718 Commits

Author SHA1 Message Date
Jack Carter
73a27883cf docs(adfs): simplify group rule and document filter customization (#716)
Replace the two-stage memberOf+RegExReplace group rule with a single
tokenGroups-based rule, and add a callout in Step 1.6 covering the most
common filter variations (different prefix, suffix, alternation, no
filter). Update troubleshooting refs to the new rule names.
2026-04-29 14:20:57 +02:00
shuuri-labs
10114fc7d7 docs: document Windows installer UI autostart behavior (#715)
Add silent installation section to the Windows install page covering
the AUTOSTART MSI property and the fixed EXE silent install default.
Update Intune and Acronis deployment guides to mention autostart.
2026-04-29 13:14:36 +02:00
netbirddev
fbf6283191 Update API pages with v0.70.1 2026-04-29 06:02:05 +00:00
Brandon Hopkins
9859e7d468 Improve self-hosted Traefik docs and CrowdSec observe-mode notes (#710)
* CrowdSec Updates

* Improve Traefik docs
2026-04-28 20:14:55 -07:00
Jack Carter
3062285c99 docs: add ADFS self-hosted identity provider guide (#705)
* docs: add ADFS with Web Application Proxy self-hosted guide

New guide for integrating on-prem Active Directory with ADFS as an OIDC
identity provider for self-hosted NetBird. Covers ADFS on a dedicated
member server, Web Application Proxy in a DMZ, Duo ADFS MFA Adapter,
claim transform rules, and the required NetBird configuration
(NETBIRD_TOKEN_SOURCE=idToken, NETBIRD_AUTH_USER_ID_CLAIM=upn).

* docs: rewrite ADFS guide for Community Edition Dashboard flow

Switch from standalone/setup.env style to the CE-native Dashboard-based
external IdP flow:

- Use a confidential Server Application (Add-AdfsServerApplication with
  generated client secret) instead of a Native Application with PKCE.
- Redirect URI now comes from NetBird's Settings > Identity Providers
  flow, not hard-coded /peers paths.
- Drop the NETBIRD_TOKEN_SOURCE and NETBIRD_AUTH_USER_ID_CLAIM env vars
  (those are standalone/commercial-license settings).
- Fix the base64 sub claim issue upstream in ADFS via a new claim rule
  (Rule 5) that emits sub from UPN, with a fallback note about
  PairwiseIdentifierEnabled for ADFS builds that need it.
- Update Troubleshooting and Configuration Summary to match.

* docs: expand ADFS Step 1 and Step 5 with deeper setup prose

Pull in the richer explanations from the updated source guide:

- Step 1 gets server-provisioning prerequisites, Get-WindowsFeature
  verification after role install, expanded TLS cert rationale with
  Test-Certificate, a three-option service-account discussion with the
  Get-KdsRootKey check and lab-mode EffectiveTime trick, a full
  troubleshooting block for Install-ADServiceAccount, per-parameter
  explanations for Install-AdfsFarm, and a Start-Service + event-log
  fallback plus detailed OIDC-endpoint troubleshooting in 1.5.
- Step 5 gets a full Provision the WAP Server section covering server
  specs, the domain-join decision (with SCADA framing generalized),
  pre-install firewall rules, hosts-file name resolution with
  Test-NetConnection, and exact Export-PfxCertificate/Import-PfxCertificate
  flow for the WAP cert. Step 5.3 is reframed as Establish the Proxy
  Trust with what-it-does and what-you-need callouts; 5.4 expands
  Get-WebApplicationProxyHealth troubleshooting.

CE-specific rewrites (Server Application flow, Dashboard IdP config,
Rule 5 sub override, Duo-optional framing) are preserved.

* docs: fix ADFS intra-page anchor links

@sindresorhus/slugify (the project's heading slug generator) splits
CamelCase words (NetBird -> net-bird) and inserts hyphens between
period-separated digits (2.3 -> 2-3). Update every in-page anchor to
match the generated slugs so step links resolve correctly.

Also redirect the UPN row in the AD attributes table to Step 3, since
the 'Required NetBird Configuration Settings' subsection it used to
reference was removed in the CE rewrite.

* docs: note that ADFS group-membership claim rules are optional

Rules 3a and 3b in Step 3 produce the 'groups' claim consumed by
JWT Group Sync. Add a Note explaining they can be skipped if group
sync isn't needed, and clarify that 3a and 3b must be kept together
(3a emits into a temp claim, 3b filters and renames it to 'groups').

* docs: expand ADFS Step 3 intro with context and per-rule overview

The prior one-sentence intro ('NetBird requires specific claims in the
OIDC tokens') didn't explain what issuance transform rules are or what
each of the six rules does. Add a paragraph on why ADFS needs them and
a short bullet list describing each rule's purpose and dependencies
(e.g., Rule 5 depends on Rule 4). The optional-rules Note and code
block follow unchanged.

* docs: fix ADFS guide inaccuracies flagged in review

- Replace Get-EventLog with Get-WinEvent in Step 1.5 — Get-EventLog
  only reads classic logs and cannot open 'AD FS/Admin', which lives
  under Applications and Services Logs.
- Remove references to Set-AdfsServerApplication -PairwiseIdentifierEnabled
  $false; that parameter does not exist on the cmdlet. Replace the
  fallback guidance with NETBIRD_AUTH_USER_ID_CLAIM="upn" in setup.env,
  which was the actual POC fix alongside the Rule 5 claim override.
- Restructure the 404 troubleshooting entry as a two-step fix
  (claim rule + NetBird env var) with a decode-token sanity check.
- Drop the 'Domain Users' example from the JWT group sync paragraph
  since Rule 3b's default '^NetBird-' filter would exclude it;
  clarify that visible groups are governed by the filter regex.
- Relabel the LDAP/LDAPS firewall row as 'directory and attribute
  lookups (claim data)' rather than 'authentication'; ADFS
  authenticates users via Kerberos and uses LDAP for attribute lookup.
- Add a clarifying Note to Step 2.5 explaining that the guide reuses
  the client_id as the Web API identifier for simplicity, and larger
  environments may prefer a distinct resource URI.

* docs: rewrite ADFS guide to focus on NetBird-specific configuration

* docs: nest ADFS/DC and WAP/NetBird in topology as separate boxes

* docs: refer to NetBird's Microsoft AD FS connector instead of Generic OIDC

* docs: rework ADFS topology diagram and convert callouts to Note components

* docs: rename Restricted/OT to Restricted Network in ADFS guide

* docs: drop Generic OIDC link from ADFS related resources

* docs: drop single-group limitation from ADFS guide
2026-04-28 15:29:46 +02:00
shuuri-labs
c0fa9329be docs(pfsense): remove hardcoded version from install instructions (#711)
Replace hardcoded v0.1.2/netbird-0.55.1 URLs with placeholders that
direct users to the latest GitHub release page. Adds architecture
guidance (x86_64 vs aarch64) and a concrete example showing how to
map release page values into the download commands. Also fixes step
numbering and removes version-specific package names from uninstall.
2026-04-27 16:38:51 +02:00
Basel Sayeh
122c58b6e1 Update configuration-files.mdx (#640)
Specify that encryptionKey is a base64 string of a key
2026-04-23 10:03:49 +02:00
Brandon Hopkins
5c13dd3a49 Update CrowdSec doc with context and images (#709) 2026-04-21 09:00:57 -07:00
shuuri-labs
a11e1a76b8 fix(docs): correct code fence language for PowerShell blocks (#708) 2026-04-21 16:40:26 +02:00
Maycon Santos
a02fe74b0d Add bypass docs (#577)
* Add force approval docs

* add force approval

* add filter and batch operation

* Rename force approval docs to bypass compliance

- Rename force-approval.mdx to bypass-compliance.mdx
- Update navigation title from "Force Approval" to "Bypass Compliance"
- Update all internal links to use new path
- Update image paths to /bypass-compliance/
- Update terminology in EDR integration docs

* add images

---------

Co-authored-by: Ashley Mensah <ashleyamo982@gmail.com>
2026-04-21 16:39:33 +02:00
Ucheagwu Onyike
2eb656db6b docs: rename accessTokenAcceptedVersion to requestedAccessTokenVersion (#370)
The Azure AD Graph app manifest format was deprecated in January 2025.
The attribute accessTokenAcceptedVersion has been renamed to
requestedAccessTokenVersion in the Microsoft Graph manifest format.

Co-authored-by: Ashley Mensah <ashleyamo982@gmail.com>
2026-04-21 15:58:16 +02:00
Bruno Mercier Costa
357c431103 Update Reverse Proxy Main (#659)
* Update Reverse Proxy Main

- Adapted Availability to only mention Beta access
- Adapted support of pre-shared keys, and only mention Rosenpass not being supported

* re-add reverse proxy beta note

---------

Co-authored-by: Ashley Mensah <ashleyamo982@gmail.com>
2026-04-21 14:48:45 +02:00
Bethuel Mmbaga
e0076457c8 Add IdP sync docs for embedded IdP (#696)
* Add embedded IdP sync docs

* Link idp sync to embedded idp sync docs

* fix: Add missing Note imports and fix NerBird typo in idp-sync docs

---------

Co-authored-by: Jack Carter <128555021+SunsetDrifter@users.noreply.github.com>
2026-04-21 14:23:55 +02:00
blotus
3d30f33a29 Update healthcheck command from capi to lapi (#707) 2026-04-20 18:47:38 +02:00
Pascal Fischer
fc88effba3 add proxy access log retention section (#693) 2026-04-20 18:45:02 +02:00
shuuri-labs
79c99b23ab Added mention of peer disconnection notification feature to networks docs (#706) 2026-04-20 17:13:43 +02:00
netbirddev
dea78e302f Update API pages with v0.69.0 2026-04-20 14:17:09 +00:00
Viktor Liu
b2602add87 Add CrowdSec IP reputation documentation (#698) 2026-04-16 18:06:43 +02:00
Bruno Mercier Costa
6f88f3fea8 Update index.mdx (#703)
Remove isolated comma `,`
2026-04-16 10:22:27 +02:00
Jack Carter
17e4f340e3 docs: add minimum access policy note for exit nodes (#702) 2026-04-15 13:55:36 +02:00
Eduard Gert
a4db2c6100 Add slack notifications docs (#697) 2026-04-14 14:21:30 +02:00
Bethuel Mmbaga
9b4c75421d Mark Step 1 Optional in Zitadel SSO Doc (#692) 2026-04-09 17:58:59 +03:00
Bethuel Mmbaga
a95036e9ee Add Zitadel SSO docs (#691) 2026-04-09 17:19:26 +03:00
Eduard Gert
918b8579c2 Add notification docs and fix search autofocus (#647) 2026-04-09 13:15:45 +03:00
Brandon Hopkins
55393f6396 Add cookies popup (#690) 2026-04-08 10:25:38 -07:00
Maycon Santos
a8b7150ec4 Document managing access to routing peer in networks guide (#689) 2026-04-08 16:20:45 +02:00
Jack Carter
bd26193053 docs: Add missing client settings pages to navigation (#688)
Add all 5 system tray settings under Client > Settings: Allow SSH,
Block Inbound Connections, Connect on Startup, Enable Lazy Connections,
and Enable Quantum-Resistance. Allow SSH and Enable Lazy Connections
redirect to existing docs. Connect on Startup is a new page. Renames
Post-Quantum Cryptography heading to Enable Quantum-Resistance to match
the GUI label.
2026-04-08 16:20:06 +02:00
Viktor Liu
5a575acdee Document missing CLI flags and client environment variables (#687) 2026-04-08 16:19:49 +02:00
Brandon Hopkins
6755dbdb00 Add Matomo Tracking Script (#685) 2026-04-08 16:06:10 +02:00
Viktor Liu
1d942ae531 Add extra DNS labels documentation page (#661) 2026-04-08 14:54:52 +02:00
Jack Carter
1e8ff9525e docs: Add new CLI flags to up command (#686) 2026-04-08 11:25:39 +02:00
Misha Bragin
8738a38fa0 Add references to config.yaml.example (#684) 2026-04-07 12:16:43 +02:00
Brandon Hopkins
5835e7a0c7 Geo-restrictions block internal traffic from the management server (#682) 2026-04-07 11:52:55 +02:00
Pierre Timmermans
cf7d8a9737 Enable gpgcheck for netbird repository (#669)
Updated gpgcheck setting from 0 to 1 for netbird repository configuration.
2026-04-03 10:22:00 +02:00
Anon
b84fd75114 Update local.mdx (#679)
/api/instance/setup is incorrect; it should be /api/setup
2026-04-02 21:20:40 -07:00
netbirddev
76d7220acd Update API pages with v0.67.3 2026-04-02 18:34:35 +00:00
Bethuel Mmbaga
4bc28ac346 Fix API page generator and add missing integration nav entries (#680) 2026-04-02 19:08:28 +03:00
Nicolas Frati
a210d44736 Migration guide from external idp to embedded idp (#658)
* added migration guide from external to embedded idp

* updated guide

* clarify issuer domain used

* improved docs structure and added clarifying notes

* updated guide to match latest binary

* link fixes and added extra psql instructions

* update versions properly
2026-04-02 11:11:20 +02:00
Jack Carter
679ad7b3ad docs: add Entra ID enterprise application enablement guide (#677)
Add documentation for enabling the NetBird enterprise application in
Microsoft Entra ID, including finding the app by Application ID and
granting admin consent for the directory.
2026-04-01 16:37:56 +02:00
Bethuel Mmbaga
8c7226c050 Add legacy Google Workspace IdP migration notice (#676) 2026-04-01 16:27:49 +03:00
Misha Bragin
e17482abaa Improve screenshot quality and add access restrictions screenshot (#675) 2026-04-01 12:25:57 +02:00
Viktor Liu
f169522dde Document L4 service modes, header authentication, and access restrictions (#666)
---------

Co-authored-by: Brandon Hopkins <brandon@techhut.tv>
Co-authored-by: Ashley Mensah <ashleyamo982@gmail.com>
2026-04-01 11:22:04 +02:00
Maycon Santos
303307d791 Add FleetDM integration to EDR documentation (#673)
* Add FleetDM integration to EDR documentation

* docs: Improve FleetDM API token note wording

---------

Co-authored-by: Jack Carter <128555021+SunsetDrifter@users.noreply.github.com>
2026-03-31 19:08:02 +02:00
Brandon Hopkins
85e12be9ff Add Reverse Proxy Troubleshooting Page & Clean Up Availability Notes (#672)
* Add troubleshoot page and remove availability notes

* Added Debugging with the Proxy Debug Endpoint

* localhost is unreachable and packet capture
2026-03-30 09:50:01 -07:00
Thomas Bray
dd72c79999 Fix formatting in public API documentation (#671) 2026-03-28 10:30:44 -07:00
Abdul Latif
6db1481f1b Add section to disable NetBird SSH server (#670)
Added instructions to disable the NetBird SSH server.
2026-03-28 10:29:05 -07:00
Nicolas Frati
dda8cd1b45 add documentation for k8s operator gateway api beta (#668) 2026-03-24 09:09:23 +01:00
netbirddev
cedb0c0f71 Update API pages with v0.67.0 2026-03-23 10:51:03 +00:00
Viktor Liu
fdff1eafed Add health probe configuration to Kubernetes deployment guide (#665) 2026-03-23 09:40:50 +01:00
Brandon Hopkins
515c809bbf Edit Availability Note (#662) 2026-03-19 14:25:15 +01:00