra ID** <br><br> Go to the [Microsoft Entra admin center](https://entra.microsoft.com) and log in to your Entra ID tenant as at least an Authentication Policy Administrator. <br><br> If you're using the [Azure portal](https://portal.azure.com), the navigation will differ slightly. |
5504
5504
| 2 | **Navigate to Conditional Access** <br><br> Click on **Conditional Access** in the left-hand menu, then click **+ Create New Policy**. <br><br> If you are in the Azure portal, navigate to **Security → Conditional Access → Policies**. <br><br>  |
5505
5505
| 3 | **Name the Policy** <br><br> Enter a descriptive name for the new policy, such as "MobileID MFA for Acme Users". |
5506
5506
| 4 | **Assign the Policy** <br><br> You can assign this policy to specific users or groups, Entra ID cloud apps, or other conditions like client platforms or networks. <br><br> *Example for assigning to users:* Click **Users** under "Assignments", then select **Users and groups** on the "Include" tab. Choose **Users and groups** and click **0 users and groups selected** to locate the users or Entra ID security groups for whom you want to enforce MobileID MFA. Select the users or groups, then click **Select** to apply your choices. <br><br> If you targeted specific groups when creating the MobileID external method, ensure that you apply this new policy to the same groups. <br><br> *Example for assigning to resources:* Click **Target resources**. On the "Include" tab, select **Apps**, and choose the Entra ID applications where you want MobileID MFA to be applied. |
docs/release-notes/posts/2026-03-27-mobile-id-entra-external-mfa.de.md (3 additions & 3 deletions)
@@ -117,15 +117,15 @@ Das sind Szenarien, in denen ein reiner App-Ansatz an seine Grenzen stösst.
117
117
118
118
## Unternehmens-Anwendungsfälle
119
119
120
-
External MFA mit Mobile ID adressiert ein breites Spektrum von Unternehmensszenarien. SIM und App decken die breitesten Out-of-Band-Enterprise-Journeys ab. Passkeys ergänzen browser-zentrierte Journeys dort, wo WebAuthn-Unterstützung Ende-zu-Ende verfügbar ist.
120
+
Mobile ID adressiert ein breites Spektrum von Unternehmensszenarien über unterschiedliche Integrationsmodelle. SIM und App decken die breitesten Out-of-Band-Enterprise-Journeys ab. Passkeys ergänzen browser-zentrierte Journeys dort, wo WebAuthn-Unterstützung Ende-zu-Ende verfügbar ist.
121
121
122
122
<EntraUseCaseCards />
123
123
124
124
### Microsoft 365 MFA für Mitarbeitende
125
125
126
126
Das häufigste Szenario: Absicherung des Zugangs zu Outlook, Teams, SharePoint und anderen Microsoft 365-Anwendungen. Wenn eine Conditional Access Policy MFA verlangt, authentisieren sich Mitarbeitende über Mobile ID anstelle von oder ergänzend zu Microsoft Authenticator.
127
127
128
-
Das ist besonders wertvoll für Organisationen, die einen **einzigen MFA-Anbieter über alle Anwendungen hinweg** wollen, nicht nur für Microsoft-Dienste. Da Mobile ID[Standard-OIDC](/oidc-integration-guide/introduction)verwendet, funktionieren die gleichen Authentisierungsmethoden für Entra ID, eigene Webanwendungen, VPN-Zugang und mehr.
128
+
Das ist besonders wertvoll für Organisationen, die einen **einzigen MFA-Anbieter über alle Anwendungen hinweg** wollen, nicht nur für Microsoft-Dienste. Die Mobile ID-Authentisierungsmethoden — SIM, App und Passkeys — stehen über verschiedene Integrationsmodelle zur Verfügung: als Entra External MFA-Anbieter, über [Standard-OIDC](/oidc-integration-guide/introduction)für eigene Webanwendungen und via [RADIUS Interface Gateway](/radius-interface-gateway-guide/introduction) für VPN- und Netzwerkzugang.
129
129
130
130
### VPN und Remote Access
131
131
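Review bot: The rewritten paragraph at line 128 lists "SIM, App und Passkeys" and then names the RADIUS Interface Gateway for VPN and network access as one of the integration models, which reads as if Passkeys are available over RADIUS. The unchanged sentence at line 120 limits Passkeys to browser-centric journeys where WebAuthn support exists end to end, so state per integration model which methods apply. As rendered here there is also no space between the closing parenthesis of the Standard-OIDC link and "für" in the added line; check the source file. The .fr.md and .it.md hunks use the same sentence structure and need the same clarification.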
@@ -206,7 +206,7 @@ Die Einrichtung von Mobile ID als External MFA-Anbieter in Entra ID erfordert dr
206
206
<divclass="blog-step-card">
207
207
<div class="blog-step-number">3</div>
208
208
<div class="blog-step-body">
209
-
<p><span class="blog-step-title">Ein Entra ID-Administratorkonto vorbereiten.</span> Für die Ersteinrichtung ist die Rolle Global Administrator oder Privileged Role Administrator erforderlich.</p>
209
+
<p><span class="blog-step-title">Ein Entra ID-Administratorkonto vorbereiten.</span> Für die Konfiguration der externen MFA-Methode und der Conditional Access Policies ist mindestens die Rolle Authentication Policy Administrator erforderlich. Für die Erteilung der Admin-Zustimmung für die Anbieteranwendung wird mindestens die Rolle Privileged Role Administrator benötigt.</p>
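Review bot: The added step text at line 209 calls the consent target "Anbieteranwendung", while the integration guide changed in this same commit calls it the MobileID application; use one name so readers can match the release note to the guide. The removed line tied the role requirement to "Ersteinrichtung" and the guide says privileges can be reduced after setup, but the new text drops that scoping. Add a sentence that both roles are only needed while the setup is performed.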
docs/release-notes/posts/2026-03-27-mobile-id-entra-external-mfa.fr.md (3 additions & 3 deletions)
@@ -117,15 +117,15 @@ Ce sont des scénarios où une approche exclusivement basée sur une application
117
117
118
118
## Cas d'usage en entreprise
119
119
120
-
External MFA avec Mobile ID couvre un large éventail de scénarios d'entreprise. La SIM et l'App couvrent les parcours d'entreprise hors bande les plus larges. Les Passkeys complètent les parcours centrés navigateur là où la prise en charge WebAuthn est disponible de bout en bout.
120
+
Mobile ID couvre un large éventail de scénarios d'entreprise à travers différents modèles d'intégration. La SIM et l'App couvrent les parcours d'entreprise hors bande les plus larges. Les Passkeys complètent les parcours centrés navigateur là où la prise en charge WebAuthn est disponible de bout en bout.
121
121
122
122
<EntraUseCaseCards />
123
123
124
124
### MFA Microsoft 365 pour les collaborateurs
125
125
126
126
Le scénario le plus courant : sécuriser l'accès à Outlook, Teams, SharePoint et aux autres applications Microsoft 365. Lorsqu'une politique Conditional Access exige le MFA, les collaborateurs s'authentifient via Mobile ID au lieu de, ou en complément de, Microsoft Authenticator.
127
127
128
-
Cela est particulièrement pertinent pour les organisations qui souhaitent un **fournisseur MFA unique pour toutes les applications**, et pas uniquement pour les services Microsoft. Étant donné que Mobile ID utilise le [standard OIDC](/oidc-integration-guide/introduction), les mêmes méthodes d'authentification fonctionnent pour Entra ID, les applications web personnalisées, l'accès VPN et plus encore.
128
+
Cela est particulièrement pertinent pour les organisations qui souhaitent un **fournisseur MFA unique pour toutes les applications**, et pas uniquement pour les services Microsoft. Les méthodes d'authentification Mobile ID — SIM, App et Passkeys — sont disponibles à travers différents modèles d'intégration : en tant que fournisseur Entra External MFA, via [OIDC standard](/oidc-integration-guide/introduction) pour les applications web personnalisées, et via le [RADIUS Interface Gateway](/radius-interface-gateway-guide/introduction) pour l'accès VPN et réseau.
129
129
130
130
### VPN et accès à distance
131
131
@@ -206,7 +206,7 @@ La mise en place de Mobile ID comme fournisseur External MFA dans Entra ID repos
206
206
<divclass="blog-step-card">
207
207
<div class="blog-step-number">3</div>
208
208
<div class="blog-step-body">
209
-
<p><span class="blog-step-title">Prévoir un compte administrateur Entra ID.</span> La configuration initiale requiert le rôle Global Administrator ou Privileged Role Administrator.</p>
209
+
<p><span class="blog-step-title">Prévoir un compte administrateur Entra ID.</span> La configuration de la méthode External MFA et des politiques Conditional Access requiert au minimum le rôle Authentication Policy Administrator. L'octroi du consentement administrateur pour l'application du fournisseur requiert au minimum le rôle Privileged Role Administrator.</p>
docs/release-notes/posts/2026-03-27-mobile-id-entra-external-mfa.it.md (3 additions & 3 deletions)
@@ -117,15 +117,15 @@ Questi sono scenari in cui un approccio basato solo su app raggiunge i propri li
117
117
118
118
## Casi d'uso aziendali
119
119
120
-
External MFA con Mobile ID copre un'ampia gamma di scenari aziendali. SIM e App coprono i percorsi enterprise out-of-band più ampi. I Passkeys completano i percorsi browser-centrici dove il supporto WebAuthn è disponibile end-to-end.
120
+
Mobile ID copre un'ampia gamma di scenari aziendali attraverso diversi modelli di integrazione. SIM e App coprono i percorsi enterprise out-of-band più ampi. I Passkeys completano i percorsi browser-centrici dove il supporto WebAuthn è disponibile end-to-end.
121
121
122
122
<EntraUseCaseCards />
123
123
124
124
### MFA per Microsoft 365 per i dipendenti
125
125
126
126
Lo scenario più comune: proteggere l'accesso a Outlook, Teams, SharePoint e altre applicazioni Microsoft 365. Quando una policy Conditional Access richiede la MFA, i dipendenti si autenticano tramite Mobile ID al posto di, o insieme a, Microsoft Authenticator.
127
127
128
-
Questo è particolarmente prezioso per le organizzazioni che desiderano un **unico provider MFA per tutte le applicazioni**, non solo per i servizi Microsoft. Poiché Mobile ID utilizza [OIDC standard](/oidc-integration-guide/introduction), gli stessi metodi di autenticazione funzionano per Entra ID, applicazioni web custom, accesso VPN e altro.
128
+
Questo è particolarmente prezioso per le organizzazioni che desiderano un **unico provider MFA per tutte le applicazioni**, non solo per i servizi Microsoft. I metodi di autenticazione Mobile ID — SIM, App e Passkeys — sono disponibili attraverso diversi modelli di integrazione: come provider Entra External MFA, tramite [OIDC standard](/oidc-integration-guide/introduction) per applicazioni web custom, e tramite il [RADIUS Interface Gateway](/radius-interface-gateway-guide/introduction) per l'accesso VPN e di rete.
129
129
130
130
### VPN e accesso remoto
131
131
@@ -206,7 +206,7 @@ Configurare Mobile ID come provider External MFA in Entra ID richiede tre prereq
206
206
<divclass="blog-step-card">
207
207
<div class="blog-step-number">3</div>
208
208
<div class="blog-step-body">
209
-
<p><span class="blog-step-title">Preparare un account amministratore Entra ID.</span> La configurazione iniziale richiede il ruolo Global Administrator oppure Privileged Role Administrator.</p>
209
+
<p><span class="blog-step-title">Preparare un account amministratore Entra ID.</span> La configurazione del metodo External MFA e delle policy Conditional Access richiede almeno il ruolo Authentication Policy Administrator. La concessione del consenso amministratore per l'applicazione del provider richiede almeno il ruolo Privileged Role Administrator.</p>
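Review bot: Only the .de.md, .fr.md and .it.md variants of the 2026-03-27 post appear in the file list shown here; no default-language version of the post is changed. Confirm that the English post already carries the Authentication Policy Administrator and Privileged Role Administrator wording, or include it in this commit, so the language versions do not disagree on the required role.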