Commit c61be7f

Merge branch 'vigilant-ptolemy'
2 parents 67acfa3 + e0bd4df commit c61be7f

6 files changed

Lines changed: 18 additions & 18 deletions

docs/oidc-integration-guide/cloud-integration-guide.md

Lines changed: 3 additions & 3 deletions
Original file line numberDiff line numberDiff line change
@@ -55,15 +55,15 @@ If you did not receive this information, it means that your onboarding process i
5555
:::
5656

5757
- An active [Entra ID P1 or P2](https://azure.microsoft.com/en-us/pricing/details/active-directory/) subscription with Conditional Access enabled, and P1/P2 licenses assigned to each user who will log in using MobileID MFA. Plans like Microsoft 365 E3, E5, and F3, as well as Enterprise Mobility + Security E3 and E5, and Microsoft Business Premium, all include Entra ID Premium.
58-
- A designated Entra ID admin service account to authorize the MobileID application access. This account requires the Entra ID Global Administrator or Privileged Role Administrator role during the MobileID setup process, though you can reduce the service account's role privileges afterward.
58+
- A designated Entra ID admin account. Configuring the external MFA method and Conditional Access policies requires at least the **Authentication Policy Administrator** role. Granting admin consent for the MobileID application (Step 8 below) requires at least the **Privileged Role Administrator** role. A Global Administrator can perform both steps, but is not the minimum required role for either. You can reduce the account's role privileges after setup is complete.
5959

6060
### Configure Entra ID
6161

6262
Follow these steps to configure MobileID as an External MFA method in Microsoft Entra ID:
6363

6464
| Step | Description |
6565
|------|-------------|
66-
| 1 | **Log in to Entra ID** <br><br> Go to the [Microsoft Entra admin center](https://entra.microsoft.com) and log in to your Entra ID tenant as a global administrator. <br><br> If you're using the [Azure portal](https://portal.azure.com), the navigation will differ slightly. |
66+
| 1 | **Log in to Entra ID** <br><br> Go to the [Microsoft Entra admin center](https://entra.microsoft.com) and log in to your Entra ID tenant as at least an Authentication Policy Administrator. For Step 8 (admin consent), you will need at least the Privileged Role Administrator role. <br><br> If you're using the [Azure portal](https://portal.azure.com), the navigation will differ slightly. |
6767
| 2 | **Navigate to Authentication Methods** <br><br> In the Entra Admin Center, go to **Entra ID → Authentication methods → Add external MFA**. <br><br> If you're logged into the Azure portal instead, first select Microsoft Entra ID, then go to **Security → Authentication Methods**. |
6868
| 3 | **Add External MFA** <br><br> Click **+ Add External MFA**. <br><br> ![entraid-add-external-method](/img/entraid-add-external-method.png) |
6969
| 4 | **Configure the External MFA Method** <br><br> On the "Add external MFA" page, enter a descriptive name for the MobileID method. The default name might be "Mobile ID" but you can choose a name that will make sense to your users since they'll see this during authentication. <br><br> **Note:** You cannot change the name after creation. <br><br> Enter the information you have received from Swisscom in the corresponding field: **Client ID**, **Discovery Endpoint**, **App ID**. <br><br> ![entraid-configure-external-method](/img/entraid-configure-external-method.png) |
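Review bot: "Step 8 below" in the new prerequisite bullet (line 58) and "Step 8 (admin consent)" in step 1 of the table (line 66) do not say which table they refer to, and this page has two step tables that both start at 1, the second being the Conditional Access one. Name the procedure, for example "Step 8 of Configure Entra ID", or link to an anchor on that step. The rewrite also turns "admin service account" into "admin account" and drops the clause about authorizing MobileID application access; if the account type matters for the later privilege reduction, state it explicitly. Since step 1 now has the reader sign in as Authentication Policy Administrator, it would help to say at Step 8 itself that a sign-in or role activation with Privileged Role Administrator is needed at that point.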
@@ -76,7 +76,7 @@ Follow these steps to configure MobileID as an External MFA method in Microsoft
7676

7777
| Step | Description |
7878
|------|-------------|
79-
| 1 | **Log in to Entra ID** <br><br> Go to the [Microsoft Entra admin center](https://entra.microsoft.com) and log in to your Entra ID tenant as a global administrator. <br><br> If you're using the [Azure portal](https://portal.azure.com), the navigation will differ slightly. |
79+
| 1 | **Log in to Entra ID** <br><br> Go to the [Microsoft Entra admin center](https://entra.microsoft.com) and log in to your Entra ID tenant as at least an Authentication Policy Administrator. <br><br> If you're using the [Azure portal](https://portal.azure.com), the navigation will differ slightly. |
8080
| 2 | **Navigate to Conditional Access** <br><br> Click on **Conditional Access** in the left-hand menu, then click **+ Create New Policy**. <br><br> If you are in the Azure portal, navigate to **Security → Conditional Access → Policies**. <br><br> ![entraid-conditional-access](/img/entraid-conditional-access.png) |
8181
| 3 | **Name the Policy** <br><br> Enter a descriptive name for the new policy, such as "MobileID MFA for Acme Users". |
8282
| 4 | **Assign the Policy** <br><br> You can assign this policy to specific users or groups, Entra ID cloud apps, or other conditions like client platforms or networks. <br><br> *Example for assigning to users:* Click **Users** under "Assignments", then select **Users and groups** on the "Include" tab. Choose **Users and groups** and click **0 users and groups selected** to locate the users or Entra ID security groups for whom you want to enforce MobileID MFA. Select the users or groups, then click **Select** to apply your choices. <br><br> If you targeted specific groups when creating the MobileID external method, ensure that you apply this new policy to the same groups. <br><br> *Example for assigning to resources:* Click **Target resources**. On the "Include" tab, select **Apps**, and choose the Entra ID applications where you want MobileID MFA to be applied. |
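Review bot: Step 1 of the Conditional Access table (line 79) now names Authentication Policy Administrator as the minimum role, but the steps that follow create and assign a Conditional Access policy, and Entra ID has a dedicated Conditional Access Administrator role for that. Please check the stated minimum against Microsoft's built-in role reference before merging; if Authentication Policy Administrator cannot create policies, readers who follow the least-privilege advice will be blocked at step 2. The prerequisite bullet in the first hunk ("Configuring the external MFA method and Conditional Access policies requires at least ...") makes the same claim and would need the matching correction.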

docs/public/llms-full.txt

Lines changed: 3 additions & 3 deletions
Original file line numberDiff line numberDiff line change
@@ -5479,15 +5479,15 @@ If you did not receive this information, it means that your onboarding process i
54795479
:::
54805480

54815481
- An active [Entra ID P1 or P2](https://azure.microsoft.com/en-us/pricing/details/active-directory/) subscription with Conditional Access enabled, and P1/P2 licenses assigned to each user who will log in using MobileID MFA. Plans like Microsoft 365 E3, E5, and F3, as well as Enterprise Mobility + Security E3 and E5, and Microsoft Business Premium, all include Entra ID Premium.
5482-
- A designated Entra ID admin service account to authorize the MobileID application access. This account requires the Entra ID Global Administrator or Privileged Role Administrator role during the MobileID setup process, though you can reduce the service account's role privileges afterward.
5482+
- A designated Entra ID admin account. Configuring the external MFA method and Conditional Access policies requires at least the **Authentication Policy Administrator** role. Granting admin consent for the MobileID application (Step 8 below) requires at least the **Privileged Role Administrator** role. A Global Administrator can perform both steps, but is not the minimum required role for either. You can reduce the account's role privileges after setup is complete.
54835483

54845484
### Configure Entra ID
54855485

54865486
Follow these steps to configure MobileID as an External MFA method in Microsoft Entra ID:
54875487

54885488
| Step | Description |
54895489
|------|-------------|
5490-
| 1 | **Log in to Entra ID** <br><br> Go to the [Microsoft Entra admin center](https://entra.microsoft.com) and log in to your Entra ID tenant as a global administrator. <br><br> If you're using the [Azure portal](https://portal.azure.com), the navigation will differ slightly. |
5490+
| 1 | **Log in to Entra ID** <br><br> Go to the [Microsoft Entra admin center](https://entra.microsoft.com) and log in to your Entra ID tenant as at least an Authentication Policy Administrator. For Step 8 (admin consent), you will need at least the Privileged Role Administrator role. <br><br> If you're using the [Azure portal](https://portal.azure.com), the navigation will differ slightly. |
54915491
| 2 | **Navigate to Authentication Methods** <br><br> In the Entra Admin Center, go to **Entra ID → Authentication methods → Add external MFA**. <br><br> If you're logged into the Azure portal instead, first select Microsoft Entra ID, then go to **Security → Authentication Methods**. |
54925492
| 3 | **Add External MFA** <br><br> Click **+ Add External MFA**. <br><br> ![entraid-add-external-method](/img/entraid-add-external-method.png) |
54935493
| 4 | **Configure the External MFA Method** <br><br> On the "Add external MFA" page, enter a descriptive name for the MobileID method. The default name might be "Mobile ID" but you can choose a name that will make sense to your users since they'll see this during authentication. <br><br> **Note:** You cannot change the name after creation. <br><br> Enter the information you have received from Swisscom in the corresponding field: **Client ID**, **Discovery Endpoint**, **App ID**. <br><br> ![entraid-configure-external-method](/img/entraid-configure-external-method.png) |
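Review bot: The added lines at 5482 and 5490 are word-for-word copies of the cloud-integration-guide.md edits, and at this position in a file of more than 5,000 lines "Step 8 below" is even harder to resolve than in the guide. If llms-full.txt is generated from the docs sources, regenerate it from the corrected guide instead of editing it by hand so the two cannot drift; whatever fix the guide gets for the step reference and the role names has to land here as well.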
@@ -5500,7 +5500,7 @@ Follow these steps to configure MobileID as an External MFA method in Microsoft
55005500

55015501
| Step | Description |
55025502
|------|-------------|
5503-
| 1 | **Log in to Entra ID** <br><br> Go to the [Microsoft Entra admin center](https://entra.microsoft.com) and log in to your Entra ID tenant as a global administrator. <br><br> If you're using the [Azure portal](https://portal.azure.com), the navigation will differ slightly. |
5503+
| 1 | **Log in to Entra ID** <br><br> Go to the [Microsoft Entra admin center](https://entra.microsoft.com) and log in to your Entra ID tenant as at least an Authentication Policy Administrator. <br><br> If you're using the [Azure portal](https://portal.azure.com), the navigation will differ slightly. |
55045504
| 2 | **Navigate to Conditional Access** <br><br> Click on **Conditional Access** in the left-hand menu, then click **+ Create New Policy**. <br><br> If you are in the Azure portal, navigate to **Security → Conditional Access → Policies**. <br><br> ![entraid-conditional-access](/img/entraid-conditional-access.png) |
55055505
| 3 | **Name the Policy** <br><br> Enter a descriptive name for the new policy, such as "MobileID MFA for Acme Users". |
55065506
| 4 | **Assign the Policy** <br><br> You can assign this policy to specific users or groups, Entra ID cloud apps, or other conditions like client platforms or networks. <br><br> *Example for assigning to users:* Click **Users** under "Assignments", then select **Users and groups** on the "Include" tab. Choose **Users and groups** and click **0 users and groups selected** to locate the users or Entra ID security groups for whom you want to enforce MobileID MFA. Select the users or groups, then click **Select** to apply your choices. <br><br> If you targeted specific groups when creating the MobileID external method, ensure that you apply this new policy to the same groups. <br><br> *Example for assigning to resources:* Click **Target resources**. On the "Include" tab, select **Apps**, and choose the Entra ID applications where you want MobileID MFA to be applied. |

docs/release-notes/posts/2026-03-27-mobile-id-entra-external-mfa.de.md

Lines changed: 3 additions & 3 deletions
Original file line numberDiff line numberDiff line change
@@ -117,15 +117,15 @@ Das sind Szenarien, in denen ein reiner App-Ansatz an seine Grenzen stösst.
117117

118118
## Unternehmens-Anwendungsfälle
119119

120-
External MFA mit Mobile ID adressiert ein breites Spektrum von Unternehmensszenarien. SIM und App decken die breitesten Out-of-Band-Enterprise-Journeys ab. Passkeys ergänzen browser-zentrierte Journeys dort, wo WebAuthn-Unterstützung Ende-zu-Ende verfügbar ist.
120+
Mobile ID adressiert ein breites Spektrum von Unternehmensszenarien über unterschiedliche Integrationsmodelle. SIM und App decken die breitesten Out-of-Band-Enterprise-Journeys ab. Passkeys ergänzen browser-zentrierte Journeys dort, wo WebAuthn-Unterstützung Ende-zu-Ende verfügbar ist.
121121

122122
<EntraUseCaseCards />
123123

124124
### Microsoft 365 MFA für Mitarbeitende
125125

126126
Das häufigste Szenario: Absicherung des Zugangs zu Outlook, Teams, SharePoint und anderen Microsoft 365-Anwendungen. Wenn eine Conditional Access Policy MFA verlangt, authentisieren sich Mitarbeitende über Mobile ID anstelle von oder ergänzend zu Microsoft Authenticator.
127127

128-
Das ist besonders wertvoll für Organisationen, die einen **einzigen MFA-Anbieter über alle Anwendungen hinweg** wollen, nicht nur für Microsoft-Dienste. Da Mobile ID [Standard-OIDC](/oidc-integration-guide/introduction) verwendet, funktionieren die gleichen Authentisierungsmethoden für Entra ID, eigene Webanwendungen, VPN-Zugang und mehr.
128+
Das ist besonders wertvoll für Organisationen, die einen **einzigen MFA-Anbieter über alle Anwendungen hinweg** wollen, nicht nur für Microsoft-Dienste. Die Mobile ID-Authentisierungsmethoden — SIM, App und Passkeys — stehen über verschiedene Integrationsmodelle zur Verfügung: als Entra External MFA-Anbieter, über [Standard-OIDC](/oidc-integration-guide/introduction) für eigene Webanwendungen und via [RADIUS Interface Gateway](/radius-interface-gateway-guide/introduction) für VPN- und Netzwerkzugang.
129129

130130
### VPN und Remote Access
131131
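Review bot: The new sentence at line 128 routes VPN and network access through the RADIUS Interface Gateway instead of OIDC, yet the "### VPN und Remote Access" section that starts at line 130 is not touched by this hunk. Check that the section does not still describe VPN access as an OIDC integration, and confirm that the new link target /radius-interface-gateway-guide/introduction resolves in the built site.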

@@ -206,7 +206,7 @@ Die Einrichtung von Mobile ID als External MFA-Anbieter in Entra ID erfordert dr
206206
<div class="blog-step-card">
207207
<div class="blog-step-number">3</div>
208208
<div class="blog-step-body">
209-
<p><span class="blog-step-title">Ein Entra ID-Administratorkonto vorbereiten.</span> Für die Ersteinrichtung ist die Rolle Global Administrator oder Privileged Role Administrator erforderlich.</p>
209+
<p><span class="blog-step-title">Ein Entra ID-Administratorkonto vorbereiten.</span> Für die Konfiguration der externen MFA-Methode und der Conditional Access Policies ist mindestens die Rolle Authentication Policy Administrator erforderlich. Für die Erteilung der Admin-Zustimmung für die Anbieteranwendung wird mindestens die Rolle Privileged Role Administrator benötigt.</p>
210210
</div>
211211
</div>
212212
</div>
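Review bot: The replaced sentence at line 209 scoped the role requirement to the initial setup ("Für die Ersteinrichtung"), and the new text drops that scope, so it reads as if both roles are needed permanently. The guide keeps the statement that privileges can be reduced after setup is complete; carry it over here, and likewise where the French and Italian posts lose "configuration initiale" and "configurazione iniziale".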

docs/release-notes/posts/2026-03-27-mobile-id-entra-external-mfa.fr.md

Lines changed: 3 additions & 3 deletions
Original file line numberDiff line numberDiff line change
@@ -117,15 +117,15 @@ Ce sont des scénarios où une approche exclusivement basée sur une application
117117

118118
## Cas d'usage en entreprise
119119

120-
External MFA avec Mobile ID couvre un large éventail de scénarios d'entreprise. La SIM et l'App couvrent les parcours d'entreprise hors bande les plus larges. Les Passkeys complètent les parcours centrés navigateur là où la prise en charge WebAuthn est disponible de bout en bout.
120+
Mobile ID couvre un large éventail de scénarios d'entreprise à travers différents modèles d'intégration. La SIM et l'App couvrent les parcours d'entreprise hors bande les plus larges. Les Passkeys complètent les parcours centrés navigateur là où la prise en charge WebAuthn est disponible de bout en bout.
121121

122122
<EntraUseCaseCards />
123123

124124
### MFA Microsoft 365 pour les collaborateurs
125125

126126
Le scénario le plus courant : sécuriser l'accès à Outlook, Teams, SharePoint et aux autres applications Microsoft 365. Lorsqu'une politique Conditional Access exige le MFA, les collaborateurs s'authentifient via Mobile ID au lieu de, ou en complément de, Microsoft Authenticator.
127127

128-
Cela est particulièrement pertinent pour les organisations qui souhaitent un **fournisseur MFA unique pour toutes les applications**, et pas uniquement pour les services Microsoft. Étant donné que Mobile ID utilise le [standard OIDC](/oidc-integration-guide/introduction), les mêmes méthodes d'authentification fonctionnent pour Entra ID, les applications web personnalisées, l'accès VPN et plus encore.
128+
Cela est particulièrement pertinent pour les organisations qui souhaitent un **fournisseur MFA unique pour toutes les applications**, et pas uniquement pour les services Microsoft. Les méthodes d'authentification Mobile ID — SIM, App et Passkeys — sont disponibles à travers différents modèles d'intégration : en tant que fournisseur Entra External MFA, via [OIDC standard](/oidc-integration-guide/introduction) pour les applications web personnalisées, et via le [RADIUS Interface Gateway](/radius-interface-gateway-guide/introduction) pour l'accès VPN et réseau.
129129

130130
### VPN et accès à distance
131131

@@ -206,7 +206,7 @@ La mise en place de Mobile ID comme fournisseur External MFA dans Entra ID repos
206206
<div class="blog-step-card">
207207
<div class="blog-step-number">3</div>
208208
<div class="blog-step-body">
209-
<p><span class="blog-step-title">Prévoir un compte administrateur Entra ID.</span> La configuration initiale requiert le rôle Global Administrator ou Privileged Role Administrator.</p>
209+
<p><span class="blog-step-title">Prévoir un compte administrateur Entra ID.</span> La configuration de la méthode External MFA et des politiques Conditional Access requiert au minimum le rôle Authentication Policy Administrator. L'octroi du consentement administrateur pour l'application du fournisseur requiert au minimum le rôle Privileged Role Administrator.</p>
210210
</div>
211211
</div>
212212
</div>
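Review bot: The step title at line 209 still asks for one administrator account ("un compte administrateur Entra ID") while the body now names two roles for two different tasks. Say whether a single account holding both roles is expected or whether two accounts can be used, and mention, as the guide does, that a Global Administrator can perform both steps without being the minimum for either.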

docs/release-notes/posts/2026-03-27-mobile-id-entra-external-mfa.it.md

Lines changed: 3 additions & 3 deletions
Original file line numberDiff line numberDiff line change
@@ -117,15 +117,15 @@ Questi sono scenari in cui un approccio basato solo su app raggiunge i propri li
117117

118118
## Casi d'uso aziendali
119119

120-
External MFA con Mobile ID copre un'ampia gamma di scenari aziendali. SIM e App coprono i percorsi enterprise out-of-band più ampi. I Passkeys completano i percorsi browser-centrici dove il supporto WebAuthn è disponibile end-to-end.
120+
Mobile ID copre un'ampia gamma di scenari aziendali attraverso diversi modelli di integrazione. SIM e App coprono i percorsi enterprise out-of-band più ampi. I Passkeys completano i percorsi browser-centrici dove il supporto WebAuthn è disponibile end-to-end.
121121

122122
<EntraUseCaseCards />
123123

124124
### MFA per Microsoft 365 per i dipendenti
125125

126126
Lo scenario più comune: proteggere l'accesso a Outlook, Teams, SharePoint e altre applicazioni Microsoft 365. Quando una policy Conditional Access richiede la MFA, i dipendenti si autenticano tramite Mobile ID al posto di, o insieme a, Microsoft Authenticator.
127127

128-
Questo è particolarmente prezioso per le organizzazioni che desiderano un **unico provider MFA per tutte le applicazioni**, non solo per i servizi Microsoft. Poiché Mobile ID utilizza [OIDC standard](/oidc-integration-guide/introduction), gli stessi metodi di autenticazione funzionano per Entra ID, applicazioni web custom, accesso VPN e altro.
128+
Questo è particolarmente prezioso per le organizzazioni che desiderano un **unico provider MFA per tutte le applicazioni**, non solo per i servizi Microsoft. I metodi di autenticazione Mobile ID — SIM, App e Passkeys — sono disponibili attraverso diversi modelli di integrazione: come provider Entra External MFA, tramite [OIDC standard](/oidc-integration-guide/introduction) per applicazioni web custom, e tramite il [RADIUS Interface Gateway](/radius-interface-gateway-guide/introduction) per l'accesso VPN e di rete.
129129

130130
### VPN e accesso remoto
131131

@@ -206,7 +206,7 @@ Configurare Mobile ID come provider External MFA in Entra ID richiede tre prereq
206206
<div class="blog-step-card">
207207
<div class="blog-step-number">3</div>
208208
<div class="blog-step-body">
209-
<p><span class="blog-step-title">Preparare un account amministratore Entra ID.</span> La configurazione iniziale richiede il ruolo Global Administrator oppure Privileged Role Administrator.</p>
209+
<p><span class="blog-step-title">Preparare un account amministratore Entra ID.</span> La configurazione del metodo External MFA e delle policy Conditional Access richiede almeno il ruolo Authentication Policy Administrator. La concessione del consenso amministratore per l'applicazione del provider richiede almeno il ruolo Privileged Role Administrator.</p>
210210
</div>
211211
</div>
212212
</div>
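Review bot: The role requirement at line 209 is now spelled out in full in each translated post as well as in the guide and llms-full.txt, so the next change to the required roles has to be repeated in every one of them, as this commit shows. Consider reducing this step to the two role names plus a link to the prerequisites section of the cloud integration guide, so the guide stays the single place where the roles are defined.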
