Improve documentation on OIDC for EMU (#49705)

Co-authored-by: Siara <108543037+SiaraMist@users.noreply.github.com> Co-authored-by: Hirsch Singhal <1666363+hpsin@users.noreply.github.com>

Author: 3 people

content/admin/identity-and-access-management/configuring-authentication-for-enterprise-managed-users/configuring-oidc-for-enterprise-managed-users.md

@@ -1,7 +1,7 @@
 ---
 title: Configuring OIDC for Enterprise Managed Users
 shortTitle: Configure OIDC
-intro: 'You can automatically manage access to your enterprise account on {% data variables.product.prodname_dotcom %} by configuring OpenID Connect (OIDC) single sign-on (SSO) and enable support for your IdP''s Conditional Access Policy (CAP).'
+intro: 'Learn how to automatically manage access to your enterprise account on {% data variables.product.prodname_dotcom %} by configuring OpenID Connect (OIDC) single sign-on (SSO) and enabling support for your IdP''s Conditional Access Policy (CAP).'
 product: '{% data reusables.gated-features.emus %}'
 versions:
  feature: oidc-for-emu
@@ -20,15 +20,13 @@ redirect_from:
 
 With {% data variables.product.prodname_emus %}, your enterprise uses your identity provider (IdP) to authenticate all members. You can use OpenID Connect (OIDC) to manage authentication for your {% data variables.enterprise.prodname_emu_enterprise %}. Enabling OIDC SSO is a one-click setup process with certificates managed by {% data variables.product.prodname_dotcom %} and your IdP.
 
-{% data reusables.enterprise-accounts.emu-cap-validates %} For more information, see "[AUTOTITLE](/admin/identity-and-access-management/using-enterprise-managed-users-for-iam/about-support-for-your-idps-conditional-access-policy)."
+{% data reusables.enterprise-accounts.emu-cap-validates %} See "[AUTOTITLE](/admin/identity-and-access-management/using-enterprise-managed-users-for-iam/about-support-for-your-idps-conditional-access-policy)."
 
-You can adjust the lifetime of a session, and how often a {% data variables.enterprise.prodname_managed_user %} needs to reauthenticate with your IdP, by changing the lifetime policy property of the ID tokens issued for {% data variables.product.prodname_dotcom %} from your IdP. The default lifetime is one hour. For more information, see "[Configure token lifetime policies](https://learn.microsoft.com/en-us/azure/active-directory/develop/configure-token-lifetimes)" on Microsoft Learn.
+You can adjust the lifetime of a session, and how often a {% data variables.enterprise.prodname_managed_user %} needs to reauthenticate with your IdP, by changing the lifetime policy property of the ID tokens issued for {% data variables.product.prodname_dotcom %} from your IdP. The default lifetime is one hour. See "[Configure token lifetime policies](https://learn.microsoft.com/en-us/entra/identity-platform/configure-token-lifetimes#create-a-policy-and-assign-it-to-a-service-principal)" in the Microsoft documentation.
 
-{% note %}
+To change the lifetime policy property, you will need the object ID associated with your {% data variables.product.prodname_emus %} OIDC. See "[AUTOTITLE](/admin/identity-and-access-management/configuring-authentication-for-enterprise-managed-users/finding-the-object-id-for-your-entra-oidc-application)."
 
-**Note:** If you need assistance configuring the OIDC session lifetime, contact [Microsoft Support](https://support.microsoft.com).
-
-{% endnote %}
+>[!NOTE] If you need assistance configuring the OIDC session lifetime, contact [Microsoft Support](https://support.microsoft.com).
 
 {% data reusables.enterprise_user_management.SAML-to-OIDC-migration-for-EMU %}
 
@@ -38,7 +36,7 @@ You can adjust the lifetime of a session, and how often a {% data variables.ente
 
 Support for OIDC is available for customers using Entra ID.
 
-Each Entra ID tenant can support only one OIDC integration with {% data variables.product.prodname_emus %}. If you want to connect Entra ID to more than one enterprise on {% data variables.product.prodname_dotcom %}, use SAML instead. For more information, see "[AUTOTITLE](/admin/identity-and-access-management/using-enterprise-managed-users-for-iam/configuring-saml-single-sign-on-for-enterprise-managed-users)."
+Each Entra ID tenant can support only one OIDC integration with {% data variables.product.prodname_emus %}. If you want to connect Entra ID to more than one enterprise on {% data variables.product.prodname_dotcom %}, use SAML instead. See "[AUTOTITLE](/admin/identity-and-access-management/using-enterprise-managed-users-for-iam/configuring-saml-single-sign-on-for-enterprise-managed-users)."
 
 OIDC does not support IdP-initiated authentication.
 
@@ -56,10 +54,10 @@ OIDC does not support IdP-initiated authentication.
 
 ## Enabling provisioning
 
-After you enable OIDC SSO, enable provisioning. For more information, see "[AUTOTITLE](/admin/identity-and-access-management/using-enterprise-managed-users-for-iam/configuring-scim-provisioning-for-enterprise-managed-users)."
+After you enable OIDC SSO, enable provisioning. See "[AUTOTITLE](/admin/identity-and-access-management/using-enterprise-managed-users-for-iam/configuring-scim-provisioning-for-enterprise-managed-users)."
 
 ## Enabling guest collaborators
 
 You can use the role of guest collaborator to grant limited access to vendors and contractors in your enterprise. Unlike enterprise members, guest collaborators only have access to internal repositories within organizations where they are a member.
 
-To use guest collaborators with OIDC authentication, you may need to update your settings in Entra ID. For more information, see "[AUTOTITLE](/admin/managing-accounts-and-repositories/managing-users-in-your-enterprise/enabling-guest-collaborators)."
+To use guest collaborators with OIDC authentication, you may need to update your settings in Entra ID. See "[AUTOTITLE](/admin/managing-accounts-and-repositories/managing-users-in-your-enterprise/enabling-guest-collaborators)."

content/admin/identity-and-access-management/configuring-authentication-for-enterprise-managed-users/finding-the-object-id-for-your-entra-oidc-application.md

@@ -0,0 +1,57 @@
+---
+title: Finding the object ID for your Entra OIDC application
+shortTitle: Find ID for Entra OIDC
+intro: 'Learn how to find the object ID associated with your {% data variables.product.prodname_emus %} OIDC app.'
+product: '{% data reusables.gated-features.emus %}'
+versions:
+ feature: oidc-for-emu
+topics:
+ - Accounts
+ - Authentication
+ - Enterprise
+ - SSO
+---
+
+You can adjust the lifetime of a session, and how often a managed user account needs to reauthenticate with your IdP, by changing the lifetime policy property of the ID tokens issued for {% data variables.product.prodname_dotcom %} from your IdP. The default lifetime is one hour. 
+
+You will need the object ID associated with your {% data variables.product.prodname_emus %} OIDC app to complete these steps. You can find this ID in the Microsoft Entra ID admin center or by using the Microsoft Graph Explorer.
+
+Once you have your object ID, you must use the Microsoft Graph API to configure and assign a lifetime policy to that ID token. See "[Configure token lifetime policies](https://learn.microsoft.com/en-us/entra/identity-platform/configure-token-lifetimes#create-a-policy-and-assign-it-to-a-service-principal)" in the Microsoft documentation.
+
+For help completing these steps or configuring the OIDC session lifetime for your IdP, contact [Microsoft Support](https://support.microsoft.com/).
+
+## Using Microsoft Entra ID admin center to find your object ID
+
+You can use the Microsoft Entra ID admin center UI to view the object ID associated with your {% data variables.product.prodname_emus %} OIDC app.
+
+1. Log in to the [Microsoft Entra ID admin center](https://entra.microsoft.com/).
+1. In the left sidebar under "Applications", click **Enterprise applications**.
+1. Search for the **GitHub Enterprise Managed User (OIDC)** app. The application ID will be `12f6db80-0741-4a7e-b9c5-b85d737b3a31`.
+1. Copy the **Object ID** value.
+
+## Using Microsoft Graph Explorer to find your object ID
+
+You can use the [Microsoft Graph Explorer](https://developer.microsoft.com/en-us/graph/graph-explorer) to view the object ID associated with your {% data variables.product.prodname_emus %} OIDC app.
+
+1. Log in to the [Microsoft Graph Explorer](https://developer.microsoft.com/en-us/graph/graph-explorer) tenant that has your OIDC app.
+1. To view the object ID (`id` in Microsoft Graph) for your {% data variables.product.prodname_emus %} OIDC app, run the following query.
+
+ Request Method: `GET`
+ 
+ URL:
+ `https://graph.microsoft.com/v1.0/servicePrincipals?$filter=appId eq '12f6db80-0741-4a7e-b9c5-b85d737b3a31'&$select=id,appId,appDisplayName`
+
+ Example response:
+
+ ```json
+ {
+ "@odata.context": "https://graph.microsoft.com/v1.0/$metadata#servicePrincipals(id,appId,appDisplayName)",
+ "value": [
+ {
+ "id": "c8162c97-32ff-406d-85d3-cc372e3e8384",
+ "appId": "12f6db80-0741-4a7e-b9c5-b85d737b3a31",
+ "appDisplayName": "GitHub Enterprise Managed User (OIDC)"
+ }
+ ]
+ }
+ ```

content/admin/identity-and-access-management/configuring-authentication-for-enterprise-managed-users/index.md

@@ -12,6 +12,7 @@ topics:
 children:
  - /configuring-saml-single-sign-on-for-enterprise-managed-users
  - /configuring-oidc-for-enterprise-managed-users
+ - /finding-the-object-id-for-your-entra-oidc-application
  - /about-support-for-your-idps-conditional-access-policy
  - /disabling-authentication-and-provisioning-for-enterprise-managed-users
 ---