Updates from: 01/23/2021 04:14:08
Service Microsoft Docs article Related commit history on GitHub Change details
active-directory-b2c https://docs.microsoft.com/en-us/azure/active-directory-b2c/partner-gallery https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/active-directory-b2c/partner-gallery.md
@@ -36,7 +36,6 @@ Microsoft partners with the following ISVs for identity verification and proofin
|![Screenshot of an Experian logo.](./media/partner-gallery/experian-logo.png) | [Experian](./partner-experian.md) is an identity verification and proofing provider that performs risk assessments based on user attributes to prevent fraud. | |![Screenshot of an IDology logo.](./media/partner-gallery/idology-logo.png) | [IDology](./partner-idology.md) is an identity verification and proofing provider with ID verification solutions, fraud prevention solutions, compliance solutions, and others.| |![Screenshot of a Jumio logo.](./media/partner-gallery/jumio-logo.png) | [Jumio](./partner-jumio.md) is an ID verification service, which enables real-time automated ID verification, safeguarding customer data. |
-|![Screenshot of a Keyless logo.](./media/partner-gallery/keyless-logo.png) | [Keyless](./partner-keyless.md) is an ID verification service that provides authentication in the form of a facial biometric scan and eliminates fraud, phishing, and credential reuse.
| ![Screenshot of a LexisNexis logo.](./media/partner-gallery/lexisnexis-logo.png) | [LexisNexis](./partner-lexisnexis.md) is a profiling and identity validation provider that verifies user identification and provides comprehensive risk assessment based on userΓÇÖs device. | | ![Screenshot of a Onfido logo](./media/partner-gallery/onfido-logo.png) | [Onfido](./partner-onfido.md) is a document ID and facial biometrics verification solution that allows companies to meet *Know Your Customer* and identity requirements in real time. |
@@ -48,6 +47,7 @@ Microsoft partners with the following ISVs for MFA and Passwordless authenticati
|:-------------------------|:--------------| | ![Screenshot of a hypr logo](./media/partner-gallery/hypr-logo.png) | [Hypr](./partner-hypr.md) is a passwordless authentication provider, which replaces passwords with public key encryptions eliminating fraud, phishing, and credential reuse. | | ![Screenshot of a itsme logo](./media/partner-gallery/itsme-logo.png) | [itsme](./partner-itsme.md) is an Electronic Identification, Authentication and Trust Services (eiDAS) compliant digital ID solution to allow users to sign in securely without card readers, passwords, two-factor authentication, and multiple PIN codes. |
+|![Screenshot of a Keyless logo.](./media/partner-gallery/keyless-logo.png) | [Keyless](./partner-keyless.md) is a passwordless authentication provider that provides authentication in the form of a facial biometric scan and eliminates fraud, phishing, and credential reuse.
| ![Screenshot of a nevis logo](./media/partner-gallery/nevis-logo.png) | [Nevis](./partner-nevis.md) enables passwordless authentication and provides a mobile-first, fully branded end-user experience with Nevis Access app for strong customer authentication and to comply with PSD2 transaction requirements. | | ![Screenshot of a trusona logo](./media/partner-gallery/trusona-logo.png) | [Trusona](./partner-trusona.md) integration helps you sign in securely and enables passwordless authentication, MFA, and digital license scanning. | | ![Screenshot of a twilio logo.](./media/partner-gallery/twilio-logo.png) | [Twilio Verify app](./partner-twilio.md) provides multiple solutions to enable MFA through SMS one-time password (OTP), time-based one-time password (TOTP), and push notifications, and to comply with SCA requirements for PSD2. |
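Review bot: The added Keyless row ends at "credential reuse." without the closing " |" cell delimiter that the Hypr, itsme, Nevis, Trusona and Twilio rows in this table carry, so the row is left unterminated; the omission looks carried over from the row removed in the previous hunk. Close the cell the same way as its neighbours. The tail of the description ("eliminating fraud, phishing, and credential reuse") now repeats the Hypr row's wording almost verbatim, so a phrase on what the facial biometric factor adds would help readers tell the two entries apart.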
@@ -81,4 +81,4 @@ Microsoft partners with the following ISVs for security.
## Next steps
-Select a partner in the tables mentioned to learn how to integrate their solution with Azure AD B2C.
\ No newline at end of file
+Select a partner in the tables mentioned to learn how to integrate their solution with Azure AD B2C.
active-directory-b2c https://docs.microsoft.com/en-us/azure/active-directory-b2c/partner-keyless https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/active-directory-b2c/partner-keyless.md
@@ -14,7 +14,7 @@ ms.author: gasinh
ms.subservice: B2C ---
-# Tutorial for configuring Keyless with Azure Active Directory B2C
+# Tutorial: Configure Keyless with Azure Active Directory B2C
In this sample tutorial, we provide guidance on how to configure Azure Active Directory (AD) B2C with [Keyless](https://keyless.io/). With Azure AD B2C as an Identity provider, you can integrate Keyless with any of your customer applications to provide true passwordless authentication to your users.
@@ -155,4 +155,4 @@ For additional information, review the following articles:
- [Custom policies in Azure AD B2C](https://docs.microsoft.com/azure/active-directory-b2c/custom-policy-overview) -- [Get started with custom policies in Azure AD B2C](https://docs.microsoft.com/azure/active-directory-b2c/custom-policy-get-started?tabs=applications)\ No newline at end of file
+- [Get started with custom policies in Azure AD B2C](https://docs.microsoft.com/azure/active-directory-b2c/custom-policy-get-started?tabs=applications)
active-directory-b2c https://docs.microsoft.com/en-us/azure/active-directory-b2c/tutorial-create-tenant https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/active-directory-b2c/tutorial-create-tenant.md
@@ -64,7 +64,7 @@ If you don't have an Azure subscription, create a [free account](https://azure.m
![Create tenant form in with example values in Azure portal](media/tutorial-create-tenant/review-and-create-tenant.png) 1. Select **Review + create**.
-1. Review your directory settings. Then select **Create**.
+1. Review your directory settings. Then select **Create**. For [troubleshooting deployment errors](https://docs.microsoft.com/azure/azure-resource-manager/templates/common-deployment-errors).
You can link multiple Azure AD B2C tenants to a single Azure subscription for billing purposes. To link a tenant, you must be an admin in the Azure AD B2C tenant and be assigned at least a Contributor role within the Azure subscription. See [Link an Azure AD B2C tenant to a subscription](billing.md#link-an-azure-ad-b2c-tenant-to-a-subscription).
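Review bot: The text added to the "Review your directory settings" step, "For [troubleshooting deployment errors](...).", is a sentence fragment with no verb and no condition telling the reader when to follow the link. Suggest something like "If the deployment fails, see [troubleshooting deployment errors](...)." The link is also written as an absolute docs.microsoft.com URL, while the billing link in the trailing context is relative; using one form throughout the article would be more consistent.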
@@ -106,4 +106,4 @@ In this article, you learned how to:
Next, learn how to register a web application in your new tenant. > [!div class="nextstepaction"]
-> [Register your applications >](tutorial-register-applications.md)
\ No newline at end of file
+> [Register your applications >](tutorial-register-applications.md)
active-directory https://docs.microsoft.com/en-us/azure/active-directory/authentication/concept-authentication-methods https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/active-directory/authentication/concept-authentication-methods.md
@@ -6,7 +6,7 @@ services: active-directory
ms.service: active-directory ms.subservice: authentication ms.topic: conceptual
-ms.date: 12/14/2020
+ms.date: 01/22/2021
ms.author: justinha author: justinha
@@ -69,7 +69,7 @@ The following table outlines when an authentication method can be used during a
| FIDO2 security key (preview) | Yes | MFA | | OATH hardware tokens (preview) | No | MFA | | OATH software tokens | No | MFA |
-| SMS | Yes (preview) | MFA and SSPR |
+| SMS | Yes | MFA and SSPR |
| Voice call | No | MFA and SSPR | | Password | Yes | |
@@ -82,7 +82,7 @@ To learn more about how each authentication method works, see the following sepa
* [FIDO2 security key (preview)](concept-authentication-passwordless.md#fido2-security-keys) * [OATH hardware tokens (preview)](concept-authentication-oath-tokens.md#oath-hardware-tokens-preview) * [OATH software tokens](concept-authentication-oath-tokens.md#oath-software-tokens)
-* SMS [sign-in (preview)](howto-authentication-sms-signin.md) and [verification](concept-authentication-phone-options.md#mobile-phone-verification)
+* [SMS sign-in](howto-authentication-sms-signin.md) and [verification](concept-authentication-phone-options.md#mobile-phone-verification)
* [Voice call verification](concept-authentication-phone-options.md) * Password
active-directory https://docs.microsoft.com/en-us/azure/active-directory/authentication/concept-authentication-phone-options https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/active-directory/authentication/concept-authentication-phone-options.md
@@ -6,7 +6,7 @@ services: active-directory
ms.service: active-directory ms.subservice: authentication ms.topic: conceptual
-ms.date: 11/18/2020
+ms.date: 01/22/2021
ms.author: justinha author: justinha
@@ -18,7 +18,7 @@ ms.collection: M365-identity-device-management
--- # Authentication methods in Azure Active Directory - phone options
-For direct authentication using text message, you can [Configure and enable users for SMS-based authentication(preview)](howto-authentication-sms-signin.md). SMS-based sign-in is great for front-line workers. With SMS-based sign-in, users don't need to know a username and password to access applications and services. The user instead enters their registered mobile phone number, receives a text message with a verification code, and enters that in the sign-in interface.
+For direct authentication using text message, you can [Configure and enable users for SMS-based authentication](howto-authentication-sms-signin.md). SMS-based sign-in is great for Frontline workers. With SMS-based sign-in, users don't need to know a username and password to access applications and services. The user instead enters their registered mobile phone number, receives a text message with a verification code, and enters that in the sign-in interface.
Users can also verify themselves using a mobile phone or office phone as secondary form of authentication used during Azure AD Multi-Factor Authentication or self-service password reset (SSPR).
active-directory https://docs.microsoft.com/en-us/azure/active-directory/authentication/concept-sspr-howitworks https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/active-directory/authentication/concept-sspr-howitworks.md
@@ -134,7 +134,7 @@ When using a mobile app as a method for password reset, like the Microsoft Authe
Users don't have the option to register their mobile app when registering for self-service password reset from [https://aka.ms/ssprsetup](https://aka.ms/ssprsetup). Users can register their mobile app at [https://aka.ms/mfasetup](https://aka.ms/mfasetup), or in the combined security info registration at [https://aka.ms/setupsecurityinfo](https://aka.ms/setupsecurityinfo). > [!IMPORTANT]
-> The Authenticator app can't be selected as the only authentication method when only method is required. Similarly, the Authenticator app and only one additional method cannot be selected when requiring two methods.
+> The Authenticator app can't be selected as the only authentication method when only one method is required. Similarly, the Authenticator app and only one additional method cannot be selected when requiring two methods.
> > When configuring SSPR policies that include the Authenticator app as a method, at least one additional method should be selected when one method is required, and at least two additional methods should be selected when configuring two methods are required. >
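Review bot: The next sentence of the same IMPORTANT block, left unchanged as context, still ends with "at least two additional methods should be selected when configuring two methods are required", which does not parse; "when two methods are required" matches the phrasing used for the one-method case. The corrected line also mixes "can't" and "cannot" in consecutive sentences, so pick one form while this block is being edited, since it states the policy constraint administrators have to satisfy.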
@@ -240,4 +240,4 @@ The following articles provide additional information regarding password reset t
[Authentication]: ./media/concept-sspr-howitworks/manage-authentication-methods-for-password-reset.png "Azure AD authentication methods available and quantity required" [Registration]: ./media/concept-sspr-howitworks/configure-registration-options.png "Configure SSPR registration options in the Azure portal"
-[Writeback]: ./media/concept-sspr-howitworks/on-premises-integration.png "On-premises integration for SSPR in the Azure portal"
\ No newline at end of file
+[Writeback]: ./media/concept-sspr-howitworks/on-premises-integration.png "On-premises integration for SSPR in the Azure portal"
active-directory https://docs.microsoft.com/en-us/azure/active-directory/authentication/howto-authentication-sms-signin https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/active-directory/authentication/howto-authentication-sms-signin.md
@@ -18,7 +18,7 @@ ms.collection: M365-identity-device-management
# Configure and enable users for SMS-based authentication using Azure Active Directory
-To simplify and secure sign in to applications and services, Azure Active Directory (Azure AD) provides multiple authentication options. SMS-based authentication lets users sign in without providing, or even knowing, their user name and password. After their account is created by an identity administrator, they can enter their phone number at the sign-in prompt. They receive an authentication code via text message that they can provide to complete the sign in. This authentication method simplifies access to applications and services, especially for front line workers.
+To simplify and secure sign in to applications and services, Azure Active Directory (Azure AD) provides multiple authentication options. SMS-based authentication lets users sign in without providing, or even knowing, their user name and password. After their account is created by an identity administrator, they can enter their phone number at the sign-in prompt. They receive an authentication code via text message that they can provide to complete the sign in. This authentication method simplifies access to applications and services, especially for Frontline workers.
This article shows you how to enable SMS-based authentication for select users or groups in Azure AD.
active-directory https://docs.microsoft.com/en-us/azure/active-directory/authentication/overview-authentication https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/active-directory/authentication/overview-authentication.md
@@ -6,7 +6,7 @@ services: active-directory
ms.service: active-directory ms.subservice: authentication ms.topic: overview
-ms.date: 01/20/2021
+ms.date: 01/22/2021
ms.author: justinha author: justinha
@@ -29,6 +29,8 @@ One of the main features of an identity platform is to verify, or *authenticate*
Take a look at our short video to learn more about these authentication components.
+> [!VIDEO https://www.microsoft.com/en-us/videoplayer/embed/RE4KVJA]
+ ## Improve the end-user experience Azure AD helps to protect a user's identity and simplify their sign-in experience. Features like self-service password reset let users update or change their passwords using a web browser from any device. This feature is especially useful when the user has forgotten their password or their account is locked. Without waiting for a helpdesk or administrator to provide support, a user can unblock themselves and continue to work.
active-directory https://docs.microsoft.com/en-us/azure/active-directory/develop/whats-new-docs https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/active-directory/develop/whats-new-docs.md
@@ -18,6 +18,17 @@ ms.author: marsma
Welcome to what's new in Microsoft identity platform documentation. This article lists new docs that have been added and those that have had significant updates in the last three months.
+## January 2021
+
+### Updated articles
+
+- [Authentication vs. authorization](authentication-vs-authorization.md)
+- [How to: Restrict your Azure AD app to a set of users in an Azure AD tenant](howto-restrict-your-app-to-a-set-of-users.md)
+- [Permissions and consent in the Microsoft identity platform endpoint](v2-permissions-and-consent.md)
+- [Configurable token lifetimes in Microsoft identity platform (preview)](active-directory-configurable-token-lifetimes.md)
+- [Configure token lifetime policies (preview)](configure-token-lifetimes.md)
+- [Microsoft identity platform and OAuth 2.0 authorization code flow](v2-oauth2-auth-code-flow.md)
+ ## December 2020 ### New articles
@@ -32,6 +43,7 @@ Welcome to what's new in Microsoft identity platform documentation. This article
### Updated articles
+- [Quickstart: Add sign-in with Microsoft to a Java web app](quickstart-v2-java-webapp.md)
- [Tutorial: Build a multi-tenant daemon that uses the Microsoft identity platform](tutorial-v2-aspnet-daemon-web-app.md) - [Web app that signs in users: App registration](scenario-web-app-sign-user-app-registration.md) - [Microsoft identity platform and implicit grant flow](v2-oauth2-implicit-grant-flow.md)
@@ -52,49 +64,3 @@ Welcome to what's new in Microsoft identity platform documentation. This article
- [How to: Provide optional claims to your app](active-directory-optional-claims.md) - [Publish your app to the Azure AD app gallery](v2-howto-app-gallery-listing.md) - [How to: Add app roles to your application and receive them in the token](howto-add-app-roles-in-azure-ad-apps.md)-
-## October 2020
-
-### New articles
--- [Quickstart: Sign in users and get an access token in a Node web app using the auth code flow](quickstart-v2-nodejs-webapp-msal.md)-- [How to: Enable cross-app SSO on Android using MSAL](msal-android-single-sign-on.md)-- [Support single sign-on and app protection policies in mobile apps you develop](mobile-sso-support-overview.md)-- Microsoft identity platform docs: What's new (this article)-- [Tutorial: Sign in users and call a protected API from a Blazor WebAssembly app](tutorial-blazor-webassembly.md)-- [Microsoft Identity Web authentication library](microsoft-identity-web.md)-
-### Updated articles
--- [Configurable token lifetimes in Microsoft identity platform (preview)](active-directory-configurable-token-lifetimes.md)-- [How to: Sign in any Azure Active Directory user using the multi-tenant application pattern](howto-convert-app-to-be-multi-tenant.md)-- [Quickstart: Modify the accounts supported by an application](quickstart-modify-supported-accounts.md)-- [Microsoft identity platform videos](identity-videos.md)-- [ADAL to MSAL migration guide for Android](migrate-android-adal-msal.md)-- [Quickstart: Call an ASP.NET web API that's protected by Microsoft identity platform](quickstart-v2-dotnet-native-aspnet.md)-- [Microsoft identity platform application authentication certificate credentials](active-directory-certificate-credentials.md)-- [Tutorial: Sign in users and call Microsoft Graph from an iOS or macOS app](tutorial-v2-ios.md)-- [Sign in users and call the Microsoft Graph API from a JavaScript single-page application (SPA)](tutorial-v2-javascript-spa.md)-- [Tutorial: Use shared-device mode in your Android application](tutorial-v2-shared-device-mode.md)-
-## September 2020
-
-### New articles
--- [Quickstart: Protect an ASP.NET Core web API with Microsoft identity platform](quickstart-v2-aspnet-core-web-api.md)-- [Tutorial: Create a Blazor Server app that uses the Microsoft identity platform for authentication](tutorial-blazor-server.md)-
-### Updated articles
--- [Tutorial: Sign in users and call the Microsoft Graph API from an Android application](tutorial-v2-android.md)-- [A web app that calls web APIs: Code configuration](scenario-web-app-call-api-app-configuration.md)-- [A web app that calls web APIs: Call a web API](scenario-web-app-call-api-call-api.md)-- [A web API that calls web APIs: Code configuration](scenario-web-api-call-api-app-configuration.md)-- [A web API that calls web APIs: Call an API](scenario-web-api-call-api-call-api.md)-- [Sign in users and call Microsoft Graph from an iOS or macOS app](tutorial-v2-ios.md)-- [Quickstart: Call an ASP.NET web API that's protected by Microsoft identity platform](quickstart-v2-dotnet-native-aspnet.md)-- [Quickstart: Add sign-in with Microsoft to an ASP.NET Core web app](quickstart-v2-aspnet-core-webapp.md)-- [Considerations for using Xamarin iOS with MSAL.NET](msal-net-xamarin-ios-considerations.md)-- [Quickstart: Configure a client application to access a web API](quickstart-configure-app-access-web-apis.md)-- [Quickstart: Configure an application to expose a web API](quickstart-configure-app-expose-web-apis.md)-- [Quickstart: Register an application with the Microsoft identity platform](quickstart-register-app.md)
active-directory https://docs.microsoft.com/en-us/azure/active-directory/devices/troubleshoot-device-dsregcmd https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/active-directory/devices/troubleshoot-device-dsregcmd.md
@@ -302,10 +302,10 @@ This section displays the output of sanity checks performed on a device joined t
## NGC prerequisite check
-This section performs the perquisite checks for the provisioning of Windows Hello for Business (WHFB).
+This section performs the prerequisite checks for the provisioning of Windows Hello for Business (WHFB).
> [!NOTE]
-> You may not see NGC pre-requisite check details in dsregcmd /status if the user already successfully configured WHFB.
+> You may not see NGC prerequisite check details in dsregcmd /status if the user already successfully configured WHFB.
- **IsDeviceJoined:** - Set to ΓÇ£YESΓÇ¥ if the device is joined to Azure AD. - **IsUserAzureAD:** - Set to ΓÇ£YESΓÇ¥ if the logged in user is present in Azure AD .
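Review bot: In the changed NOTE line, "dsregcmd /status" is a command the reader types and should be in inline code formatting so it is not read as prose. The trailing context bullets could be tidied in the same pass: "present in Azure AD ." has a stray space before the period.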
active-directory https://docs.microsoft.com/en-us/azure/active-directory/external-identities/one-time-passcode https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/active-directory/external-identities/one-time-passcode.md
@@ -100,10 +100,10 @@ If you've previously opted in to the email one-time passcode public preview, the
![Enable Email one-time passcode opted in](media/delegate-invitations/enable-email-otp-opted-in.png)
-However, if you'd prefer to opt out of the feature and allow it to be automatically enabled in March 2021, you can revert to the default settings by using the Microsoft Graph API [email authentication method configuration resource type](https://aka.ms/exid-graphemailauth). After you revert to the default settings, the following options will be available under **Email one-time passcode for guests**:
+However, if you'd prefer to opt out of the feature and allow it to be automatically enabled in March 2021, you can revert to the default settings by using the Microsoft Graph API [email authentication method configuration resource type](/graph/api/resources/emailauthenticationmethodconfiguration). After you revert to the default settings, the following options will be available under **Email one-time passcode for guests**:
- **Automatically enable email one-time passcode for guests in March 2021**. (Default) If the email one-time passcode feature is not already enabled for your tenant, it will be automatically turned on in March 2021. No further action is necessary if you want the feature enabled at that time. If you've already enabled or disabled the feature, this option will be unavailable. - **Enable email one-time passcode for guests effective now**. Turns on the email one-time passcode feature for your tenant. -- **Disable email one-time passcode for guests**. Turns off the email one-time passcode feature for your tenant, and prevents the feature from turning on in March 2021.
+- **Disable email one-time passcode for guests**. Turns off the email one-time passcode feature for your tenant, and prevents the feature from turning on in March 2021.
\ No newline at end of file
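Review bot: The changed sentence still reads "if you'd prefer to opt out of the feature and allow it to be automatically enabled in March 2021", which asks the reader to opt out of and enable the same feature. From the hunk header and the bullets that follow, the intent appears to be reverting an earlier preview opt-in to the default setting; suggest wording along the lines of "if you'd prefer to revert to the default and let the feature be enabled automatically in March 2021". The last bullet is also rewritten only to drop the trailing newline at end of file, which is worth restoring.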
active-directory https://docs.microsoft.com/en-us/azure/active-directory/fundamentals/1-secure-access-posture https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/active-directory/fundamentals/1-secure-access-posture.md
@@ -64,7 +64,7 @@ Whichever you enact for your organization and scenarios you'll need to:
* **Control access to applications, data, and content**. This can be accomplished through a variety of methods, depending on your versions of [Azure AD](https://azure.microsoft.com/pricing/details/active-directory/) and [Microsoft 365](https://www.microsoft.com/microsoft-365/compare-microsoft-365-enterprise-plans).
-* **Reduce the attack surface**. [Privileged identity management](../privileged-identity-management/pim-configure.md), [data loss prevention (DLP),](https://docs.microsoft.com/exchange/security-and-compliance/data-loss-prevention/data-loss-prevention) and [encryption capabilities](https://docs.microsoft.com/exchange/security-and-compliance/data-loss-prevention/data-loss-prevention) reduce the attack surface.
+* **Reduce the attack surface**. [Privileged identity management](../privileged-identity-management/pim-configure.md), [data loss prevention (DLP),](/exchange/security-and-compliance/data-loss-prevention/data-loss-prevention) and [encryption capabilities](/exchange/security-and-compliance/data-loss-prevention/data-loss-prevention) reduce the attack surface.
* **Regularly review activity and audit log to confirm compliance**. IT can delegate access decisions to business owners through entitlement management while access reviews provide a way to periodically confirm continued access. Automated data classification with sensitivity labels helps to automate encryption of sensitive content making it easy for employee end users to comply.
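Review bot: In the changed "Reduce the attack surface" bullet, the "encryption capabilities" link points at the same /exchange/security-and-compliance/data-loss-prevention/data-loss-prevention target as the DLP link beside it, so a reader looking for encryption guidance lands on the DLP page. The conversion to relative paths preserved that duplicate; the encryption link needs its own target. The DLP link text also includes the trailing comma inside the brackets ("[data loss prevention (DLP),]"), which should move outside the link.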
@@ -91,4 +91,4 @@ See the following articles on securing external access to resources. We recommen
9. [Secure access to Microsoft Teams, OneDrive, and SharePoint](9-secure-access-teams-sharepoint.md)
-ΓÇï
+ΓÇï
\ No newline at end of file
active-directory https://docs.microsoft.com/en-us/azure/active-directory/fundamentals/2-secure-access-current-state https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/active-directory/fundamentals/2-secure-access-current-state.md
@@ -29,11 +29,11 @@ Individuals in your organization are probably already collaborating with users f
The users initiating external collaboration best understand the applications most relevant for external collaboration, and when that access should end. Understanding these users can help you determine who should be delegated permission to inviting external users, create access packages, and complete access reviews.
-To find users who are currently collaborating, review the [Microsoft 365 audit log for sharing and access request activities](https://docs.microsoft.com/microsoft-365/compliance/search-the-audit-log-in-security-and-compliance?view=o365-worldwide#sharing-and-access-request-activities). You can also review the [Azure AD audit log for details on who invited B2B](../external-identities/auditing-and-reporting.md) users to your directory.
+To find users who are currently collaborating, review the [Microsoft 365 audit log for sharing and access request activities](/microsoft-365/compliance/search-the-audit-log-in-security-and-compliance?view=o365-worldwide#sharing-and-access-request-activities). You can also review the [Azure AD audit log for details on who invited B2B](../external-identities/auditing-and-reporting.md) users to your directory.
## Find current collaboration partners
-External users may be [Azure AD B2B users](../external-identities/what-is-b2b.md) (preferable) with partner-managed credentials, or external users with locally provisioned credentials. These users are typically (but not always) marked with a UserType of Guest. You can enumerate guest users through the [Microsoft Graph API](https://docs.microsoft.com/graph/api/user-list?view=graph-rest-1.0&tabs=http), [PowerShell](https://docs.microsoft.com/graph/api/user-list?view=graph-rest-1.0&tabs=http), or the [Azure portal](../enterprise-users/users-bulk-download.md).
+External users may be [Azure AD B2B users](../external-identities/what-is-b2b.md) (preferable) with partner-managed credentials, or external users with locally provisioned credentials. These users are typically (but not always) marked with a UserType of Guest. You can enumerate guest users through the [Microsoft Graph API](/graph/api/user-list?tabs=http&view=graph-rest-1.0), [PowerShell](/graph/api/user-list?tabs=http&view=graph-rest-1.0), or the [Azure portal](../enterprise-users/users-bulk-download.md).
### Use email domains and companyName property
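Review bot: In the second changed line, the "PowerShell" link resolves to the same /graph/api/user-list?tabs=http&view=graph-rest-1.0 URL as the "Microsoft Graph API" link, so both send the reader to the HTTP tab of the Graph reference. Either point the PowerShell link at a PowerShell-specific page or tab, or fold the two into one link. Since this sentence is the starting point for enumerating guest accounts, it is worth making each of the three listed methods lead somewhere distinct.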
@@ -50,7 +50,7 @@ Consider whether your organization wants to allow collaboration with only specif
## Find access being granted to external users
-Once you have an inventory of external users and organizations,, you can determine the access granted to these users using the Microsoft Graph API to determine Azure AD [group membership](https://docs.microsoft.com/graph/api/resources/groups-overview?view=graph-rest-1.0) or [direct application assignment](https://docs.microsoft.com/graph/api/resources/approleassignment?view=graph-rest-1.0) in Azure AD.
+Once you have an inventory of external users and organizations,, you can determine the access granted to these users using the Microsoft Graph API to determine Azure AD [group membership](/graph/api/resources/groups-overview?view=graph-rest-1.0) or [direct application assignment](/graph/api/resources/approleassignment?view=graph-rest-1.0) in Azure AD.
### Enumerate application-specific permissions
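Review bot: The changed line keeps the doubled comma in "external users and organizations,, you can determine" and the repeated verb in "you can determine the access granted to these users using the Microsoft Graph API to determine Azure AD group membership". Suggest fixing both while the links are being touched, for example "you can use the Microsoft Graph API to determine the access granted to these users through Azure AD group membership or direct application assignment".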
@@ -60,7 +60,7 @@ You may also be able to perform application-specific permission enumeration. For
Specifically investigate access to all of your business-sensitive and business-critical apps so that you are fully aware of any external access. ### Detect Ad Hoc Sharing
-If your email and network plans enable it, you can investigate content being shared through email or through unauthorized software as a service (SaaS) apps. [Microsoft 365 Data Loss Protection](https://docs.microsoft.com/microsoft-365/compliance/data-loss-prevention-policies?view=o365-worldwide) helps you identify, prevent, and monitor the accidental sharing of sensitive information across your Microsoft 365 infrastructure. [Microsoft Cloud App Security](https://www.microsoft.com/microsoft-365/enterprise-mobility-security/cloud-app-security) can help you identify the use of unauthorized SaaS apps in your environment.
+If your email and network plans enable it, you can investigate content being shared through email or through unauthorized software as a service (SaaS) apps. [Microsoft 365 Data Loss Protection](/microsoft-365/compliance/data-loss-prevention-policies?view=o365-worldwide) helps you identify, prevent, and monitor the accidental sharing of sensitive information across your Microsoft 365 infrastructure. [Microsoft Cloud App Security](https://www.microsoft.com/microsoft-365/enterprise-mobility-security/cloud-app-security) can help you identify the use of unauthorized SaaS apps in your environment.
## Next steps
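Review bot: The link text in the changed line reads "Microsoft 365 Data Loss Protection" while its target is /microsoft-365/compliance/data-loss-prevention-policies, so the label and the page it names disagree; "Data Loss Prevention" matches the URL. The link also pins "?view=o365-worldwide" in the query string, which is worth dropping if the relative path resolves without it.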
@@ -82,4 +82,4 @@ See the following articles on securing external access to resources. We recommen
8. [Secure access with Sensitivity labels](8-secure-access-sensitivity-labels.md)
-9. [Secure access to Microsoft Teams, OneDrive, and SharePoint](9-secure-access-teams-sharepoint.md)
+9. [Secure access to Microsoft Teams, OneDrive, and SharePoint](9-secure-access-teams-sharepoint.md)
\ No newline at end of file
active-directory https://docs.microsoft.com/en-us/azure/active-directory/fundamentals/3-secure-access-plan https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/active-directory/fundamentals/3-secure-access-plan.md
@@ -88,7 +88,7 @@ Sign-in conditions are configured in [Azure AD Conditional Access](../conditiona
| High risk| Require MFA always for external users |
-Today, you can [enforce multi-factor authentication for B2B users in your tenant](https://docs.microsoft.com/azure/active-directory/external-identities/b2b-tutorial-require-mfa).
+Today, you can [enforce multi-factor authentication for B2B users in your tenant](../external-identities/b2b-tutorial-require-mfa.md).
**User- and device-based sign in conditions**.
@@ -101,11 +101,11 @@ Today, you can [enforce multi-factor authentication for B2B users in your tenant
Today, to use device state as an input to a policy, the device must be registered or joined to your tenant.
-[Identity Protection risk-based policies](https://docs.microsoft.com/azure/active-directory/conditional-access/howto-conditional-access-policy-risk) can be used. However, issues must be mitigated in the userΓÇÖs home tenant.
+[Identity Protection risk-based policies](../conditional-access/howto-conditional-access-policy-risk.md) can be used. However, issues must be mitigated in the userΓÇÖs home tenant.
-For [network locations](https://docs.microsoft.com/azure/active-directory/conditional-access/howto-conditional-access-policy-location), you can restrict access to any IP addresses range that you own. You might use this if you only want external partners accessing an application while they are on site at your organization.
+For [network locations](../conditional-access/howto-conditional-access-policy-location.md), you can restrict access to any IP addresses range that you own. You might use this if you only want external partners accessing an application while they are on site at your organization.
-[Learn more about conditional access policies](https://docs.microsoft.com/azure/active-directory/conditional-access/overview).
+[Learn more about conditional access policies](../conditional-access/overview.md).
## Document access review policies
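Review bot: The network locations sentence says "any IP addresses range that you own" on both its removed and added lines; while the line is being touched, change it to "any IP address range that you own". The Identity Protection line carries a non-ASCII apostrophe that shows up here as "userΓÇÖs"; a plain ASCII apostrophe avoids the encoding problem. That line would also benefit from a sentence on what happens to the guest's access while the risk is waiting to be mitigated in the home tenant.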
@@ -121,13 +121,13 @@ While your policies will be highly customized to your needs, consider the follow
* **Entitlement Management Access Reviews**. Use the functionality in Entitlement Management to
- * [Automatically expire access packages](https://docs.microsoft.com/azure/active-directory/governance/entitlement-management-access-package-lifecycle-policy), and thus external user access to the included resources.
+ * [Automatically expire access packages](../governance/entitlement-management-access-package-lifecycle-policy.md), and thus external user access to the included resources.
- * Set a [required review frequency](https://docs.microsoft.com/azure/active-directory/governance/entitlement-management-access-reviews-create) for access reviews.
+ * Set a [required review frequency](../governance/entitlement-management-access-reviews-create.md) for access reviews.
- * If you are using [connected organizations](https://docs.microsoft.com/azure/active-directory/governance/entitlement-management-organization) to group all users from a single partner, schedule regular reviews with the business owner and the partner representative.
+ * If you are using [connected organizations](../governance/entitlement-management-organization.md) to group all users from a single partner, schedule regular reviews with the business owner and the partner representative.
-* **Microsoft 365 Groups**. Set a [group expiration policy](https://docs.microsoft.com/microsoft-365/solutions/microsoft-365-groups-expiration-policy?view=o365-worldwide) for Microsoft 365 Groups to which external users are invited.
+* **Microsoft 365 Groups**. Set a [group expiration policy](/microsoft-365/solutions/microsoft-365-groups-expiration-policy?view=o365-worldwide) for Microsoft 365 Groups to which external users are invited.
* **Other options**. If external users have access outside of Entitlement Management access packages or Microsoft 365 groups, set up business process to review when accounts should be made inactive or deleted. For example:
@@ -141,9 +141,9 @@ While your policies will be highly customized to your needs, consider the follow
Now that you know what you want to control access to, how those assets should be grouped for common access, and required sign-in and access review policies, you can decide on how to accomplish your plan.
-Some functionality, for example [Entitlement Management](https://docs.microsoft.com/azure/active-directory/governance/entitlement-management-overview), is only available with an Azure AD Premium 2 (P2) licenses. Microsoft 365 E5 and Office 365 E5 licenses include Azure AD P2 licenses.
+Some functionality, for example [Entitlement Management](../governance/entitlement-management-overview.md), is only available with an Azure AD Premium 2 (P2) licenses. Microsoft 365 E5 and Office 365 E5 licenses include Azure AD P2 licenses.
-Other combinations of Microsoft 365, Office 365 and Azure AD also enable some functionality for managing external users. See [Information Protection](https://docs.microsoft.com/office365/servicedescriptions/microsoft-365-service-descriptions/microsoft-365-tenantlevel-services-licensing-guidance/microsoft-365-security-compliance-licensing-guidance) for more informationΓÇï.
+Other combinations of Microsoft 365, Office 365 and Azure AD also enable some functionality for managing external users. See [Information Protection](/office365/servicedescriptions/microsoft-365-service-descriptions/microsoft-365-tenantlevel-services-licensing-guidance/microsoft-365-security-compliance-licensing-guidance) for more informationΓÇï.
> [!NOTE] > Licenses are per user. Therefore, you can have specific users, including administrators and business owners delegated access control, at the Azure AD P2 or Microsoft 365 E5 level without enabling those licenses for all users. Your first 50,000 external users are free. If you do not enable P2 licenses for your other internal users, they will not be able to use entitlement management functionality like Access packages.
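Review bot: On the Entitlement Management line, "an Azure AD Premium 2 (P2) licenses" mixes singular and plural; use "an Azure AD Premium 2 (P2) license". On the Information Protection line, stray characters trail "for more information" (rendered here as "informationΓÇï") and were carried into the added line unchanged; strip them. The link text "Information Protection" points at a security and compliance licensing guidance page, so wording such as "licensing guidance" would describe the target better.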
@@ -175,7 +175,7 @@ Azure AD P2 and Microsoft 365 E5 have the full suite of security and governance
### Entitlement Management 
-[Entitlement management access packages](https://docs.microsoft.com/azure/active-directory/governance/entitlement-management-access-package-create) enable provisioning and deprovisioning access to Groups and Teams, Applications, and SharePoint sites. You can define which connected organizations are allowed access, whether self-service requests are allowed, and what approval workflows are required (if any) to grant access. To ensure that access doesnΓÇÖt stay around longer than necessary, you can define expiration policies and access reviews for each access package.
+[Entitlement management access packages](../governance/entitlement-management-access-package-create.md) enable provisioning and deprovisioning access to Groups and Teams, Applications, and SharePoint sites. You can define which connected organizations are allowed access, whether self-service requests are allowed, and what approval workflows are required (if any) to grant access. To ensure that access doesnΓÇÖt stay around longer than necessary, you can define expiration policies and access reviews for each access package.
active-directory https://docs.microsoft.com/en-us/azure/active-directory/fundamentals/4-secure-access-groups https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/active-directory/fundamentals/4-secure-access-groups.md
@@ -43,13 +43,13 @@ As you develop your group strategy to secure external access to your resources,
* *By default any tenant member can create Azure AD security groups*.
- * You can [restrict access to the portal for non-administrators](../develop/howto-restrict-your-app-to-a-set-of-users.md) and disable group creation ability in [PowerShell.](../users-groups-roles/groups-troubleshooting.md)
+ * You can [restrict access to the portal for non-administrators](../develop/howto-restrict-your-app-to-a-set-of-users.md) and disable group creation ability in [PowerShell.](../enterprise-users/groups-troubleshooting.md)
- * You can also [set up self-service group management in Azure Active Directory](../users-groups-roles/groups-self-service-management.md).
+ * You can also [set up self-service group management in Azure Active Directory](../enterprise-users/groups-self-service-management.md).
* *By default all users can create M365 Groups and groups are open for all (internal and external) users in your tenant to join*.
- * [You can restrict Microsoft 365 Group creation](https://docs.microsoft.com/microsoft-365/solutions/manage-creation-of-groups?view=o365-worldwide) to the members of a particular security group. Use Windows PowerShell to configure this setting.
+ * [You can restrict Microsoft 365 Group creation](/microsoft-365/solutions/manage-creation-of-groups?view=o365-worldwide) to the members of a particular security group. Use Windows PowerShell to configure this setting.
* **Who should be able to invite people to groups?** Can all group members be able to add other members, or can only group owners add members?
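Review bot: On the first changed bullet, the link text "restrict access to the portal for non-administrators" points to ../develop/howto-restrict-your-app-to-a-set-of-users.md, whose file name describes restricting an app to a set of users rather than restricting portal access; check that target while the neighbouring link is being repointed. The "[PowerShell.]" link also keeps the sentence period inside the link text; move it outside the brackets.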
@@ -75,7 +75,7 @@ Dynamic groups can contain either users or devices, but not both. You add querie
![Screenshot of configuring dynamic membership rules.](media/secure-external-access/4-dynamic-membership-rules.png)
-For more information on dynamic groups, see [Create or update a dynamic group in Azure Active Directory.](../users-groups-roles/groups-create-rule.md)
+For more information on dynamic groups, see [Create or update a dynamic group in Azure Active Directory.](../enterprise-users/groups-create-rule.md)
### Do not use groups for multiple purposes
@@ -112,7 +112,7 @@ Use Microsoft 365 groups to create and manage a set of Microsoft 365 resources,
## Azure AD security groups
-[Azure AD security groups](https://docs.microsoft.com/azure/active-directory/fundamentals/active-directory-manage-groups) can contain users or devices and can be used to manage access to
+[Azure AD security groups](./active-directory-manage-groups.md) can contain users or devices and can be used to manage access to
* Azure resources such as Microsoft 365 apps, custom apps, and Software as a Service (SaaS) apps such as ServiceNow of Dropbox.
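Review bot: The context bullet directly under the changed line reads "such as ServiceNow of Dropbox"; this should be "ServiceNow or Dropbox" and can be fixed in the same change.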
@@ -122,11 +122,11 @@ Use Microsoft 365 groups to create and manage a set of Microsoft 365 resources,
Azure AD security groups can also be used to:
-* assign licenses for services such as M365, Dynamics 365, and Enterprise Mobility and Security. For more information, see [group-based licensing](https://docs.microsoft.com/azure/active-directory/fundamentals/active-directory-licensing-whatis-azure-portal).
+* assign licenses for services such as M365, Dynamics 365, and Enterprise Mobility and Security. For more information, see [group-based licensing](./active-directory-licensing-whatis-azure-portal.md).
-* assign elevated permissions. For more information, see [Use cloud groups to manage role assignments (preview](https://docs.microsoft.com/azure/active-directory/users-groups-roles/roles-groups-concept)).
+* assign elevated permissions. For more information, see [Use cloud groups to manage role assignments (preview](../roles/groups-concept.md)).
-To create a group [in the Azure portal](https://docs.microsoft.com/azure/active-directory/fundamentals/active-directory-groups-create-azure-portal) navigate to Azure Active Directory, then to Groups. You can also create Azure AD security groups by using [PowerShell cmdlets](https://docs.microsoft.com/azure/active-directory/users-groups-roles/groups-settings-v2-cmdlets).
+To create a group [in the Azure portal](./active-directory-groups-create-azure-portal.md) navigate to Azure Active Directory, then to Groups. You can also create Azure AD security groups by using [PowerShell cmdlets](../enterprise-users/groups-settings-v2-cmdlets.md).
> [!NOTE] > A security group can be used for assignment of up to 1500 applications, but not more.
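Review bot: In the "assign elevated permissions" bullet the brackets and parentheses are crossed: "[Use cloud groups to manage role assignments (preview](../roles/groups-concept.md))" opens "(preview" inside the link text and closes it after the URL. Write it as "[Use cloud groups to manage role assignments (preview)](../roles/groups-concept.md)" so the link text is balanced.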
@@ -141,17 +141,17 @@ To create a group [in the Azure portal](https://docs.microsoft.com/azure/active-
Hybrid organizations have both an on-premises infrastructure and an Azure AD cloud infrastructure. Many hybrid organizations that use Active Directory create their security groups on-premises and sync them to the cloud. By using this method, only users in the on-premises environment can be added to the security groups.
-**Protect your on-premises infrastructure from compromise, as a breach on-premises can be used to gain access to your Microsoft 365 tenant**. See [Protecting Microsoft 365 from on-premises attacks](https://aka.ms/protectm365) for guidance.
+**Protect your on-premises infrastructure from compromise, as a breach on-premises can be used to gain access to your Microsoft 365 tenant**. See [Protecting Microsoft 365 from on-premises attacks](./protect-m365-from-on-premises-attacks.md) for guidance.
## Microsoft 365 Groups
-[Microsoft 365 Groups](https://docs.microsoft.com/microsoft-365/admin/create-groups/office-365-groups?view=o365-worldwide) are the foundational membership service that drives all access across M365. They can be created from the [Azure portal](https://portal.azure.com/), or the [M365 portal](https://admin.microsoft.com/). When an M365 group is created, you grant access to a group of resources used to collaborate. See [Overview of Microsoft 365 Groups for administrators](https://docs.microsoft.com/microsoft-365/admin/create-groups/office-365-groups?view=o365-worldwide) for a complete listing of these resources.
+[Microsoft 365 Groups](/microsoft-365/admin/create-groups/office-365-groups?view=o365-worldwide) are the foundational membership service that drives all access across M365. They can be created from the [Azure portal](https://portal.azure.com/), or the [M365 portal](https://admin.microsoft.com/). When an M365 group is created, you grant access to a group of resources used to collaborate. See [Overview of Microsoft 365 Groups for administrators](/microsoft-365/admin/create-groups/office-365-groups?view=o365-worldwide) for a complete listing of these resources.
M365 Groups have the following nuances for their roles * **Owners** - Group owners can add or remove members and have unique permissions like the ability to delete conversations from the shared inbox or change group settings. Group owners can rename the group, update the description or picture and more.
-* **Members** - Members can access everything in the group but can't change group settings. By default group members can invite guests to join your group, though you can [control that setting](https://docs.microsoft.com/microsoft-365/admin/create-groups/manage-guest-access-in-groups?view=o365-worldwide).
+* **Members** - Members can access everything in the group but can't change group settings. By default group members can invite guests to join your group, though you can [control that setting](/microsoft-365/admin/create-groups/manage-guest-access-in-groups?view=o365-worldwide).
* **Guests** - Group guests are members who are from outside your organization. Guests by default have some limits to functionality in Teams.
active-directory https://docs.microsoft.com/en-us/azure/active-directory/fundamentals/5-secure-access-b2b https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/active-directory/fundamentals/5-secure-access-b2b.md
@@ -95,7 +95,7 @@ Determine who can invite guest users to access resources.
If you use Azure AD entitlement management, you can configure questions for external users to answer. The questions will then be shown to approvers to help them make a decision. You can configure different sets of questions for each [access package policy](../governance/entitlement-management-access-package-approval-policy.md) so that approvers can have relevant information for the access they're approving. For example, if one access package is intended for vendor access, then the requestor may be asked for their vendor contract number. A different access package intended for suppliers, may ask for their country of origin.
-If you use a self-service portal, you can use [API connectors](../external-identities/api-connectors-overview.md) to collect additional attributes about users as they sign up. You can then potentially use those attributes to assign access. For example, if during the sign-up process you collect their supplier ID, you could use that attribute to dynamically assign them to a group or access package for that supplier. You can create custom attributes in the Azure portal and use them in your self-service sign-up user flows. You can also read and write these attributes by using the [Microsoft Graph API](https://docs.microsoft.com/azure/active-directory-b2c/manage-user-accounts-graph-api).
+If you use a self-service portal, you can use [API connectors](../external-identities/api-connectors-overview.md) to collect additional attributes about users as they sign up. You can then potentially use those attributes to assign access. For example, if during the sign-up process you collect their supplier ID, you could use that attribute to dynamically assign them to a group or access package for that supplier. You can create custom attributes in the Azure portal and use them in your self-service sign-up user flows. You can also read and write these attributes by using the [Microsoft Graph API](../../active-directory-b2c/manage-user-accounts-graph-api.md).
### Troubleshoot invitation redemption to Azure AD users
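Review bot: The self-service paragraph suggests using an attribute collected at sign-up, such as a supplier ID, to dynamically assign a group or access package, but never says the value has to be verified first. As written, a value the user typed would decide access; add a sentence that the API connector should validate the attribute against an authoritative source before it drives any assignment. Separately, the repointed Microsoft Graph link goes to an active-directory-b2c article from a B2B page; confirm that is the intended reference.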
@@ -127,7 +127,7 @@ We recommend the following restrictions for guest users.
* **Block access to the Azure portal. You can make rare necessary exceptions**.
- * Create a Conditional Access policy that includes either All guest and external users and then [implement a policy to block access](https://docs.microsoft.com/azure/role-based-access-control/conditional-access-azure-management).
+ * Create a Conditional Access policy that includes either All guest and external users and then [implement a policy to block access](../../role-based-access-control/conditional-access-azure-management.md).
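Review bot: The added sub-bullet says the policy "includes either All guest and external users and then", but "either" has no second option, so the intended scope of the policy is unclear. Drop "either" or name the alternative. The parent bullet allows "rare necessary exceptions"; say how those are expressed, for example as an exclusion on the policy.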
@@ -181,7 +181,7 @@ By default Teams allows external access, which means that organization can comm
### Direct sharing through SharePoint and OneDrive Direct sharing through SharePoint and OneDrive can add users outside of the Entitlement Management process. For an in-depth look at these configurations see [Manage Access with Microsoft Teams, SharePoint, and OneDrive for business](9-secure-access-teams-sharepoint.md)
-You can also [block the use of userΓÇÖs personal OneDrive](https://docs.microsoft.com/office365/troubleshoot/group-policy/block-onedrive-use-from-office) if desired.
+You can also [block the use of userΓÇÖs personal OneDrive](/office365/troubleshoot/group-policy/block-onedrive-use-from-office) if desired.
### Sending documents through email
@@ -193,9 +193,9 @@ The landscape of collaboration tools is vast. Your users likely use many outside
For more information on managing unsanctioned applications, see:
-* [Governing connected apps](https://docs.microsoft.com/cloud-app-security/governance-actions)
+* [Governing connected apps](/cloud-app-security/governance-actions)
-* [Sanctioning and unsanctioning an application.](https://docs.microsoft.com/cloud-app-security/governance-discovery)
+* [Sanctioning and unsanctioning an application.](/cloud-app-security/governance-discovery)
### Next steps
active-directory https://docs.microsoft.com/en-us/azure/active-directory/fundamentals/6-secure-access-entitlement-managment https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/active-directory/fundamentals/6-secure-access-entitlement-managment.md
@@ -89,15 +89,15 @@ For more information about access reviews, see [Planning an Azure AD Access Revi
## Using automation in Entitlement Management
-You can perform [Entitlement Management functions by using Microsoft Graph](https://docs.microsoft.com/graph/tutorial-access-package-api), including
+You can perform [Entitlement Management functions by using Microsoft Graph](/graph/tutorial-access-package-api), including
-* [Manage access packages](https://docs.microsoft.com/graph/api/resources/accesspackage?view=graph-rest-beta)
+* [Manage access packages](/graph/api/resources/accesspackage?view=graph-rest-beta)
-* [Manage access reviews](https://docs.microsoft.com/graph/api/resources/accessreviewsv2-root?view=graph-rest-beta)
+* [Manage access reviews](/graph/api/resources/accessreviewsv2-root?view=graph-rest-beta)
-* [Manage connected organizations](https://docs.microsoft.com/graph/api/resources/connectedorganization?view=graph-rest-beta)
+* [Manage connected organizations](/graph/api/resources/connectedorganization?view=graph-rest-beta)
-* [Manage Entitlement Management settings](https://docs.microsoft.com/graph/api/resources/entitlementmanagementsettings?view=graph-rest-beta)
+* [Manage Entitlement Management settings](/graph/api/resources/entitlementmanagementsettings?view=graph-rest-beta)
## Recommendations
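Review bot: Every resource link in this list is pinned with view=graph-rest-beta, so the automation this section recommends rests on beta Microsoft Graph resources, and the text does not say so. Add a sentence stating that these are beta APIs that can change, so readers do not build production governance automation on them unaware.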
@@ -107,7 +107,7 @@ We recommend the practices to govern external access with Entitlement Management
* If you already have B2B users in your directory, you can also directly assign them to the appropriate access packages.
-* You can assign access in the [Azure portal](../governance/entitlement-management-access-package-assignments.md), or via [Microsoft Graph](https://docs.microsoft.com/graph/api/resources/accesspackageassignmentrequest?view=graph-rest-beta).
+* You can assign access in the [Azure portal](../governance/entitlement-management-access-package-assignments.md), or via [Microsoft Graph](/graph/api/resources/accesspackageassignmentrequest?view=graph-rest-beta).
**Use your Identity Governance settings to remove users from your directory when their access packages expire**.
@@ -168,4 +168,3 @@ See the following articles on securing external access to resources. We recommen
-
active-directory https://docs.microsoft.com/en-us/azure/active-directory/fundamentals/8-secure-access-sensitivity-labels https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/active-directory/fundamentals/8-secure-access-sensitivity-labels.md
@@ -17,13 +17,13 @@ ms.collection: M365-identity-device-management
# Control access with sensitivity labels
-[Sensitivity labels](https://docs.microsoft.com/microsoft-365/compliance/sensitivity-labels?view=o365-worldwide) help you control access to your content in Office 365 applications, and in containers like Microsoft Teams, Microsoft 365 Groups, and SharePoint sites. They can protect your content without hindering your usersΓÇÖ collaboration and production abilities. Sensitivity labels allow you to send your organizationΓÇÖs content across devices, apps, and services, while protecting your data and meeting your compliance and security policies.
+[Sensitivity labels](/microsoft-365/compliance/sensitivity-labels?view=o365-worldwide) help you control access to your content in Office 365 applications, and in containers like Microsoft Teams, Microsoft 365 Groups, and SharePoint sites. They can protect your content without hindering your usersΓÇÖ collaboration and production abilities. Sensitivity labels allow you to send your organizationΓÇÖs content across devices, apps, and services, while protecting your data and meeting your compliance and security policies.
With sensitivity labels you can: * **Classify content without adding any protection settings**. You can assign a classification to content (like a sticker) that persists and roams with your content as itΓÇÖs used and shared. You can use this classification to generate usage reports and see activity data for your sensitive content.
-* **Enforce protection settings such as encryption, watermarks, and access restrictions**. For example, users can apply a Confidential label to a document or email, and that label can [encrypt the content](https://docs.microsoft.com/microsoft-365/compliance/encryption-sensitivity-labels?view=o365-worldwide) and add a ΓÇ£ConfidentialΓÇ¥ watermark. In addition, you can [apply a sensitivity label to a container](https://docs.microsoft.com/microsoft-365/compliance/sensitivity-labels-teams-groups-sites?view=o365-worldwide) like a SharePoint site, and enforce whether external users can access the content it contains.
+* **Enforce protection settings such as encryption, watermarks, and access restrictions**. For example, users can apply a Confidential label to a document or email, and that label can [encrypt the content](/microsoft-365/compliance/encryption-sensitivity-labels?view=o365-worldwide) and add a ΓÇ£ConfidentialΓÇ¥ watermark. In addition, you can [apply a sensitivity label to a container](/microsoft-365/compliance/sensitivity-labels-teams-groups-sites?view=o365-worldwide) like a SharePoint site, and enforce whether external users can access the content it contains.
Sensitivity labels on email and other content travel with the content. Sensitivity labels on containers can restrict access to the container, but content in the container doesn't inherit the label. For example, a user could take content from a protected site, download it, and then share it without restrictions unless the content also had a sensitivity label.
@@ -47,7 +47,7 @@ As you think about governing external access to your content, determine the foll
* How will you define what is High, Medium, or Low Business Impact (HBI, MBI, LBI)? Consider the impact to your organization if specific types of content are shared inappropriately.
- * Content with specific types of inherently [sensitive content](https://docs.microsoft.com/microsoft-365/compliance/apply-sensitivity-label-automatically?view=o365-worldwide), such as credit cards or passport numbers
+ * Content with specific types of inherently [sensitive content](/microsoft-365/compliance/apply-sensitivity-label-automatically?view=o365-worldwide), such as credit cards or passport numbers
* Content created by specific groups or people (for example, compliance officers, financial officers, or executives)
@@ -61,21 +61,21 @@ As you think about governing external access to your content, determine the foll
* What defaults should be in place for HBI data, sites, or Microsoft 365 Groups?
-* Where will you use sensitivity labels to [label and monitor](https://docs.microsoft.com/microsoft-365/compliance/label-analytics?view=o365-worldwide), versus to [enforce encryption](https://docs.microsoft.com/microsoft-365/compliance/encryption-sensitivity-labels?view=o365-worldwide) or to [enforce container access restrictions](https://docs.microsoft.com/microsoft-365/compliance/sensitivity-labels-teams-groups-sites?view=o365-worldwide)?
+* Where will you use sensitivity labels to [label and monitor](/microsoft-365/compliance/label-analytics?view=o365-worldwide), versus to [enforce encryption](/microsoft-365/compliance/encryption-sensitivity-labels?view=o365-worldwide) or to [enforce container access restrictions](/microsoft-365/compliance/sensitivity-labels-teams-groups-sites?view=o365-worldwide)?
**For email and content**
-* Do you want to [automatically apply sensitivity labels](https://docs.microsoft.com/microsoft-365/compliance/apply-sensitivity-label-automatically?view=o365-worldwide) to content, or do so manually?
+* Do you want to [automatically apply sensitivity labels](/microsoft-365/compliance/apply-sensitivity-label-automatically?view=o365-worldwide) to content, or do so manually?
- * If you choose to do so manually, do you want to [recommend that users apply a label](https://docs.microsoft.com/microsoft-365/compliance/apply-sensitivity-label-automatically?view=o365-worldwide)?
+ * If you choose to do so manually, do you want to [recommend that users apply a label](/microsoft-365/compliance/apply-sensitivity-label-automatically?view=o365-worldwide)?
**For containers** * What criteria will determine if M365 Groups, Teams, or SharePoint sites require access to be restricted by using sensitivity labels?
-* Do you want to only label content in these containers moving forward, or do you want to [automatically label](https://docs.microsoft.com/microsoft-365/compliance/apply-sensitivity-label-automatically?view=o365-worldwide) existing files in SharePoint and OneDrive?
+* Do you want to only label content in these containers moving forward, or do you want to [automatically label](/microsoft-365/compliance/apply-sensitivity-label-automatically?view=o365-worldwide) existing files in SharePoint and OneDrive?
-See these [common scenarios for sensitivity labels](https://docs.microsoft.com/microsoft-365/compliance/get-started-with-sensitivity-labels?view=o365-worldwide) for other ideas on how you can use sensitivity labels.
+See these [common scenarios for sensitivity labels](/microsoft-365/compliance/get-started-with-sensitivity-labels?view=o365-worldwide) for other ideas on how you can use sensitivity labels.
### Sensitivity labels on email and content
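Review bot: In this hunk the links "automatically apply sensitivity labels", "recommend that users apply a label" and "automatically label" all resolve to the same apply-sensitivity-label-automatically page. If that is intended, point each at the relevant section of the page; otherwise readers who follow the second and third links land where they have already been.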
@@ -95,7 +95,7 @@ When you assign a sensitivity label to a document or email, it's like a stamp th
### Sensitivity labels on containers
-You can apply sensitivity labels on containers such as [Microsoft 365 Groups](https://docs.microsoft.com/azure/active-directory/users-groups-roles/groups-assign-sensitivity-labels), [Microsoft Teams](https://docs.microsoft.com/microsoft-365/compliance/sensitivity-labels-teams-groups-sites?view=o365-worldwide), and [SharePoint sites](https://docs.microsoft.com/microsoft-365/compliance/sensitivity-labels-teams-groups-sites?view=o365-worldwide). When you apply this sensitivity label to a supported container, the label automatically applies the classification and protection settings to the connected site or group. Sensitivity labels on these containers can control the following aspects of containers:
+You can apply sensitivity labels on containers such as [Microsoft 365 Groups](../enterprise-users/groups-assign-sensitivity-labels.md), [Microsoft Teams](/microsoft-365/compliance/sensitivity-labels-teams-groups-sites?view=o365-worldwide), and [SharePoint sites](/microsoft-365/compliance/sensitivity-labels-teams-groups-sites?view=o365-worldwide). When you apply this sensitivity label to a supported container, the label automatically applies the classification and protection settings to the connected site or group. Sensitivity labels on these containers can control the following aspects of containers:
* **Privacy**. You can choose who can see the site: specific users, all internal users, or anyone.
@@ -111,25 +111,25 @@ You can apply sensitivity labels on containers such as [Microsoft 365 Groups](ht
When you apply a sensitivity label to a container such as a SharePoint site, it is not applied to content there: sensitivity labels on containers control access to the content within the container.
-* If you want to automatically apply labels to the content within the container, see [Apply a sensitivity to content automatically](https://docs.microsoft.com/microsoft-365/compliance/apply-sensitivity-label-automatically?view=o365-worldwide).
+* If you want to automatically apply labels to the content within the container, see [Apply a sensitivity to content automatically](/microsoft-365/compliance/apply-sensitivity-label-automatically?view=o365-worldwide).
-* If you want users to be able to manually apply labels to this content, be sure that youΓÇÿve [enabled sensitivity labels for Office files in SharePoint and OneDrive](https://docs.microsoft.com/microsoft-365/compliance/sensitivity-labels-sharepoint-onedrive-files?view=o365-worldwide).
+* If you want users to be able to manually apply labels to this content, be sure that youΓÇÿve [enabled sensitivity labels for Office files in SharePoint and OneDrive](/microsoft-365/compliance/sensitivity-labels-sharepoint-onedrive-files?view=o365-worldwide).
### Plan to implement sensitivity labels Once you have determined how you want to use sensitivity labels, and to what content and sites you want to apply them, see the following documentation to help you perform your implementation.
-1. [Get started with sensitivity labels](https://docs.microsoft.com/microsoft-365/compliance/get-started-with-sensitivity-labels?view=o365-worldwide)
+1. [Get started with sensitivity labels](/microsoft-365/compliance/get-started-with-sensitivity-labels?view=o365-worldwide)
-2. [Create a deployment strategy](https://docs.microsoft.com/microsoft-365/compliance/get-started-with-sensitivity-labels?view=o365-worldwide)
+2. [Create a deployment strategy](/microsoft-365/compliance/get-started-with-sensitivity-labels?view=o365-worldwide)
-3. [Create and publish sensitivity labels](https://docs.microsoft.com/microsoft-365/compliance/create-sensitivity-labels?view=o365-worldwide)
+3. [Create and publish sensitivity labels](/microsoft-365/compliance/create-sensitivity-labels?view=o365-worldwide)
-4. [Restrict access to content using sensitivity labels to apply encryption](https://docs.microsoft.com/microsoft-365/compliance/encryption-sensitivity-labels?view=o365-worldwide)
+4. [Restrict access to content using sensitivity labels to apply encryption](/microsoft-365/compliance/encryption-sensitivity-labels?view=o365-worldwide)
-5. [Use sensitivity labels with teams, groups, and sites](https://docs.microsoft.com/microsoft-365/compliance/sensitivity-labels-teams-groups-sites?view=o365-worldwide)
+5. [Use sensitivity labels with teams, groups, and sites](/microsoft-365/compliance/sensitivity-labels-teams-groups-sites?view=o365-worldwide)
-6. [Enable sensitivity labels for Office files in SharePoint and OneDrive](https://docs.microsoft.com/microsoft-365/compliance/sensitivity-labels-sharepoint-onedrive-files?view=o365-worldwide)
+6. [Enable sensitivity labels for Office files in SharePoint and OneDrive](/microsoft-365/compliance/sensitivity-labels-sharepoint-onedrive-files?view=o365-worldwide)
### Next steps
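Review bot: Item 2 of the "Plan to implement sensitivity labels" list, "Create a deployment strategy", still resolves to /microsoft-365/compliance/get-started-with-sensitivity-labels, the same target as item 1. If the deployment strategy is a section of that article, add the section anchor to the link; otherwise point it at the correct article, so the two steps do not land on the identical page. Every link in this hunk is already being rewritten, so this is also the place to decide whether the `?view=o365-worldwide` query should stay on the site-relative paths.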
@@ -151,4 +151,4 @@ See the following articles on securing external access to resources. We recommen
8. [Secure access with Sensitivity labels](8-secure-access-sensitivity-labels.md) (You are here.)
-9. [Secure access to Microsoft Teams, OneDrive, and SharePoint](9-secure-access-teams-sharepoint.md)
+9. [Secure access to Microsoft Teams, OneDrive, and SharePoint](9-secure-access-teams-sharepoint.md)
\ No newline at end of file
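Review bot: The removed and added lines for item 9 read identically, and the added line is followed by "\ No newline at end of file", so the visible effect of this hunk is that the new revision ends without a trailing newline. Restore the final newline so the hunk carries no whitespace-only change.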
active-directory https://docs.microsoft.com/en-us/azure/active-directory/fundamentals/9-secure-access-teams-sharepoint https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/active-directory/fundamentals/9-secure-access-teams-sharepoint.md
@@ -72,7 +72,7 @@ There are three choices under collaboration restrictions. Your business requirem
## Govern access in Teams
-[Teams differentiates between external users (anyone outside your organization) and guest users (those with guest accounts)](https://docs.microsoft.com/microsoftteams/communicate-with-users-from-other-organizations?WT.mc_id=TeamsAdminCenterCSHΓÇï)). You manage collaboration setting in the [Teams Admin portal](https://admin.teams.microsoft.com/company-wide-settings/external-communications) under Org-wide settings.
+[Teams differentiates between external users (anyone outside your organization) and guest users (those with guest accounts)](/microsoftteams/communicate-with-users-from-other-organizations?WT.mc_id=TeamsAdminCenterCSH%e2%80%8b)). You manage collaboration setting in the [Teams Admin portal](https://admin.teams.microsoft.com/company-wide-settings/external-communications) under Org-wide settings.
> [!NOTE] > External identities collaboration settings in Azure Active Directory control the effective permissions. You can increase restrictions in Teams, but not decrease them from what is set in Azure AD.
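Review bot: The rewritten Teams link keeps two defects from the old line instead of fixing them. The target now ends in `WT.mc_id=TeamsAdminCenterCSH%e2%80%8b`, which is a percent-encoded zero-width space (U+200B) carried over from the original URL, and the link is still followed by a second closing parenthesis, "))", that will render as a stray character. Drop the `%e2%80%8b` suffix (and consider dropping the `WT.mc_id` tracking parameter altogether), remove the extra ")", and change "collaboration setting" to "collaboration settings" in the following sentence.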
@@ -83,13 +83,13 @@ There are three choices under collaboration restrictions. Your business requirem
To learn more about managing external access in Teams, see the following resources.
-* [Manage external access in Microsoft Teams](https://docs.microsoft.com/microsoftteams/manage-external-access)
+* [Manage external access in Microsoft Teams](/microsoftteams/manage-external-access)
-* [Microsoft 365 identity models and Azure Active Directory](https://docs.microsoft.com/microsoft-365/enterprise/about-microsoft-365-identity?view=o365-worldwide)
+* [Microsoft 365 identity models and Azure Active Directory](/microsoft-365/enterprise/about-microsoft-365-identity?view=o365-worldwide)
-* [Identity models and authentication for Microsoft Teams](https://docs.microsoft.com/MicrosoftTeams/identify-models-authentication)
+* [Identity models and authentication for Microsoft Teams](/MicrosoftTeams/identify-models-authentication)
-* [Sensitivity labels for Microsoft Teams](https://docs.microsoft.com/MicrosoftTeams/sensitivity-labels)
+* [Sensitivity labels for Microsoft Teams](/MicrosoftTeams/sensitivity-labels)
## Govern access in SharePoint and OneDrive
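Review bot: Path casing is inconsistent across the four rewritten bullets: the first uses /microsoftteams/manage-external-access while the last two use /MicrosoftTeams/identify-models-authentication and /MicrosoftTeams/sensitivity-labels. Normalize these to the lowercase form used elsewhere in this commit so that link validation and redirects behave the same for all of them.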
@@ -97,9 +97,9 @@ SharePoint administrators have many settings available for collaboration. Organi
### Integrating SharePoint and One-drive with Azure AD B2B
-As a part of your overall strategy for governing external collaboration, we recommend that you [enable the Preview of SharePoint and OneDrive integration with Azure AD B2B](https://docs.microsoft.com/sharepoint/sharepoint-azureb2b-integration-preview) .
+As a part of your overall strategy for governing external collaboration, we recommend that you [enable the Preview of SharePoint and OneDrive integration with Azure AD B2B](/sharepoint/sharepoint-azureb2b-integration-preview) .
-Azure AD B2B provides authentication and management of guest users. With SharePoint and OneDrive integration, [Azure AD B2B one-time passcodes](https://docs.microsoft.com/azure/active-directory/external-identities/one-time-passcode) are used for external sharing of files, folders, list items, document libraries, and sites. This feature provides an upgraded experience from the existing [secure external sharing recipient experience](https://docs.microsoft.com/sharepoint/what-s-new-in-sharing-in-targeted-release).
+Azure AD B2B provides authentication and management of guest users. With SharePoint and OneDrive integration, [Azure AD B2B one-time passcodes](../external-identities/one-time-passcode.md) are used for external sharing of files, folders, list items, document libraries, and sites. This feature provides an upgraded experience from the existing [secure external sharing recipient experience](/sharepoint/what-s-new-in-sharing-in-targeted-release).
> [!NOTE] > If you enable the preview for Azure AD B2B integration, then SharePoint and OneDrive sharing is subject to the Azure AD organizational relationships settings, such as **Members can invite** and **Guests can invite**.
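Review bot: On the "enable the Preview of SharePoint and OneDrive integration with Azure AD B2B" line, the space between the closing parenthesis of the link and the period is preserved, so the sentence still renders as "B2B) ." Remove it while the line is being edited. The heading in the context just above reads "One-drive"; the product name is spelled "OneDrive" everywhere else in this hunk, so correct it in the same change.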
@@ -166,9 +166,9 @@ We do not recommend enabling anyone links. If you do, we recommend setting an ex
To learn more about governing external access to SharePoint see the following:
-* [SharePoint external sharing overview](https://docs.microsoft.com/sharepoint/external-sharing-overview)
+* [SharePoint external sharing overview](/sharepoint/external-sharing-overview)
-* [SharePoint and OneDrive integration with Azure AD B2B](https://docs.microsoft.com/sharepoint/sharepoint-azureb2b-integration-preview)
+* [SharePoint and OneDrive integration with Azure AD B2B](/sharepoint/sharepoint-azureb2b-integration-preview)
#### Next steps
active-directory https://docs.microsoft.com/en-us/azure/active-directory/fundamentals/protect-m365-from-on-premises-attacks https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/active-directory/fundamentals/protect-m365-from-on-premises-attacks.md
@@ -86,7 +86,7 @@ the principles illustrated below:
* Accessed only by using Azure Managed Workstations.
-These are restricted use accounts. **There should be no on-premises accounts with administrative privileges in Microsoft 365.** For more information, see this [overview of Microsoft 365 administrator roles](https://docs.microsoft.com/microsoft-365/admin/add-users/about-admin-roles?view=o365-worldwide).
+These are restricted use accounts. **There should be no on-premises accounts with administrative privileges in Microsoft 365.** For more information, see this [overview of Microsoft 365 administrator roles](/microsoft-365/admin/add-users/about-admin-roles?view=o365-worldwide).
Also see [Roles for Microsoft 365 in Azure Active Directory](../roles/m365-workload-docs.md). * **Manage devices from Microsoft 365.** Use Azure AD Join and
@@ -123,7 +123,7 @@ In Azure AD, users with privileged roles such as administrators are the root of
* Use cloud-only accounts for Azure AD and Microsoft 365 privileged roles.d
-* Deploy [privileged access devices](https://docs.microsoft.com/security/compass/privileged-access-devices#device-roles-and-profiles) for privileged access to manage Microsoft 365 and Azure AD.
+* Deploy [privileged access devices](/security/compass/privileged-access-devices#device-roles-and-profiles) for privileged access to manage Microsoft 365 and Azure AD.
* Deploy [Azure AD Privileged Identity Management](../privileged-identity-management/pim-configure.md) (PIM) for just in time (JIT) access to all human accounts that have privileged roles, and require strong authentication to activate roles.
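Review bot: The context bullet directly above the changed line ends in "privileged roles.d", with a stray "d" after the period. It is untouched by this link rewrite, but since the neighbouring bullet is being edited, remove the stray character in the same commit.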
@@ -133,7 +133,7 @@ In Azure AD, users with privileged roles such as administrators are the root of
* Deploy [Emergency Access Accounts](../roles/security-emergency-access.md) and do NOT use on-premises password vaults to store credentials.
-For more information, see [Securing privileged access](https://aka.ms/SPA), which has detailed guidance on this topic. Also, see [Secure access practices for administrators in Azure AD](../roles/security-planning.md).
+For more information, see [Securing privileged access](/security/compass/overview), which has detailed guidance on this topic. Also, see [Secure access practices for administrators in Azure AD](../roles/security-planning.md).
### Use cloud authentication
@@ -143,16 +143,16 @@ practices to make credentials more secure.
* [Deploy passwordless authentication](../authentication/howto-authentication-passwordless-deployment.md): Reduce the use of passwords as much as possible by deploying passwordless credentials. These credentials are managed and validated natively in the cloud. Choose from:
- * [Windows Hello for business](https://docs.microsoft.com/windows/security/identity-protection/hello-for-business/passwordless-strategy)
+ * [Windows Hello for business](/windows/security/identity-protection/hello-for-business/passwordless-strategy)
* [Authenticator App](../authentication/howto-authentication-passwordless-phone.md) * [FIDO2 security keys](../authentication/howto-authentication-passwordless-security-key-windows.md)
-* [Deploy Multi-Factor Authentication](https://aka.ms/deploymentplans/mfa): Provision
+* [Deploy Multi-Factor Authentication](../authentication/howto-mfa-getstarted.md): Provision
[multiple strong credentials using Azure AD MFA](../fundamentals/resilience-in-credentials.md). That way, access to cloud resources will require a credential that is managed in Azure AD in addition to an on-premises password that can be manipulated.
- * For more information, see [Create a resilient access control management strategy with Azure active Directory](https://aka.ms/resilientaad).
+ * For more information, see [Create a resilient access control management strategy with Azure active Directory](./resilience-overview.md).
**Limitations and tradeoffs**
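Review bot: The relative links in this hunk use two different styles for files in the same folder. This article lives in fundamentals/, yet the unchanged line links to `../fundamentals/resilience-in-credentials.md` while the new line uses `./resilience-overview.md`. Pick one form (the `./` form is the shorter) and apply it to both. In the same sentence the link text reads "Azure active Directory" with a lowercase "active", and the first sub-bullet reads "Windows Hello for business"; capitalize both product names.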
@@ -189,7 +189,7 @@ Provisioning refers to the creation of user accounts and groups in applications
* Block access to the Azure portal. You can make rare necessary exceptions. Create a Conditional Access policy that includes all guests and external users and then [implement a policy to block
- access](/azure/role-based-access-control/conditional-access-azure-management).
+ access](../../role-based-access-control/conditional-access-azure-management.md).
* **Disconnected Forests:** Use [Azure AD Cloud Provisioning](../cloud-provisioning/what-is-cloud-provisioning.md). This enables you to connect to disconnected forests, eliminating the need to establish cross-forest connectivity or trusts, which can
@@ -207,7 +207,7 @@ your on-premises infrastructure.
* **Collaboration:** Use Microsoft 365 Groups and Microsoft Teams for modern collaboration. Decommission on-premises distribution lists, and [Upgrade distribution lists to Microsoft 365 Groups in
- Outlook](https://docs.microsoft.com/office365/admin/manage/upgrade-distribution-lists?view=o365-worldwide).
+ Outlook](/office365/admin/manage/upgrade-distribution-lists?view=o365-worldwide).
* **Access:** Use Azure AD security groups or Microsoft 365 Groups to authorize access to applications in Azure AD.
@@ -229,7 +229,7 @@ Use Azure AD capabilities to securely manage devices.
- **Use Windows 10 Workstations:** [Deploy Azure AD Joined](../devices/azureadjoin-plan.md) devices with MDM policies. Enable [Windows
- Autopilot](https://docs.microsoft.com/mem/autopilot/windows-autopilot)
+ Autopilot](/mem/autopilot/windows-autopilot)
for a fully automated provisioning experience. - Deprecate Windows 8.1 and earlier machines.
@@ -239,7 +239,7 @@ Use Azure AD capabilities to securely manage devices.
- Use [Microsoft Intune](https://www.microsoft.com/en/microsoft-365/enterprise-mobility-security/microsoft-intune) as the source of authority of all device management workloads. -- [**Deploy privileged access devices**](https://docs.microsoft.com/security/compass/privileged-access-devices#device-roles-and-profiles)
+- [**Deploy privileged access devices**](/security/compass/privileged-access-devices#device-roles-and-profiles)
for privileged access to manage Microsoft 365 and Azure AD. ## Workloads, applications, and resources
@@ -263,21 +263,21 @@ Use Azure AD capabilities to securely manage devices.
* **Application and workload servers**
- * Applications or resources that required servers can be migrated to Azure IaaS and use [Azure AD Domain Services](https://docs.microsoft.com/azure/active-directory-domain-services/overview) (Azure AD DS) to decouple trust and dependency on AD on-premises. To achieve this decoupling, virtual networks used for Azure AD DS should not have connection to corporate networks.
+ * Applications or resources that required servers can be migrated to Azure IaaS and use [Azure AD Domain Services](../../active-directory-domain-services/overview.md) (Azure AD DS) to decouple trust and dependency on AD on-premises. To achieve this decoupling, virtual networks used for Azure AD DS should not have connection to corporate networks.
- * Follow the guidance of the [credential tiering](https://aka.ms/TierModel). Application Servers are typically considered Tier 1 assets.
+ * Follow the guidance of the [credential tiering](/security/compass/privileged-access-access-model#ADATM_BM). Application Servers are typically considered Tier 1 assets.
## Conditional Access Policies Use Azure AD Conditional Access to interpret signals and make authentication decisions based on them. For more information, see the
-[Conditional Access deployment plan.](https://aka.ms/deploymentplans/ca)
+[Conditional Access deployment plan.](../conditional-access/plan-conditional-access.md)
* [Legacy Authentication Protocols](../fundamentals/auth-sync-overview.md): Use Conditional Access to [block legacy authentication](../conditional-access/howto-conditional-access-policy-block-legacy.md) protocols whenever possible. Additionally, disable legacy authentication protocols at the application level using application-specific configuration.
- * See specific details for [Exchange Online](https://docs.microsoft.com/exchange/clients-and-mobile-in-exchange-online/disable-basic-authentication-in-exchange-online#how-basic-authentication-works-in-exchange-online) and [SharePoint Online](https://docs.microsoft.com/powershell/module/sharepoint-online/set-spotenant?view=sharepoint-ps).
+ * See specific details for [Exchange Online](/exchange/clients-and-mobile-in-exchange-online/disable-basic-authentication-in-exchange-online#how-basic-authentication-works-in-exchange-online) and [SharePoint Online](/powershell/module/sharepoint-online/set-spotenant?view=sharepoint-ps).
-* Implement the recommended [Identity and device access configurations.](https://docs.microsoft.com/microsoft-365/security/office-365-security/identity-access-policies?view=o365-worldwide)
+* Implement the recommended [Identity and device access configurations.](/microsoft-365/security/office-365-security/identity-access-policies?view=o365-worldwide)
* If you are using a version of Azure AD that does not include Conditional Access, ensure that you are using the [Azure AD security defaults](../fundamentals/concept-fundamentals-security-defaults.md).
@@ -294,14 +294,14 @@ Monitor the following key scenarios, in addition to any scenarios
specific to your organization. For example, you should proactively monitor access to your business-critical applications and resources.
-* **Suspicious activity**: All [Azure AD risk events](https://docs.microsoft.com/azure/active-directory/identity-protection/overview-identity-protection#risk-detection-and-remediation) should be monitored for suspicious activity. [Azure AD Identity Protection](https://docs.microsoft.com/azure/active-directory/identity-protection/overview-identity-protection) is natively integrated with Azure Security Center.
+* **Suspicious activity**: All [Azure AD risk events](../identity-protection/overview-identity-protection.md#risk-detection-and-remediation) should be monitored for suspicious activity. [Azure AD Identity Protection](../identity-protection/overview-identity-protection.md) is natively integrated with Azure Security Center.
* Define the network [named locations](../reports-monitoring/quickstart-configure-named-locations.md) to avoid noisy detections on location-based signals. * **User Entity Behavioral Analytics (UEBA) alerts** Use UEBA to get insights on anomaly detection.
- * Microsoft Cloud App Discovery (MCAS) provides [UEBA in the cloud](https://docs.microsoft.com/cloud-app-security/tutorial-ueba).
+ * Microsoft Cloud App Discovery (MCAS) provides [UEBA in the cloud](/cloud-app-security/tutorial-ueba).
- * You can [integrate on-premises UEBA from Azure ATP](https://docs.microsoft.com/defender-for-identity/install-step2). MCAS reads signals from Azure AD Identity Protection.
+ * You can [integrate on-premises UEBA from Azure ATP](/defender-for-identity/install-step2). MCAS reads signals from Azure AD Identity Protection.
* **Emergency access accounts activity**: Any access using [emergency access accounts](../roles/security-emergency-access.md) should be monitored and alerts created for investigations. This monitoring must include:
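Review bot: Two product names in the UEBA bullets do not match their link targets. "Microsoft Cloud App Discovery (MCAS)" links to /cloud-app-security/tutorial-ueba, and the acronym MCAS corresponds to Cloud App Security, not Cloud App Discovery. The next bullet says "Azure ATP" but now links to /defender-for-identity/install-step2. Align the link text with the products the targets document, so a reader configuring monitoring looks for the right service.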
@@ -313,7 +313,7 @@ monitor access to your business-critical applications and resources.
* Application Assignments. * **Privileged role activity**: Configure and review
- security [alerts generated by Azure AD PIM](https://docs.microsoft.com/azure/active-directory/privileged-identity-management/pim-how-to-configure-security-alerts?tabs=new#security-alerts).
+ security [alerts generated by Azure AD PIM](../privileged-identity-management/pim-how-to-configure-security-alerts.md?tabs=new#security-alerts).
Monitor direct assignment of privileged roles outside PIM by generating alerts whenever a user is assigned directly. * **Azure AD tenant-wide configurations**: Any change to tenant-wide configurations should generate alerts in the system. These include but are not limited to
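Review bot: The new PIM alerts link is the only relative .md link in this article that carries a query string, `pim-how-to-configure-security-alerts.md?tabs=new#security-alerts`. Confirm that the docs build resolves a relative file path with both a query and a fragment; if it does not, drop `?tabs=new` and keep only the `#security-alerts` anchor.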
@@ -345,11 +345,11 @@ Define a log storage and retention strategy, design, and implementation to facil
* Risk events
-Azure AD provides [Azure Monitor integration](../reports-monitoring/concept-activity-logs-azure-monitor.md) for the sign-in activity log and audit logs. Risk events can be ingested through [Microsoft Graph API](https://aka.ms/AzureADSecuredAzure/32b). You can [stream Azure AD logs to Azure monitor logs](../reports-monitoring/howto-integrate-activity-logs-with-log-analytics.md).
+Azure AD provides [Azure Monitor integration](../reports-monitoring/concept-activity-logs-azure-monitor.md) for the sign-in activity log and audit logs. Risk events can be ingested through [Microsoft Graph API](/graph/api/resources/identityriskevent). You can [stream Azure AD logs to Azure monitor logs](../reports-monitoring/howto-integrate-activity-logs-with-log-analytics.md).
* **Hybrid Infrastructure OS Security Logs.** All hybrid identity infrastructure OS logs should be archived and carefully monitored as a <br>Tier 0 system, given the surface area implications. This includes:
- * Azure AD Connect. [Azure AD Connect Health](https://aka.ms/AzureADSecuredAzure/32e) must be deployed to monitor identity synchronization.
+ * Azure AD Connect. [Azure AD Connect Health](../hybrid/whatis-azure-ad-connect.md) must be deployed to monitor identity synchronization.
* Application Proxy Agents
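Review bot: The link text "Azure AD Connect Health" now points to `../hybrid/whatis-azure-ad-connect.md`, which by its file name is the general Azure AD Connect overview and not a Connect Health article. The sentence states that Connect Health must be deployed to monitor identity synchronization, so the link should land on the Connect Health documentation itself. The context line above also contains a raw `<br>` in front of "Tier 0 system"; remove it if it is not intentional.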
@@ -364,4 +364,4 @@ Azure AD provides [Azure Monitor integration](../reports-monitoring/concept-acti
* [Build resilience into identity and access management with Azure AD](resilience-overview.md) * [Secure external access to resources](secure-external-access-resources.md)
-* [Integrate all your apps with Azure AD](five-steps-to-full-application-integration-with-azure-ad.md)
+* [Integrate all your apps with Azure AD](five-steps-to-full-application-integration-with-azure-ad.md)
\ No newline at end of file
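Review bot: The "Integrate all your apps with Azure AD" bullet is removed and re-added with identical text, and the added line is followed by "\ No newline at end of file". End the file with a newline so this whitespace-only hunk does not appear in the diff.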
active-directory https://docs.microsoft.com/en-us/azure/active-directory/fundamentals/resilience-b2b-authentication https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/active-directory/fundamentals/resilience-b2b-authentication.md
@@ -17,7 +17,7 @@ ms.collection: M365-identity-device-management
# Build resilience in external user authentication
-[Azure Active Directory B2B collaboration](https://docs.microsoft.com/azure/active-directory/external-identities/what-is-b2b) (Azure AD B2B) is a feature of [External Identities](https://docs.microsoft.com/azure/active-directory/external-identities/delegate-invitations) that enables collaboration with other organizations and individuals. It enables the secure onboarding of guest users into your Azure AD tenant without having to manage their credentials. External users bring their identity and credentials with them from an external identity provider (IdP), so they donΓÇÖt have to remember a new credential.
+[Azure Active Directory B2B collaboration](../external-identities/what-is-b2b.md) (Azure AD B2B) is a feature of [External Identities](../external-identities/delegate-invitations.md) that enables collaboration with other organizations and individuals. It enables the secure onboarding of guest users into your Azure AD tenant without having to manage their credentials. External users bring their identity and credentials with them from an external identity provider (IdP), so they donΓÇÖt have to remember a new credential.
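Review bot: In the opening sentence the link text "External Identities" resolves to `../external-identities/delegate-invitations.md`, which by its file name covers delegating invitations and not the External Identities feature as a whole. The target was the same before this change, but because the link is being rewritten here, point it at the External Identities overview article so that the text and the destination agree.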
## Ways to authenticate external users
@@ -26,7 +26,7 @@ You can choose the methods of external user authentication to your directory. Yo
With every external IdP, you take a dependency on the availability of that IdP. With some methods of connecting to IdPs, there are things you can do to increase your resilience. > [!NOTE]
-> Azure AD B2B has the built-in ability to authenticate any user from any [Azure Active Directory](https://docs.microsoft.com/azure/active-directory) tenant, or with a personal [Microsoft Account](https://account.microsoft.com/account). You do not have to do any configuration with these built-in options.
+> Azure AD B2B has the built-in ability to authenticate any user from any [Azure Active Directory](../index.yml) tenant, or with a personal [Microsoft Account](https://account.microsoft.com/account). You do not have to do any configuration with these built-in options.
### Considerations for resilience with other IdPs
@@ -34,22 +34,22 @@ When using external IdPs for guest user authentication, there are certain config
| Authentication Method| Resilience considerations | | - | - |
-| Federation with social IDPs like [Facebook](https://docs.microsoft.com/azure/active-directory/external-identities/facebook-federation) or [Google](https://docs.microsoft.com/azure/active-directory/external-identities/google-federation).| You must maintain your account with the IdP and configure your Client ID and Client Secret. |
-| [Direct Federation with SAML and WS-Federation Identity Providers](https://docs.microsoft.com/azure/active-directory/external-identities/direct-federation)| You must collaborate with the IdP owner for access to their endpoints, upon which you're dependent. <br>You must maintain the metadata that contain the certificates and endpoints. |
-| [Email one-time passcode](https://docs.microsoft.com/azure/active-directory/external-identities/one-time-passcode)| With this method you're dependent on MicrosoftΓÇÖs email system, the userΓÇÖs email system, and the userΓÇÖs email client. |
+| Federation with social IDPs like [Facebook](../external-identities/facebook-federation.md) or [Google](../external-identities/google-federation.md).| You must maintain your account with the IdP and configure your Client ID and Client Secret. |
+| [Direct Federation with SAML and WS-Federation Identity Providers](../external-identities/direct-federation.md)| You must collaborate with the IdP owner for access to their endpoints, upon which you're dependent. <br>You must maintain the metadata that contain the certificates and endpoints. |
+| [Email one-time passcode](../external-identities/one-time-passcode.md)| With this method you're dependent on MicrosoftΓÇÖs email system, the userΓÇÖs email system, and the userΓÇÖs email client. |
## Self-service sign-up (preview)
-As an alternative to sending invitations or links, you can enable [Self-service sign-up](https://docs.microsoft.com/azure/active-directory/external-identities/self-service-sign-up-overview). This allows external users to request access to an application. You must create an [API connector](https://docs.microsoft.com/azure/active-directory/external-identities/self-service-sign-up-add-api-connector) and associate it with a user flow. You associate user flows that define the user experience with one or more applications.
+As an alternative to sending invitations or links, you can enable [Self-service sign-up](../external-identities/self-service-sign-up-overview.md). This allows external users to request access to an application. You must create an [API connector](../external-identities/self-service-sign-up-add-api-connector.md) and associate it with a user flow. You associate user flows that define the user experience with one or more applications.
-ItΓÇÖs possible to use [API connectors](https://docs.microsoft.com/azure/active-directory/external-identities/api-connectors-overview) to integrate your self-service sign-up user flow with external systemsΓÇÖ APIs. This API integration can be used for [custom approval workflows](https://docs.microsoft.com/azure/active-directory/external-identities/self-service-sign-up-add-approvals), [performing identity verification](https://docs.microsoft.com/azure/active-directory/external-identities/code-samples-self-service-sign-up), and other tasks such as overwriting user attributes. Using APIs requires that you manage the following dependencies.
+ItΓÇÖs possible to use [API connectors](../external-identities/api-connectors-overview.md) to integrate your self-service sign-up user flow with external systemsΓÇÖ APIs. This API integration can be used for [custom approval workflows](../external-identities/self-service-sign-up-add-approvals.md), [performing identity verification](../external-identities/code-samples-self-service-sign-up.md), and other tasks such as overwriting user attributes. Using APIs requires that you manage the following dependencies.
* **API Connector Authentication**: Setting up a connector requires an endpoint URL, a username, and a password. Set up a process by which these credentials are maintained, and work with the API owner to ensure you know any expiration schedule.
-* **API Connector Response**: Design API Connectors in the sign-up flow to fail gracefully if the API isn't available. Examine and provide to your API developers these [example API responses](https://docs.microsoft.com/azure/active-directory/external-identities/self-service-sign-up-add-api-connector) and the [best practices for troubleshooting](https://docs.microsoft.com/azure/active-directory/external-identities/self-service-sign-up-add-api-connector). Work with the API development team to test all possible response scenarios, including continuation, validation-error, and blocking responses.
+* **API Connector Response**: Design API Connectors in the sign-up flow to fail gracefully if the API isn't available. Examine and provide to your API developers these [example API responses](../external-identities/self-service-sign-up-add-api-connector.md) and the [best practices for troubleshooting](../external-identities/self-service-sign-up-add-api-connector.md). Work with the API development team to test all possible response scenarios, including continuation, validation-error, and blocking responses.
## Next steps Resilience resources for administrators and architects
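Review bot: In the "API Connector Response" bullet, "example API responses" and "best practices for troubleshooting" both link to `../external-identities/self-service-sign-up-add-api-connector.md` with no section anchor, so the two links open the same page at the top. Add the fragment for each section so the reader lands on the response examples and on the troubleshooting guidance respectively. The same file is also the target of "API connector" earlier in the section, which makes anchors more useful here.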
@@ -69,4 +69,3 @@ Resilience resources for developers
* [Build IAM resilience in your applications](resilience-app-development-overview.md) * [Build resilience in your CIAM systems](resilience-b2c.md)
-
active-directory https://docs.microsoft.com/en-us/azure/active-directory/fundamentals/resilience-b2c-developer-best-practices https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/active-directory/fundamentals/resilience-b2c-developer-best-practices.md
@@ -23,7 +23,7 @@ In this article, we share some learnings that are based on our experience from w
## Use the Microsoft Authentication Library (MSAL)
-The [Microsoft Authentication Library (MSAL)](https://docs.microsoft.com/azure/active-directory/develop/msal-overview) and the [Microsoft identity web authentication library for ASP.NET](https://docs.microsoft.com/azure/active-directory/develop/reference-v2-libraries) simplify acquiring, managing, caching, and refreshing the tokens an application requires. These libraries are optimized specifically to support Microsoft Identity including features that improve application resiliency.
+The [Microsoft Authentication Library (MSAL)](../develop/msal-overview.md) and the [Microsoft identity web authentication library for ASP.NET](../develop/reference-v2-libraries.md) simplify acquiring, managing, caching, and refreshing the tokens an application requires. These libraries are optimized specifically to support Microsoft Identity including features that improve application resiliency.
Developers should adopt latest releases of MSAL and stay up to date. See [how to increase resilience of authentication and authorization](resilience-app-development-overview.md) in your applications. Where possible, avoid implementing your own authentication stack and use well-established libraries.
@@ -35,7 +35,7 @@ The Microsoft Azure AD B2C directory service supports billions of authentication
- **Avoid write functions to the directory on sign-in**: Never execute a write on sign-in without a precondition (if clause) in your custom policies. One use case that requires a write on a sign-in is [just-in-time migration of user passwords](https://github.com/azure-ad-b2c/user-migration/tree/master/seamless-account-migration). Avoid any scenario that requires a write on every sign-in.
- - [Preconditions](https://docs.microsoft.com/azure/active-directory-b2c/userjourneys) in a user journey will look like this:
+ - [Preconditions](../../active-directory-b2c/userjourneys.md) in a user journey will look like this:
`` <Precondition Type="ClaimEquals" ExecuteActionsIf="true">
@@ -45,7 +45,7 @@ The Microsoft Azure AD B2C directory service supports billions of authentication
`` - Build resistance to bot driven [sign-ups by integrating with a CAPTCHA system](https://github.com/azure-ad-b2c/samples/tree/master/policies/captcha-integration).
- - Use a [load testing sample](https://docs.microsoft.com/azure/active-directory-b2c/best-practices#testing) to simulate sign-up and sign-in.
+ - Use a [load testing sample](../../active-directory-b2c/best-practices.md#testing) to simulate sign-up and sign-in.
- **Understand throttling**: The directory implements both application and tenant level throttling rules. There are further rate limits for Read/GET, Write/POST, Update/PUT, and Delete/DELETE operations and each operation have different limits.
@@ -57,11 +57,11 @@ The Microsoft Azure AD B2C directory service supports billions of authentication
- Understand and plan your migration timeline. When planning to migrate users to Azure AD B2C using Microsoft Graph, consider the application and tenant limits to calculate the time needed to complete the migration of users. If you split your user creation job or script using two applications, you can use the per application limit. It would still need to remain below the per tenant threshold.
- - Understand the effects of your migration job on other applications. Consider the live traffic served by other relying applications to make sure you donΓÇÖt cause throttling at the tenant level and resource starvation for your live application. For more information, see the [Microsoft Graph throttling guidance](https://docs.microsoft.com/graph/throttling).
+ - Understand the effects of your migration job on other applications. Consider the live traffic served by other relying applications to make sure you donΓÇÖt cause throttling at the tenant level and resource starvation for your live application. For more information, see the [Microsoft Graph throttling guidance](/graph/throttling).
## Extend token lifetimes
-In an unlikely event, when the Azure AD B2C authentication service is unable to complete new sign-ups and sign-ins, you can still provide mitigation for users who are signed in. With [configuration](https://docs.microsoft.com/azure/active-directory-b2c/configure-tokens), you can allow users that are already signed in to continue using the application without any perceived disruption until the user signs out from the application or the [session](https://docs.microsoft.com/azure/active-directory-b2c/session-behavior) times out due to inactivity.
+In an unlikely event, when the Azure AD B2C authentication service is unable to complete new sign-ups and sign-ins, you can still provide mitigation for users who are signed in. With [configuration](../../active-directory-b2c/configure-tokens.md), you can allow users that are already signed in to continue using the application without any perceived disruption until the user signs out from the application or the [session](../../active-directory-b2c/session-behavior.md) times out due to inactivity.
Your business requirements and desired end-user experience will dictate your frequency of token refresh for both web and Single-page applications (SPAs).
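Review bot: the added line for the Microsoft Graph throttling guidance keeps the typographic apostrophe in "don’t" from the removed line, and it shows up as mojibake ("donΓÇÖt") in this rendering. Since the line is being rewritten anyway, replace it with a plain ASCII apostrophe. The same applies to any other curly apostrophes on lines this patch touches.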
@@ -77,7 +77,7 @@ Your business requirements and desired end-user experience will dictate your fre
- Build your application to use an API gateway as the authentication proxy. In this configuration, the SPA loads without any authentication and the API calls are made to the API gateway. The API gateway sends the user through a sign-in process using an [authorization code grant](https://oauth.net/2/grant-types/authorization-code/) based on a policy and authenticates the user. Subsequently, the authentication session between the API gateway and the client is maintained using an authentication cookie. The APIs are serviced from the API gateway using the token that is obtained by the API gateway or some other direct authentication method such as certificates, client credentials, or API keys.
- - [Migrate your SPA from implicit grant](https://developer.microsoft.com/identity/blogs/msal-js-2-0-supports-authorization-code-flow-is-now-generally-available/) to [authorization code grant flow](https://docs.microsoft.com/azure/active-directory-b2c/implicit-flow-single-page-application) with Proof Key for Code Exchange (PKCE) and Cross-origin Resource Sharing (CORS) support. Migrate your application from MSAL.js 1.x to MSAL.js 2.x to realize the resiliency of Web applications.
+ - [Migrate your SPA from implicit grant](https://developer.microsoft.com/identity/blogs/msal-js-2-0-supports-authorization-code-flow-is-now-generally-available/) to [authorization code grant flow](../../active-directory-b2c/implicit-flow-single-page-application.md) with Proof Key for Code Exchange (PKCE) and Cross-origin Resource Sharing (CORS) support. Migrate your application from MSAL.js 1.x to MSAL.js 2.x to realize the resiliency of Web applications.
- For mobile applications, it's recommended to extend both the refresh and access token lifetimes.
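Review bot: on the added line, the link text "authorization code grant flow" resolves to `implicit-flow-single-page-application.md`, which by its name is the implicit flow article, the very flow this bullet tells readers to migrate away from. The relative-path conversion preserved the old target faithfully, but the mismatch is worth fixing in the same pass: point the link at the authorization code flow article for SPAs, or change the link text to match the target.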
@@ -85,25 +85,25 @@ Your business requirements and desired end-user experience will dictate your fre
## Configure Single sign-on
-With [Single sign-on (SSO)](https://docs.microsoft.com/azure/active-directory/manage-apps/what-is-single-sign-on), users sign in once with a single account and get access to multiple applications. The application can be a web, mobile, or a Single page application (SPA), regardless of platform or domain name. When the user initially signs in to an application, Azure AD B2C persists a [cookie-based session](https://docs.microsoft.com/azure/active-directory-b2c/session-overview).
+With [Single sign-on (SSO)](../manage-apps/what-is-single-sign-on.md), users sign in once with a single account and get access to multiple applications. The application can be a web, mobile, or a Single page application (SPA), regardless of platform or domain name. When the user initially signs in to an application, Azure AD B2C persists a [cookie-based session](../../active-directory-b2c/session-behavior.md).
Upon subsequent authentication requests, Azure AD B2C reads and validates the cookie-based session and issues an access token without prompting the user to sign in again. If SSO is configured with a limited scope at a policy or an application, later access to other policies and applications will require fresh authentication. ### How to configure SSO
-[Configure SSO](https://docs.microsoft.com/azure/active-directory/hybrid/how-to-connect-sso-quick-start) to be tenant-wide (default) to allow multiple applications and user flows in your tenant to share the same user session. Tenant-wide configuration provides most resiliency to fresh authentication.
+[Configure SSO](../hybrid/how-to-connect-sso-quick-start.md) to be tenant-wide (default) to allow multiple applications and user flows in your tenant to share the same user session. Tenant-wide configuration provides most resiliency to fresh authentication.
## Safe deployment practices
-The most common disrupters of service are the code and configuration changes. Adoption of Continuous Integration and Continuous Delivery (CICD) processes and tools help with rapid deployment at a large scale and reduces human errors during testing and deployment into production. Adopt CICD for error reduction, efficiency, and consistency. [Azure Pipelines](https://docs.microsoft.com/azure/devops/pipelines/apps/cd/azure/cicd-data-overview) is an example of CICD.
+The most common disrupters of service are the code and configuration changes. Adoption of Continuous Integration and Continuous Delivery (CICD) processes and tools help with rapid deployment at a large scale and reduces human errors during testing and deployment into production. Adopt CICD for error reduction, efficiency, and consistency. [Azure Pipelines](/azure/devops/pipelines/apps/cd/azure/cicd-data-overview) is an example of CICD.
## Web application firewall Protect your applications against known vulnerabilities such as Distributed Denial of Service (DDoS) attacks, SQL injections, cross-site scripting, remote code execution, and many others as documented in [OWASP Top 10](https://owasp.org/www-project-top-ten/). Deployment of a Web Application Firewall (WAF) can defend against common exploits and vulnerabilities. -- Use Azure [WAF](https://docs.microsoft.com/azure/web-application-firewall/overview), which provides centralized protection against attacks.
+- Use Azure [WAF](../../web-application-firewall/overview.md), which provides centralized protection against attacks.
-- Use WAF with Azure AD [Identity Protection and Conditional Access to provide multi-layer protection](https://docs.microsoft.com/azure/active-directory-b2c/conditional-access-identity-protection-overview) when using Azure AD B2C.
+- Use WAF with Azure AD [Identity Protection and Conditional Access to provide multi-layer protection](../../active-directory-b2c/conditional-access-identity-protection-overview.md) when using Azure AD B2C.
## Secrets rotation
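Review bot: the "cookie-based session" link does more than change URL form. The removed line pointed at `active-directory-b2c/session-overview` and the added line points at `../../active-directory-b2c/session-behavior.md`. Confirm the retarget is intended and mention it in the commit description, since every other edit in this hunk is a mechanical absolute-to-relative conversion. Also worth checking while here: "Configure SSO" resolves to `../hybrid/how-to-connect-sso-quick-start.md`, a path under `hybrid`, while the sentence describes a session shared across applications and user flows in a B2C tenant.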
@@ -111,9 +111,9 @@ Azure AD B2C uses secrets for applications, APIs, policies, and encryption. The
### How to implement secret rotation -- Use [managed identities](https://docs.microsoft.com/azure/active-directory/managed-identities-azure-resources/overview) for supported resources to authenticate to any service that supports Azure AD authentication. When you use managed identities, you can manage resources automatically, including rotation of credentials.
+- Use [managed identities](../managed-identities-azure-resources/overview.md) for supported resources to authenticate to any service that supports Azure AD authentication. When you use managed identities, you can manage resources automatically, including rotation of credentials.
-- Take an inventory of all the [keys and certificates configured](https://docs.microsoft.com/azure/active-directory-b2c/policy-keys-overview) in Azure AD B2C. This list is likely to include keys used in custom policies, [APIs](https://docs.microsoft.com/azure/active-directory-b2c/secure-rest-api), signing ID token, and certificates for SAML.
+- Take an inventory of all the [keys and certificates configured](../../active-directory-b2c/policy-keys-overview.md) in Azure AD B2C. This list is likely to include keys used in custom policies, [APIs](../../active-directory-b2c/secure-rest-api.md), signing ID token, and certificates for SAML.
- Using CICD, rotate secrets that are about to expire within two months from the anticipated peak season. The recommended maximum cryptoperiod of private keys associated to a certificate is one year.
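Review bot: in the added inventory bullet, the list "keys used in custom policies, APIs, signing ID token, and certificates for SAML" is not parallel, and "signing ID token" reads as a fragment. Suggest "keys used in custom policies, API secrets, ID token signing keys, and SAML certificates" so each item names a kind of secret that someone can actually inventory and rotate.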
@@ -125,7 +125,7 @@ In the context of resiliency, testing of REST APIs needs to include verification
### How to test APIs
-We recommend your test plan to include [comprehensive API tests](https://docs.microsoft.com/azure/active-directory-b2c/best-practices#testing). If you're planning for an upcoming surge because of promotion or holiday traffic, you need to revise your load testing with the new estimates. Conduct load testing of your APIs and Content Delivery Network (CDN) in a developer environment and not in production.
+We recommend your test plan to include [comprehensive API tests](../../active-directory-b2c/best-practices.md#testing). If you're planning for an upcoming surge because of promotion or holiday traffic, you need to revise your load testing with the new estimates. Conduct load testing of your APIs and Content Delivery Network (CDN) in a developer environment and not in production.
## Next steps
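Review bot: the added line opens with "We recommend your test plan to include", which is ungrammatical and carried over unchanged from the removed line. Suggest "We recommend that your test plan include [comprehensive API tests](...)". The link conversion to `../../active-directory-b2c/best-practices.md#testing` is fine.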
@@ -134,4 +134,4 @@ We recommend your test plan to include [comprehensive API tests](https://docs.mi
- [Resilient interfaces with external processes](resilient-external-processes.md) - [Resilience through monitoring and analytics](resilience-with-monitoring-alerting.md) - [Build resilience in your authentication infrastructure](resilience-in-infrastructure.md)-- [Increase resilience of authentication and authorization in your applications](resilience-app-development-overview.md)
+- [Increase resilience of authentication and authorization in your applications](resilience-app-development-overview.md)
\ No newline at end of file
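Review bot: the "\ No newline at end of file" marker follows the added line, so the file still ends without a trailing newline after this change. The text of the removed and added link is identical, so this hunk is only end-of-line churn. Add the final newline so the next edit to this list does not produce another spurious diff on the last entry.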
active-directory https://docs.microsoft.com/en-us/azure/active-directory/fundamentals/resilience-b2c https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/active-directory/fundamentals/resilience-b2c.md
@@ -17,7 +17,7 @@ ms.collection: M365-identity-device-management
# Build resilience in your customer identity and access management with Azure Active Directory B2C
-[Azure Active Directory (AD) B2C](https://docs.microsoft.com/azure/active-directory-b2c/overview) is a Customer Identity and Access Management (CIAM) platform that is designed to help you launch your critical customer facing applications successfully. We have many built-in features for [resilience](https://azure.microsoft.com/blog/advancing-azure-active-directory-availability/) that are designed to help our service scale to your needs and improve resilience in the face of potential outage situations. In addition, when launching a mission critical application, itΓÇÖs important to consider various design and configuration elements in your application, as well as how the application is configured within Azure AD B2C to ensure that you get a resilient behavior in response to outage or failure scenarios. In this article, we'll discuss some of the best practices to help you increase resilience.
+[Azure Active Directory (AD) B2C](../../active-directory-b2c/overview.md) is a Customer Identity and Access Management (CIAM) platform that is designed to help you launch your critical customer facing applications successfully. We have many built-in features for [resilience](https://azure.microsoft.com/blog/advancing-azure-active-directory-availability/) that are designed to help our service scale to your needs and improve resilience in the face of potential outage situations. In addition, when launching a mission critical application, itΓÇÖs important to consider various design and configuration elements in your application, as well as how the application is configured within Azure AD B2C to ensure that you get a resilient behavior in response to outage or failure scenarios. In this article, we'll discuss some of the best practices to help you increase resilience.
A resilient service is one that continues to function despite disruptions. You can help improve resilience in your service by:
@@ -45,3 +45,6 @@ In the subsequent sections, weΓÇÖll guide you to build resilience in the followi
- [Build resilience in your authentication infrastructure](resilience-in-infrastructure.md) - [Increase resilience of authentication and authorization in your applications](resilience-app-development-overview.md)+
+Watch this video to know how to build resilient and scalable flows using Azure AD B2C.
+>[!Video https://www.youtube.com/embed/8f_Ozpw9yTs]
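Review bot: the added video block is appended directly after the closing list with no heading, and the alert is written `>[!Video ...]` without a space after `>`, whereas the `> [!NOTE]` alert elsewhere in this patch set uses one. Suggest `> [!VIDEO https://www.youtube.com/embed/8f_Ozpw9yTs]` for consistency, and reword "Watch this video to know how to build" to "Watch this video to learn how to build". Consider placing the embed before the list of follow-on articles so the list remains the last thing on the page.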
active-directory https://docs.microsoft.com/en-us/azure/active-directory/fundamentals/resilience-client-app https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/active-directory/fundamentals/resilience-client-app.md
@@ -19,13 +19,13 @@ This section provides guidance on building resilience into client applications t
## Use the Microsoft Authentication Library (MSAL)
-The [Microsoft Authentication Library (MSAL)](https://docs.microsoft.com/azure/active-directory/develop/msal-overview) is a key part of the [Microsoft identity platform](https://docs.microsoft.com/azure/active-directory/develop). It simplifies and manages acquiring, managing, caching, and refreshing tokens, and uses best practices for resilience. MSAL is designed to enable a secure solution without developers having to worry about the implementation details.
+The [Microsoft Authentication Library (MSAL)](../develop/msal-overview.md) is a key part of the [Microsoft identity platform](../develop/index.yml). It simplifies and manages acquiring, managing, caching, and refreshing tokens, and uses best practices for resilience. MSAL is designed to enable a secure solution without developers having to worry about the implementation details.
-MSAL caches tokens and uses a silent token acquisition pattern. It also automatically serializes the token cache on platforms that natively provide secure storage like Windows UWP, iOS and Android. Developers can customize the serialization behavior when using [Microsoft.Identity.Web](https://github.com/AzureAD/microsoft-identity-web/wiki/token-cache-serialization), [MSAL.NET](https://docs.microsoft.com/azure/active-directory/develop/msal-net-token-cache-serialization), [MSAL for Java](https://docs.microsoft.com/azure/active-directory/develop/msal-java-token-cache-serialization), and [MSAL for Python](https://docs.microsoft.com/azure/active-directory/develop/msal-python-token-cache-serialization).
+MSAL caches tokens and uses a silent token acquisition pattern. It also automatically serializes the token cache on platforms that natively provide secure storage like Windows UWP, iOS and Android. Developers can customize the serialization behavior when using [Microsoft.Identity.Web](https://github.com/AzureAD/microsoft-identity-web/wiki/token-cache-serialization), [MSAL.NET](../develop/msal-net-token-cache-serialization.md), [MSAL for Java](../develop/msal-java-token-cache-serialization.md), and [MSAL for Python](../develop/msal-python-token-cache-serialization.md).
![Image of device with and application using MSAL to call Microsoft Identity](media/resilience-client-app/resilience-with-microsoft-authentication-library.png)
-When using MSAL, token caching, refreshing, and silent acquisition is supported automatically. You can use simple patterns to acquire the tokens necessary for modern authentication. We support many languages, and you can find a sample that matches your language and scenario on our [Samples](https://docs.microsoft.com/azure/active-directory/develop/sample-v2-code) page.
+When using MSAL, token caching, refreshing, and silent acquisition is supported automatically. You can use simple patterns to acquire the tokens necessary for modern authentication. We support many languages, and you can find a sample that matches your language and scenario on our [Samples](../develop/sample-v2-code.md) page.
## [C#](#tab/csharp)
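Review bot: the added sentence "token caching, refreshing, and silent acquisition is supported automatically" has a plural subject with a singular verb; change it to "are supported". In the same hunk, the image alt text in the context line reads "Image of device with and application using MSAL", where "and" should be "an". Alt text is what screen-reader users get, so it is worth correcting while the surrounding lines are open.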
@@ -100,7 +100,7 @@ Using the cached token prevents unnecessary traffic between your app and Microso
### Serialize and persist tokens
-Apps should securely serialize their token cache to persist the tokens between instances of the app. Tokens can be reused as long as they are within their valid lifetime. [Refresh tokens](https://docs.microsoft.com/azure/active-directory/develop/v2-oauth2-auth-code-flow#refresh-the-access-token), and, increasingly, [access tokens](https://docs.microsoft.com/azure/active-directory/develop/access-tokens), are issued for many hours. This valid time can span a user starting your application many times. When your app starts, it should check to see if there is a valid access or refresh token that can be used. This will increase the app's resilience and performance as it avoids any unnecessary calls to Microsoft Identity.
+Apps should securely serialize their token cache to persist the tokens between instances of the app. Tokens can be reused as long as they are within their valid lifetime. [Refresh tokens](../develop/v2-oauth2-auth-code-flow.md#refresh-the-access-token), and, increasingly, [access tokens](../develop/access-tokens.md), are issued for many hours. This valid time can span a user starting your application many times. When your app starts, it should check to see if there is a valid access or refresh token that can be used. This will increase the app's resilience and performance as it avoids any unnecessary calls to Microsoft Identity.
![An application making a call to Microsoft identity, but the call goes through a token cache as well as a token store on the device running the application](media/resilience-client-app/token-store.png)
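Review bot: the added paragraph tells apps to "securely serialize their token cache" but gives no pointer to what that means in practice, and it is describing refresh and access tokens that are "issued for many hours" and persisted between app instances. Suggest linking "securely serialize" to the token cache serialization articles this file already references in the MSAL section (`../develop/msal-net-token-cache-serialization.md` and the Java and Python equivalents), so the resilience advice does not get implemented as a plaintext file on disk.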
@@ -131,14 +131,14 @@ Many applications and APIs need specific information about the user to make auth
### Tokens
-Identity (ID) tokens and access tokens contain standard claims that provide information about the subject. These are documented in [Microsoft identity platform ID tokens](https://docs.microsoft.com/azure/active-directory/develop/id-tokens) and [Microsoft identity platform access tokens](https://docs.microsoft.com/azure/active-directory/develop/access-tokens). If the information your app needs is already in the token, then the most efficient technique for retrieving that data is to use token claims as that will save the overheard of an additional network call to retrieve information separately. Fewer network calls mean higher overall resilience for the application.
+Identity (ID) tokens and access tokens contain standard claims that provide information about the subject. These are documented in [Microsoft identity platform ID tokens](../develop/id-tokens.md) and [Microsoft identity platform access tokens](../develop/access-tokens.md). If the information your app needs is already in the token, then the most efficient technique for retrieving that data is to use token claims as that will save the overheard of an additional network call to retrieve information separately. Fewer network calls mean higher overall resilience for the application.
> [!NOTE] > Some applications call the UserInfo endpoint to retrieve claims about the user that authenticated. The information available in the ID token that your app can receive is a superset of the information it can get from the UserInfo endpoint. Your app should use the ID token to get information about the user instead of calling the UserInfo endpoint.
-An app developer can augment standard token claims with [optional claims](https://docs.microsoft.com/azure/active-directory/develop/active-directory-optional-claims). One common optional claim is [groups](https://docs.microsoft.com/azure/active-directory/develop/active-directory-optional-claims#configuring-groups-optional-claims). There are several ways to add group claims. The "Application Group" option only includes groups assigned to the application. The "All" or "Security groups" options include groups from all apps in the same tenant, which can add many groups to the token. It is important to evaluate the effect in your case, as it can potentially negate the efficiency gained by requesting groups in the token by causing token bloat and even requiring additional calls to get the full list of groups.
+An app developer can augment standard token claims with [optional claims](../develop/active-directory-optional-claims.md). One common optional claim is [groups](../develop/active-directory-optional-claims.md#configuring-groups-optional-claims). There are several ways to add group claims. The "Application Group" option only includes groups assigned to the application. The "All" or "Security groups" options include groups from all apps in the same tenant, which can add many groups to the token. It is important to evaluate the effect in your case, as it can potentially negate the efficiency gained by requesting groups in the token by causing token bloat and even requiring additional calls to get the full list of groups.
-Instead of using groups in your token you can instead use and include app roles. Developers can define [app roles](https://docs.microsoft.com/azure/active-directory/develop/howto-add-app-roles-in-azure-ad-apps) for their apps and APIs which the customer can manage from their directory using the portal or APIs. IT Pros can then assign roles to different users and groups to control who has access to what content and functionality. When a token is issued for the application or API, the roles assigned to the user will be available in the roles claim in the token. Getting this information directly in a token can save additional APIs calls.
+Instead of using groups in your token you can instead use and include app roles. Developers can define [app roles](../develop/howto-add-app-roles-in-azure-ad-apps.md) for their apps and APIs which the customer can manage from their directory using the portal or APIs. IT Pros can then assign roles to different users and groups to control who has access to what content and functionality. When a token is issued for the application or API, the roles assigned to the user will be available in the roles claim in the token. Getting this information directly in a token can save additional APIs calls.
Finally, IT Admins can also add claims based on specific information in a tenant. For example, an enterprise can have an extension to have an enterprise specific User ID.
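Review bot: the added ID-token paragraph says using claims "will save the overheard of an additional network call"; "overheard" should be "overhead". The typo was carried over from the removed line. The app-roles line in the same hunk also ends with "can save additional APIs calls", which should read "API calls".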
@@ -150,26 +150,26 @@ Microsoft Graph provides a unified API endpoint to access the Microsoft 365 data
Apps require just a single token to access all of Microsoft 365. This is more resilient than using the older APIs that are specific to Microsoft 365 components like Microsoft Exchange or Microsoft SharePoint where multiple tokens are required.
-When using Microsoft Graph APIs, we suggest your use a [Microsoft Graph SDK](https://docs.microsoft.com/graph/sdks/sdks-overview). The Microsoft Graph SDKs are designed to simplify building high-quality, efficient, and resilient applications that access Microsoft Graph.
+When using Microsoft Graph APIs, we suggest your use a [Microsoft Graph SDK](/graph/sdks/sdks-overview). The Microsoft Graph SDKs are designed to simplify building high-quality, efficient, and resilient applications that access Microsoft Graph.
For authorization decisions, developers should consider when to use the claims available in a token as an alternative to some Microsoft Graph calls. As mentioned above, developers could request groups, app roles, and optional claims in their tokens. In terms of resilience, using Microsoft Graph for authorization requires additional network calls that rely on Microsoft Identity (to get the token to access Microsoft Graph) as well as Microsoft Graph itself. However, if your application already relies on Microsoft Graph as its data layer, then relying on the Graph for authorization is not an additional risk to take. ## Use broker authentication on mobile devices
-On mobile devices, using an authentication broker like Microsoft Authenticator will improve resilience. The broker adds benefits above what is available with other options such as the system browser or an embedded WebView. The authentication broker can utilize a [primary refresh token](https://docs.microsoft.com/azure/active-directory/devices/concept-primary-refresh-token) (PRT) that contains claims about the user and the device and can be used to get authentication tokens to access other applications from the device. When a PRT is used to request access to an application, its device and MFA claims are trusted by Azure AD. This increases resilience by avoiding additional steps to authenticate the device again. Users won't be challenged with multiple MFA prompts on the same device, therefore increasing resilience by reducing dependencies on external services and improving the user experience.
+On mobile devices, using an authentication broker like Microsoft Authenticator will improve resilience. The broker adds benefits above what is available with other options such as the system browser or an embedded WebView. The authentication broker can utilize a [primary refresh token](../devices/concept-primary-refresh-token.md) (PRT) that contains claims about the user and the device and can be used to get authentication tokens to access other applications from the device. When a PRT is used to request access to an application, its device and MFA claims are trusted by Azure AD. This increases resilience by avoiding additional steps to authenticate the device again. Users won't be challenged with multiple MFA prompts on the same device, therefore increasing resilience by reducing dependencies on external services and improving the user experience.
![An application making a call to Microsoft identity, but the call goes through a token cache as well as a token store and an Authentication Broker on the device running the application](media/resilience-client-app/authentication-broker.png) Broker authentication is automatically supported by MSAL. You can find more information on using brokered authentication on the following pages: -- [Configure SSO on macOS and iOS](https://docs.microsoft.com/azure/active-directory/develop/single-sign-on-macos-ios#sso-through-authentication-broker-on-ios)-- [How to enable cross-app SSO on Android using MSAL](https://docs.microsoft.com/azure/active-directory/develop/msal-android-single-sign-on)
+- [Configure SSO on macOS and iOS](../develop/single-sign-on-macos-ios.md#sso-through-authentication-broker-on-ios)
+- [How to enable cross-app SSO on Android using MSAL](../develop/msal-android-single-sign-on.md)
## Adopt Continuous Access Evaluation
-[Continuous Access Evaluation (CAE)](https://docs.microsoft.com/azure/active-directory/conditional-access/concept-continuous-access-evaluation) is a recent development that can increase application security and resilience with long-lived tokens. CAE is an emerging industry standard being developed in the Shared Signals and Events Working Group of the OpenID Foundation. With CAE, an access token can be revoked based on [critical events](https://docs.microsoft.com/azure/active-directory/conditional-access/concept-continuous-access-evaluation#critical-event-evaluation) and [policy evaluation](https://docs.microsoft.com/azure/active-directory/conditional-access/concept-continuous-access-evaluation#conditional-access-policy-evaluation-preview), rather than relying on a short token lifetime. For some resource APIs, because risk and policy are evaluated in real time, CAE can substantially increase token lifetime up to 28 hours. As resource APIs and applications adopt CAE, Microsoft Identity will be able to issue access tokens that are revocable and are valid for extended periods of time. These long-lived tokens will be proactively refreshed by MSAL.
+[Continuous Access Evaluation (CAE)](../conditional-access/concept-continuous-access-evaluation.md) is a recent development that can increase application security and resilience with long-lived tokens. CAE is an emerging industry standard being developed in the Shared Signals and Events Working Group of the OpenID Foundation. With CAE, an access token can be revoked based on [critical events](../conditional-access/concept-continuous-access-evaluation.md#critical-event-evaluation) and [policy evaluation](../conditional-access/concept-continuous-access-evaluation.md#conditional-access-policy-evaluation-preview), rather than relying on a short token lifetime. For some resource APIs, because risk and policy are evaluated in real time, CAE can substantially increase token lifetime up to 28 hours. As resource APIs and applications adopt CAE, Microsoft Identity will be able to issue access tokens that are revocable and are valid for extended periods of time. These long-lived tokens will be proactively refreshed by MSAL.
-While CAE is in early phases, it is possible to [develop client applications today that will benefit from CAE](../develop/app-resilience-continuous-access-evaluation.md) when the resources (APIs) the application uses adopt CAE. As more resources adopt CAE, your application will be able to acquire CAE enabled tokens for those resources as well. The Microsoft Graph API, and [Microsoft Graph SDKs](https://docs.microsoft.com/graph/sdks/sdks-overview), will preview CAE capability early 2021. If you would like to participate in the public preview of Microsoft Graph with CAE, you can let us know you are interested here: [https://aka.ms/GraphCAEPreview](https://aka.ms/GraphCAEPreview).
+While CAE is in early phases, it is possible to [develop client applications today that will benefit from CAE](../develop/app-resilience-continuous-access-evaluation.md) when the resources (APIs) the application uses adopt CAE. As more resources adopt CAE, your application will be able to acquire CAE enabled tokens for those resources as well. The Microsoft Graph API, and [Microsoft Graph SDKs](/graph/sdks/sdks-overview), will preview CAE capability early 2021. If you would like to participate in the public preview of Microsoft Graph with CAE, you can let us know you are interested here: [https://aka.ms/GraphCAEPreview](https://aka.ms/GraphCAEPreview).
If you develop resource APIs, we encourage you to participate in the [Shared Signals and Events WG](https://openid.net/wg/sse/). We are working with this group to enable the sharing of security events between Microsoft Identity and resource providers.
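Review bot: the added Microsoft Graph SDK line reads "we suggest your use a [Microsoft Graph SDK]"; "your" should be "you". Separately, the CAE paragraph in this hunk says the SDKs "will preview CAE capability early 2021" and links to an anchor named `#conditional-access-policy-evaluation-preview`. Both are time-bound, so flag them for a follow-up once the preview status changes, otherwise the anchor is likely to break when the target heading is renamed.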
@@ -178,4 +178,4 @@ If you develop resource APIs, we encourage you to participate in the [Shared Sig
- [How to use Continuous Access Evaluation enabled APIs in your applications](../develop/app-resilience-continuous-access-evaluation.md) - [Build resilience into daemon applications](resilience-daemon-app.md) - [Build resilience in your identity and access management infrastructure](resilience-in-infrastructure.md)-- [Build resilience in your CIAM systems](resilience-b2c.md)
+- [Build resilience in your CIAM systems](resilience-b2c.md)
\ No newline at end of file
active-directory https://docs.microsoft.com/en-us/azure/active-directory/fundamentals/resilience-daemon-app https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/active-directory/fundamentals/resilience-daemon-app.md
@@ -21,7 +21,7 @@ This article provides guidance on how developers can use the Microsoft identity
## Use Managed Identities for Azure Resources
-Developers building daemon apps on Microsoft Azure can use [Managed Identities for Azure Resources](https://docs.microsoft.com/azure/active-directory/managed-identities-azure-resources/overview). Managed Identities eliminate the need for developers to manage secrets and credentials. The feature improves resilience by avoiding mistakes around certificate expiry, rotation errors, or trust. It also has several built-in features meant specifically to increase resilience.
+Developers building daemon apps on Microsoft Azure can use [Managed Identities for Azure Resources](../managed-identities-azure-resources/overview.md). Managed Identities eliminate the need for developers to manage secrets and credentials. The feature improves resilience by avoiding mistakes around certificate expiry, rotation errors, or trust. It also has several built-in features meant specifically to increase resilience.
Managed Identities use long lived access tokens and information from Microsoft Identity to proactively acquire new tokens within a large window of time before the existing token expires. Your app can continue to run while attempting to acquire a new token.
@@ -29,11 +29,11 @@ Managed Identities also use regional endpoints to improve performance and resili
## Use the Microsoft Authentication Library
-Developers of daemon apps who do not use Managed Identities can use the [Microsoft Authentication Library (MSAL)](https://docs.microsoft.com/azure/active-directory/develop/msal-overview), which makes implementing authentication and authorization simple, and automatically uses best practices for resilience. MSAL will make the process of providing the required Client Credentials easier. For example, your application does not need to implement creating and signing JSON Web Token assertions when using certificate-based credentials.
+Developers of daemon apps who do not use Managed Identities can use the [Microsoft Authentication Library (MSAL)](../develop/msal-overview.md), which makes implementing authentication and authorization simple, and automatically uses best practices for resilience. MSAL will make the process of providing the required Client Credentials easier. For example, your application does not need to implement creating and signing JSON Web Token assertions when using certificate-based credentials.
### Use Microsoft.Identity.Web for .NET Developers
-Developers building daemon apps on ASP.NET Core can use the [Microsoft.Identity.Web](https://docs.microsoft.com/azure/active-directory/develop/microsoft-identity-web) library. This library is built on top of MSAL to make implementing authorization even easier for ASP.NET Core apps. It includes several [distributed token cache](https://github.com/AzureAD/microsoft-identity-web/wiki/token-cache-serialization#distributed-token-cache) strategies for distributed apps that can run in multiple regions.
+Developers building daemon apps on ASP.NET Core can use the [Microsoft.Identity.Web](../develop/microsoft-identity-web.md) library. This library is built on top of MSAL to make implementing authorization even easier for ASP.NET Core apps. It includes several [distributed token cache](https://github.com/AzureAD/microsoft-identity-web/wiki/token-cache-serialization#distributed-token-cache) strategies for distributed apps that can run in multiple regions.
## Cache and store tokens
@@ -53,4 +53,4 @@ When a request times out applications should not retry immediately. Implement an
- [Build resilience into applications that sign-in users](resilience-client-app.md) - [Build resilience in your identity and access management infrastructure](resilience-in-infrastructure.md)-- [Build resilience in your CIAM systems](resilience-b2c.md)
+- [Build resilience in your CIAM systems](resilience-b2c.md)
\ No newline at end of file
active-directory https://docs.microsoft.com/en-us/azure/active-directory/fundamentals/resilience-in-credentials https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/active-directory/fundamentals/resilience-in-credentials.md
@@ -57,7 +57,7 @@ In addition to individual user resiliency described above, enterprises should pl
* Turn on [password hash synchronization](../hybrid/whatis-phs.md) for hybrid accounts that are synchronized from Windows Server Active Directory. This option can be enabled alongside federation services such as AD FS and provides a fall back in case the federation service fails.
-* [Analyze usage of Multi-factor authentication methods](https://docs.microsoft.com/samples/azure-samples/azure-mfa-authentication-method-analysis/azure-mfa-authentication-method-analysis/) to improve usersΓÇÖ experience.
+* [Analyze usage of Multi-factor authentication methods](/samples/azure-samples/azure-mfa-authentication-method-analysis/azure-mfa-authentication-method-analysis/) to improve usersΓÇÖ experience.
* [Implement a resilient access control strategy](../authentication/concept-resilient-controls.md)
@@ -78,4 +78,4 @@ Resilience resources for developers
* [Build IAM resilience in your applications](resilience-app-development-overview.md)
-* [Build resilience in your CIAM systems](resilience-b2c.md)
+* [Build resilience in your CIAM systems](resilience-b2c.md)
\ No newline at end of file
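Review bot: The `-` and `+` lines for the `resilience-b2c.md` bullet read identically, and the `\ No newline at end of file` marker follows the `+` line, so as shown the only effect of this hunk is that the file now ends without a trailing newline. Restore the final newline so this bullet stops appearing as changed in later diffs. The same pattern shows up in the closing hunk of the other resilience articles in this batch.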
active-directory https://docs.microsoft.com/en-us/azure/active-directory/fundamentals/resilience-in-hybrid https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/active-directory/fundamentals/resilience-in-hybrid.md
@@ -77,7 +77,7 @@ To implement Pass-through Authentication, see the following resources.
Federation involves the creation of a trust relationship between Azure AD and the federation service, which includes the exchange of endpoints, token signing certificates, and other metadata. When a request comes to Azure AD, it reads the configuration and redirects the user to the endpoints configured. At that point, the user interacts with the federation service, which issues a SAML assertion that is validated by Azure AD.
-The following diagram shows a topology of an enterprise Active Directory Federation Services (AD FS), deployment that includes redundant federation and web application proxy servers across multiple on-premises data centers. This configuration relies on enterprise networking infrastructure components like DNS, Network Load Balancing with geo-affinity capabilities, firewalls, etc. All on-premises components and connections are susceptible to failure. Visit the [AD FS Capacity Planning Documentation](https://docs.microsoft.com/windows-server/identity/ad-fs/design/planning-for-ad-fs-server-capacity) for more information.
+The following diagram shows a topology of an enterprise Active Directory Federation Services (AD FS), deployment that includes redundant federation and web application proxy servers across multiple on-premises data centers. This configuration relies on enterprise networking infrastructure components like DNS, Network Load Balancing with geo-affinity capabilities, firewalls, etc. All on-premises components and connections are susceptible to failure. Visit the [AD FS Capacity Planning Documentation](/windows-server/identity/ad-fs/design/planning-for-ad-fs-server-capacity) for more information.
> [!NOTE] > Federation has the highest number of on-premises dependencies, and therefore the most potential points of failure. While this diagram shows AD FS, other on-premises identity providers are subject to similar design considerations to achieve high availability, scalability, and fail over.
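Review bot: The rewritten AD FS paragraph still carries the stray comma in "Active Directory Federation Services (AD FS), deployment that includes"; since this line is being touched anyway, drop the comma so it reads "(AD FS) deployment that includes". The link conversion to the site-relative `/windows-server/...` path is consistent with the two bullets changed later in this file.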
@@ -94,9 +94,9 @@ If you are implementing a federated authentication strategy or want to make it m
* [Azure AD federation compatibility list](../hybrid/how-to-connect-fed-compatibility.md)
-* Follow the [AD FS capacity planning documentation](https://docs.microsoft.com/windows-server/identity/ad-fs/design/planning-for-ad-fs-server-capacity)
+* Follow the [AD FS capacity planning documentation](/windows-server/identity/ad-fs/design/planning-for-ad-fs-server-capacity)
-* [Deploying AD FS in Azure IaaS](https://docs.microsoft.com/windows-server/identity/ad-fs/deployment/how-to-connect-fed-azure-adfs)
+* [Deploying AD FS in Azure IaaS](/windows-server/identity/ad-fs/deployment/how-to-connect-fed-azure-adfs)
* [Enable PHS](../hybrid/tutorial-phs-backup.md) along with your federation
@@ -117,4 +117,4 @@ Resilience resources for developers
* [Build IAM resilience in your applications](resilience-app-development-overview.md)
-* [Build resilience in your CIAM systems](resilience-b2c.md)
+* [Build resilience in your CIAM systems](resilience-b2c.md)
\ No newline at end of file
active-directory https://docs.microsoft.com/en-us/azure/active-directory/fundamentals/resilience-in-infrastructure https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/active-directory/fundamentals/resilience-in-infrastructure.md
@@ -27,7 +27,7 @@ The document set is designed for
* Identity Operations teams
-Please also see the documentation for [application developers](https://aka.ms/azureadresilience/developer) and for [Azure AD B2C systems](resilience-b2c.md).
+Please also see the documentation for [application developers](./resilience-app-development-overview.md) and for [Azure AD B2C systems](resilience-b2c.md).
## What is resilience?
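Review bot: The new developer link is written as `./resilience-app-development-overview.md`, while the B2C link in the same sentence (`resilience-b2c.md`) and the link to the same target in this file's "Resilience resources for developers" list use the bare file name. Use one form for same-folder links, preferably the bare name already used elsewhere in the file.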
@@ -39,7 +39,7 @@ Every call to the authentication system is subject to disruption if any componen
In a token-based authentication system like Azure AD, a userΓÇÖs application (client) must acquire a security token from the identity system before it can access an application or other resource. During the validity period, a client can present the same token multiple times to access the application.
-When the token presented to the application expires, the application rejects the token, and the client must acquire a new token from Azure AD. Acquiring a new token potentially requires user interaction such as credential prompts or meeting other requirements of the authentication system. Reducing the frequency of authentication calls with longer-lived tokens decreases unnecessary interactions. However, you must balance token life with the risk created by fewer policy evaluations. For more information on managing token lifetimes, see this article on [optimizing reauthentication prompts](https://docs.microsoft.com/azure/active-directory/authentication/concepts-azure-multi-factor-authentication-prompts-session-lifetime).
+When the token presented to the application expires, the application rejects the token, and the client must acquire a new token from Azure AD. Acquiring a new token potentially requires user interaction such as credential prompts or meeting other requirements of the authentication system. Reducing the frequency of authentication calls with longer-lived tokens decreases unnecessary interactions. However, you must balance token life with the risk created by fewer policy evaluations. For more information on managing token lifetimes, see this article on [optimizing reauthentication prompts](../authentication/concepts-azure-multi-factor-authentication-prompts-session-lifetime.md).
## Ways to increase resilience The following diagram shows six concrete ways you can increase resilience. Each method is explained in detail in the articles linked in the Next steps portion of this article.
@@ -65,4 +65,4 @@ Resilience resources for developers
* [Build IAM resilience in your applications](resilience-app-development-overview.md)
-* [Build resilience in your CIAM systems](resilience-b2c.md)
+* [Build resilience in your CIAM systems](resilience-b2c.md)
\ No newline at end of file
active-directory https://docs.microsoft.com/en-us/azure/active-directory/fundamentals/resilience-on-premises-access https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/active-directory/fundamentals/resilience-on-premises-access.md
@@ -22,7 +22,7 @@ Application Proxy is a feature of Azure AD that enables users to access on-premi
Users access on-premises resources through a URL published via Application Proxy. They are redirected to the Azure AD sign in page. The Application Proxy service in Azure AD then sends a token to the Application Proxy connector in the corporate network, which passes the token to the on-premises Active Directory The authenticated user can then access the on-premises resource. In the diagram below, [connectors](../manage-apps/application-proxy-connectors.md) are shown in a [connector group](../manage-apps/application-proxy-connector-groups.md). > [!IMPORTANT]
-> When you publish your applications via Application Proxy, you must implement [capacity planning and appropriate redundancy for the Application Proxy connectors](https://docs.microsoft.com/azure/active-directory/manage-apps/application-proxy-connectors#capacity-planning).
+> When you publish your applications via Application Proxy, you must implement [capacity planning and appropriate redundancy for the Application Proxy connectors](../manage-apps/application-proxy-connectors.md#capacity-planning).
![Architecture diagram of Application y](./media/resilience-on-prem-access/admin-resilience-app-proxy.png))
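Review bot: The image line directly under the changed note is malformed: the alt text reads "Architecture diagram of Application y" (truncated) and the link closes with a doubled `))`. Fix both in this change, and add the missing period in the context paragraph above ("passes the token to the on-premises Active Directory The authenticated user"), so the section around the corrected link renders cleanly.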
@@ -55,4 +55,4 @@ Resilience resources for developers
* [Build IAM resilience in your applications](resilience-app-development-overview.md)
-* [Build resilience in your CIAM systems](resilience-b2c.md)
+* [Build resilience in your CIAM systems](resilience-b2c.md)
\ No newline at end of file
active-directory https://docs.microsoft.com/en-us/azure/active-directory/fundamentals/resilience-with-continuous-access-evaluation https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/active-directory/fundamentals/resilience-with-continuous-access-evaluation.md
@@ -18,7 +18,7 @@ ms.collection: M365-identity-device-management
# Build resilience by using Continuous Access Evaluation
-[Continuous Access Evaluation](https://docs.microsoft.com/azure/active-directory/conditional-access/concept-continuous-access-evaluation) (CAE) allows Azure AD applications to subscribe to critical events that can then be evaluated and enforced. This includes evaluation of the following events:
+[Continuous Access Evaluation](../conditional-access/concept-continuous-access-evaluation.md) (CAE) allows Azure AD applications to subscribe to critical events that can then be evaluated and enforced. This includes evaluation of the following events:
* The user account being deleted or disabled
@@ -44,11 +44,11 @@ Microsoft is working with the industry to build [standards](https://openid.net/w
## How do I implement CAE?
-* [Enable CAE](https://docs.microsoft.com/azure/active-directory/conditional-access/concept-continuous-access-evaluation) in the Azure AD Security Configuration.
+* [Enable CAE](../conditional-access/concept-continuous-access-evaluation.md) in the Azure AD Security Configuration.
-* Ensure that your organization is using [compatible versions](https://docs.microsoft.com/azure/active-directory/conditional-access/concept-continuous-access-evaluation) of Microsoft Office native applications.
+* Ensure that your organization is using [compatible versions](../conditional-access/concept-continuous-access-evaluation.md) of Microsoft Office native applications.
-* [Optimize your reauthentication prompts](https://docs.microsoft.com/azure/active-directory/authentication/concepts-azure-multi-factor-authentication-prompts-session-lifetime).
+* [Optimize your reauthentication prompts](../authentication/concepts-azure-multi-factor-authentication-prompts-session-lifetime.md).
## Next steps
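Review bot: After the conversion, "Enable CAE" and "compatible versions" both point at `../conditional-access/concept-continuous-access-evaluation.md` with no section anchor, so two different steps send the reader to the top of the same article. If that article has a section for enabling CAE and one for client versions, link each bullet to its section; otherwise merge the two bullets into one that cites the article once.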
@@ -68,4 +68,4 @@ Resilience resources for developers
* [Build IAM resilience in your applications](resilience-app-development-overview.md)
-* [Build resilience in your CIAM systems](resilience-b2c.md)
+* [Build resilience in your CIAM systems](resilience-b2c.md)
\ No newline at end of file
active-directory https://docs.microsoft.com/en-us/azure/active-directory/fundamentals/resilience-with-device-states https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/active-directory/fundamentals/resilience-with-device-states.md
@@ -35,11 +35,11 @@ When a PRT is used to request access to an application, its device, session, and
If there are older versions of Windows in your organization, upgrade those devices to use Windows 10.
-* Standardize user browser access to use either [Microsoft Edge](https://docs.microsoft.com/deployedge/microsoft-edge-security-identity) or Google Chrome with [supported](https://chrome.google.com/webstore/detail/windows-10-accounts/ppnbnpeolgkicgegkbkbjmhlideopiji) [extensions](https://chrome.google.com/webstore/detail/office/ndjpnladcallmjemlbaebfadecfhkepb) that enabled seamless SSO to web applications using the PRT.
+* Standardize user browser access to use either [Microsoft Edge](/deployedge/microsoft-edge-security-identity) or Google Chrome with [supported](https://chrome.google.com/webstore/detail/windows-10-accounts/ppnbnpeolgkicgegkbkbjmhlideopiji) [extensions](https://chrome.google.com/webstore/detail/office/ndjpnladcallmjemlbaebfadecfhkepb) that enabled seamless SSO to web applications using the PRT.
-* For personal or company owned iOS and Android devices deploy the [Microsoft Authenticator App](../user-help/user-help-auth-app-overview.md). In addition to the Multi-factor authentication and password-less sign in capabilities, the Microsoft Authenticator app will enable single sign across native application through [brokered authentication](../develop/brokered-auth.md) with fewer authentication prompts for end users.
+* For personal or company owned iOS and Android devices deploy the [Microsoft Authenticator App](../user-help/user-help-auth-app-overview.md). In addition to the Multi-factor authentication and password-less sign in capabilities, the Microsoft Authenticator app will enable single sign across native application through [brokered authentication](../develop/msal-android-single-sign-on.md) with fewer authentication prompts for end users.
-* For personal or company owned iOS and Android devices use [mobile application management](https://docs.microsoft.com/mem/intune/apps/app-management) to securely access company resources with fewer authentication requests.
+* For personal or company owned iOS and Android devices use [mobile application management](/mem/intune/apps/app-management) to securely access company resources with fewer authentication requests.
* [Use the Microsoft Enterprise SSO plug-in for Apple devices (preview)](../develop/apple-sso-plugin.md). This registers the device and provides SSO across browser and native Azure AD applications.
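Review bot: The "brokered authentication" link in the Microsoft Authenticator bullet moves from `../develop/brokered-auth.md` to `../develop/msal-android-single-sign-on.md`, but the bullet is about "iOS and Android devices" and the new target is Android-specific by name. Either add the matching iOS article next to it or reword the link text so it is clear that the target covers Android only. The same bullet also reads "enable single sign across native application", which looks like it is missing "on".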
@@ -61,4 +61,4 @@ Resilience resources for developers
* [Build IAM resilience in your applications](resilience-app-development-overview.md)
-* [Build resilience in your CIAM systems](resilience-b2c.md)
+* [Build resilience in your CIAM systems](resilience-b2c.md)
\ No newline at end of file
active-directory https://docs.microsoft.com/en-us/azure/active-directory/fundamentals/resilience-with-monitoring-alerting https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/active-directory/fundamentals/resilience-with-monitoring-alerting.md
@@ -29,14 +29,14 @@ Similarly, to detect failures or performance disruptions, setting up a good base
### How to implement monitoring and alerting -- **Monitoring**: Use [Azure Monitor](https://docs.microsoft.com/azure/active-directory-b2c/azure-monitor) to continuously monitor health against key Service Level Objectives (SLO) and get notification whenever a critical change happens. Begin by identifying Azure AD B2C policy or an application as a critical component of your business whose health needs to be monitored to maintain SLO. Identify key indicators that align with your SLOs.
+- **Monitoring**: Use [Azure Monitor](../../active-directory-b2c/azure-monitor.md) to continuously monitor health against key Service Level Objectives (SLO) and get notification whenever a critical change happens. Begin by identifying Azure AD B2C policy or an application as a critical component of your business whose health needs to be monitored to maintain SLO. Identify key indicators that align with your SLOs.
For example, track the following metrics, since a sudden drop in either will lead to a loss in business. - **Total requests**: The total ΓÇ£nΓÇ¥ number of requests sent to Azure AD B2C policy. - **Success rate (%)**: Successful requests/Total number of requests.
- Access the [key indicators](https://docs.microsoft.com/azure/active-directory-b2c/view-audit-logs) in [application insights](https://docs.microsoft.com/azure/active-directory-b2c/analytics-with-application-insights) where Azure AD B2C policy-based logs, [audit logs](https://docs.microsoft.com/azure/active-directory-b2c/analytics-with-application-insights), and sign-in logs are stored.
+ Access the [key indicators](../../active-directory-b2c/view-audit-logs.md) in [application insights](../../active-directory-b2c/analytics-with-application-insights.md) where Azure AD B2C policy-based logs, [audit logs](../../active-directory-b2c/analytics-with-application-insights.md), and sign-in logs are stored.
- **Visualizations**: Using Log analytics build dashboards to visually monitor the key indicators.
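Review bot: In the "Access the key indicators" line the link targets look mismatched and the conversion preserves that: "key indicators" points at `view-audit-logs.md`, while "audit logs" points at `analytics-with-application-insights.md`, the same file as the "application insights" link. Point "audit logs" at `../../active-directory-b2c/view-audit-logs.md` and choose a target for "key indicators" that actually describes them, or leave that phrase unlinked.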
@@ -44,15 +44,15 @@ For example, track the following metrics, since a sudden drop in either will lea
- **Previous period**: Create temporal charts to show changes in the Total requests and Success rate (%) over some previous period for reference purposes, for example, last week. -- **Alerting**: Using log analytics define [alerts](https://docs.microsoft.com/azure/azure-monitor/platform/alerts-log) that get triggered when there are sudden changes in the key indicators. These changes may negatively impact the SLOs. Alerts use various forms of notification methods including email, SMS, and webhooks. Start by defining a criterion that acts as a threshold against which alert will be triggered. For example:
+- **Alerting**: Using log analytics define [alerts](../../azure-monitor/platform/alerts-log.md) that get triggered when there are sudden changes in the key indicators. These changes may negatively impact the SLOs. Alerts use various forms of notification methods including email, SMS, and webhooks. Start by defining a criterion that acts as a threshold against which alert will be triggered. For example:
- Alert against abrupt drop in Total requests: Trigger an alert when number of total requests drop abruptly. For example, when there is a 25% drop in the total number of requests compared to previous period, raise an alert. - Alert against significant drop in Success rate (%): Trigger an alert when success rate of the selected policy significantly drops.
- - Upon receiving an alert, troubleshoot the issue using [Log Analytics](https://docs.microsoft.com/azure/active-directory/reports-monitoring/howto-install-use-log-analytics-views), [Application Insights](https://docs.microsoft.com/azure/active-directory-b2c/troubleshoot-with-application-insights#:~:text=Setup%20Application%20Insights%201%20Go%20to%20the%20Azure,left-menu%2C%20and%20click%20on%20it.%20More%20items...%20), and [VS Code extension](https://marketplace.visualstudio.com/items?itemName=AzureADB2CTools.aadb2c) for Azure AD B2C. After resolving the issue and deploying an updated application or policy, it continues to monitor the key indicators until they return back to normal range.
+ - Upon receiving an alert, troubleshoot the issue using [Log Analytics](../reports-monitoring/howto-install-use-log-analytics-views.md), [Application Insights](../../active-directory-b2c/troubleshoot-with-application-insights.md), and [VS Code extension](https://marketplace.visualstudio.com/items?itemName=AzureADB2CTools.aadb2c) for Azure AD B2C. After resolving the issue and deploying an updated application or policy, it continues to monitor the key indicators until they return back to normal range.
-- **Service alerts**: Use the [Azure AD B2C service level alerts](https://docs.microsoft.com/azure/service-health/service-health-overview) to get notified of service issues, planned maintenance, health advisory, and security advisory.
+- **Service alerts**: Use the [Azure AD B2C service level alerts](../../service-health/service-health-overview.md) to get notified of service issues, planned maintenance, health advisory, and security advisory.
-- **Reporting**: [By using log analytics](https://docs.microsoft.com/azure/active-directory/reports-monitoring/howto-integrate-activity-logs-with-log-analytics), build reports that help you gain understanding about user insights, technical challenges, and growth opportunities.
- - **Health Dashboard**: Create [custom dashboards using Azure Dashboard](https://docs.microsoft.com/azure/azure-monitor/learn/tutorial-app-dashboards) feature, which supports adding charts using Log Analytics queries. For example, identify pattern of successful and failed sign-ins, failure reasons and telemetry about devices used to make the requests.
+- **Reporting**: [By using log analytics](../reports-monitoring/howto-integrate-activity-logs-with-log-analytics.md), build reports that help you gain understanding about user insights, technical challenges, and growth opportunities.
+ - **Health Dashboard**: Create [custom dashboards using Azure Dashboard](../../azure-monitor/learn/tutorial-app-dashboards.md) feature, which supports adding charts using Log Analytics queries. For example, identify pattern of successful and failed sign-ins, failure reasons and telemetry about devices used to make the requests.
- **Abandon Azure AD B2C journeys**: Use the [workbook](https://github.com/azure-ad-b2c/siem#list-of-abandon-journeys) to track the list of abandoned Azure AD B2C journeys where user started the sign-in or sign-up journey but never finished it. It provides you details about policy ID and breakdown of steps that are taken by the user before abandoning the journey. - **Azure AD B2C monitoring workbooks**: Use the [monitoring workbooks](https://github.com/azure-ad-b2c/siem), which includes Azure AD B2C dashboard, Multi-factor authentication (MFA) operations, Conditional Access report, and Search logs by correlationId, to get better insights into the health of your Azure AD B2C environment.
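Review bot: In the troubleshooting bullet, the final sentence "After resolving the issue and deploying an updated application or policy, it continues to monitor the key indicators" has no referent for "it"; since the line is rewritten here, change it to an instruction such as "continue to monitor the key indicators until they return to the normal range". Dropping the long `#:~:text=` fragment from the Application Insights link in the same line is a good cleanup and needs no further change.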
active-directory https://docs.microsoft.com/en-us/azure/active-directory/fundamentals/resilient-end-user-experience https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/active-directory/fundamentals/resilient-end-user-experience.md
@@ -29,19 +29,19 @@ The sign-up and sign-in end-user experience is made up of the following elements
## Choose between user flow and custom policy
-To help you set up the most common identity tasks, Azure AD B2C provides built-in configurable [user flows](https://docs.microsoft.com/azure/active-directory-b2c/user-flow-overview). You can also build your own [custom policies](https://docs.microsoft.com/azure/active-directory-b2c/custom-policy-overview), that offers you maximum flexibility. However, it's recommended to use custom policies only to address complex scenarios.
+To help you set up the most common identity tasks, Azure AD B2C provides built-in configurable [user flows](../../active-directory-b2c/user-flow-overview.md). You can also build your own [custom policies](../../active-directory-b2c/custom-policy-overview.md), that offers you maximum flexibility. However, it's recommended to use custom policies only to address complex scenarios.
### How to decide between user flow and custom policy Choose built-in user flows if your business requirements can be met by them. Since extensively tested by Microsoft, you can minimize the testing needed for validating policy-level functional, performance, or scale of these identity user flows. You still need to test your applications for functionality, performance, and scale.
-Should you [choose custom policies](https://docs.microsoft.com/azure/active-directory-b2c/custom-policy-get-started) because of your business requirements, make sure you perform policy-level testing for functional, performance, or scale in addition to application-level testing.
+Should you [choose custom policies](../../active-directory-b2c/custom-policy-get-started.md) because of your business requirements, make sure you perform policy-level testing for functional, performance, or scale in addition to application-level testing.
-See the article that [compares user flows and custom polices](https://docs.microsoft.com/azure/active-directory-b2c/custom-policy-overview#comparing-user-flows-and-custom-policies) to help you decide.
+See the article that [compares user flows and custom polices](../../active-directory-b2c/custom-policy-overview.md#comparing-user-flows-and-custom-policies) to help you decide.
## Choose multiple IDPs
-When using an [external identity provider](https://docs.microsoft.com/azure/active-directory-b2c/technical-overview#external-identity-providers) such as Facebook, make sure to have a fallback plan in case the external provider becomes unavailable.
+When using an [external identity provider](../../active-directory-b2c/technical-overview.md#external-identity-providers) such as Facebook, make sure to have a fallback plan in case the external provider becomes unavailable.
### How to set up multiple IDPs
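Review bot: The link text in the added line "See the article that [compares user flows and custom polices]" misspells "policies". Correct it in this change, because the link text is what readers and search see, and the anchor it points to is already spelled `#comparing-user-flows-and-custom-policies`.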
@@ -53,11 +53,11 @@ As part of the external identity provider registration process, include a verifi
2. Configure a profile policy to allow users to [link the other identity to their account](https://github.com/Azure-Samples/active-directory-b2c-advanced-policies/tree/master/account-linking) after they sign in.
- 3. Notify and allow users to [switch to an alternate IDP](https://docs.microsoft.com/azure/active-directory-b2c/customize-ui-with-html#configure-dynamic-custom-page-content-uri) during an outage.
+ 3. Notify and allow users to [switch to an alternate IDP](../../active-directory-b2c/customize-ui-with-html.md#configure-dynamic-custom-page-content-uri) during an outage.
## Availability of Multi-factor authentication
-When using a [phone service for Multi-factor authentication (MFA)](https://docs.microsoft.com/azure/active-directory-b2c/phone-authentication), make sure to consider an alternative service provider. The local Telco or phone service provider may experience disruptions in their service.
+When using a [phone service for Multi-factor authentication (MFA)](../../active-directory-b2c/phone-authentication.md), make sure to consider an alternative service provider. The local Telco or phone service provider may experience disruptions in their service.
### How to choose an alternate MFA
@@ -98,4 +98,4 @@ Periodically test your CDNΓÇÖs availability and the performance of content distr
- [Resilience through developer best practices](resilience-b2c-developer-best-practices.md) - [Resilience through monitoring and analytics](resilience-with-monitoring-alerting.md) - [Build resilience in your authentication infrastructure](resilience-in-infrastructure.md)-- [Increase resilience of authentication and authorization in your applications](resilience-app-development-overview.md)
+- [Increase resilience of authentication and authorization in your applications](resilience-app-development-overview.md)
\ No newline at end of file
active-directory https://docs.microsoft.com/en-us/azure/active-directory/fundamentals/resilient-external-processes https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/active-directory/fundamentals/resilient-external-processes.md
@@ -23,7 +23,7 @@ In this article, we provide you guidance on how to plan for and implement the RE
## Ensure correct placement of the APIs
-Identity experience framework (IEF) policies allow you to call an external system using a [RESTful API technical profile](https://docs.microsoft.com/azure/active-directory-b2c/restful-technical-profile). External systems are not controlled by the IEF runtime environment and are a potential failure point.
+Identity experience framework (IEF) policies allow you to call an external system using a [RESTful API technical profile](../../active-directory-b2c/restful-technical-profile.md). External systems are not controlled by the IEF runtime environment and are a potential failure point.
### How to manage external systems using APIs
@@ -33,11 +33,11 @@ Identity experience framework (IEF) policies allow you to call an external syste
- Remove API calls from the pre-authenticated path whenever possible. If you can't, then you must place strict protections for Denial of Service (DoS) and Distributed Denial of Service (DDoS) attacks in front of your APIs. Attackers can load the sign-in page and try to flood your API with DoS attacks and cripple your application. For example, using CAPTCHA in your sign in, sign up flow can help. -- Use [API connectors of built-in sign-up user flow](https://docs.microsoft.com/azure/active-directory-b2c/api-connectors-overview) wherever possible to integrate with web APIs either after signing in with an identity provider or before creating the user. Since the user flows are already extensively tested, itΓÇÖs likely that you donΓÇÖt have to perform user flow-level functional, performance, or scale testing. You still need to test your applications for functionality, performance, and scale.
+- Use [API connectors of built-in sign-up user flow](../../active-directory-b2c/api-connectors-overview.md) wherever possible to integrate with web APIs either after signing in with an identity provider or before creating the user. Since the user flows are already extensively tested, itΓÇÖs likely that you donΓÇÖt have to perform user flow-level functional, performance, or scale testing. You still need to test your applications for functionality, performance, and scale.
-- Azure AD RESTFul API [technical profiles](https://docs.microsoft.com/azure/active-directory-b2c/restful-technical-profile) don't provide any caching behavior. Instead, RESTFul API profile implements a retry logic and a timeout that is built into the policy.
+- Azure AD RESTFul API [technical profiles](../../active-directory-b2c/restful-technical-profile.md) don't provide any caching behavior. Instead, RESTFul API profile implements a retry logic and a timeout that is built into the policy.
-- For APIs that need writing data, queue up a task to have such tasks executed by a background worker. Services like [Azure queues](https://docs.microsoft.com/azure/storage/queues/storage-queues-introduction) can be used. This will make the API return efficiently increasing the policy execution performance.
+- For APIs that need writing data, queue up a task to have such tasks executed by a background worker. Services like [Azure queues](../../storage/queues/storage-queues-introduction.md) can be used. This will make the API return efficiently increasing the policy execution performance.
## API error handling
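Review bot: In the technical-profile bullet, "don't provide any caching behavior. Instead, RESTFul API profile implements a retry logic and a timeout" reads as if retry and timeout replace caching, which they do not: a retry repeats the call to the external API. Since this line is being touched, state what the author is expected to do about the missing cache, and spell it "RESTful" to match the link text "RESTful API technical profile" used earlier in this article.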
@@ -45,11 +45,11 @@ As the APIs live outside the Azure AD B2C system, it's needed to have proper err
### How to gracefully handle API errors -- An API could fail for various reasons, make your application resilient to such failures. [Return an HTTP 4XX error message](https://docs.microsoft.com/azure/active-directory-b2c/restful-technical-profile#returning-validation-error-message) if the API is unable to complete the request. In the Azure AD B2C policy, try to gracefully handle the unavailability of the API and perhaps render a reduced experience.
+- An API could fail for various reasons, make your application resilient to such failures. [Return an HTTP 4XX error message](../../active-directory-b2c/restful-technical-profile.md#returning-validation-error-message) if the API is unable to complete the request. In the Azure AD B2C policy, try to gracefully handle the unavailability of the API and perhaps render a reduced experience.
-- [Handle transient errors gracefully](https://docs.microsoft.com/azure/active-directory-b2c/restful-technical-profile#error-handling). The RESTFul API profile allows you to configure error messages for various [circuit breakers](https://docs.microsoft.com/azure/architecture/patterns/circuit-breaker).
+- [Handle transient errors gracefully](../../active-directory-b2c/restful-technical-profile.md#error-handling). The RESTFul API profile allows you to configure error messages for various [circuit breakers](/azure/architecture/patterns/circuit-breaker).
-- Proactively monitor and using Continuous Integration/Continuous Delivery (CICD), rotate the API access credentials such as passwords and certificates used by the [Technical profile engine](https://docs.microsoft.com/azure/active-directory-b2c/restful-technical-profile).
+- Proactively monitor and using Continuous Integration/Continuous Delivery (CICD), rotate the API access credentials such as passwords and certificates used by the [Technical profile engine](../../active-directory-b2c/restful-technical-profile.md).
## API management - best practices
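Review bot: The credentials bullet, "Proactively monitor and using Continuous Integration/Continuous Delivery (CICD), rotate the API access credentials", has no object for "monitor" and gives no signal for when to rotate. Suggest rewording to say what is monitored (for example, expiry of the passwords and certificates the technical profile uses) and that rotation is carried out through the CI/CD pipeline.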
@@ -59,7 +59,7 @@ While you deploy the REST APIs and configure the RESTful technical profile, foll
- API Management (APIM) publishes, manages, and analyzes your APIs. APIM also handles authentication to provide secure access to backend services and microservices. Use an API gateway to scale out API deployments, caching, and load balancing. -- Recommendation is to get the right token at the beginning of the user journey instead of calling multiple times for each API and [secure an Azure APIM API](https://docs.microsoft.com/azure/active-directory-b2c/secure-api-management?tabs=app-reg-ga).
+- Recommendation is to get the right token at the beginning of the user journey instead of calling multiple times for each API and [secure an Azure APIM API](../../active-directory-b2c/secure-api-management.md?tabs=app-reg-ga).
## Next steps
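Review bot: The changed bullet joins two recommendations with "and", so "get the right token at the beginning of the user journey instead of calling multiple times for each API and secure an Azure APIM API" can be read as if securing the APIM API were one of the things to avoid. Split it into two sentences, and say which token "the right token" is.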
@@ -68,4 +68,4 @@ While you deploy the REST APIs and configure the RESTful technical profile, foll
- [Resilience through developer best practices](resilience-b2c-developer-best-practices.md) - [Resilience through monitoring and analytics](resilience-with-monitoring-alerting.md) - [Build resilience in your authentication infrastructure](resilience-in-infrastructure.md)-- [Increase resilience of authentication and authorization in your applications](resilience-app-development-overview.md)
+- [Increase resilience of authentication and authorization in your applications](resilience-app-development-overview.md)
\ No newline at end of file
active-directory https://docs.microsoft.com/en-us/azure/active-directory/fundamentals/users-default-permissions https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/active-directory/fundamentals/users-default-permissions.md
@@ -59,7 +59,7 @@ Default permissions for guest users can be restricted in the following ways:
Permission | Setting explanation ---------- | ------------
-Guests user access restrictions (Preview) | Setting this option to **Guest users have the same access as members** grants all member user permissions to guest users by default.<p>Setting this option to **Guest user access is restricted to properties and memberships of their own directory objects** restricts guest access to only their own user profile by default. Access to other users are no longer allowed even when searching by User Principal Name, ObjectId or Display Name. Access to groups information including groups memberships is also no longer allowed.<p>**Note**: This setting does not prevent access to joined groups in some Microsoft 365 services like Microsoft Teams. See [Microsoft Teams Guest access](https://docs.microsoft.com/MicrosoftTeams/guest-access) to learn more.<p>Guest users can still be added to administrator roles regardless of this permission settings.
+Guests user access restrictions (Preview) | Setting this option to **Guest users have the same access as members** grants all member user permissions to guest users by default.<p>Setting this option to **Guest user access is restricted to properties and memberships of their own directory objects** restricts guest access to only their own user profile by default. Access to other users are no longer allowed even when searching by User Principal Name, ObjectId or Display Name. Access to groups information including groups memberships is also no longer allowed.<p>**Note**: This setting does not prevent access to joined groups in some Microsoft 365 services like Microsoft Teams. See [Microsoft Teams Guest access](/MicrosoftTeams/guest-access) to learn more.<p>Guest users can still be added to administrator roles regardless of this permission settings.
Guests can invite | Setting this option to Yes allows guests to invite other guests. See [Delegate invitations for B2B collaboration](../external-identities/delegate-invitations.md#configure-b2b-external-collaboration-settings) to learn more. Members can invite | Setting this option to Yes allows non-admin members of your directory to invite guests. See [Delegate invitations for B2B collaboration](../external-identities/delegate-invitations.md#configure-b2b-external-collaboration-settings) to learn more. Admins and users in the guest inviter role can invite | Setting this option to Yes allows admins and users in the "Guest Inviter" role to invite guests. When set to Yes, users in the Guest inviter role will still be able to invite guests, regardless of the Members can invite setting. See [Delegate invitations for B2B collaboration](../external-identities/delegate-invitations.md#assign-the-guest-inviter-role-to-a-user) to learn more.
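Review bot: The last sentence of the changed cell, "Guest users can still be added to administrator roles regardless of this permission settings", is the caveat an administrator most needs when choosing the restricted option, and it sits as an unlabeled trailing fragment after the Teams note. Mark it as a second **Note**, and while the row is open fix "Guests user access restrictions", "Access to other users are no longer allowed" and "this permission settings".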
@@ -142,4 +142,4 @@ Users can perform the following actions on owned groups.
* To learn more about how to assign Azure AD administrator roles, see [Assign a user to administrator roles in Azure Active Directory](active-directory-users-assign-role-azure-portal.md) * To learn more about how resource access is controlled in Microsoft Azure, see [Understanding resource access in Azure](../../role-based-access-control/rbac-and-directory-admin-roles.md) * For more information on how Azure Active Directory relates to your Azure subscription, see [How Azure subscriptions are associated with Azure Active Directory](active-directory-how-subscriptions-associated-directory.md)
-* [Manage users](add-users-azure-active-directory.md)
+* [Manage users](add-users-azure-active-directory.md)
\ No newline at end of file
active-directory https://docs.microsoft.com/en-us/azure/active-directory/fundamentals/whats-new-archive https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/active-directory/fundamentals/whats-new-archive.md
@@ -1199,7 +1199,7 @@ For more information about how to better secure your organization by using autom
In January 2020, we've added these 33 new apps with Federation support to the app gallery:
-[JOSA](../saas-apps/josa-tutorial.md), [Fastly Edge Cloud](../saas-apps/fastly-edge-cloud-tutorial.md), [Terraform Enterprise](../saas-apps/terraform-enterprise-tutorial.md), [Spintr SSO](../saas-apps/spintr-sso-tutorial.md), [Abibot Netlogistik](https://azuremarketplace.microsoft.com/marketplace/apps/aad.abibotnetlogistik), [SkyKick](https://login.skykick.com/login?state=g6Fo2SBTd3M5Q0xBT0JMd3luS2JUTGlYN3pYTE1remJQZnR1c6N0aWTZIDhCSkwzYVQxX2ZMZjNUaWxNUHhCSXg2OHJzbllTcmYto2NpZNkgM0h6czk3ZlF6aFNJV1VNVWQzMmpHeFFDbDRIMkx5VEc&client=3Hzs97fQzhSIWUMUd32jGxQCl4H2LyTG&protocol=oauth2&audience=https://papi.skykick.com&response_type=code&redirect_uri=https://portal.skykick.com/callback&scope=openid%20profile%20offline_access), [Upshotly](../saas-apps/upshotly-tutorial.md), [LeaveBot](https://appsource.microsoft.com/en-us/product/office/WA200001175), [DataCamp](../saas-apps/datacamp-tutorial.md), [TripActions](../saas-apps/tripactions-tutorial.md), [SmartWork](https://www.intumit.com/teams-smartwork/), [Dotcom-Monitor](../saas-apps/dotcom-monitor-tutorial.md), [SSOGEN - Azure AD SSO Gateway for Oracle E-Business Suite - EBS, PeopleSoft, and JDE](../saas-apps/ssogen-tutorial.md), [Hosted MyCirqa SSO](../saas-apps/hosted-mycirqa-sso-tutorial.md), [Yuhu Property Management Platform](../saas-apps/yuhu-property-management-platform-tutorial.md), [LumApps](https://sites.lumapps.com/login), [Upwork Enterprise](../saas-apps/upwork-enterprise-tutorial.md), [Talentsoft](../saas-apps/talentsoft-tutorial.md), [SmartDB for Microsoft Teams](http://teams.smartdb.jp/login/), [PressPage](../saas-apps/presspage-tutorial.md), [ContractSafe Saml2 SSO](../saas-apps/contractsafe-saml2-sso-tutorial.md), [Maxient Conduct Manager Software](../saas-apps/maxient-conduct-manager-software-tutorial.md), [Helpshift](../saas-apps/helpshift-tutorial.md), [PortalTalk 365](https://www.portaltalk.com/), [CoreView](https://portal.coreview.com/), [Squelch Cloud Office365 
Connector](https://laxmi.squelch.io/login), [PingFlow Authentication](https://app-staging.pingview.io/), [ PrinterLogic SaaS](../saas-apps/printerlogic-saas-tutorial.md), [Taskize Connect](../saas-apps/taskize-connect-tutorial.md), [Sandwai](https://app.sandwai.com/), [EZRentOut](../saas-apps/ezrentout-tutorial.md), [AssetSonar](../saas-apps/assetsonar-tutorial.md), [Akari Virtual Assistant](https://akari.io/akari-virtual-assistant/)
+[JOSA](../saas-apps/josa-tutorial.md), [Fastly Edge Cloud](../saas-apps/fastly-edge-cloud-tutorial.md), [Terraform Enterprise](../saas-apps/terraform-enterprise-tutorial.md), [Spintr SSO](../saas-apps/spintr-sso-tutorial.md), [Abibot Netlogistik](https://azuremarketplace.microsoft.com/marketplace/apps/aad.abibotnetlogistik), [SkyKick](https://login.skykick.com/login?state=g6Fo2SBTd3M5Q0xBT0JMd3luS2JUTGlYN3pYTE1remJQZnR1c6N0aWTZIDhCSkwzYVQxX2ZMZjNUaWxNUHhCSXg2OHJzbllTcmYto2NpZNkgM0h6czk3ZlF6aFNJV1VNVWQzMmpHeFFDbDRIMkx5VEc&client=3Hzs97fQzhSIWUMUd32jGxQCl4H2LyTG&protocol=oauth2&audience=https://papi.skykick.com&response_type=code&redirect_uri=https://portal.skykick.com/callback&scope=openid%20profile%20offline_access), [Upshotly](../saas-apps/upshotly-tutorial.md), [LeaveBot](https://appsource.microsoft.com/en-us/product/office/WA200001175), [DataCamp](../saas-apps/datacamp-tutorial.md), [TripActions](../saas-apps/tripactions-tutorial.md), [SmartWork](https://www.intumit.com/teams-smartwork/), [Dotcom-Monitor](../saas-apps/dotcom-monitor-tutorial.md), [SSOGEN - Azure AD SSO Gateway for Oracle E-Business Suite - EBS, PeopleSoft, and JDE](../saas-apps/ssogen-tutorial.md), [Hosted MyCirqa SSO](../saas-apps/hosted-mycirqa-sso-tutorial.md), [Yuhu Property Management Platform](../saas-apps/yuhu-property-management-platform-tutorial.md), [LumApps](https://sites.lumapps.com/login), [Upwork Enterprise](../saas-apps/upwork-enterprise-tutorial.md), [Talentsoft](../saas-apps/talentsoft-tutorial.md), [SmartDB for Microsoft Teams](http://teams.smartdb.jp/login/), [PressPage](../saas-apps/presspage-tutorial.md), [ContractSafe Saml2 SSO](../saas-apps/contractsafe-saml2-sso-tutorial.md), [Maxient Conduct Manager Software](../saas-apps/maxient-conduct-manager-software-tutorial.md), [Helpshift](../saas-apps/helpshift-tutorial.md), [PortalTalk 365](https://www.portaltalk.com/), [CoreView](https://portal.coreview.com/), Squelch Cloud Office365 Connector, [PingFlow 
Authentication](https://app-staging.pingview.io/), [ PrinterLogic SaaS](../saas-apps/printerlogic-saas-tutorial.md), [Taskize Connect](../saas-apps/taskize-connect-tutorial.md), [Sandwai](https://app.sandwai.com/), [EZRentOut](../saas-apps/ezrentout-tutorial.md), [AssetSonar](../saas-apps/assetsonar-tutorial.md), [Akari Virtual Assistant](https://akari.io/akari-virtual-assistant/)
For more information about the apps, see [SaaS application integration with Azure Active Directory](../saas-apps/tutorial-list.md). For more information about listing your application in the Azure AD app gallery, see [List your application in the Azure Active Directory application gallery](../develop/v2-howto-app-gallery-listing.md).
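Review bot: The SkyKick entry on the changed line links to a login URL that carries a `state` value, a `client` identifier and a `redirect_uri`, which looks like a captured sign-in request rather than a stable product page. Replace it with the vendor's landing page or a tutorial link like the neighbouring entries; the same pass could revisit the PingFlow link to `app-staging.pingview.io` and the `http://` SmartDB link. The Squelch entry loses its link in this change and becomes the only unlinked item in the list.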
active-directory https://docs.microsoft.com/en-us/azure/active-directory/fundamentals/whats-new https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/active-directory/fundamentals/whats-new.md
@@ -96,7 +96,7 @@ You can now automate creating, updating, and deleting user accounts for these ne
- [Bizagi Studio for Digital Process Automation](../saas-apps/bizagi-studio-for-digital-process-automation-provisioning-tutorial.md) - [CybSafe](../saas-apps/cybsafe-provisioning-tutorial.md) - [GroupTalk](../saas-apps/grouptalk-provisioning-tutorial.md)-- [PaperCut Cloud Print Management](/azure/active-directory/saas-apps/papercut-cloud-print-management-provisioning-tutorial)
+- [PaperCut Cloud Print Management](../saas-apps/papercut-cloud-print-management-provisioning-tutorial.md)
- [Parsable](../saas-apps/parsable-provisioning-tutorial.md) - [Shopify Plus](../saas-apps/shopify-plus-provisioning-tutorial.md)
@@ -189,7 +189,7 @@ For listing your application in the Azure AD app gallery, read the details here
**Service category:** RBAC **Product capability:** Access Control
- [Custom RBAC roles for delegated enterprise application management](../users-groups-roles/roles-custom-available-permissions.md) is now in public preview. These new permissions build on the custom roles for app registration management, which allows fine-grained control over what access your admins have. Over time, additional permissions to delegate management of Azure AD will be released.
+ [Custom RBAC roles for delegated enterprise application management](../roles/custom-available-permissions.md) is now in public preview. These new permissions build on the custom roles for app registration management, which allows fine-grained control over what access your admins have. Over time, additional permissions to delegate management of Azure AD will be released.
Some common delegation scenarios: - assignment of user and groups that can access SAML based single sign-on applications
@@ -245,7 +245,7 @@ You can now automate creating, updating, and deleting user accounts for these ne
- [Tic - Tac Mobile](../saas-apps/tic-tac-mobile-provisioning-tutorial.md) - [Visibly](../saas-apps/visibly-provisioning-tutorial.md)
-For more information, see [Automate user provisioning to SaaS applications with Azure AD](../manage-apps/user-provisioning.md).
+For more information, see [Automate user provisioning to SaaS applications with Azure AD](../app-provisioning/user-provisioning.md).
---
@@ -299,7 +299,7 @@ Cloud provisioning agent has been released in public preview and is now availabl
Previously, you could recover BitLocker keys via the /bitlocker endpoint. We'll eventually be deprecating this endpoint, and customers should begin consuming the API that now falls under /informationProtection.
-See [BitLocker recovery API](https://docs.microsoft.com/graph/api/resources/bitlockerrecoverykey?view=graph-rest-beta) for updates to the documentation to reflect these changes.
+See [BitLocker recovery API](/graph/api/resources/bitlockerrecoverykey?view=graph-rest-beta) for updates to the documentation to reflect these changes.
---
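Review bot: The replacement link keeps `?view=graph-rest-beta`, so readers are sent to the beta reference while the paragraph above tells customers to "begin consuming the API that now falls under /informationProtection". Say in the text that the resource is documented under the beta view, and give a date or version for the /bitlocker deprecation instead of "eventually" so that callers can plan the move.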
@@ -1129,4 +1129,3 @@ If your organization is using the Azure MFA SDK, you need to migrate by Septembe
---
-
active-directory https://docs.microsoft.com/en-us/azure/active-directory/hybrid/how-to-connect-health-diagnose-sync-errors https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/active-directory/hybrid/how-to-connect-health-diagnose-sync-errors.md
@@ -137,7 +137,7 @@ The user with conflicting attribute in Azure AD should be cleaned before you can
Cloud-based user in Azure AD should not have source anchor. Updating source anchor is not supported in this case. Manual fix is required from on premises. **The fix process failed to update the values.**
-The specific settings such as [UserWriteback in Azure AD Connect](https://docs.microsoft.com/azure/active-directory/hybrid/how-to-connect-preview#user-writeback) is not supported. Please disable in the settings.
+The specific settings such as [UserWriteback in Azure AD Connect](./how-to-connect-preview.md#user-writeback) is not supported. Please disable in the settings.
## FAQ **Q.** What happens if execution of the **Apply Fix** fails?
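Review bot: On the changed line, "The specific settings such as UserWriteback in Azure AD Connect is not supported. Please disable in the settings" has a subject and verb that disagree and never says where the setting is turned off. Suggest "Specific settings such as UserWriteback in Azure AD Connect are not supported" followed by the location of the option.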
active-directory https://docs.microsoft.com/en-us/azure/active-directory/hybrid/how-to-upgrade-previous-version https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/active-directory/hybrid/how-to-upgrade-previous-version.md
@@ -24,7 +24,7 @@ This topic describes the different methods that you can use to upgrade your Azur
>[!NOTE] > It is important that you keep your servers current with the latest releases of Azure AD Connect. We are constantly making upgrades to AADConnect, and these upgrades include fixes to security issues and bugs, as well as serviceability, performance and scalability improvements.
-> To see what the latest version is, and to learn what changes have been made between versions, please refer to the [release version history](https://docs.microsoft.com/azure/active-directory/hybrid/reference-connect-version-history)
+> To see what the latest version is, and to learn what changes have been made between versions, please refer to the [release version history](./reference-connect-version-history.md)
>[!NOTE] > It is currently supported to upgrade from any version of Azure AD Connect to the current version. In-place upgrades of DirSync or ADSync are not supported and a swing migration is required. If you want to upgrade from DirSync, see [Upgrade from Azure AD sync tool (DirSync)](how-to-dirsync-upgrade-get-started.md) or the [Swing migration](#swing-migration) section. </br>In practice, customers on extremely old versions may encounter problems not directly related to Azure AD Connect. Servers that have been in production for several years, typically have had several patches applied to them and not all of these can be accounted for. Generally, customers who have not upgraded in 12-18 months should consider a swing upgrade instead as this is the most conservative and least risky option.
@@ -168,4 +168,4 @@ If you want to install a newer version of Azure AD Connect: close the Azure AD C
## Next steps
-Learn more about [integrating your on-premises identities with Azure Active Directory](whatis-hybrid-identity.md).
+Learn more about [integrating your on-premises identities with Azure Active Directory](whatis-hybrid-identity.md).
\ No newline at end of file
active-directory https://docs.microsoft.com/en-us/azure/active-directory/hybrid/plan-hybrid-identity-design-considerations-data-protection-strategy https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/active-directory/hybrid/plan-hybrid-identity-design-considerations-data-protection-strategy.md
@@ -32,7 +32,7 @@ As explained in [Determine directory synchronization requirements](plan-hybrid-i
Once authenticated, the user principal name (UPN) is read from the authentication token. Then, the authorization system determines the replicated partition and container corresponding to the userΓÇÖs domain. Information on the userΓÇÖs existence, enabled state, and role then helps the authorization system determine whether access to the target tenant is authorized for the user in that session. Certain authorized actions (specifically, create user and password reset) create an audit trail that a tenant administrator then uses to manage compliance efforts or investigations.
-Moving data from your on-premises datacenter into Azure Storage over an Internet connection may not always be feasible due to data volume, bandwidth availability, or other considerations. The [Azure Storage Import/Export Service](../../storage/common/storage-import-export-service.md) provides a hardware-based option for placing/retrieving large volumes of data in blob storage. It allows you to send [BitLocker-encrypted](/previous-versions/windows/it-pro/windows-server-2012-R2-and-2012/dn306081(v=ws.11)#BKMK_BL2012R2) hard disk drives directly to an Azure datacenter where cloud operators upload the contents to your storage account, or they can download your Azure data to your drives to return to you. Only encrypted disks are accepted for this process (using a BitLocker key generated by the service itself during the job setup). The BitLocker key is provided to Azure separately, thus providing out of band key sharing.
+Moving data from your on-premises datacenter into Azure Storage over an Internet connection may not always be feasible due to data volume, bandwidth availability, or other considerations. The [Azure Storage Import/Export Service](../../import-export/storage-import-export-service.md) provides a hardware-based option for placing/retrieving large volumes of data in blob storage. It allows you to send [BitLocker-encrypted](/previous-versions/windows/it-pro/windows-server-2012-R2-and-2012/dn306081(v=ws.11)#BKMK_BL2012R2) hard disk drives directly to an Azure datacenter where cloud operators upload the contents to your storage account, or they can download your Azure data to your drives to return to you. Only encrypted disks are accepted for this process (using a BitLocker key generated by the service itself during the job setup). The BitLocker key is provided to Azure separately, thus providing out of band key sharing.
Since data in transit can take place in different scenarios, is also relevant to know that Microsoft Azure uses [virtual networking](https://azure.microsoft.com/documentation/services/virtual-network/) to isolate tenantsΓÇÖ traffic from one another, employing measures such as host- and guest-level firewalls, IP packet filtering, port blocking, and HTTPS endpoints. However, most of AzureΓÇÖs internal communications, including infrastructure-to-infrastructure and infrastructure-to-customer (on-premises), are also encrypted. Another important scenario is the communications within Azure datacenters; Microsoft manages networks to assure that no VM can impersonate or eavesdrop on the IP address of another. TLS/SSL is used when accessing Azure Storage or SQL Databases, or when connecting to Cloud Services. In this case, the customer administrator is responsible for obtaining a TLS/SSL certificate and deploying it to their tenant infrastructure. Data traffic moving between Virtual Machines in the same deployment or between tenants in a single deployment via Microsoft Azure Virtual Network can be protected through encrypted communication protocols such as HTTPS, SSL/TLS, or others.
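Review bot: The changed paragraph says the disks are encrypted "using a BitLocker key generated by the service itself during the job setup" and then that "The BitLocker key is provided to Azure separately", which leaves it unclear who generates the key and who holds it while the drives are in transit. Name the party that creates the key and the channel it travels over, since the out-of-band claim depends on the key never accompanying the disks.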
active-directory https://docs.microsoft.com/en-us/azure/active-directory/manage-apps/application-management-fundamentals https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/active-directory/manage-apps/application-management-fundamentals.md
@@ -29,9 +29,9 @@ This article contains recommendations and best practices for managing applicatio
| Check the Azure AD application gallery for apps | Azure AD has a gallery that contains thousands of pre-integrated applications that are enabled with Enterprise single sign-on (SSO). For app-specific setup guidance, see the [List of SaaS app tutorials](../saas-apps/tutorial-list.md). | | Use federated SAML-based SSO | When an application supports it, use Federated, SAML-based SSO with Azure AD instead of password-based SSO and ADFS. | | Use SHA-256 for certificate signing | Azure AD uses the SHA-256 algorithm by default to sign the SAML response. Use SHA-256 unless the application requires SHA-1 (see [Certificate signing options](certificate-signing-options.md) and [Application sign-in problem](application-sign-in-problem-application-error.md).) |
-| Require user assignment | By default, users can access to your enterprise applications without being assigned to them. However, if the application exposes roles, or if you want the application to appear on a userΓÇÖs My Apps, require user assignment. (See [Developer guidance for integrating applications](developer-guidance-for-integrating-applications.md).) |
+| Require user assignment | By default, users can access to your enterprise applications without being assigned to them. However, if the application exposes roles, or if you want the application to appear on a userΓÇÖs My Apps, require user assignment. |
| Deploy My Apps to your users | [My Apps](end-user-experiences.md) at `https://myapps.microsoft.com` is a web-based portal that provides users with a single point of entry for their assigned cloud-based applications. As additional capabilities like group management and self-service password reset are added, users can find them in My Apps. See [Plan My Apps deployment](access-panel-deployment-plan.md).
-| Use group assignment | If included in your subscription, assign groups to an application so you can delegate ongoing access management to the group owner. (See [Developer guidance for integrating applications](developer-guidance-for-integrating-applications.md).) |
+| Use group assignment | If included in your subscription, assign groups to an application so you can delegate ongoing access management to the group owner. |
| Establish a process for managing certificates | The maximum lifetime of a signing certificate is three years. To prevent or minimize outage due to a certificate expiring, use roles and email distribution lists to ensure that certificate-related change notifications are closely monitored. | ## Provisioning recommendations
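Review bot: With the developer-guidance reference removed, the "Require user assignment" row states that "users can access to your enterprise applications without being assigned to them" and no longer points anywhere for the procedure that changes this default. Link the row to the article that documents the assignment setting, and correct "can access to" while editing; the "Use group assignment" row loses its only reference in the same way.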
active-directory https://docs.microsoft.com/en-us/azure/active-directory/manage-apps/application-proxy-add-on-premises-application https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/active-directory/manage-apps/application-proxy-add-on-premises-application.md
@@ -92,7 +92,7 @@ To enable TLS 1.2:
1. Restart the server. > [!Note]
-> Microsoft is updating Azure services to use TLS certificates from a different set of Root Certificate Authorities (CAs). This change is being made because the current CA certificates do not comply with one of the CA/Browser Forum Baseline requirements. See [Azure TLS certificate changes](https://docs.microsoft.com/azure/security/fundamentals/tls-certificate-changes) for more information.
+> Microsoft is updating Azure services to use TLS certificates from a different set of Root Certificate Authorities (CAs). This change is being made because the current CA certificates do not comply with one of the CA/Browser Forum Baseline requirements. See [Azure TLS certificate changes](../../security/fundamentals/tls-certificate-changes.md) for more information.
## Prepare your on-premises environment
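Review bot: The note on the changed line announces the move to a different set of root CAs but does not tell the connector administrator who is affected or what to verify on the server. Add one sentence on that, so the reader knows whether the change requires action before continuing with the prerequisites.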
@@ -265,4 +265,4 @@ You did these things:
You're ready to configure the application for single sign-on. Use the following link to choose a single sign-on method and to find single sign-on tutorials. > [!div class="nextstepaction"]
-> [Configure single sign-on](sso-options.md#choosing-a-single-sign-on-method)
+> [Configure single sign-on](sso-options.md#choosing-a-single-sign-on-method)
\ No newline at end of file
active-directory https://docs.microsoft.com/en-us/azure/active-directory/manage-apps/application-proxy-configure-connectors-with-proxy-servers https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/active-directory/manage-apps/application-proxy-configure-connectors-with-proxy-servers.md
@@ -165,7 +165,7 @@ The best way to identify and troubleshoot connector connectivity issues is to ta
You can use the monitoring tool of your choice. For the purposes of this article, we used Microsoft Message Analyzer. > [!NOTE]
-> [Microsoft Message Analyzer (MMA) was retired](https://docs.microsoft.com/openspecs/blog/ms-winintbloglp/dd98b93c-0a75-4eb0-b92e-e760c502394f) and its download packages removed from microsoft.com sites on November 25 2019. There is currently no Microsoft replacement for Microsoft Message Analyzer in development at this time. For similar functionality, please consider using a 3rd party network protocol analyzer tool such as Wireshark.
+> [Microsoft Message Analyzer (MMA) was retired](/openspecs/blog/ms-winintbloglp/dd98b93c-0a75-4eb0-b92e-e760c502394f) and its download packages removed from microsoft.com sites on November 25 2019. There is currently no Microsoft replacement for Microsoft Message Analyzer in development at this time. For similar functionality, please consider using a 3rd party network protocol analyzer tool such as Wireshark.
The following examples are specific to Message Analyzer, but the principles can be applied to any analysis tool.
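Review bot: The rewritten NOTE line keeps two wording problems that are worth fixing while the line is being touched: "There is currently no Microsoft replacement ... at this time" says the same thing twice, and "November 25 2019" is missing its comma. Suggest "There is currently no Microsoft replacement for Microsoft Message Analyzer in development" and "November 25, 2019". The switch to the site-relative `/openspecs/...` link is fine.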
@@ -207,4 +207,4 @@ If you see other response codes, such as 407 or 502, that means that the proxy i
## Next steps * [Understand Azure AD Application Proxy connectors](application-proxy-connectors.md)
-* If you have problems with connector connectivity issues, ask your question in the [Microsoft Q&A question page for Azure Active Directory](/answers/topics/azure-active-directory.html) or create a ticket with our support team.
+* If you have problems with connector connectivity issues, ask your question in the [Microsoft Q&A question page for Azure Active Directory](/answers/topics/azure-active-directory.html) or create a ticket with our support team.
\ No newline at end of file
active-directory https://docs.microsoft.com/en-us/azure/active-directory/manage-apps/developer-guidance-for-integrating-applications https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/active-directory/manage-apps/developer-guidance-for-integrating-applications.md deleted file mode 100644
@@ -1,71 +0,0 @@
-title: Register your application to use Azure Active Directory | Microsoft Docs
-description: Written for the IT Pro, this article provides guidelines for integrating Azure applications with Active Directory.
-services: active-directory
-documentationcenter: ''
-author: kenwith
-manager: celestedg
-ms.service: active-directory
-ms.subservice: app-mgmt
-ms.workload: identity
-ms.topic: conceptual
-ms.date: 10/30/2018
-ms.author: kenwith
-ms.collection: M365-identity-device-management
-# Develop line-of-business apps for Azure Active Directory
-This guide provides an overview of developing line-of-business (LoB) applications for Azure Active Directory (AD).The intended audience is Active Directory/Microsoft 365 global administrators.
-
-## Overview
-Building applications integrated with Azure AD gives users in your organization single sign-on with Microsoft 365. Having the application in Azure AD gives you control over the authentication policy for the application. To learn more about Conditional Access and how to protect apps with multi-factor authentication (MFA) see [Configuring access rules](../authentication/tutorial-enable-azure-mfa.md).
-
-Register your application to use Azure Active Directory. Registering the application means that your developers can use Azure AD to authenticate users and request access to user resources such as email, calendar, and documents.
-
-Any member of your directory (not guests) can register an application, otherwise known as *creating an application object*. If you are unable to register an application then it means the global administrator of your directory has restricted this functionality and you may need to contact them for [obtaining proper rights](../roles/delegate-app-roles.md#assign-built-in-application-admin-roles) be able to register the application. To learn more about how to restrict user's see [Delegate app registration permissions in Azure Active Directory](../roles/delegate-app-roles.md#restrict-who-can-create-applications).
-
-Registering an application allows any user to do the following:
-
-* Get an identity for their application that Azure AD recognizes
-* Get one or more secrets/keys that the application can use to authenticate itself to AD
-* Brand the application in the Azure portal with a custom name, logo, etc.
-* Apply Azure AD authorization features to their app, including:
-
- * Role-Based Access Control (RBAC)
- * Azure Active Directory as oAuth authorization server (secure an API exposed by the application)
-* Declare required permissions necessary for the application to function as expected, including:
-
- - App permissions (global administrators only). For example: Role membership in another Azure AD application or role membership relative to an Azure Resource, Resource Group, or Subscription
- - Delegated permissions (any user). For example: Azure AD, Sign-in, and Read Profile
-
-> [!NOTE]
-> By default, any member can register an application. To learn how to restrict permissions for registering applications to specific members, see [How applications are added to Azure AD](../develop/active-directory-how-applications-are-added.md#who-has-permission-to-add-applications-to-my-azure-ad-instance).
->
->
-
-HereΓÇÖs what you, the global administrator, need to do to help developers make their application ready for production:
-
-* Configure access rules (access policy/MFA)
-* Configure the app to require user assignment and assign users
-* Suppress the default user consent experience
-
-## Configure access rules
-Configure per-application access rules to your SaaS apps. For example, you can require MFA or only allow access to users on trusted networks. The details for this are available in the document [Configuring access rules](../authentication/tutorial-enable-azure-mfa.md).
-
-## Configure the app to require user assignment and assign users
-By default, users can access applications without being assigned. However, if the application exposes roles or if you want the application to appear on a userΓÇÖs My Apps, you should require user assignment.
-
-If youΓÇÖre an Azure AD Premium or Enterprise Mobility Suite (EMS) subscriber, we strongly recommend using groups. Assigning groups to the application allows you to delegate ongoing access management to the owner of the group. You can create the group or ask the responsible party in your organization to create the group using your group management facility.
-
-[Assigning users and groups to an application](./assign-user-or-group-access-portal.md)
--
-## Suppress user consent
-By default, each user goes through a consent experience to sign in. The consent experience, asking users to grant permissions to an application, can be disconcerting for users who are unfamiliar with making such decisions.
-
-For applications that you trust, you can simplify the user experience by consenting to the application on behalf of your organization.
-
-For more information about user consent and the consent experience in Azure, see [Understanding Azure AD application consent experiences](../develop/application-consent-experience.md).
-
-## Related Articles
-* [Enable secure remote access to on-premises applications with Azure AD Application Proxy](application-proxy.md)
-* [Managing access to apps with Azure AD](what-is-access-management.md)
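Review bot: Deleting this file removes its statement that, by default, any member of the directory (not guests) can register an application, along with the three steps it asks a global administrator to take before production (configure access rules, require user assignment, suppress the default user consent experience). The change set shows the inbound link in plan-an-application-integration.md being dropped, but no redirect for the deleted URL and no new home for that guidance is visible here. Confirm both exist before merging, since bookmarks and external links to this page will otherwise break.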
active-directory https://docs.microsoft.com/en-us/azure/active-directory/manage-apps/f5-aad-integration https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/active-directory/manage-apps/f5-aad-integration.md
@@ -24,21 +24,22 @@ SHA addresses this blind spot by enabling organizations to continue using their
Having Azure AD pre-authenticate access to BIG-IP published services provides many benefits: -- Password-less authentication through [Windows Hello](https://docs.microsoft.com/windows/security/identity-protection/hello-for-business/hello-overview),
-[MS Authenticator](https://docs.microsoft.com/azure/active-directory/user-help/user-help-auth-app-download-install), [Fast Identity Online (FIDO) keys](https://docs.microsoft.com/azure/active-directory/authentication/howto-authentication-passwordless-security-key),
-and [Certificate-based authentication](https://docs.microsoft.com/azure/active-directory/authentication/active-directory-certificate-based-authentication-get-started)
+- Password-less authentication through [Windows Hello](/windows/security/identity-protection/hello-for-business/hello-overview),
+[MS Authenticator](../user-help/user-help-auth-app-download-install.md), [Fast Identity Online (FIDO) keys](../authentication/howto-authentication-passwordless-security-key.md),
+and [Certificate-based authentication](../authentication/active-directory-certificate-based-authentication-get-started.md)
-- Preemptive [Conditional Access](https://docs.microsoft.com/azure/active-directory/conditional-access/overview) and [Multi-factor authentication (MFA)](https://docs.microsoft.com/azure/active-directory/authentication/concept-mfa-howitworks)
+- Preemptive [Conditional Access](../conditional-access/overview.md) and [Multi-factor authentication (MFA)](../authentication/concept-mfa-howitworks.md)
-- [Identity Protection](https://docs.microsoft.com/azure/active-directory/identity-protection/overview-identity-protection#:~:text=Identity%20Protection%20is%20a%20tool%20that%20allows%20organizations,detection%20data%20to%20third-party%20utilities%20for%20further%20analysis) - Adaptive control through user and session risk profiling
+- [Identity Protection](../identity-protection/overview-identity-protection.md) - Adaptive control through user and session risk profiling
-- [Leaked credential detection](https://docs.microsoft.com/azure/active-directory/identity-protection/concept-identity-protection-risks) -- [Self-service password reset (SSPR)](https://docs.microsoft.com/azure/active-directory/authentication/tutorial-enable-sspr)
+- [Leaked credential detection](../identity-protection/concept-identity-protection-risks.md)
-- [Partner collaboration](https://docs.microsoft.com/azure/active-directory/governance/entitlement-management-external-users) - Entitlement management for governed guest access
+- [Self-service password reset (SSPR)](../authentication/tutorial-enable-sspr.md)
-- [Cloud App Security (CASB)](https://docs.microsoft.com/cloud-app-security/what-is-cloud-app-security) - For complete app discovery and control
+- [Partner collaboration](../governance/entitlement-management-external-users.md) - Entitlement management for governed guest access
+
+- [Cloud App Security (CASB)](/cloud-app-security/what-is-cloud-app-security) - For complete app discovery and control
- Threat monitoring - [Azure Sentinel](https://azure.microsoft.com/services/azure-sentinel/) for advanced threat analytics
@@ -58,7 +59,7 @@ Its Local Traffic Manager (LTM) allows secure publishing of services through rev
The integration is based on a standard federation trust between the APM and Azure AD, common to most SHA use cases that includes the [SSL-VPN scenario](f5-aad-password-less-vpn.md). Security Assertion Markup Language (SAML), OAuth and Open ID Connect (OIDC) resources are no exception either, as they too can be secured for remote access. There could also be scenarios where a BIG-IP becomes a choke point for Zero Trust access to all services, including SaaS apps.
-A BIG-IPΓÇÖs ability to integrate with Azure AD is what enables the protocol transitioning required to secure legacy or non-Azure AD-integrated services with modern controls such as [Password-less authentication](https://www.microsoft.com/security/business/identity/passwordless) and [Conditional Access](https://docs.microsoft.com/azure/active-directory/conditional-access/overview). In this scenario, a BIG-IP continues to fulfill its role as a reverse proxy, while handing off pre-authentication and authorization to Azure AD, on a per service basis.
+A BIG-IPΓÇÖs ability to integrate with Azure AD is what enables the protocol transitioning required to secure legacy or non-Azure AD-integrated services with modern controls such as [Password-less authentication](https://www.microsoft.com/security/business/identity/passwordless) and [Conditional Access](../conditional-access/overview.md). In this scenario, a BIG-IP continues to fulfill its role as a reverse proxy, while handing off pre-authentication and authorization to Azure AD, on a per service basis.
Steps 1-4 in the diagram illustrate the front-end pre-authentication exchange between a user, a BIG-IP, and Azure AD, in a service provider initiated flow. Steps 5-6 show subsequent APM session enrichment and SSO to individual backend services.
@@ -68,16 +69,16 @@ Steps 1-4 in the diagram illustrate the front-end pre-authentication exchange be
|:------|:-----------| | 1. | User selects an application icon in the portal, resolving URL to the SAML SP (BIG-IP) | | 2. | The BIG-IP redirects user to SAML IDP (Azure AD) for pre-authentication|
-| 3. | Azure AD processes Conditional Access policies and [session controls](https://docs.microsoft.com/azure/active-directory/conditional-access/concept-conditional-access-session) for authorization|
+| 3. | Azure AD processes Conditional Access policies and [session controls](../conditional-access/concept-conditional-access-session.md) for authorization|
| 4. | User redirects back to BIG-IP presenting the SAML claims issued by Azure AD |
-| 5. | BIG-IP requests any additional session information to include in [SSO](https://docs.microsoft.com/azure/active-directory/hybrid/how-to-connect-sso) and [Role based access control (RBAC)](https://docs.microsoft.com/azure/role-based-access-control/overview) to the published service |
+| 5. | BIG-IP requests any additional session information to include in [SSO](../hybrid/how-to-connect-sso.md) and [Role based access control (RBAC)](../../role-based-access-control/overview.md) to the published service |
| 6. | BIG-IP forwards the client request to the backend service ## User experience Whether a direct employee, affiliate, or consumer, most users are already acquainted with the Office 365 login experience, so accessing BIG-IP services via SHA remains largely familiar.
-Users now find their BIG-IP published services consolidated in the [MyApps](https://docs.microsoft.com/azure/active-directory/user-help/my-apps-portal-end-user-access) or [O365 launchpads](https://o365pp.blob.core.windows.net/media/Resources/Microsoft%20365%20Business/Launchpad%20Overview_for%20Partners_10292019.pdf) along with self-service capabilities to a broader set of services, no matter the type of device or location. Users can even continue accessing published services directly via the BIG-IPs proprietary Webtop portal, if preferred. When logging off, SHA ensures a usersΓÇÖ session is terminated at both ends, the BIG-IP and Azure AD, ensuring services remain fully protected from unauthorized access.
+Users now find their BIG-IP published services consolidated in the [MyApps](../user-help/my-apps-portal-end-user-access.md) or [O365 launchpads](https://o365pp.blob.core.windows.net/media/Resources/Microsoft%20365%20Business/Launchpad%20Overview_for%20Partners_10292019.pdf) along with self-service capabilities to a broader set of services, no matter the type of device or location. Users can even continue accessing published services directly via the BIG-IPs proprietary Webtop portal, if preferred. When logging off, SHA ensures a usersΓÇÖ session is terminated at both ends, the BIG-IP and Azure AD, ensuring services remain fully protected from unauthorized access.
The screenshots provided are from the Azure AD app portal that users access securely to find their BIG-IP published services and for managing their account properties.
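Review bot: Row 6 of the steps table ("| 6. | BIG-IP forwards the client request to the backend service") has no closing `|`, unlike rows 1 to 5; close it so the table renders consistently. In the re-added MyApps paragraph, "the BIG-IPs proprietary Webtop portal" needs a possessive apostrophe, and "a users' session" should be the singular possessive "a user's session".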
@@ -89,7 +90,7 @@ The screenshots provided are from the Azure AD app portal that users access secu
A BIG-IPΓÇÖs role is critical to any business, so deployed BIG-IP instances should be monitored to ensure published services are highly available, both at an SHA level and operationally too.
-Several options exist for logging events either locally, or remotely through a Security Information and Event Management (SIEM) solution, enabling off-box storage and processing of telemetry. A highly effective solution for monitoring Azure AD and SHA-specific activity, is to use [Azure Monitor](https://docs.microsoft.com/azure/azure-monitor/overview) and [Azure Sentinel](https://docs.microsoft.com/azure/sentinel/overview), together offering:
+Several options exist for logging events either locally, or remotely through a Security Information and Event Management (SIEM) solution, enabling off-box storage and processing of telemetry. A highly effective solution for monitoring Azure AD and SHA-specific activity, is to use [Azure Monitor](../../azure-monitor/overview.md) and [Azure Sentinel](../../sentinel/overview.md), together offering:
- Detailed overview of your organization, potentially across multiple clouds, and on-premises locations, including BIG-IP infrastructure
@@ -123,9 +124,9 @@ Integrating F5 BIG-IP with Azure AD for SHA have the following pre-requisites:
- Azure AD licensing through either of the following options:
- - An Azure AD [free subscription](https://docs.microsoft.com/windows/client-management/mdm/register-your-free-azure-active-directory-subscription#:~:text=%20Register%20your%20free%20Azure%20Active%20Directory%20subscription,will%20take%20you%20to%20the%20Azure...%20More%20) provides the minimum core requirements for implementing SHA with password-less authentication
+ - An Azure AD [free subscription](/windows/client-management/mdm/register-your-free-azure-active-directory-subscription#:~:text=%20Register%20your%20free%20Azure%20Active%20Directory%20subscription,will%20take%20you%20to%20the%20Azure...%20More%20) provides the minimum core requirements for implementing SHA with password-less authentication
- - A [Premium subscription](https://azure.microsoft.com/pricing/details/active-directory/) provides all additional value adds outlined in the preface, including [Conditional Access](https://docs.microsoft.com/azure/active-directory/conditional-access/overview), [MFA](https://docs.microsoft.com/azure/active-directory/authentication/concept-mfa-howitworks), and [Identity Protection](https://docs.microsoft.com/azure/active-directory/identity-protection/overview-identity-protection)
+ - A [Premium subscription](https://azure.microsoft.com/pricing/details/active-directory/) provides all additional value adds outlined in the preface, including [Conditional Access](../conditional-access/overview.md), [MFA](../authentication/concept-mfa-howitworks.md), and [Identity Protection](../identity-protection/overview-identity-protection.md)
No previous experience or F5 BIG-IP knowledge is necessary to implement SHA, but we do recommend familiarizing yourself with F5 BIG-IP terminology. F5ΓÇÖs rich [knowledge base](https://www.f5.com/services/resources/glossary) is also a good place to start building BIG-IP knowledge.
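Review bot: The new free-subscription link still carries a `#:~:text=...` scroll-to-text fragment copied from a search result; only the host was stripped. The Identity Protection link in the first hunk of this same file had its fragment removed, so drop it here too and link to `/windows/client-management/mdm/register-your-free-azure-active-directory-subscription`.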
@@ -135,9 +136,9 @@ The following tutorials provide detailed guidance on implementing some of the mo
- [F5 BIG-IP in Azure deployment walk-through](f5-bigip-deployment-guide.md) -- [F5 BIG-IP APM and Azure AD SSO to Kerberos applications](https://docs.microsoft.com/azure/active-directory/saas-apps/kerbf5-tutorial#configure-f5-single-sign-on-for-kerberos-application)
+- [F5 BIG-IP APM and Azure AD SSO to Kerberos applications](../saas-apps/kerbf5-tutorial.md#configure-f5-single-sign-on-for-kerberos-application)
-- [F5 BIG-IP APM and Azure AD SSO to Header-based applications](https://docs.microsoft.com/azure/active-directory/saas-apps/headerf5-tutorial#configure-f5-single-sign-on-for-header-based-application)
+- [F5 BIG-IP APM and Azure AD SSO to Header-based applications](../saas-apps/headerf5-tutorial.md#configure-f5-single-sign-on-for-header-based-application)
- [Securing F5 BIG-IP SSL-VPN with Azure AD SHA](f5-aad-password-less-vpn.md)
active-directory https://docs.microsoft.com/en-us/azure/active-directory/manage-apps/f5-aad-password-less-vpn https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/active-directory/manage-apps/f5-aad-password-less-vpn.md
@@ -19,13 +19,13 @@ In this tutorial, learn how to integrate F5ΓÇÖs BIG-IP based Secure socket laye
Integrating a BIG-IP SSL-VPN with Azure AD provides [many key benefits](f5-aad-integration.md), including: -- Improved Zero trust governance through [Azure AD pre-authentication and authorization](https://docs.microsoft.com/azure/app-service/overview-authentication-authorization)
+- Improved Zero trust governance through [Azure AD pre-authentication and authorization](../../app-service/overview-authentication-authorization.md)
- [Password-less authentication to the VPN service](https://www.microsoft.com/security/business/identity/passwordless) - Manage Identities and access from a single control plane - The [Azure portal](https://portal.azure.com/#home)
-Despite these great value adds, the classic VPN does however remain predicated on the notion of a network perimeter, where trusted is on the inside and untrusted the outside. This model is no longer effective in achieving a true Zero Trust posture, since corporate assets are no longer confined to the walls of an enterprise data center, but rather across multi-cloud environments with no fixed boundaries. For this reason, we encourage our customers to consider moving to a more Identity driven approach at managing [access on a per application basis](https://docs.microsoft.com/azure/active-directory/fundamentals/five-steps-to-full-application-integration-with-azure-ad).
+Despite these great value adds, the classic VPN does however remain predicated on the notion of a network perimeter, where trusted is on the inside and untrusted the outside. This model is no longer effective in achieving a true Zero Trust posture, since corporate assets are no longer confined to the walls of an enterprise data center, but rather across multi-cloud environments with no fixed boundaries. For this reason, we encourage our customers to consider moving to a more Identity driven approach at managing [access on a per application basis](../fundamentals/five-steps-to-full-application-integration-with-azure-ad.md).
## Scenario description
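Review bot: The first changed bullet labels its link "Azure AD pre-authentication and authorization", but the target, `../../app-service/overview-authentication-authorization.md`, sits under app-service and is not an article about pre-authentication in front of a BIG-IP SSL-VPN. Converting the URL to a relative path preserved that mismatch. Consider pointing the link at the SHA overview (`f5-aad-integration.md`, already linked in the line above) or at a Conditional Access article instead.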
@@ -42,9 +42,9 @@ Prior experience or knowledge of F5 BIG-IP isn't necessary, however, you'll need
- An Azure AD [free subscription](https://azure.microsoft.com/trial/get-started-active-directory/) or above -- User identities should be [synchronized from their on-premises directory](https://docs.microsoft.com/azure/active-directory/hybrid/how-to-connect-sync-whatis) to Azure AD.
+- User identities should be [synchronized from their on-premises directory](../hybrid/how-to-connect-sync-whatis.md) to Azure AD.
-- An account with Azure AD application admin [permissions](https://docs.microsoft.com/azure/active-directory/users-groups-roles/directory-assign-admin-roles#application-administrator)
+- An account with Azure AD application admin [permissions](../roles/permissions-reference.md#application-administrator)
- An existing BIG-IP infrastructure with routing of client traffic to and from the BIG-IP or [deploy a BIG-IP Virtual Edition into Azure](f5-bigip-deployment-guide.md).
@@ -59,7 +59,7 @@ Familiarizing yourself with [F5 BIG-IP terminology](https://www.f5.com/services/
## Add F5 BIG-IP from the Azure AD gallery
-Setting up a SAML federation trust between the BIG-IP allows the Azure AD BIG-IP to hand off the pre-authentication and [Conditional Access](https://docs.microsoft.com/azure/active-directory/conditional-access/overview) to Azure AD, before granting access to the published VPN service.
+Setting up a SAML federation trust between the BIG-IP allows the Azure AD BIG-IP to hand off the pre-authentication and [Conditional Access](../conditional-access/overview.md) to Azure AD, before granting access to the published VPN service.
1. Sign in to the Azure AD portal using an account with application admin rights
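Review bot: The re-added sentence is garbled: "between the BIG-IP" names only one party to the trust, and "the Azure AD BIG-IP" attaches "Azure AD" to the wrong noun. Suggest "Setting up a SAML federation trust between the BIG-IP and Azure AD allows the BIG-IP to hand off pre-authentication and Conditional Access to Azure AD, before granting access to the published VPN service."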
@@ -100,7 +100,7 @@ Observe the properties of the **User Attributes & Claims** section, as Azure AD
![Image shows user attributes claims](media/f5-sso-vpn/user-attributes-claims.png)
-Feel free to add any other specific claims your BIG-IP published service might expect, while noting that any claims defined in addition to the default set will only be issued if they exist in Azure AD, as populated attributes. In the same way, directory [roles or group](https://docs.microsoft.com/azure/active-directory/hybrid/how-to-connect-fed-group-claims) memberships also need defining against a user object in Azure AD before they can be issued as a claim.
+Feel free to add any other specific claims your BIG-IP published service might expect, while noting that any claims defined in addition to the default set will only be issued if they exist in Azure AD, as populated attributes. In the same way, directory [roles or group](../hybrid/how-to-connect-fed-group-claims.md) memberships also need defining against a user object in Azure AD before they can be issued as a claim.
![Image shows federation metadata download link](media/f5-sso-vpn/saml-signing-certificate.png)
@@ -294,11 +294,11 @@ With all the settings in place, the APM now requires a front-end virtual server
- [The end of passwords, go passwordless](https://www.microsoft.com/security/business/identity/passwordless) -- [What is Conditional Access?](https://docs.microsoft.com/azure/active-directory/conditional-access/overview)
+- [What is Conditional Access?](../conditional-access/overview.md)
- [Microsoft Zero Trust framework to enable remote work](https://www.microsoft.com/security/blog/2020/04/02/announcing-microsoft-zero-trust-assessment-tool/) -- [Five steps to full application integration with Azure AD](https://docs.microsoft.com/azure/active-directory/fundamentals/five-steps-to-full-application-integration-with-azure-ad)
+- [Five steps to full application integration with Azure AD](../fundamentals/five-steps-to-full-application-integration-with-azure-ad.md)
## Next steps
@@ -307,4 +307,4 @@ Open a browser on a remote Windows client and browse to the url of the **BIG-IP
![Image shows vpn launcher](media/f5-sso-vpn/vpn-launcher.png) Selecting the VPN tile will install the BIG-IP Edge client and establish a VPN connection configured for SHA.
-The F5 VPN application should also be visible as a target resource in Azure AD Conditional Access. See our [guidance](https://docs.microsoft.com/azure/active-directory/conditional-access/concept-conditional-access-policies) for building Conditional Access policies and also enabling users for Azure AD [password-less authentication](https://www.microsoft.com/security/business/identity/passwordless).
\ No newline at end of file
+The F5 VPN application should also be visible as a target resource in Azure AD Conditional Access. See our [guidance](../conditional-access/concept-conditional-access-policies.md) for building Conditional Access policies and also enabling users for Azure AD [password-less authentication](https://www.microsoft.com/security/business/identity/passwordless).
\ No newline at end of file
active-directory https://docs.microsoft.com/en-us/azure/active-directory/manage-apps/f5-bigip-deployment-guide https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/active-directory/manage-apps/f5-bigip-deployment-guide.md
@@ -260,7 +260,7 @@ A BIG-IP system is administered via its web config UI, which can be accessed usi
- From a VPN client connected to the BIG-IP-VMΓÇÖs internal network -- Published via [Azure AD Application Proxy](https://docs.microsoft.com/azure/active-directory/manage-apps/application-proxy-add-on-premises-application)
+- Published via [Azure AD Application Proxy](./application-proxy-add-on-premises-application.md)
YouΓÇÖll need to decide on the most suitable method before you can proceed with the remaining configurations. If necessary, you can connect directly to the web config from the internet by configuring the BIG-IPΓÇÖs primary IP with a public IP. Then adding an NSG rule to allow the 8443 traffic to that primary IP. Make sure to restrict the source to your own trusted IP, otherwise anyone will be able to connect.
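Review bot: The context paragraph under the changed bullet describes putting the web config on a public IP and opening port 8443 in an NSG rule, and only in a trailing sentence says to restrict the source; "Then adding an NSG rule ..." is also a sentence fragment. Since this paragraph is adjacent to the edit, suggest rewriting it so the source restriction is part of the rule instruction itself ("add an NSG rule that allows 8443 to that primary IP only from your own trusted IP") and so the listed VPN and Application Proxy methods read as the preferred options.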
@@ -272,7 +272,7 @@ Once ready, confirm you can connect to the BIG-IP VMΓÇÖs web config and login wi
A BIG-IP system can also be managed via its underlying SSH environment, which is typically used for command-line (CLI) tasks and root level access. Several options exist for connecting to the CLI, including: -- [Azure Bastion service](https://docs.microsoft.com/azure/bastion/bastion-overview): Allows fast and secure connections to any VM within a vNET, from any location
+- [Azure Bastion service](../../bastion/bastion-overview.md): Allows fast and secure connections to any VM within a vNET, from any location
- Connect directly via an SSH client like PuTTY through the JIT approach
@@ -419,7 +419,7 @@ With the BIG-IP system now fully provisioned, we recommend taking a full backup
6. Save the User configuration set (UCS) archive locally by choosing the link of the backup and select **Download**.
-As an optional step, you can also take a backup of the entire system disk using [Azure snapshots](https://docs.microsoft.com/azure/virtual-machines/windows/snapshot-copy-managed-disk), which unlike the web config backup would provide some contingency for testing between TMOS versions, or rolling back to a fresh system.
+As an optional step, you can also take a backup of the entire system disk using [Azure snapshots](../../virtual-machines/windows/snapshot-copy-managed-disk.md), which unlike the web config backup would provide some contingency for testing between TMOS versions, or rolling back to a fresh system.
```PowerShell # Install modules
active-directory https://docs.microsoft.com/en-us/azure/active-directory/manage-apps/plan-an-application-integration https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/active-directory/manage-apps/plan-an-application-integration.md
@@ -1,21 +1,17 @@
---
-title: Get started integrating Azure AD with apps | Microsoft Docs
+title: Get started integrating Azure AD with apps
description: This article is a getting started guide for integrating Azure Active Directory (AD) with on-premises applications, and cloud applications. services: active-directory
-documentationcenter: ''
author: kenwith manager: celestedg ms.service: active-directory
-ms.subservice: app-mgmt
-ms.devlang: na
ms.topic: conceptual ms.tgt_pltfrm: na ms.workload: identity ms.date: 07/16/2018 ms.author: kenwith ms.reviewer: asteen
-ms.collection: M365-identity-device-management
--- # Integrating Azure Active Directory with applications getting started guide
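Review bot: `ms.date` stays at 07/16/2018 even though this commit changes the article body (the "Integrating custom applications" section in the next hunk), while what-is-application-management.md in the same change set bumps its date to 01/22/2021. Update `ms.date` here too. Also confirm that dropping `ms.subservice: app-mgmt` is intended, since the sibling manage-apps article keeps that key.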
@@ -74,9 +70,7 @@ Each of your applications may have different authentication requirements. With A
With Microsoft Azure AD Application Proxy, you can provide access to applications located inside your private network securely, from anywhere and on any device. After you have installed an application proxy connector within your environment, it can be easily configured with Azure AD. ### Integrating custom applications
-If you are writing a new application and want to assist developers in leveraging the power of Azure AD, see [Guiding developers](./developer-guidance-for-integrating-applications.md).
-
-If you want to add your custom application to the Azure Application Gallery, see [ΓÇ£Bring your own appΓÇ¥ with Azure AD Self-Service SAML configuration](https://cloudblogs.microsoft.com/enterprisemobility/2015/06/17/bring-your-own-app-with-azure-ad-self-service-saml-configuration-now-in-preview/).
+If you want to add your custom application to the Azure Application Gallery, see [Publish your app to the Azure AD app gallery](../develop/v2-howto-app-gallery-listing.md).
## Managing access to applications The following articles describe ways you can manage access to applications once they have been integrated with Azure AD using Azure AD Connectors and Azure AD.
active-directory https://docs.microsoft.com/en-us/azure/active-directory/manage-apps/what-is-application-management https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/active-directory/manage-apps/what-is-application-management.md
@@ -8,84 +8,75 @@ ms.service: active-directory
ms.subservice: app-mgmt ms.topic: overview ms.workload: identity
-ms.date: 07/01/2020
+ms.date: 01/22/2021
ms.author: kenwith
-ms.reviewer: arvinh
-ms.collection: M365-identity-device-management
-#Customer intent: As an IT manager, I want to understand what application management is in Azure AD so that I can determine if I want to integrate apps with it.
+ms.reviewer:
--- # What is application management? Azure AD is an Identity and Access Management (IAM) system. It provides a single place to store information about digital identities. You can configure your software applications to use Azure AD as the place where user information is stored.
-Azure AD must be configured to integrate with an application. In other words, it needs to know what applications are using it as an identity system. The process of keeping Azure AD aware of these applications, and how it should handle them, is known as application management.
+Azure AD must be configured to integrate with an application. In other words, it needs to know what apps are using it for identities. Making Azure AD aware of these apps, and how it should handle them, is known as application management.
-You manage applications on the **Enterprise applications** blade located in the Manage section of the Azure Active Directory portal.
+You manage applications on the **Enterprise applications** page located in the Manage section of the Azure Active Directory portal.
![The Enterprise applications option under the Manage section of the Azure AD portal.](media/what-is-application-management/enterprise-applications-in-nav.png) ## What is an Identity and Access Management (IAM) system?
-An application is a piece of software that is used for some purpose. Most applications require users to sign in so that the application can provide a tailored experience for that particular user. In other words, the application needs to know the identity of the user using the application. Because it knows what functionality to offer, or remove, for the user.
+An application is a piece of software that is used for some purpose. Most apps require users to sign in.
-If each application kept track of users separately then the result would be a silo of different usernames and logins for every application. One application wouldn't know anything about the users in other applications.
-
-A centralized identity system solves this problem by providing a single place to store user information that can then be used by all applications. These systems have come to be known as Identity and Access Management (IAM) systems. Azure Active AD is the IAM system for the Microsoft cloud.
+A centralized identity system provides a single place to store user information that can then be used by all applications. These systems have come to be known as Identity and Access Management (IAM) systems. Azure Active Directory is the IAM system for the Microsoft cloud.
>[!TIP] >An IAM system provides a single place to keep track of user identities. Azure AD is the IAM system for the Microsoft cloud. - ## Why manage applications with a cloud solution?
-Organizations often have hundreds of applications that users depend on to get their work done. Users access these applications from many devices and locations. New applications are added, developed, and sunset every day. With so many applications and access points, it's more critical than ever to use a cloud-based solution to manage user access to all applications.
+Organizations often have hundreds of applications that users depend on to get their work done. Users access these applications from many devices and locations. New applications are added, developed, and sunset all the time. With so many apps and access points, it's important to use an identity solution that works with them all.
>[!TIP]
->The Azure AD app gallery contains many popular applications that are already pre-configured to work with Azure AD as an identity provider.
+>The Azure AD app gallery contains many popular applications that are already pre-configured to work with Azure AD as an identity provider.
-## How does Azure AD work with applications?
+## How does Azure AD work with apps?
-Azure AD simplifies the way you manage your applications by providing a single identity system for your cloud and on-premises apps. You can add your software as a service (SaaS) applications, on-premises applications, and line of business (LOB) apps to Azure AD. Then users sign in once to securely and seamlessly access these applications, along with Microsoft 365 and other business applications from Microsoft. You can reduce administrative costs by [automating user provisioning](../app-provisioning/user-provisioning.md). You can also use multi-factor authentication and Conditional Access policies to provide secure application access.
+Azure AD sits in the middle and provides identity management for cloud and on-premises apps.
![Diagram that shows apps federated via Azure AD](media/what-is-application-management/app-management-overview.png)
-## What types of applications can I integrate with Azure AD?
-
-There are four main types of applications that you can add to your **Enterprise applications** and manage with Azure AD:
+>[!TIP]
+>Reduce administrative costs by [automating user provisioning](../app-provisioning/user-provisioning.md) so that users are automatically added to Azure AD when you add them to your company HR system.
-- **Azure AD Gallery applications** ΓÇô Azure AD has a gallery that contains thousands of applications that have been pre-integrated for single sign-on with Azure AD. Some of the applications your organization uses are probably in the gallery. [Learn about planning your app integration](plan-an-application-integration.md), or get detailed integration steps for individual apps in the [SaaS application tutorials](/azure/active-directory/saas-apps/).
+## What types of applications can I integrate with Azure AD?
-- **On-premises applications with Application Proxy** ΓÇô With Azure AD Application Proxy, you can integrate your on-premises web apps with Azure AD to support single sign-on. Then end users can access your on-premises web apps in the same way they access Microsoft 365 and other SaaS apps, see [Provide remote access to on-premises applications through Azure AD's Application Proxy](application-proxy.md).
+You can use Azure AD as your identity system for just about any app. Many apps are already pre-configured and can be set up with minimal effort. These pre-configured apps are published in the [Azure AD App Gallery](/azure/active-directory/saas-apps/).
-- **Custom-developed applications** ΓÇô When building your own line-of-business applications, you can integrate them with Azure AD to support single sign-on. By registering your application with Azure AD, you have control over the authentication policy for the application. For more information, see [guidance for developers](developer-guidance-for-integrating-applications.md).
+You can manually configure most apps for single sign-on if they aren't already in the gallery. Azure AD provides several SSO options. Some of the most popular are SAML-based SSO and OIDC-based SSO. To learn more about integrating apps to enable SSO, see [single sign-on options](sso-options.md).
-- **Non-Gallery applications** ΓÇô Bring your own applications! Support single sign-on for other apps by adding them to Azure AD. There are multiple ways to integrate an application, some of these are listed below. For more information, see [Configure SAML single sign-on](configure-saml-single-sign-on.md).
+Does your organization use on-premises apps? You can integrate them using App Proxy. To learn more, see [Provide remote access to on-premises applications through Azure AD's Application Proxy](application-proxy.md).
>[!TIP]
->You can integrate Azure AD with an application even if it is not already pre-configured and in the app gallery. You can **integrate Azure AD with any** of the following
-> - Any web link, or application, that renders a **username and password field**.
-> - Any application that supports **SAML or OpenID Connect protocols**.
-> - Any application that supports the **System for Cross-domain Identity Management (SCIM)** standard.
+>When building your own line-of-business applications, you can integrate them with Azure AD to support single sign-on. To learn more about developing apps for Azure AD, see [Microsoft identity platform](..//develop/v2-overview.md).
## Manage risk with Conditional Access policies
-Coupling Azure AD single sign-on (SSO) with [Conditional Access](../conditional-access/concept-conditional-access-cloud-apps.md) provides high levels of security for accessing applications. Security capabilities include cloud-scale identity protection, risk-based access control, native multi-factor authentication, and Conditional Access policies. These capabilities allow for granular control policies based on applications, or on groups that need higher levels of security.
+Coupling Azure AD single sign-on (SSO) with [Conditional Access](../conditional-access/concept-conditional-access-cloud-apps.md) provides high levels of security for accessing applications. Conditional Access policies provide granular control to apps based on conditions you set.
## Improve productivity with single sign-on
-Enabling single sign-on (SSO) across applications and Microsoft 365 provides a superior sign-in experience for existing users by reducing or eliminating sign-in prompts. The userΓÇÖs environment feels more cohesive and is less distracting without multiple prompts, or the need to manage multiple passwords. The business group can manage and approve access through self-service and dynamic membership. Allowing the right people in the business to manage access to an application improves the security of the identity system.
+Single sign-on (SSO) provides a unified user experience between Microsoft 365 and all the other apps you use. Say goodbye to constantly entering your username and password!
-SSO improves security. *Without single sign-on*, administrators need to create and update user accounts for each individual application, which takes time. Also, users have to track multiple credentials to access their applications. As a result, users tend to write down their passwords or use other password management solutions, which introduce data security risks. [Read more about single sign-on](what-is-single-sign-on.md).
+To learn more about single sign-on, see [what is single sign-on](what-is-single-sign-on.md).
## Address governance and compliance
-With Azure AD, you can monitor application sign-ins through reports that leverage Security Incident and Event Monitoring (SIEM) tools. You can access the reports from the portal, or from APIs. Programmatically audit who has access to your applications, and remove access to inactive users via access reviews.
+Monitor apps through reports that use Security Incident and Event Monitoring (SIEM) tools. You can access the reports from the portal, or from APIs. Programmatically audit who has access to your applications, and remove access to inactive users via access reviews.
## Manage costs By migrating to Azure AD, you can save costs and remove the hassle of managing your on-premises infrastructure. Azure AD also provides self-service access to applications, which saves time for both administrators and users. Single sign-on eliminates application-specific passwords. This ability to sign on once saves costs related to password reset for applications, and lost productivity while retrieving passwords.
-For Human Resources focused applications, or other applications with a large set of users, you can leverage App provisioning to automate the process of provisioning and deprovisioning users, see [What is application provisioning?](../app-provisioning/user-provisioning.md).
+For Human Resources focused applications, or other applications with a large set of users, you can use app provisioning to make your life easier. App provisioning automates the process of adding and removing users. To learn more, see [What is application provisioning?](../app-provisioning/user-provisioning.md)
## Next steps
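Review bot: The link target in the new line-of-business tip, `..//develop/v2-overview.md`, contains a doubled slash and should read `../develop/v2-overview.md`. Two smaller points in the same hunk: `ms.reviewer:` is left with an empty value in the front matter, so either name a reviewer or drop the key; and the rewritten governance paragraph still expands SIEM as "Security Incident and Event Monitoring", where the usual expansion is Security Information and Event Management. The shortened Conditional Access and single sign-on sections also no longer mention multi-factor authentication or explain why SSO reduces credential risk; confirm that the linked articles carry that content, since this overview no longer states it.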
active-directory https://docs.microsoft.com/en-us/azure/active-directory/managed-identities-azure-resources/how-to-assign-app-role-managed-identity-powershell https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/active-directory/managed-identities-azure-resources/how-to-assign-app-role-managed-identity-powershell.md
@@ -32,7 +32,7 @@ In this article, you learn how to assign a managed identity to an application ro
- If you don't already have an Azure account, [sign up for a free account](https://azure.microsoft.com/free/) before continuing. - To run the example scripts, you have two options: - Use the [Azure Cloud Shell](../../cloud-shell/overview.md), which you can open using the **Try It** button on the top-right corner of code blocks.
- - Run scripts locally by installing the latest version of [Azure AD PowerShell](https://docs.microsoft.com/powershell/azure/active-directory/install-adv2).
+ - Run scripts locally by installing the latest version of [Azure AD PowerShell](/powershell/azure/active-directory/install-adv2).
## Assign a managed identity access to another application's app role
@@ -133,4 +133,4 @@ New-AzureADServiceAppRoleAssignment `
## Next steps - [Managed identity for Azure resources overview](overview.md)-- To enable managed identity on an Azure VM, see [Configure managed identities for Azure resources on an Azure VM using PowerShell](qs-configure-powershell-windows-vm.md).
+- To enable managed identity on an Azure VM, see [Configure managed identities for Azure resources on an Azure VM using PowerShell](qs-configure-powershell-windows-vm.md).
\ No newline at end of file
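Review bot: The removed and added versions of the last bullet appear identical, and the `\ No newline at end of file` marker after the `+` line shows that the file now ends without a trailing newline. Restore the final newline so that later appends to "Next steps" do not show this line as modified again.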
active-directory https://docs.microsoft.com/en-us/azure/active-directory/managed-identities-azure-resources/how-to-use-vm-token https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/active-directory/managed-identities-azure-resources/how-to-use-vm-token.md
@@ -122,7 +122,7 @@ Content-Type: application/json
## Get a token using the Microsoft.Azure.Services.AppAuthentication library for .NET
-For .NET applications and functions, the simplest way to work with managed identities for Azure resources is through the Microsoft.Azure.Services.AppAuthentication package. This library will also allow you to test your code locally on your development machine, using your user account from Visual Studio, the [Azure CLI](/cli/azure), or Active Directory Integrated Authentication. For more on local development options with this library, see the [Microsoft.Azure.Services.AppAuthentication reference](../../key-vault/general/service-to-service-authentication.md). This section shows you how to get started with the library in your code.
+For .NET applications and functions, the simplest way to work with managed identities for Azure resources is through the Microsoft.Azure.Services.AppAuthentication package. This library will also allow you to test your code locally on your development machine, using your user account from Visual Studio, the [Azure CLI](/cli/azure), or Active Directory Integrated Authentication. For more on local development options with this library, see the [Microsoft.Azure.Services.AppAuthentication reference](/dotnet/api/overview/azure/service-to-service-authentication). This section shows you how to get started with the library in your code.
1. Add references to the [Microsoft.Azure.Services.AppAuthentication](https://www.nuget.org/packages/Microsoft.Azure.Services.AppAuthentication) and [Microsoft.Azure.KeyVault](https://www.nuget.org/packages/Microsoft.Azure.KeyVault) NuGet packages to your application.
@@ -138,7 +138,7 @@ For .NET applications and functions, the simplest way to work with managed ident
var kv = new KeyVaultClient(new KeyVaultClient.AuthenticationCallback(azureServiceTokenProvider.KeyVaultTokenCallback)); ```
-To learn more about Microsoft.Azure.Services.AppAuthentication and the operations it exposes, see the [Microsoft.Azure.Services.AppAuthentication reference](../../key-vault/general/service-to-service-authentication.md) and the [App Service and KeyVault with managed identities for Azure resources .NET sample](https://github.com/Azure-Samples/app-service-msi-keyvault-dotnet).
+To learn more about Microsoft.Azure.Services.AppAuthentication and the operations it exposes, see the [Microsoft.Azure.Services.AppAuthentication reference](/dotnet/api/overview/azure/service-to-service-authentication) and the [App Service and KeyVault with managed identities for Azure resources .NET sample](https://github.com/Azure-Samples/app-service-msi-keyvault-dotnet).
## Get a token using C#
@@ -399,4 +399,4 @@ See [Azure services that support Azure AD authentication](./services-support-man
## Next steps -- To enable managed identities for Azure resources on an Azure VM, see [Configure managed identities for Azure resources on a VM using the Azure portal](qs-configure-portal-windows-vm.md).
+- To enable managed identities for Azure resources on an Azure VM, see [Configure managed identities for Azure resources on a VM using the Azure portal](qs-configure-portal-windows-vm.md).
\ No newline at end of file
active-directory https://docs.microsoft.com/en-us/azure/active-directory/managed-identities-azure-resources/services-support-managed-identities https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/active-directory/managed-identities-azure-resources/services-support-managed-identities.md
@@ -321,9 +321,9 @@ Refer to the following list to configure managed identity for Azure Virtual Mach
| Managed identity type | All Generally Available<br>Global Azure Regions | Azure Government | Azure Germany | Azure China 21Vianet | | --- | :-: | :-: | :-: | :-: | | System assigned | Not Available | Not Available | Not Available | Not Available |
-| User assigned | [Available in supported regions](../../virtual-machines/windows/image-builder-overview.md#regions) | Not Available | Not Available | Not Available |
+| User assigned | [Available in supported regions](../../virtual-machines/image-builder-overview.md#regions) | Not Available | Not Available | Not Available |
-To learn how to configure managed identity for Azure VM Image Builder (in regions where available), see the [Image Builder overview](../../virtual-machines/windows/image-builder-overview.md#permissions).
+To learn how to configure managed identity for Azure VM Image Builder (in regions where available), see the [Image Builder overview](../../virtual-machines/image-builder-overview.md#permissions).
### Azure SignalR Service Managed identity type | All Generally Available<br>Global Azure Regions | Azure Government | Azure Germany | Azure China 21Vianet |
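Review bot: Both updated links keep their fragments (`#regions` in the "User assigned" table row, `#permissions` in the sentence below it) while the target moves from `virtual-machines/windows/` to `virtual-machines/`. Confirm that both headings exist in the relocated `image-builder-overview.md`, because a stale fragment resolves to the top of the page without any build error and the reader looking for the managed identity permissions would land in the wrong place.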
@@ -430,4 +430,4 @@ Refer to the following list to configure access to Azure Resource Manager:
> Microsoft Power BI also [supports managed identities](../../stream-analytics/powerbi-output-managed-identity.md).
-[check]: media/services-support-managed-identities/check.png "Available"
+[check]: media/services-support-managed-identities/check.png "Available"
\ No newline at end of file
active-directory https://docs.microsoft.com/en-us/azure/active-directory/reports-monitoring/concept-provisioning-logs https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/active-directory/reports-monitoring/concept-provisioning-logs.md
@@ -44,7 +44,7 @@ This topic gives you an overview of the provisioning logs. They provide answers
### Who can access the data? * Application owners can view logs for applications they own * Users in the Security Administrator, Security Reader, Report Reader, Application Administrator, and Cloud Application Administrator roles
-* Users in a custom role with the [provisioningLogs permission](https://docs.microsoft.com/azure/active-directory/roles/custom-enterprise-app-permissions#full-list-of-permissions)
+* Users in a custom role with the [provisioningLogs permission](../roles/custom-enterprise-app-permissions.md#full-list-of-permissions)
* Global Administrators
@@ -301,4 +301,4 @@ Use the table below to better understand how to resolve errors you may find in t
* [Check the status of user provisioning](../app-provisioning/application-provisioning-when-will-provisioning-finish-specific-user.md) * [Problem configuring user provisioning to an Azure AD Gallery application](../app-provisioning/application-provisioning-config-problem.md)
-* [Provisioning logs graph API](/graph/api/resources/provisioningobjectsummary?view=graph-rest-beta)
+* [Provisioning logs graph API](/graph/api/resources/provisioningobjectsummary?view=graph-rest-beta)
\ No newline at end of file
active-directory https://docs.microsoft.com/en-us/azure/active-directory/roles/admin-units-add-manage-groups https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/active-directory/roles/admin-units-add-manage-groups.md
@@ -3,14 +3,14 @@ title: Add, remove, and list groups in an administrative unit - Azure Active Dir
description: Manage groups and their role permissions in an administrative unit in Azure Active Directory. services: active-directory documentationcenter: ''
-author: curtand
+author: rolyon
manager: daveba ms.service: active-directory ms.topic: how-to ms.subservice: roles ms.workload: identity ms.date: 11/04/2020
-ms.author: curtand
+ms.author: rolyon
ms.reviewer: anandy ms.custom: oldportal;it-pro; ms.collection: M365-identity-device-management
active-directory https://docs.microsoft.com/en-us/azure/active-directory/roles/admin-units-add-manage-users https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/active-directory/roles/admin-units-add-manage-users.md
@@ -3,14 +3,14 @@ title: Add, remove, and list users in an administrative unit - Azure Active Dire
description: Manage users and their role permissions in an administrative unit in Azure Active Directory services: active-directory documentationcenter: ''
-author: curtand
+author: rolyon
manager: daveba ms.service: active-directory ms.topic: how-to ms.subservice: roles ms.workload: identity ms.date: 11/04/2020
-ms.author: curtand
+ms.author: rolyon
ms.reviewer: anandy ms.custom: oldportal;it-pro; ms.collection: M365-identity-device-management
active-directory https://docs.microsoft.com/en-us/azure/active-directory/roles/admin-units-assign-roles https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/active-directory/roles/admin-units-assign-roles.md
@@ -3,14 +3,14 @@ title: Assign and list roles with administrative unit scope - Azure Active Direc
description: Use administrative units to restrict the scope of role assignments in Azure Active Directory. services: active-directory documentationcenter: ''
-author: curtand
+author: rolyon
manager: daveba ms.service: active-directory ms.topic: how-to ms.subservice: roles ms.workload: identity ms.date: 11/04/2020
-ms.author: curtand
+ms.author: rolyon
ms.reviewer: anandy ms.custom: oldportal;it-pro; ms.collection: M365-identity-device-management
active-directory https://docs.microsoft.com/en-us/azure/active-directory/roles/admin-units-faq-troubleshoot https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/active-directory/roles/admin-units-faq-troubleshoot.md
@@ -3,14 +3,14 @@ title: Administrative units troubleshooting and FAQ - Azure Active Directory | M
description: Investigate administrative units to grant permissions with restricted scope in Azure Active Directory. services: active-directory documentationcenter: ''
-author: curtand
+author: rolyon
manager: daveba ms.service: active-directory ms.topic: how-to ms.subservice: roles ms.workload: identity ms.date: 11/04/2020
-ms.author: curtand
+ms.author: rolyon
ms.reviewer: anandy ms.custom: oldportal;it-pro; ms.collection: M365-identity-device-management
active-directory https://docs.microsoft.com/en-us/azure/active-directory/roles/admin-units-manage https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/active-directory/roles/admin-units-manage.md
@@ -3,14 +3,14 @@ title: Add and remove administrative units - Azure Active Directory | Microsoft
description: Use administrative units to restrict the scope of role permissions in Azure Active Directory. services: active-directory documentationcenter: ''
-author: curtand
+author: rolyon
manager: daveba ms.service: active-directory ms.topic: how-to ms.subservice: roles ms.workload: identity ms.date: 11/04/2020
-ms.author: curtand
+ms.author: rolyon
ms.reviewer: anandy ms.custom: oldportal;it-pro; ms.collection: M365-identity-device-management
active-directory https://docs.microsoft.com/en-us/azure/active-directory/roles/administrative-units https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/active-directory/roles/administrative-units.md
@@ -3,14 +3,14 @@ title: Administrative units in Azure Active Directory | Microsoft Docs
description: Use administrative units for more granular delegation of permissions in Azure Active Directory. services: active-directory documentationcenter: ''
-author: curtand
+author: rolyon
manager: daveba ms.service: active-directory ms.topic: overview ms.subservice: roles ms.workload: identity ms.date: 11/04/2020
-ms.author: curtand
+ms.author: rolyon
ms.reviewer: anandy ms.custom: oldportal;it-pro; ms.collection: M365-identity-device-management
active-directory https://docs.microsoft.com/en-us/azure/active-directory/roles/concept-delegation https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/active-directory/roles/concept-delegation.md
@@ -3,7 +3,7 @@ title: Understand admin role delegation - Azure Active Directory | Microsoft Doc
description: Delegation models, examples, and role security in Azure Active Directory services: active-directory documentationcenter: ''
-author: curtand
+author: rolyon
manager: mtillman editor: ''
@@ -12,7 +12,7 @@ ms.workload: identity
ms.subservice: roles ms.topic: conceptual ms.date: 11/05/2020
-ms.author: curtand
+ms.author: rolyon
ms.reviewer: vincesm ms.custom: it-pro #As an Azure AD administrator, I want to know how to organize my approach to delegating roles
active-directory https://docs.microsoft.com/en-us/azure/active-directory/roles/concept-understand-roles https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/active-directory/roles/concept-understand-roles.md
@@ -2,14 +2,14 @@
title: Understand Azure Active Directory role concepts description: Learn how to understand Azure Active Directory built-in and custom roles with resource scope in Azure Active Directory. services: active-directory
-author: curtand
+author: rolyon
manager: daveba ms.service: active-directory ms.workload: identity ms.subservice: roles ms.topic: overview ms.date: 11/20/2020
-ms.author: curtand
+ms.author: rolyon
ms.reviewer: vincesm ms.custom: it-pro
active-directory https://docs.microsoft.com/en-us/azure/active-directory/roles/custom-assign-graph https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/active-directory/roles/custom-assign-graph.md
@@ -2,14 +2,14 @@
title: Assign Azure AD admin roles with Microsoft Graph API | Microsoft Docs description: Assign and remove Azure AD administrator roles with Graph API in Azure Active Directory services: active-directory
-author: curtand
+author: rolyon
manager: daveba ms.service: active-directory ms.workload: identity ms.subservice: roles ms.topic: how-to ms.date: 11/05/2020
-ms.author: curtand
+ms.author: rolyon
ms.reviewer: vincesm ms.custom: it-pro ms.collection: M365-identity-device-management
active-directory https://docs.microsoft.com/en-us/azure/active-directory/roles/custom-assign-powershell https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/active-directory/roles/custom-assign-powershell.md
@@ -2,14 +2,14 @@
title: Assign custom roles using Azure AD PowerShell - Azure AD | Microsoft Docs description: Manage members of an Azure AD administrator custom role with Azure AD PowerShell. services: active-directory
-author: curtand
+author: rolyon
manager: daveba ms.service: active-directory ms.workload: identity ms.subservice: roles ms.topic: how-to ms.date: 11/04/2020
-ms.author: curtand
+ms.author: rolyon
ms.reviewer: vincesm ms.custom: it-pro ms.collection: M365-identity-device-management
active-directory https://docs.microsoft.com/en-us/azure/active-directory/roles/custom-available-permissions https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/active-directory/roles/custom-available-permissions.md
@@ -2,14 +2,14 @@
title: Custom role permissions for app registration - Azure AD | Microsoft Docs description: Delegate custom administrator role permissions for managing app registrations. services: active-directory
-author: curtand
+author: rolyon
manager: daveba ms.service: active-directory ms.workload: identity ms.subservice: roles ms.topic: how-to ms.date: 11/04/2020
-ms.author: curtand
+ms.author: rolyon
ms.reviewer: vincesm ms.custom: it-pro ms.collection: M365-identity-device-management
active-directory https://docs.microsoft.com/en-us/azure/active-directory/roles/custom-consent-permissions https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/active-directory/roles/custom-consent-permissions.md
@@ -2,14 +2,14 @@
title: App consent permissions for custom roles in Azure Active Directory | Microsoft Docs description: Preview app consent permissions for custom Azure AD roles in the Azure portal, PowerShell, or Graph API. services: active-directory
-author: curtand
+author: rolyon
manager: daveba ms.service: active-directory ms.workload: identity ms.subservice: roles ms.topic: overview ms.date: 11/04/2020
-ms.author: curtand
+ms.author: rolyon
ms.reviewer: psignoret ms.custom: it-pro ---
active-directory https://docs.microsoft.com/en-us/azure/active-directory/roles/custom-create https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/active-directory/roles/custom-create.md
@@ -2,14 +2,14 @@
title: Create custom roles in Azure AD role-based access control | Microsoft Docs description: Create and assign custom Azure AD roles with resource scope on Azure Active Directory resources. services: active-directory
-author: curtand
+author: rolyon
manager: daveba ms.service: active-directory ms.workload: identity ms.subservice: roles ms.topic: how-to ms.date: 01/05/2021
-ms.author: curtand
+ms.author: rolyon
ms.reviewer: vincesm ms.custom: it-pro ms.collection: M365-identity-device-management
active-directory https://docs.microsoft.com/en-us/azure/active-directory/roles/custom-enterprise-app-permissions https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/active-directory/roles/custom-enterprise-app-permissions.md
@@ -2,14 +2,14 @@
title: App permissions for custom roles in Azure Active Directory | Microsoft Docs description: Preview enterprise app permissions for custom Azure AD roles in the Azure portal, PowerShell, or Graph API. services: active-directory
-author: curtand
+author: rolyon
manager: daveba ms.service: active-directory ms.workload: identity ms.subservice: roles ms.topic: overview ms.date: 11/04/2020
-ms.author: curtand
+ms.author: rolyon
ms.reviewer: vincesm ms.custom: it-pro ---
active-directory https://docs.microsoft.com/en-us/azure/active-directory/roles/custom-enterprise-apps https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/active-directory/roles/custom-enterprise-apps.md
@@ -2,14 +2,14 @@
title: Custom role permissions for enterprise app access assignments - Azure Active Directory | Microsoft Docs description: Create and assign custom Azure AD roles for enterprise apps access in Azure Active Directory services: active-directory
-author: curtand
+author: rolyon
manager: daveba ms.service: active-directory ms.workload: identity ms.subservice: roles ms.topic: how-to ms.date: 11/04/2020
-ms.author: curtand
+ms.author: rolyon
ms.reviewer: vincesm ms.custom: it-pro ms.collection: M365-identity-device-management
active-directory https://docs.microsoft.com/en-us/azure/active-directory/roles/custom-overview https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/active-directory/roles/custom-overview.md
@@ -2,14 +2,14 @@
title: Overview of Azure Active Directory role-based access control (RBAC) description: Learn how to understand the parts of a role assignment and restricted scope in Azure Active Directory. services: active-directory
-author: curtand
+author: rolyon
manager: daveba ms.service: active-directory ms.workload: identity ms.subservice: roles ms.topic: overview ms.date: 11/20/2020
-ms.author: curtand
+ms.author: rolyon
ms.reviewer: vincesm ms.custom: it-pro
@@ -27,14 +27,14 @@ Both systems contain similarly used role definitions and role assignments. Howev
## Understand Azure AD role-based access control Azure AD supports 2 types of roles definitions -
-* [Built-in roles](https://docs.microsoft.com/azure/active-directory/roles/permissions-reference)
-* [Custom roles](https://docs.microsoft.com/azure/active-directory/roles/custom-create)
+* [Built-in roles](./permissions-reference.md)
+* [Custom roles](./custom-create.md)
-Built-in roles are out of box roles that have a fixed set of permissions. These role definitions cannot be modified. There are many [built-in roles](https://docs.microsoft.com/azure/active-directory/roles/permissions-reference) that Azure AD supports, and the list is growing. To round off the edges and meet your sophisticated requirements, Azure AD also supports [custom roles](https://docs.microsoft.com/azure/active-directory/roles/custom-create). Granting permission using custom Azure AD roles is a two-step process that involves creating a custom role definition and then assigning it using a role assignment. A custom role definition is a collection of permissions that you add from a preset list. These permissions are the same permissions used in the built-in roles.
+Built-in roles are out of box roles that have a fixed set of permissions. These role definitions cannot be modified. There are many [built-in roles](./permissions-reference.md) that Azure AD supports, and the list is growing. To round off the edges and meet your sophisticated requirements, Azure AD also supports [custom roles](./custom-create.md). Granting permission using custom Azure AD roles is a two-step process that involves creating a custom role definition and then assigning it using a role assignment. A custom role definition is a collection of permissions that you add from a preset list. These permissions are the same permissions used in the built-in roles.
Once youΓÇÖve created your custom role definition (or using a built-in role), you can assign it to a user by creating a role assignment. A role assignment grants the user the permissions in a role definition at a specified scope. This two-step process allows you to create a single role definition and assign it many times at different scopes. A scope defines the set of Azure AD resources the role member has access to. The most common scope is organization-wide (org-wide) scope. A custom role can be assigned at org-wide scope, meaning the role member has the role permissions over all resources in the organization. A custom role can also be assigned at an object scope. An example of an object scope would be a single application. The same role can be assigned to one user over all applications in the organization and then to another user with a scope of only the Contoso Expense Reports app.
-Azure AD built-in and custom roles operate on concepts similar to [Azure role-based access control (Azure RBAC)](https://docs.microsoft.com/azure/active-directory/develop/access-tokens#payload-claims). The [difference between these two role-based access control systems](../../role-based-access-control/rbac-and-directory-admin-roles.md) is that Azure RBAC controls access to Azure resources such as virtual machines or storage using Azure Resource Management, and Azure AD custom roles control access to Azure AD resources using Graph API. Both systems leverage the concept of role definitions and role assignments. Azure AD RBAC permissions cannot be included in Azure roles and vice versa.
+Azure AD built-in and custom roles operate on concepts similar to [Azure role-based access control (Azure RBAC)](../develop/access-tokens.md#payload-claims). The [difference between these two role-based access control systems](../../role-based-access-control/rbac-and-directory-admin-roles.md) is that Azure RBAC controls access to Azure resources such as virtual machines or storage using Azure Resource Management, and Azure AD custom roles control access to Azure AD resources using Graph API. Both systems leverage the concept of role definitions and role assignments. Azure AD RBAC permissions cannot be included in Azure roles and vice versa.
### How Azure AD determines if a user has access to a resource
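Review bot: In the last changed paragraph, the link labelled "Azure role-based access control (Azure RBAC)" now resolves to `../develop/access-tokens.md#payload-claims`, whose path and anchor name an access-token payload section rather than an Azure RBAC article, so the conversion to a relative path carries a mismatched target forward. Since this line is being touched anyway, point the link at an Azure RBAC article under `../../role-based-access-control/`, the same tree the comparison link in the next sentence already uses.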
@@ -85,4 +85,4 @@ Using built-in roles in Azure AD is free, while custom roles requires an Azure A
- [Understand Azure AD roles](concept-understand-roles.md) - Create custom role assignments using [the Azure portal, Azure AD PowerShell, and Graph API](custom-create.md)-- [View the assignments for a custom role](custom-view-assignments.md)
+- [View the assignments for a custom role](custom-view-assignments.md)
\ No newline at end of file
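Review bot: The `\ No newline at end of file` marker follows the `+` line, so the new revision of this file ends without a trailing newline, while the bullet text itself is unchanged. End the final bullet with a newline so later appends to the "Next steps" list do not produce a diff on this line again.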
active-directory https://docs.microsoft.com/en-us/azure/active-directory/roles/custom-view-assignments https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/active-directory/roles/custom-view-assignments.md
@@ -2,14 +2,14 @@
title: View custom role assignments in the Azure AD portal | Microsoft Docs description: You can now see and manage members of an Azure AD administrator role in the Azure AD admin center. services: active-directory
-author: curtand
+author: rolyon
manager: daveba ms.service: active-directory ms.workload: identity ms.subservice: roles ms.topic: how-to ms.date: 11/04/2020
-ms.author: curtand
+ms.author: rolyon
ms.reviewer: vincesm ms.custom: it-pro ms.collection: M365-identity-device-management
active-directory https://docs.microsoft.com/en-us/azure/active-directory/roles/delegate-app-roles https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/active-directory/roles/delegate-app-roles.md
@@ -3,14 +3,14 @@ title: Delegate application management administrator permissions - Azure AD | Mi
description: Grant permissions for application access management in Azure Active Directory services: active-directory documentationcenter: ''
-author: curtand
+author: rolyon
manager: daveba ms.service: active-directory ms.workload: identity ms.subservice: roles ms.topic: how-to ms.date: 11/04/2020
-ms.author: curtand
+ms.author: rolyon
ms.reviewer: vincesm ms.custom: it-pro #As an Azure AD administrator, I want to reduce overusing the Global Administrator role by delegating app access management to lower-privilege roles.
active-directory https://docs.microsoft.com/en-us/azure/active-directory/roles/delegate-by-task https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/active-directory/roles/delegate-by-task.md
@@ -3,14 +3,14 @@ title: Delegate roles by admin task - Azure Active Directory | Microsoft Docs
description: Roles to delegate for identity tasks in Azure Active Directory services: active-directory documentationcenter: ''
-author: curtand
+author: rolyon
manager: daveba ms.service: active-directory ms.workload: identity ms.subservice: roles ms.topic: reference ms.date: 11/05/2020
-ms.author: curtand
+ms.author: rolyon
ms.reviewer: vincesm ms.custom: it-pro #As an Azure AD administrator, I want to know which role has the least privilege for a given task to make my Azure AD organization more secure.
active-directory https://docs.microsoft.com/en-us/azure/active-directory/roles/groups-assign-role https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/active-directory/roles/groups-assign-role.md
@@ -2,14 +2,14 @@
title: Assign a role to a cloud group in Azure Active Directory | Microsoft Docs description: Assign an Azure AD role to a role-assignable group in the Azure portal, PowerShell, or Graph API. services: active-directory
-author: curtand
+author: rolyon
manager: daveba ms.service: active-directory ms.workload: identity ms.subservice: roles ms.topic: article ms.date: 11/05/2020
-ms.author: curtand
+ms.author: rolyon
ms.reviewer: vincesm ms.custom: it-pro
active-directory https://docs.microsoft.com/en-us/azure/active-directory/roles/groups-concept https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/active-directory/roles/groups-concept.md
@@ -2,14 +2,14 @@
title: Use cloud groups to manage role assignments in Azure Active Directory | Microsoft Docs description: Preview custom Azure AD roles for delegating identity management. Manage Azure role assignments in the Azure portal, PowerShell, or Graph API. services: active-directory
-author: curtand
+author: rolyon
manager: daveba ms.service: active-directory ms.workload: identity ms.subservice: roles ms.topic: article ms.date: 11/05/2020
-ms.author: curtand
+ms.author: rolyon
ms.reviewer: vincesm ms.custom: it-pro
active-directory https://docs.microsoft.com/en-us/azure/active-directory/roles/groups-create-eligible https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/active-directory/roles/groups-create-eligible.md
@@ -2,14 +2,14 @@
title: Create a group for assigning roles in Azure Active Directory | Microsoft Docs description: Learn how to create a role-assignable group in Azure AD. Manage Azure roles in the Azure portal, PowerShell, or Graph API. services: active-directory
-author: curtand
+author: rolyon
manager: daveba ms.service: active-directory ms.workload: identity ms.subservice: roles ms.topic: article ms.date: 11/05/2020
-ms.author: curtand
+ms.author: rolyon
ms.reviewer: vincesm ms.custom: it-pro
active-directory https://docs.microsoft.com/en-us/azure/active-directory/roles/groups-faq-troubleshooting https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/active-directory/roles/groups-faq-troubleshooting.md
@@ -2,14 +2,14 @@
title: Troubleshooting roles assigned to cloud group FAQ - Azure Active Directory | Microsoft Docs description: Learn some common questions and troubleshooting tips for assigning roles to groups in Azure Active Directory. services: active-directory
-author: curtand
+author: rolyon
manager: daveba ms.service: active-directory ms.workload: identity ms.subservice: roles ms.topic: article ms.date: 11/05/2020
-ms.author: curtand
+ms.author: rolyon
ms.reviewer: vincesm ms.custom: it-pro
active-directory https://docs.microsoft.com/en-us/azure/active-directory/roles/groups-pim-eligible https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/active-directory/roles/groups-pim-eligible.md
@@ -2,14 +2,14 @@
title: Assign a role to a group using Privileged Identity Management in Azure AD | Microsoft Docs description: Learn how you can assign an Azure Active Directory (Azure AD) role to a group using Azure AD Privileged Identity Management (PIM). services: active-directory
-author: curtand
+author: rolyon
manager: daveba ms.service: active-directory ms.workload: identity ms.subservice: roles ms.topic: article ms.date: 11/05/2020
-ms.author: curtand
+ms.author: rolyon
ms.reviewer: vincesm ms.custom: it-pro
active-directory https://docs.microsoft.com/en-us/azure/active-directory/roles/groups-remove-assignment https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/active-directory/roles/groups-remove-assignment.md
@@ -2,14 +2,14 @@
title: Remove role assignments from a group in Azure Active Directory | Microsoft Docs description: Preview custom Azure AD roles for delegating identity management. Manage Azure roles in the Azure portal, PowerShell, or Graph API. services: active-directory
-author: curtand
+author: rolyon
manager: daveba ms.service: active-directory ms.workload: identity ms.subservice: roles ms.topic: article ms.date: 11/05/2020
-ms.author: curtand
+ms.author: rolyon
ms.reviewer: vincesm ms.custom: it-pro
active-directory https://docs.microsoft.com/en-us/azure/active-directory/roles/groups-view-assignments https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/active-directory/roles/groups-view-assignments.md
@@ -2,14 +2,14 @@
title: View roles assigned to a group in Azure Active Directory | Microsoft Docs description: Learn how the roles assigned to a group can be viewed using Azure AD admin center. Viewing groups and assigned roles are default user permissions. services: active-directory
-author: curtand
+author: rolyon
manager: daveba ms.service: active-directory ms.workload: identity ms.subservice: roles ms.topic: article ms.date: 11/05/2020
-ms.author: curtand
+ms.author: rolyon
ms.reviewer: vincesm ms.custom: it-pro
active-directory https://docs.microsoft.com/en-us/azure/active-directory/roles/m365-workload-docs https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/active-directory/roles/m365-workload-docs.md
@@ -3,14 +3,14 @@ title: Admin role docs across Microsoft 365 services - Azure AD | Microsoft Docs
description: Find content and API references for administrator roles for Microsoft 365 services in Azure Active Directory services: active-directory documentationcenter: ''
-author: curtand
+author: rolyon
manager: daveba ms.service: active-directory ms.workload: identity ms.subservice: roles ms.topic: reference ms.date: 11/05/2020
-ms.author: curtand
+ms.author: rolyon
ms.reviewer: vincesm ms.custom: it-pro #As an Azure AD administrator, to delegate permissions across Microsoft 365 services quickly and accurately I want to know where the content is for admin roles.
active-directory https://docs.microsoft.com/en-us/azure/active-directory/roles/manage-roles-portal https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/active-directory/roles/manage-roles-portal.md
@@ -2,14 +2,14 @@
title: View and assign administrator role permissions - Azure AD | Microsoft Docs description: You can now see and manage members of an Azure AD administrator role in the portal. For those who frequently manage role assignments. services: active-directory
-author: curtand
+author: rolyon
manager: daveba ms.service: active-directory ms.workload: identity ms.subservice: roles ms.topic: how-to ms.date: 11/05/2020
-ms.author: curtand
+ms.author: rolyon
ms.reviewer: vincesm ms.custom: it-pro
active-directory https://docs.microsoft.com/en-us/azure/active-directory/roles/my-staff-configure https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/active-directory/roles/my-staff-configure.md
@@ -3,14 +3,14 @@ title: Use My Staff to delegate user management (preview) - Azure AD | Microsoft
description: Delegate user management using My Staff and administrative units services: active-directory documentationcenter: ''
-author: curtand
+author: rolyon
manager: daveba ms.topic: how-to ms.service: active-directory ms.subservice: user-help ms.workload: identity ms.date: 05/08/2020
-ms.author: curtand
+ms.author: rolyon
ms.reviewer: sahenry ms.custom: oldportal;it-pro;
active-directory https://docs.microsoft.com/en-us/azure/active-directory/roles/permissions-reference https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/active-directory/roles/permissions-reference.md
@@ -2,7 +2,7 @@
title: Azure AD role descriptions and permissions - Azure Active Directory | Microsoft Docs description: An admin role can add users, assign administrative roles, reset user passwords, manage user licenses, or manage domains. services: active-directory
-author: curtand
+author: rolyon
manager: daveba search.appverid: MET150 ms.service: active-directory
@@ -10,7 +10,7 @@ ms.workload: identity
ms.subservice: roles ms.topic: reference ms.date: 11/05/2020
-ms.author: curtand
+ms.author: rolyon
ms.reviewer: vincesm ms.custom: it-pro, fasttrack-edit ms.collection: M365-identity-device-management
active-directory https://docs.microsoft.com/en-us/azure/active-directory/roles/quickstart-app-registration-limits https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/active-directory/roles/quickstart-app-registration-limits.md
@@ -2,14 +2,14 @@
title: Remove limits on creating app registrations - Azure AD | Microsoft Docs description: Assign a custom role to grant unrestricted app registrations in the Azure AD Active Directory services: active-directory
-author: curtand
+author: rolyon
manager: daveba ms.service: active-directory ms.workload: identity ms.subservice: roles ms.topic: quickstart ms.date: 11/05/2020
-ms.author: curtand
+ms.author: rolyon
ms.reviewer: vincesm ms.custom: it-pro, devx-track-azurepowershell
active-directory https://docs.microsoft.com/en-us/azure/active-directory/roles/security-emergency-access https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/active-directory/roles/security-emergency-access.md
@@ -4,7 +4,7 @@ description: This article describes how to use emergency access accounts to help
services: active-directory author: markwahl-msft manager: daveba
-ms.author: curtand
+ms.author: rolyon
ms.date: 11/05/2020 ms.topic: conceptual ms.service: active-directory
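Review bot: Only `ms.author` changes here, leaving `author: markwahl-msft` in the context line above it, so the two fields name different people, whereas the other files in this batch set both `author` and `ms.author` to `rolyon`. Confirm that the split ownership is intended for this article, and if it is not, update `author` in the same change.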
active-directory https://docs.microsoft.com/en-us/azure/active-directory/roles/security-planning https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/active-directory/roles/security-planning.md
@@ -4,9 +4,9 @@ title: Secure access practices for administrators in Azure AD | Microsoft Docs
description: Ensure that your organization's administrative access and admin accounts are secure. For system architects and IT pros who configure Azure AD, Azure, and Microsoft Online Services. services: active-directory keywords:
-author: curtand
+author: rolyon
manager: daveba
-ms.author: curtand
+ms.author: rolyon
ms.date: 11/05/2020 ms.topic: conceptual ms.service: active-directory
active-directory https://docs.microsoft.com/en-us/azure/active-directory/roles/view-assignments https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/active-directory/roles/view-assignments.md
@@ -2,14 +2,14 @@
title: View custom role assignments in the Azure Active Directory portal | Microsoft Docs description: You can now see and manage members of an Azure Active Directory administrator role in the Azure Active Directory admin center. services: active-directory
-author: curtand
+author: rolyon
manager: daveba ms.service: active-directory ms.workload: identity ms.subservice: roles ms.topic: how-to ms.date: 11/05/2020
-ms.author: curtand
+ms.author: rolyon
ms.reviewer: vincesm ms.custom: it-pro ms.collection: M365-identity-device-management
active-directory https://docs.microsoft.com/en-us/azure/active-directory/saas-apps/academy-attendance-tutorial https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/active-directory/saas-apps/academy-attendance-tutorial.md
@@ -94,7 +94,7 @@ Follow these steps to enable Azure AD SSO in the Azure portal.
| role | user.assignedroles | > [!NOTE]
- > Academy Attendance supports two roles for users: **Lecturer** and **Student**. Set up these roles in Azure AD so that users can be assigned the appropriate roles. Please refer to [this](https://docs.microsoft.com/azure/active-directory/develop/howto-add-app-roles-in-azure-ad-apps#app-roles-ui) doc which explains how to create custom roles in Azure AD.
+ > Academy Attendance supports two roles for users: **Lecturer** and **Student**. Set up these roles in Azure AD so that users can be assigned the appropriate roles. Please refer to [this](../develop/howto-add-app-roles-in-azure-ad-apps.md#app-roles-ui--preview) doc which explains how to create custom roles in Azure AD.
1. On the **Set up single sign-on with SAML** page, in the **SAML Signing Certificate** section, find **Federation Metadata XML** and select **Download** to download the certificate and save it on your computer.
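Review bot: The new link in the NOTE targets the heading anchor `#app-roles-ui--preview`, which is derived from a heading that carries a preview label and will stop resolving once that heading is renamed. Consider linking to `../develop/howto-add-app-roles-in-azure-ad-apps.md` without the fragment, and replace the link text "this" with the article title so the target is clear to readers and to link checkers.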
@@ -144,9 +144,9 @@ In this section, you test your Azure AD single sign-on configuration with follow
* Go to Academy Attendance Sign-on URL directly and initiate the login flow from there.
-* You can use Microsoft My Apps. When you click the Academy Attendance tile in the My Apps, this will redirect to Academy Attendance Sign-on URL. For more information about the My Apps, see [Introduction to the My Apps](https://docs.microsoft.com/azure/active-directory/active-directory-saas-access-panel-introduction).
+* You can use Microsoft My Apps. When you click the Academy Attendance tile in the My Apps, this will redirect to Academy Attendance Sign-on URL. For more information about the My Apps, see [Introduction to the My Apps](../user-help/my-apps-portal-end-user-access.md).
## Next steps
-Once you configure Academy Attendance you can enforce session control, which protects exfiltration and infiltration of your organizationΓÇÖs sensitive data in real time. Session control extends from Conditional Access. [Learn how to enforce session control with Microsoft Cloud App Security](https://docs.microsoft.com/cloud-app-security/proxy-deployment-any-app).
\ No newline at end of file
+Once you configure Academy Attendance you can enforce session control, which protects exfiltration and infiltration of your organizationΓÇÖs sensitive data in real time. Session control extends from Conditional Access. [Learn how to enforce session control with Microsoft Cloud App Security](/cloud-app-security/proxy-deployment-any-app).
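Review bot: The rewritten "Next steps" sentence still says session control "protects exfiltration and infiltration of your organization's sensitive data", which reads as if the control safeguards the leak itself. While the line is being edited for the link, change the wording to "protects against exfiltration and infiltration".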
active-directory https://docs.microsoft.com/en-us/azure/active-directory/saas-apps/adobe-identity-management-tutorial https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/active-directory/saas-apps/adobe-identity-management-tutorial.md
@@ -162,7 +162,7 @@ In this section, you test your Azure AD single sign-on configuration with follow
* Go to Adobe Identity Management Sign-on URL directly and initiate the login flow from there.
-* You can use Microsoft My Apps. When you click the Adobe Identity Management tile in the My Apps, this will redirect to Adobe Identity Management Sign-on URL. For more information about the My Apps, see [Introduction to the My Apps](https://docs.microsoft.com/azure/active-directory/active-directory-saas-access-panel-introduction).
+* You can use Microsoft My Apps. When you click the Adobe Identity Management tile in the My Apps, this will redirect to Adobe Identity Management Sign-on URL. For more information about the My Apps, see [Introduction to the My Apps](../user-help/my-apps-portal-end-user-access.md).
## Next steps
active-directory https://docs.microsoft.com/en-us/azure/active-directory/saas-apps/adpfederatedsso-tutorial https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/active-directory/saas-apps/adpfederatedsso-tutorial.md
@@ -204,9 +204,9 @@ In this section, you test your Azure AD single sign-on configuration with follow
* Click on Test this application in Azure portal and you should be automatically signed in to the ADP for which you set up the SSO
-* You can use Microsoft My Apps. When you click the ADP tile in the My Apps, you should be automatically signed in to the ADP for which you set up the SSO. For more information about the My Apps, see [Introduction to the My Apps](https://docs.microsoft.com/azure/active-directory/active-directory-saas-access-panel-introduction).
+* You can use Microsoft My Apps. When you click the ADP tile in the My Apps, you should be automatically signed in to the ADP for which you set up the SSO. For more information about the My Apps, see [Introduction to the My Apps](../user-help/my-apps-portal-end-user-access.md).
## Next steps
-Once you configure ADP you can enforce session control, which protects exfiltration and infiltration of your organizationΓÇÖs sensitive data in real time. Session control extends from Conditional Access. [Learn how to enforce session control with Microsoft Cloud App Security](https://docs.microsoft.com/cloud-app-security/proxy-deployment-any-app).
\ No newline at end of file
+Once you configure ADP you can enforce session control, which protects exfiltration and infiltration of your organizationΓÇÖs sensitive data in real time. Session control extends from Conditional Access. [Learn how to enforce session control with Microsoft Cloud App Security](/cloud-app-security/proxy-deployment-any-app).
\ No newline at end of file
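Review bot: The final `+` line is still followed by `\ No newline at end of file`, so this file keeps its missing trailing newline while the sibling tutorials in this batch gain one in the same edit. Add the newline here as well so the set is consistent.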
active-directory https://docs.microsoft.com/en-us/azure/active-directory/saas-apps/alibaba-cloud-service-role-based-sso-tutorial https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/active-directory/saas-apps/alibaba-cloud-service-role-based-sso-tutorial.md
@@ -89,7 +89,7 @@ Follow these steps to enable Azure AD SSO in the Azure portal.
> [!Note] > If the **Identifier** and **Reply URL** values do not get auto populated, then fill in the values manually according to your requirement.
-1. Alibaba Cloud Service (Role-based SSO) require roles to be configured in Azure AD. The role claim is pre-configured so you don't have to configure it but you still need to create them in Azure AD using this [article](https://docs.microsoft.com/azure/active-directory/develop/howto-add-app-roles-in-azure-ad-apps#app-roles-ui).
+1. Alibaba Cloud Service (Role-based SSO) require roles to be configured in Azure AD. The role claim is pre-configured so you don't have to configure it but you still need to create them in Azure AD using this [article](../develop/howto-add-app-roles-in-azure-ad-apps.md#app-roles-ui--preview).
1. On the **Set up single sign-on with SAML** page, in the **SAML Signing Certificate** section, find **Federation Metadata XML** and select **Download** to download the certificate and save it on your computer.
@@ -241,4 +241,4 @@ After the preceding configurations are completed, test Alibaba Cloud Service (Ro
## Next steps
-Once you configure Alibaba Cloud Service (Role-based SSO) you can enforce session control, which protects exfiltration and infiltration of your organizationΓÇÖs sensitive data in real time. Session control extends from Conditional Access. [Learn how to enforce session control with Microsoft Cloud App Security](/cloud-app-security/proxy-deployment-any-app).
\ No newline at end of file
+Once you configure Alibaba Cloud Service (Role-based SSO) you can enforce session control, which protects exfiltration and infiltration of your organizationΓÇÖs sensitive data in real time. Session control extends from Conditional Access. [Learn how to enforce session control with Microsoft Cloud App Security](/cloud-app-security/proxy-deployment-any-app).
active-directory https://docs.microsoft.com/en-us/azure/active-directory/saas-apps/amazon-web-service-tutorial https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/active-directory/saas-apps/amazon-web-service-tutorial.md
@@ -115,7 +115,7 @@ Follow these steps to enable Azure AD SSO in the Azure portal.
| SessionDuration | "provide a value between 900 seconds (15 minutes) to 43200 seconds (12 hours)" | `https://aws.amazon.com/SAML/Attributes` | > [!NOTE]
- > AWS expects roles for users assigned to the application. Please set up these roles in Azure AD so that users can be assigned the appropriate roles. To understand how to configure roles in Azure AD, see [here](https://docs.microsoft.com/azure/active-directory/develop/howto-add-app-roles-in-azure-ad-apps#app-roles-ui)
+ > AWS expects roles for users assigned to the application. Please set up these roles in Azure AD so that users can be assigned the appropriate roles. To understand how to configure roles in Azure AD, see [here](../develop/howto-add-app-roles-in-azure-ad-apps.md#app-roles-ui--preview)
1. On the **Set up single sign-on with SAML** page, in the **SAML Signing Certificate** (Step 3) dialog box, select **Add a certificate**.
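Review bot: The added NOTE line ends at the closing parenthesis of the `[here](...)` link with no terminal period, unlike the equivalent notes in the other tutorials in this batch. Add the period, and consider replacing "here" with link text that names the target article.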
active-directory https://docs.microsoft.com/en-us/azure/active-directory/saas-apps/andromedascm-tutorial https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/active-directory/saas-apps/andromedascm-tutorial.md
@@ -105,7 +105,7 @@ Follow these steps to enable Azure AD SSO in the Azure portal.
| company | CompanyName | > [!NOTE]
- > Andromeda expects roles for users assigned to the application. Please set up these roles in Azure AD so that users can be assigned the appropriate roles. To understand how to configure roles in Azure AD, see [here](https://docs.microsoft.com/azure/active-directory/develop/howto-add-app-roles-in-azure-ad-apps#app-roles-ui).
+ > Andromeda expects roles for users assigned to the application. Please set up these roles in Azure AD so that users can be assigned the appropriate roles. To understand how to configure roles in Azure AD, see [here](../develop/howto-add-app-roles-in-azure-ad-apps.md#app-roles-ui--preview).
a. Click **Add new claim** to open the **Manage user claims** dialog.
@@ -213,8 +213,8 @@ In this section, you test your Azure AD single sign-on configuration with follow
* Click on **Test this application** in Azure portal and you should be automatically signed in to the Andromeda for which you set up the SSO
-You can also use Microsoft My Apps to test the application in any mode. When you click the Andromeda tile in the My Apps, if configured in SP mode you would be redirected to the application sign on page for initiating the login flow and if configured in IDP mode, you should be automatically signed in to the Andromeda for which you set up the SSO. For more information about the My Apps, see [Introduction to the My Apps](https://docs.microsoft.com/azure/active-directory/active-directory-saas-access-panel-introduction).
+You can also use Microsoft My Apps to test the application in any mode. When you click the Andromeda tile in the My Apps, if configured in SP mode you would be redirected to the application sign on page for initiating the login flow and if configured in IDP mode, you should be automatically signed in to the Andromeda for which you set up the SSO. For more information about the My Apps, see [Introduction to the My Apps](../user-help/my-apps-portal-end-user-access.md).
## Next steps
-Once you configure Andromeda you can enforce session control, which protects exfiltration and infiltration of your organizationΓÇÖs sensitive data in real time. Session control extends from Conditional Access. [Learn how to enforce session control with Microsoft Cloud App Security](https://docs.microsoft.com/cloud-app-security/proxy-deployment-any-app).
\ No newline at end of file
+Once you configure Andromeda you can enforce session control, which protects exfiltration and infiltration of your organizationΓÇÖs sensitive data in real time. Session control extends from Conditional Access. [Learn how to enforce session control with Microsoft Cloud App Security](/cloud-app-security/proxy-deployment-any-app).
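Review bot: The rewritten My Apps paragraph describes both SP mode and IDP mode behaviour in a single sentence ("if configured in SP mode you would be redirected ... and if configured in IDP mode, you should be automatically signed in"), which is hard to follow as a test step. Split it into one bullet per mode, matching the bulleted test steps that precede it in this section.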
active-directory https://docs.microsoft.com/en-us/azure/active-directory/saas-apps/appinux-tutorial https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/active-directory/saas-apps/appinux-tutorial.md
@@ -103,7 +103,7 @@ Follow these steps to enable Azure AD SSO in the Azure portal.
| `nameidentifier` | `http://schemas.xmlsoap.org/ws/2005/05/identity/claims` | `user.employeeid` | > [!NOTE]
- > Appinux expects roles for users assigned to the application. Please set up these roles in Azure AD so that users can be assigned the appropriate roles. To understand how to configure roles in Azure AD, see [here](https://docs.microsoft.com/azure/active-directory/develop/howto-add-app-roles-in-azure-ad-apps#app-roles-ui).
+ > Appinux expects roles for users assigned to the application. Please set up these roles in Azure AD so that users can be assigned the appropriate roles. To understand how to configure roles in Azure AD, see [here](../develop/howto-add-app-roles-in-azure-ad-apps.md#app-roles-ui--preview).
1. On the **Set up single sign-on with SAML** page, in the **SAML Signing Certificate** section, find **Federation Metadata XML** and select **Download** to download the certificate and save it on your computer.
@@ -156,9 +156,9 @@ In this section, you test your Azure AD single sign-on configuration with follow
* Go to Appinux Sign-on URL directly and initiate the login flow from there.
-* You can use Microsoft My Apps. When you click the Appinux tile in the My Apps, this will redirect to Appinux Sign-on URL. For more information about the My Apps, see [Introduction to the My Apps](https://docs.microsoft.com/azure/active-directory/active-directory-saas-access-panel-introduction).
+* You can use Microsoft My Apps. When you click the Appinux tile in the My Apps, this will redirect to Appinux Sign-on URL. For more information about the My Apps, see [Introduction to the My Apps](../user-help/my-apps-portal-end-user-access.md).
## Next steps
-Once you configure Appinux you can enforce session control, which protects exfiltration and infiltration of your organizationΓÇÖs sensitive data in real time. Session control extends from Conditional Access. [Learn how to enforce session control with Microsoft Cloud App Security](https://docs.microsoft.com/cloud-app-security/proxy-deployment-any-app).
\ No newline at end of file
+Once you configure Appinux you can enforce session control, which protects exfiltration and infiltration of your organizationΓÇÖs sensitive data in real time. Session control extends from Conditional Access. [Learn how to enforce session control with Microsoft Cloud App Security](/cloud-app-security/proxy-deployment-any-app).
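Review bot: in the rewritten Next steps sentence, "protects exfiltration and infiltration of your organizationΓÇÖs sensitive data" reads as if session control protects the exfiltration itself, and the apostrophe is a non-ASCII character that shows up here as `ΓÇÖ`. Since the line is being touched anyway, suggest "protects against exfiltration and infiltration of your organization's sensitive data" with a plain apostrophe. The same sentence recurs in the other tutorials in this batch.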
active-directory https://docs.microsoft.com/en-us/azure/active-directory/saas-apps/appneta-tutorial https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/active-directory/saas-apps/appneta-tutorial.md
@@ -102,7 +102,7 @@ Follow these steps to enable Azure AD SSO in the Azure portal.
| | | > [!NOTE]
- > **groups** refers to the security group in Appneta which is mapped to a **Role** in Azure AD. Please refer to [this](https://docs.microsoft.com/azure/active-directory/develop/howto-add-app-roles-in-azure-ad-apps#app-roles-ui) doc which explains how to create custom roles in Azure AD.
+ > **groups** refers to the security group in Appneta which is mapped to a **Role** in Azure AD. Please refer to [this](../develop/howto-add-app-roles-in-azure-ad-apps.md#app-roles-ui--preview) doc which explains how to create custom roles in Azure AD.
1. Click **Add new claim** to open the **Manage user claims** dialog.
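Review bot: the changed NOTE spells the product "Appneta" while the rest of this tutorial uses "AppNeta Performance Monitor", and the link text "this" says nothing about the target. Suggest using the product name consistently and a link text such as "how to create custom roles in Azure AD", so the mapping from the **groups** claim to an Azure AD **Role** is unambiguous.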
@@ -168,9 +168,9 @@ In this section, you test your Azure AD single sign-on configuration with follow
* Go to AppNeta Performance Monitor Sign-on URL directly and initiate the login flow from there.
-* You can use Microsoft My Apps. When you click the AppNeta Performance Monitor tile in the My Apps, this will redirect to AppNeta Performance Monitor Sign-on URL. For more information about the My Apps, see [Introduction to the My Apps](https://docs.microsoft.com/azure/active-directory/active-directory-saas-access-panel-introduction).
+* You can use Microsoft My Apps. When you click the AppNeta Performance Monitor tile in the My Apps, this will redirect to AppNeta Performance Monitor Sign-on URL. For more information about the My Apps, see [Introduction to the My Apps](../user-help/my-apps-portal-end-user-access.md).
## Next steps
-Once you configure AppNeta Performance Monitor you can enforce session control, which protects exfiltration and infiltration of your organizationΓÇÖs sensitive data in real time. Session control extends from Conditional Access. [Learn how to enforce session control with Microsoft Cloud App Security](https://docs.microsoft.com/cloud-app-security/proxy-deployment-any-app).
\ No newline at end of file
+Once you configure AppNeta Performance Monitor you can enforce session control, which protects exfiltration and infiltration of your organizationΓÇÖs sensitive data in real time. Session control extends from Conditional Access. [Learn how to enforce session control with Microsoft Cloud App Security](/cloud-app-security/proxy-deployment-any-app).
active-directory https://docs.microsoft.com/en-us/azure/active-directory/saas-apps/apptio-tutorial https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/active-directory/saas-apps/apptio-tutorial.md
@@ -76,7 +76,7 @@ Follow these steps to enable Azure AD SSO in the Azure portal.
In the **Identifier** text box, type a URL: `urn:federation:apptio`
-1. The role claim is pre-configured so you don't have to configure it but you still need to create them in Azure AD using this [article](https://docs.microsoft.com/azure/active-directory/develop/howto-add-app-roles-in-azure-ad-apps#app-roles-ui).
+1. The role claim is pre-configured so you don't have to configure it but you still need to create them in Azure AD using this [article](../develop/howto-add-app-roles-in-azure-ad-apps.md#app-roles-ui--preview).
1. On the **Set up single sign-on with SAML** page, in the **SAML Signing Certificate** section, find **Federation Metadata XML** and select **Download** to download the certificate and save it on your computer.
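Review bot: in the changed step, "you still need to create them" has no plural antecedent, because the sentence only mentions "the role claim". Suggest "you still need to create the roles in Azure AD", so the reader knows that what must be created is the roles and not the claim.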
@@ -124,9 +124,9 @@ In this section, you test your Azure AD single sign-on configuration with follow
* Click on Test this application in Azure portal and you should be automatically signed in to the Apptio for which you set up the SSO
-* You can use Microsoft My Apps. When you click the Apptio tile in the My Apps, you should be automatically signed in to the Apptio for which you set up the SSO. For more information about the My Apps, see [Introduction to the My Apps](https://docs.microsoft.com/azure/active-directory/active-directory-saas-access-panel-introduction).
+* You can use Microsoft My Apps. When you click the Apptio tile in the My Apps, you should be automatically signed in to the Apptio for which you set up the SSO. For more information about the My Apps, see [Introduction to the My Apps](../user-help/my-apps-portal-end-user-access.md).
## Next steps
-Once you configure Apptio you can enforce session control, which protects exfiltration and infiltration of your organizationΓÇÖs sensitive data in real time. Session control extends from Conditional Access. [Learn how to enforce session control with Microsoft Cloud App Security](https://docs.microsoft.com/cloud-app-security/proxy-deployment-any-app).
\ No newline at end of file
+Once you configure Apptio you can enforce session control, which protects exfiltration and infiltration of your organizationΓÇÖs sensitive data in real time. Session control extends from Conditional Access. [Learn how to enforce session control with Microsoft Cloud App Security](/cloud-app-security/proxy-deployment-any-app).
active-directory https://docs.microsoft.com/en-us/azure/active-directory/saas-apps/arc-facilities-tutorial https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/active-directory/saas-apps/arc-facilities-tutorial.md
@@ -95,7 +95,7 @@ Follow these steps to enable Azure AD SSO in the Azure portal.
d. Click **Save**. > [!NOTE]
- > ARC Facilities expects roles for users assigned to the application. Please set up these roles in Azure AD so that users can be assigned the appropriate roles. To understand how to configure roles in Azure AD, see [here](https://docs.microsoft.com/azure/active-directory/develop/howto-add-app-roles-in-azure-ad-apps#app-roles-ui).
+ > ARC Facilities expects roles for users assigned to the application. Please set up these roles in Azure AD so that users can be assigned the appropriate roles. To understand how to configure roles in Azure AD, see [here](../develop/howto-add-app-roles-in-azure-ad-apps.md#app-roles-ui--preview).
1. On the **Set up single sign-on with SAML** page, in the **SAML Signing Certificate** section, find **Certificate (Base64)** and select **Download** to download the certificate and save it on your computer.
@@ -143,9 +143,9 @@ In this section, you test your Azure AD single sign-on configuration with follow
* Click on Test this application in Azure portal and you should be automatically signed in to the ARC Facilities for which you set up the SSO
-* You can use Microsoft My Apps. When you click the ARC Facilities tile in the My Apps, you should be automatically signed in to the ARC Facilities for which you set up the SSO. For more information about the My Apps, see [Introduction to the My Apps](https://docs.microsoft.com/azure/active-directory/active-directory-saas-access-panel-introduction).
+* You can use Microsoft My Apps. When you click the ARC Facilities tile in the My Apps, you should be automatically signed in to the ARC Facilities for which you set up the SSO. For more information about the My Apps, see [Introduction to the My Apps](../user-help/my-apps-portal-end-user-access.md).
## Next steps
-Once you configure ARC Facilities you can enforce session control, which protects exfiltration and infiltration of your organizationΓÇÖs sensitive data in real time. Session control extends from Conditional Access. [Learn how to enforce session control with Microsoft Cloud App Security](https://docs.microsoft.com/cloud-app-security/proxy-deployment-any-app).
\ No newline at end of file
+Once you configure ARC Facilities you can enforce session control, which protects exfiltration and infiltration of your organizationΓÇÖs sensitive data in real time. Session control extends from Conditional Access. [Learn how to enforce session control with Microsoft Cloud App Security](/cloud-app-security/proxy-deployment-any-app).
active-directory https://docs.microsoft.com/en-us/azure/active-directory/saas-apps/arc-tutorial https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/active-directory/saas-apps/arc-tutorial.md
@@ -102,7 +102,7 @@ Follow these steps to enable Azure AD SSO in the Azure portal.
| groups | user.assignedroles | > [!NOTE]
- > Here the **groups** attribute is mapped with **user.assignedroles**. These are custom roles created in Azure AD to map the group names back in application. You can find more guidance [here](https://docs.microsoft.com/azure/active-directory/develop/howto-add-app-roles-in-azure-ad-apps#app-roles-ui) on how to create custom roles in Azure AD.
+ > Here the **groups** attribute is mapped with **user.assignedroles**. These are custom roles created in Azure AD to map the group names back in application. You can find more guidance [here](../develop/howto-add-app-roles-in-azure-ad-apps.md#app-roles-ui--preview) on how to create custom roles in Azure AD.
1. On the **Set up single sign-on with SAML** page, in the **SAML Signing Certificate** section, find **Certificate (Base64)** and select **Download** to download the certificate and save it on your computer.
@@ -161,9 +161,9 @@ In this section, you test your Azure AD single sign-on configuration with follow
* Click on **Test this application** in Azure portal and you should be automatically signed in to the Arc Publishing - SSO for which you set up the SSO
-You can also use Microsoft My Apps to test the application in any mode. When you click the Arc Publishing - SSO tile in the My Apps, if configured in SP mode you would be redirected to the application sign on page for initiating the login flow and if configured in IDP mode, you should be automatically signed in to the Arc Publishing - SSO for which you set up the SSO. For more information about the My Apps, see [Introduction to the My Apps](https://docs.microsoft.com/azure/active-directory/active-directory-saas-access-panel-introduction).
+You can also use Microsoft My Apps to test the application in any mode. When you click the Arc Publishing - SSO tile in the My Apps, if configured in SP mode you would be redirected to the application sign on page for initiating the login flow and if configured in IDP mode, you should be automatically signed in to the Arc Publishing - SSO for which you set up the SSO. For more information about the My Apps, see [Introduction to the My Apps](../user-help/my-apps-portal-end-user-access.md).
## Next steps
-Once you configure Arc Publishing - SSO you can enforce session control, which protects exfiltration and infiltration of your organizationΓÇÖs sensitive data in real time. Session control extends from Conditional Access. [Learn how to enforce session control with Microsoft Cloud App Security](https://docs.microsoft.com/cloud-app-security/proxy-deployment-any-app).
+Once you configure Arc Publishing - SSO you can enforce session control, which protects exfiltration and infiltration of your organizationΓÇÖs sensitive data in real time. Session control extends from Conditional Access. [Learn how to enforce session control with Microsoft Cloud App Security](/cloud-app-security/proxy-deployment-any-app).
active-directory https://docs.microsoft.com/en-us/azure/active-directory/saas-apps/aruba-user-experience-insight-tutorial https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/active-directory/saas-apps/aruba-user-experience-insight-tutorial.md
@@ -152,10 +152,8 @@ In this section, you test your Azure AD single sign-on configuration with follow
* Click on **Test this application** in Azure portal and you should be automatically signed in to the Aruba User Experience Insight for which you set up the SSO
-You can also use Microsoft My Apps to test the application in any mode. When you click the Aruba User Experience Insight tile in the My Apps, if configured in SP mode you would be redirected to the application sign on page for initiating the login flow and if configured in IDP mode, you should be automatically signed in to the Aruba User Experience Insight for which you set up the SSO. For more information about the My Apps, see [Introduction to the My Apps](https://docs.microsoft.com/azure/active-directory/active-directory-saas-access-panel-introduction).
+You can also use Microsoft My Apps to test the application in any mode. When you click the Aruba User Experience Insight tile in the My Apps, if configured in SP mode you would be redirected to the application sign on page for initiating the login flow and if configured in IDP mode, you should be automatically signed in to the Aruba User Experience Insight for which you set up the SSO. For more information about the My Apps, see [Introduction to the My Apps](../user-help/my-apps-portal-end-user-access.md).
## Next steps
-Once you configure Aruba User Experience Insight you can enforce session control, which protects exfiltration and infiltration of your organizationΓÇÖs sensitive data in real time. Session control extends from Conditional Access. [Learn how to enforce session control with Microsoft Cloud App Security](https://docs.microsoft.com/cloud-app-security/proxy-deployment-any-app).
--
+Once you configure Aruba User Experience Insight you can enforce session control, which protects exfiltration and infiltration of your organizationΓÇÖs sensitive data in real time. Session control extends from Conditional Access. [Learn how to enforce session control with Microsoft Cloud App Security](/cloud-app-security/proxy-deployment-any-app).
\ No newline at end of file
active-directory https://docs.microsoft.com/en-us/azure/active-directory/saas-apps/askyourteam-tutorial https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/active-directory/saas-apps/askyourteam-tutorial.md
@@ -200,8 +200,8 @@ In this section, you test your Azure AD single sign-on configuration with follow
* Click on **Test this application** in Azure portal and you should be automatically signed in to the AskYourTeam for which you set up the SSO
-You can also use Microsoft My Apps to test the application in any mode. When you click the AskYourTeam tile in the My Apps, if configured in SP mode you would be redirected to the application sign on page for initiating the login flow and if configured in IDP mode, you should be automatically signed in to the AskYourTeam for which you set up the SSO. For more information about the My Apps, see [Introduction to the My Apps](https://docs.microsoft.com/azure/active-directory/active-directory-saas-access-panel-introduction).
+You can also use Microsoft My Apps to test the application in any mode. When you click the AskYourTeam tile in the My Apps, if configured in SP mode you would be redirected to the application sign on page for initiating the login flow and if configured in IDP mode, you should be automatically signed in to the AskYourTeam for which you set up the SSO. For more information about the My Apps, see [Introduction to the My Apps](../user-help/my-apps-portal-end-user-access.md).
## Next steps
-Once you configure AskYourTeam you can enforce session control, which protects exfiltration and infiltration of your organizationΓÇÖs sensitive data in real time. Session control extends from Conditional Access. [Learn how to enforce session control with Microsoft Cloud App Security](/cloud-app-security/proxy-deployment-any-app).
+Once you configure AskYourTeam you can enforce session control, which protects exfiltration and infiltration of your organizationΓÇÖs sensitive data in real time. Session control extends from Conditional Access. [Learn how to enforce session control with Microsoft Cloud App Security](/cloud-app-security/proxy-deployment-any-app).
\ No newline at end of file
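Review bot: the removed and added Next steps lines are identical in text, so the only effect of the last change in this hunk is that the file now ends without a trailing newline (`\ No newline at end of file` follows the `+` line). Other files in this batch gain a final newline in the same kind of edit; keep it here as well.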
active-directory https://docs.microsoft.com/en-us/azure/active-directory/saas-apps/awarego-tutorial https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/active-directory/saas-apps/awarego-tutorial.md
@@ -135,11 +135,9 @@ In this section, you can test your Azure AD single sign-on configuration by doin
* Go to the AwareGo sign-in page directly, and initiate the sign-in flow from there.
-* Go to Microsoft My Apps. When you select the **AwareGo** tile in My Apps, you're redirected to the AwareGo sign-in page. For more information, see [Sign in and start apps from the My Apps portal](https://docs.microsoft.com/azure/active-directory/active-directory-saas-access-panel-introduction).
+* Go to Microsoft My Apps. When you select the **AwareGo** tile in My Apps, you're redirected to the AwareGo sign-in page. For more information, see [Sign in and start apps from the My Apps portal](../user-help/my-apps-portal-end-user-access.md).
## Next steps
-After you've configured AwareGo, you can enforce session control, which protects exfiltration and infiltration of your organizationΓÇÖs sensitive data in real time. Session control extends from Conditional Access App Control. For more information, see [Learn how to enforce session control with Microsoft Cloud App Security](https://docs.microsoft.com/cloud-app-security/proxy-deployment-any-app).
--
+After you've configured AwareGo, you can enforce session control, which protects exfiltration and infiltration of your organizationΓÇÖs sensitive data in real time. Session control extends from Conditional Access App Control. For more information, see [Learn how to enforce session control with Microsoft Cloud App Security](/cloud-app-security/proxy-deployment-any-app).
\ No newline at end of file
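Review bot: the Next steps line here says "Session control extends from Conditional Access App Control", while the sibling tutorials changed in this batch say "Session control extends from Conditional Access". Pick one wording for all of them, so readers are not left wondering whether two different features are meant.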
active-directory https://docs.microsoft.com/en-us/azure/active-directory/saas-apps/aws-clientvpn-tutorial https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/active-directory/saas-apps/aws-clientvpn-tutorial.md
@@ -153,11 +153,9 @@ In this section, you test your Azure AD single sign-on configuration with follow
* Go to AWS ClientVPN Sign-on URL directly and initiate the login flow from there.
-* You can use Microsoft My Apps. When you click the AWS ClientVPN tile in the My Apps, this will redirect to AWS ClientVPN Sign-on URL. For more information about the My Apps, see [Introduction to the My Apps](https://docs.microsoft.com/azure/active-directory/active-directory-saas-access-panel-introduction).
+* You can use Microsoft My Apps. When you click the AWS ClientVPN tile in the My Apps, this will redirect to AWS ClientVPN Sign-on URL. For more information about the My Apps, see [Introduction to the My Apps](../user-help/my-apps-portal-end-user-access.md).
## Next steps
-Once you configure AWS ClientVPN you can enforce session control, which protects exfiltration and infiltration of your organizationΓÇÖs sensitive data in real time. Session control extends from Conditional Access. [Learn how to enforce session control with Microsoft Cloud App Security](https://docs.microsoft.com/cloud-app-security/proxy-deployment-any-app).
--
+Once you configure AWS ClientVPN you can enforce session control, which protects exfiltration and infiltration of your organizationΓÇÖs sensitive data in real time. Session control extends from Conditional Access. [Learn how to enforce session control with Microsoft Cloud App Security](/cloud-app-security/proxy-deployment-any-app).
\ No newline at end of file
active-directory https://docs.microsoft.com/en-us/azure/active-directory/saas-apps/aws-multi-accounts-tutorial https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/active-directory/saas-apps/aws-multi-accounts-tutorial.md
@@ -139,7 +139,7 @@ In this section, you enable Azure AD single sign-on in the Azure portal and conf
g. Click **Save**. >[!NOTE]
- >For more information about roles in Azure AD, see [here](https://docs.microsoft.com/azure/active-directory/develop/howto-add-app-roles-in-azure-ad-apps#app-roles-ui).
+ >For more information about roles in Azure AD, see [here](../develop/howto-add-app-roles-in-azure-ad-apps.md#app-roles-ui--preview).
7. On the **Set up Single Sign-On with SAML** page, in the **SAML Signing Certificate** section, click **Download** to download the **Federation Metadata XML** and save it on your computer.
@@ -383,4 +383,4 @@ Once you configure Amazon Web Services (AWS) you can enforce Session Control, wh
[38]: ./media/aws-multi-accounts-tutorial/tutorial-amazonwebservices-createnewaccesskey.png [39]: ./media/aws-multi-accounts-tutorial/tutorial-amazonwebservices-provisioning-automatic.png [40]: ./media/aws-multi-accounts-tutorial/tutorial-amazonwebservices-provisioning-testconnection.png
-[41]: ./media/aws-multi-accounts-tutorial/
\ No newline at end of file
+[41]: ./media/aws-multi-accounts-tutorial/
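Review bot: reference `[41]` still resolves to the directory `./media/aws-multi-accounts-tutorial/` with no file name, and this change only adds the trailing newline. Either point it at the intended image or drop the definition if nothing in the article uses it.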
active-directory https://docs.microsoft.com/en-us/azure/active-directory/saas-apps/benchling-tutorial https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/active-directory/saas-apps/benchling-tutorial.md
@@ -149,9 +149,9 @@ In this section, you test your Azure AD single sign-on configuration with follow
* Click on **Test this application** in Azure portal and you should be automatically signed in to the Benchling for which you set up the SSO
-You can also use Microsoft My Apps to test the application in any mode. When you click the Benchling tile in the My Apps, if configured in SP mode you would be redirected to the application sign on page for initiating the login flow and if configured in IDP mode, you should be automatically signed in to the Benchling for which you set up the SSO. For more information about the My Apps, see [Introduction to the My Apps](https://docs.microsoft.com/azure/active-directory/active-directory-saas-access-panel-introduction).
+You can also use Microsoft My Apps to test the application in any mode. When you click the Benchling tile in the My Apps, if configured in SP mode you would be redirected to the application sign on page for initiating the login flow and if configured in IDP mode, you should be automatically signed in to the Benchling for which you set up the SSO. For more information about the My Apps, see [Introduction to the My Apps](../user-help/my-apps-portal-end-user-access.md).
## Next steps
-Once you configure Benchling you can enforce session control, which protects exfiltration and infiltration of your organizationΓÇÖs sensitive data in real time. Session control extends from Conditional Access. [Learn how to enforce session control with Microsoft Cloud App Security](https://docs.microsoft.com/cloud-app-security/proxy-deployment-any-app).
\ No newline at end of file
+Once you configure Benchling you can enforce session control, which protects exfiltration and infiltration of your organizationΓÇÖs sensitive data in real time. Session control extends from Conditional Access. [Learn how to enforce session control with Microsoft Cloud App Security](/cloud-app-security/proxy-deployment-any-app).
\ No newline at end of file
active-directory https://docs.microsoft.com/en-us/azure/active-directory/saas-apps/bic-cloud-design-tutorial https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/active-directory/saas-apps/bic-cloud-design-tutorial.md
@@ -154,7 +154,7 @@ In this section, you test your Azure AD single sign-on configuration with follow
* Go to BIC Cloud Design Sign-on URL directly and initiate the login flow from there.
-* You can use Microsoft My Apps. When you click the BIC Cloud Design tile in the My Apps, this will redirect to BIC Cloud Design Sign-on URL. For more information about the My Apps, see [Introduction to the My Apps](https://docs.microsoft.com/azure/active-directory/active-directory-saas-access-panel-introduction).
+* You can use Microsoft My Apps. When you click the BIC Cloud Design tile in the My Apps, this will redirect to BIC Cloud Design Sign-on URL. For more information about the My Apps, see [Introduction to the My Apps](../user-help/my-apps-portal-end-user-access.md).
## Next steps
active-directory https://docs.microsoft.com/en-us/azure/active-directory/saas-apps/bizagi-studio-for-digital-process-automation-provisioning-tutorial https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/active-directory/saas-apps/bizagi-studio-for-digital-process-automation-provisioning-tutorial.md
@@ -20,7 +20,7 @@ ms.author: Zhchia
# Tutorial: Configure Bizagi Studio for Digital Process Automation for automatic user provisioning
-This tutorial describes the steps you need to perform in both Bizagi Studio for Digital Process Automation and Azure Active Directory (Azure AD) to configure automatic user provisioning. When configured to do so, Azure AD automatically provisions and deprovisions users and groups to [Bizagi Studio for Digital Process Automation](https://www.bizagi.com/) by using the Azure AD provisioning service. For important details on what this service does, how it works, and frequently asked questions, see [Automate user provisioning and deprovisioning to SaaS applications with Azure Active Directory](../manage-apps/user-provisioning.md).
+This tutorial describes the steps you need to perform in both Bizagi Studio for Digital Process Automation and Azure Active Directory (Azure AD) to configure automatic user provisioning. When configured to do so, Azure AD automatically provisions and deprovisions users and groups to [Bizagi Studio for Digital Process Automation](https://www.bizagi.com/) by using the Azure AD provisioning service. For important details on what this service does, how it works, and frequently asked questions, see [Automate user provisioning and deprovisioning to SaaS applications with Azure Active Directory](../app-provisioning/user-provisioning.md).
## Capabilities supported
@@ -28,22 +28,22 @@ This tutorial describes the steps you need to perform in both Bizagi Studio for
> * Create users in Bizagi Studio for Digital Process Automation > * Remove users in Bizagi Studio for Digital Process Automation when they don't require access anymore > * Keep user attributes synchronized between Azure AD and Bizagi Studio for Digital Process Automation
-> * [Single sign-on](https://docs.microsoft.com/azure/active-directory/saas-apps/bizagi-studio-for-digital-process-automation-tutorial) to Bizagi Studio for Digital Process Automation (recommended)
+> * [Single sign-on](./bizagi-studio-for-digital-process-automation-tutorial.md) to Bizagi Studio for Digital Process Automation (recommended)
## Prerequisites The scenario outlined in this tutorial assumes that you already have the following:
-* [An Azure AD tenant](https://docs.microsoft.com/azure/active-directory/develop/quickstart-create-new-tenant).
-* A user account in Azure AD with [permission](https://docs.microsoft.com/azure/active-directory/users-groups-roles/directory-assign-admin-roles) to configure provisioning. Examples include application administrator, cloud application administrator, application owner, or global administrator.
+* [An Azure AD tenant](../develop/quickstart-create-new-tenant.md).
+* A user account in Azure AD with [permission](../roles/permissions-reference.md) to configure provisioning. Examples include application administrator, cloud application administrator, application owner, or global administrator.
* Bizagi Studio for Digital Process Automation version 11.2.4.2X or later. ## Plan your provisioning deployment Follow these steps for planning:
-1. Learn about [how the provisioning service works](https://docs.microsoft.com/azure/active-directory/manage-apps/user-provisioning).
-2. Determine who will be [in scope for provisioning](https://docs.microsoft.com/azure/active-directory/manage-apps/define-conditional-rules-for-provisioning-user-accounts).
-3. Determine what data to [map between Azure AD and Bizagi Studio for Digital Process Automation](https://docs.microsoft.com/azure/active-directory/manage-apps/customize-application-attributes).
+1. Learn about [how the provisioning service works](../app-provisioning/user-provisioning.md).
+2. Determine who will be [in scope for provisioning](../app-provisioning/define-conditional-rules-for-provisioning-user-accounts.md).
+3. Determine what data to [map between Azure AD and Bizagi Studio for Digital Process Automation](../app-provisioning/customize-application-attributes.md).
## Configure to support provisioning with Azure AD To configure Bizagi Studio for Digital Process Automation to support provisioning with Azure AD, follow these steps:
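Review bot: the Prerequisites bullet offers "application administrator, cloud application administrator, application owner, or global administrator" as interchangeable examples, and the new link goes to the full permissions reference rather than to advice on which one to pick. Suggest stating that the least-privileged role able to configure provisioning should be used, and that global administrator is not required.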
@@ -65,17 +65,17 @@ To configure Bizagi Studio for Digital Process Automation to support provisionin
## Add the application from the Azure AD gallery
-To start managing provisioning to Bizagi Studio for Digital Process Automation, add the app from the Azure AD application gallery. If you have previously set up Bizagi Studio for Digital Process Automation for single sign-on, you can use the same application. When you're initially testing the integration, however, you should create a separate app. For more information, see [Quickstart: Add an application to your Azure Active Directory (Azure AD) tenant](https://docs.microsoft.com/azure/active-directory/manage-apps/add-gallery-app).
+To start managing provisioning to Bizagi Studio for Digital Process Automation, add the app from the Azure AD application gallery. If you have previously set up Bizagi Studio for Digital Process Automation for single sign-on, you can use the same application. When you're initially testing the integration, however, you should create a separate app. For more information, see [Quickstart: Add an application to your Azure Active Directory (Azure AD) tenant](../manage-apps/add-application-portal.md).
## Define who is in scope for provisioning
-With the Azure AD provisioning service, you can scope who is provisioned based on assignment to the application, based on attributes of the user and group, or both. If you scope based on assignment, see the steps in [Assign or unassign users, and groups, for an app using the Graph API](../manage-apps/assign-user-or-group-access-portal.md) to assign users and groups to the application. If you scope based solely on attributes of the user or group, you can use a scoping filter. For more information, see [Attribute-based application provisioning with scoping filters](https://docs.microsoft.com/azure/active-directory/manage-apps/define-conditional-rules-for-provisioning-user-accounts).
+With the Azure AD provisioning service, you can scope who is provisioned based on assignment to the application, based on attributes of the user and group, or both. If you scope based on assignment, see the steps in [Assign or unassign users, and groups, for an app using the Graph API](../manage-apps/assign-user-or-group-access-portal.md) to assign users and groups to the application. If you scope based solely on attributes of the user or group, you can use a scoping filter. For more information, see [Attribute-based application provisioning with scoping filters](../app-provisioning/define-conditional-rules-for-provisioning-user-accounts.md).
Note the following points about scoping:
-* When you're assigning users and groups to Bizagi Studio for Digital Process Automation, you must select a role other than **Default Access**. Users with the default access role are excluded from provisioning, and are marked in the provisioning logs as will be marked as not effectively entitled. If the only role available on the application is the default access role, you can [update the application manifest](https://docs.microsoft.com/azure/active-directory/develop/howto-add-app-roles-in-azure-ad-apps) to add more roles.
+* When you're assigning users and groups to Bizagi Studio for Digital Process Automation, you must select a role other than **Default Access**. Users with the default access role are excluded from provisioning, and are marked in the provisioning logs as will be marked as not effectively entitled. If the only role available on the application is the default access role, you can [update the application manifest](../develop/howto-add-app-roles-in-azure-ad-apps.md) to add more roles.
-* Start small. Test with a small set of users and groups before rolling out to everyone. When the scope for provisioning is set to assigned users and groups, you can control this by assigning one or two users or groups to the app. When the scope is set to all users and groups, you can specify an [attribute-based scoping filter](https://docs.microsoft.com/azure/active-directory/manage-apps/define-conditional-rules-for-provisioning-user-accounts).
+* Start small. Test with a small set of users and groups before rolling out to everyone. When the scope for provisioning is set to assigned users and groups, you can control this by assigning one or two users or groups to the app. When the scope is set to all users and groups, you can specify an [attribute-based scoping filter](../app-provisioning/define-conditional-rules-for-provisioning-user-accounts.md).
## Configure automatic user provisioning
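Review bot: In the first scoping bullet, the added line still reads "are marked in the provisioning logs as will be marked as not effectively entitled", which repeats the verb. Since the line is already being touched for its link, tighten it to "are marked in the provisioning logs as not effectively entitled". In the paragraph above it, the link text "Assign or unassign users, and groups, for an app using the Graph API" points at assign-user-or-group-access-portal.md, so the text and the target should be reconciled.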
@@ -117,7 +117,7 @@ This section guides you through the steps to configure the Azure AD provisioning
8. In the **Mappings** section, select **Synchronize Azure Active Directory Users to Bizagi Studio for Digital Process Automation**.
-9. In the **Attribute-Mapping** section, review the user attributes that are synchronized from Azure AD to Bizagi Studio for Digital Process Automation. The attributes selected as **Matching** properties are used to match the user accounts in Bizagi Studio for Digital Process Automation for update operations. If you change the [matching target attribute](https://docs.microsoft.com/azure/active-directory/manage-apps/customize-application-attributes), you must ensure that the Bizagi Studio for Digital Process Automation API supports filtering users based on that attribute. Select **Save** to commit any changes.
+9. In the **Attribute-Mapping** section, review the user attributes that are synchronized from Azure AD to Bizagi Studio for Digital Process Automation. The attributes selected as **Matching** properties are used to match the user accounts in Bizagi Studio for Digital Process Automation for update operations. If you change the [matching target attribute](../app-provisioning/customize-application-attributes.md), you must ensure that the Bizagi Studio for Digital Process Automation API supports filtering users based on that attribute. Select **Save** to commit any changes.
|Attribute|Type|Supported for filtering| |---|---|---|
@@ -133,12 +133,12 @@ This section guides you through the steps to configure the Azure AD provisioning
![Edit attribute list.](media/bizagi-studio-for-digital-process-automation-provisioning-tutorial/edit.png)
- More information on how to add custom attributes can be found in [Customize Application Attributes](https://docs.microsoft.com/azure/active-directory/manage-apps/customize-application-attributes).
+ More information on how to add custom attributes can be found in [Customize Application Attributes](../app-provisioning/customize-application-attributes.md).
> [!NOTE] > Only basic type properties are supported (for example, String, Integer, Boolean, DateTime, etc). The properties linked to parametric tables or multiple types are not supported yet.
-10. To configure scoping filters, see the [Scoping filter tutorial](../manage-apps/define-conditional-rules-for-provisioning-user-accounts.md).
+10. To configure scoping filters, see the [Scoping filter tutorial](../app-provisioning/define-conditional-rules-for-provisioning-user-accounts.md).
11. To enable the Azure AD provisioning service for Bizagi Studio for Digital Process Automation, in the **Settings** section, change the **Provisioning Status** to **On**.
@@ -157,15 +157,15 @@ This operation starts the initial synchronization cycle of all users and groups
## Monitor your deployment After you've configured provisioning, use the following resources to monitor your deployment: -- Use the [provisioning logs](https://docs.microsoft.com/azure/active-directory/reports-monitoring/concept-provisioning-logs) to determine which users have been provisioned successfully or unsuccessfully.-- Check the [progress bar](https://docs.microsoft.com/azure/active-directory/app-provisioning/application-provisioning-when-will-provisioning-finish-specific-user) to see the status of the provisioning cycle, and how close it is to completion.-- If the provisioning configuration is in an unhealthy state, the application will go into quarantine. For more information, see [Application provisioning in quarantine status](https://docs.microsoft.com/azure/active-directory/manage-apps/application-provisioning-quarantine-status).
+- Use the [provisioning logs](../reports-monitoring/concept-provisioning-logs.md) to determine which users have been provisioned successfully or unsuccessfully.
+- Check the [progress bar](../app-provisioning/application-provisioning-when-will-provisioning-finish-specific-user.md) to see the status of the provisioning cycle, and how close it is to completion.
+- If the provisioning configuration is in an unhealthy state, the application will go into quarantine. For more information, see [Application provisioning in quarantine status](../app-provisioning/application-provisioning-quarantine-status.md).
## Additional resources
-* [Managing user account provisioning for Enterprise Apps](../manage-apps/configure-automatic-user-provisioning-portal.md)
+* [Managing user account provisioning for Enterprise Apps](../app-provisioning/configure-automatic-user-provisioning-portal.md)
* [What is application access and single sign-on with Azure Active Directory?](../manage-apps/what-is-single-sign-on.md) ## Next steps
-* [Learn how to review logs and get reports on provisioning activity](../manage-apps/check-status-user-account-provisioning.md)
+* [Learn how to review logs and get reports on provisioning activity](../app-provisioning/check-status-user-account-provisioning.md)
\ No newline at end of file
active-directory https://docs.microsoft.com/en-us/azure/active-directory/saas-apps/blink-provisioning-tutorial https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/active-directory/saas-apps/blink-provisioning-tutorial.md
@@ -151,9 +151,9 @@ For more information on how to read the Azure AD provisioning logs, see [Reporti
## Step 6. Monitor your deployment Once you've configured provisioning, use the following resources to monitor your deployment:
-* Use the [provisioning logs](https://docs.microsoft.com/azure/active-directory/reports-monitoring/concept-provisioning-logs) to determine which users have been provisioned successfully or unsuccessfully
-* Check the [progress bar](https://docs.microsoft.com/azure/active-directory/app-provisioning/application-provisioning-when-will-provisioning-finish-specific-user) to see the status of the provisioning cycle and how close it is to completion
-* If the provisioning configuration seems to be in an unhealthy state, the application will go into quarantine. Learn more about quarantine states [here](https://docs.microsoft.com/azure/active-directory/manage-apps/application-provisioning-quarantine-status).
+* Use the [provisioning logs](../reports-monitoring/concept-provisioning-logs.md) to determine which users have been provisioned successfully or unsuccessfully
+* Check the [progress bar](../app-provisioning/application-provisioning-when-will-provisioning-finish-specific-user.md) to see the status of the provisioning cycle and how close it is to completion
+* If the provisioning configuration seems to be in an unhealthy state, the application will go into quarantine. Learn more about quarantine states [here](../app-provisioning/application-provisioning-quarantine-status.md).
## Change log
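Review bot: The third bullet keeps "here" as the link text for the quarantine article. Descriptive text such as "Application provisioning in quarantine status", which the Bizagi tutorial in this same batch uses, reads better out of context and for screen readers. The first two bullets also lack the terminal period that the third one has.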
@@ -162,9 +162,9 @@ Once you've configured provisioning, use the following resources to monitor your
## Additional resources
-* [Managing user account provisioning for Enterprise Apps](../manage-apps/configure-automatic-user-provisioning-portal.md)
+* [Managing user account provisioning for Enterprise Apps](../app-provisioning/configure-automatic-user-provisioning-portal.md)
* [What is application access and single sign-on with Azure Active Directory?](../manage-apps/what-is-single-sign-on.md) ## Next steps
-* [Learn how to review logs and get reports on provisioning activity](../manage-apps/check-status-user-account-provisioning.md)
+* [Learn how to review logs and get reports on provisioning activity](../app-provisioning/check-status-user-account-provisioning.md)
\ No newline at end of file
active-directory https://docs.microsoft.com/en-us/azure/active-directory/saas-apps/bluejeans-provisioning-tutorial https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/active-directory/saas-apps/bluejeans-provisioning-tutorial.md
@@ -86,49 +86,51 @@ This section guides you through the steps to configure the Azure AD provisioning
3. Select the **Provisioning** tab.
- ![Screenshot of the BlueJeans Enterprise Application sidebar with the Provisioning option highlighted and called out.](./media/bluejeans-provisioning-tutorial/BluejeansProvisioningTab.png)
+ ![Provisioning tab](common/provisioning.png)
4. Set the **Provisioning Mode** to **Automatic**.
- ![Screenshot of the Provisioning page with the provisioning Mode and Admin Credentials sections called out.](./media/bluejeans-provisioning-tutorial/Bluejeans1.png)
+ ![Provisioning tab automatic](common/provisioning-automatic.png)
-5. Under the **Admin Credentials** section, input the **Admin Username**, and **Admin Password** of your BlueJeans account. Examples of these values are:
+5. Under the **Admin Credentials** section, input your BlueJeans Tenant URL and Secret Token. Click **Test Connection** to ensure Azure AD can connect to BlueJeans. If the connection fails, ensure your BlueJeans account has Admin permissions and try again.
- * In the **Admin Username** field, populate the username of the admin account on your BlueJeans tenant. Example: admin@contoso.com.
+ ![Token](common/provisioning-testconnection-tenanturltoken.png)
- * In the **Admin Password** field, populate the password corresponding to the admin username.
-6. Upon populating the fields shown in Step 5, click **Test Connection** to ensure Azure AD can connect to BlueJeans. If the connection fails, ensure your BlueJeans account has Admin permissions and try again.
+6. In the **Notification Email** field, enter the email address of a person or group who should receive the provisioning error notifications and check the checkbox - **Send an email notification when a failure occurs**.
- ![Screenshot of the Admin Credentials section with the Test Connection option called out.](./media/bluejeans-provisioning-tutorial/BluejeansTestConnection.png)
+ ![Notification Email](common/provisioning-notification-email.png)
-7. In the **Notification Email** field, enter the email address of a person or group who should receive the provisioning error notifications and check the checkbox - **Send an email notification when a failure occurs**.
+7. Click **Save**.
- ![Screenshot of the Notification Email text box.](./media/bluejeans-provisioning-tutorial/BluejeansNotificationEmail.png)
+8. Under the **Mappings** section, select **Synchronize Azure Active Directory Users to BlueJeans**.
-8. Click **Save**.
+9. Review the user attributes that are synchronized from Azure AD to BlueJeans in the **Attribute Mapping** section. The attributes selected as **Matching** properties are used to match the user accounts in BlueJeans for update operations. Select the **Save** button to commit any changes.
-9. Under the **Mappings** section, select **Synchronize Azure Active Directory Users to BlueJeans**.
+|Attribute|Type|Supported for filtering|
+|---|---|---|
+|userName|String|&check;|
+|active|Boolean|
+|title|String|
+|emails[type eq "work"].value|String|
+|name.givenName|String|
+|name.familyName|String|
+|phoneNumbers[type eq "work"].value|String|
+|urn:ietf:params:scim:schemas:extension:enterprise:2.0:User:manager|String|
- ![Screenshot of the Mappings section with the Synchronize Azure Active Directory Users to BlueJeans option highlighted.](./media/bluejeans-provisioning-tutorial/BluejeansMapping.png)
+10. To configure scoping filters, refer to the following instructions provided in the [Scoping filter tutorial](../app-provisioning/define-conditional-rules-for-provisioning-user-accounts.md).
-10. Review the user attributes that are synchronized from Azure AD to BlueJeans in the **Attribute Mapping** section. The attributes selected as **Matching** properties are used to match the user accounts in BlueJeans for update operations. Select the **Save** button to commit any changes.
+11. To enable the Azure AD provisioning service for BlueJeans, change the **Provisioning Status** to **On** in the **Settings** section.
- ![Screenshot of the Attribute Mappings section with seven mappings displayed.](./media/bluejeans-provisioning-tutorial/BluejeansUserMappingAtrributes.png)
+ ![Provisioning Status Toggled On](common/provisioning-toggle-on.png)
-11. To configure scoping filters, refer to the following instructions provided in the [Scoping filter tutorial](../app-provisioning/define-conditional-rules-for-provisioning-user-accounts.md).
+12. Define the users and/or groups that you would like to provision to BlueJeans by choosing the desired values in **Scope** in the **Settings** section.
-12. To enable the Azure AD provisioning service for BlueJeans, change the **Provisioning Status** to **On** in the **Settings** section.
+ ![Provisioning Scope](common/provisioning-scope.png)
- ![Screenshot of the Settings section with the Provisioning Status option set to On.](./media/bluejeans-provisioning-tutorial/BluejeansProvisioningStatus.png)
+13. When you are ready to provision, click **Save**.
-13. Define the users and/or groups that you would like to provision to BlueJeans by choosing the desired values in **Scope** in the **Settings** section.
-
- ![Screenshot of the Scope setting with the Sync only assigned users and groups option highlighted.](./media/bluejeans-provisioning-tutorial/UserGroupSelection.png)
-
-14. When you are ready to provision, click **Save**.
-
- ![Screenshot of the BlueJeans Enterprise Application sidebar with the Save option called out.](./media/bluejeans-provisioning-tutorial/SaveProvisioning.png)
+ ![Saving Provisioning Configuration](common/provisioning-configuration-save.png)
This operation starts the initial synchronization of all users and/or groups defined in **Scope** in the **Settings** section. The initial sync takes longer to perform than subsequent syncs, which occur approximately every 40 minutes as long as the Azure AD provisioning service is running. You can use the **Synchronization Details** section to monitor progress and follow links to provisioning activity report, which describes all actions performed by the Azure AD provisioning service on BlueJeans.
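Review bot: Step 5 now asks for a BlueJeans Tenant URL and Secret Token but never says where an admin obtains either value, and the removed username example has no replacement. Add a sentence saying where the token is generated in BlueJeans and that it should be handled as a credential. The attribute table under step 9 is also not indented with its list item, and every row after `userName` has two cells against a three-column header. Indent the table and close the empty third cell (for example `|active|Boolean||`) so that both the list numbering and the table render.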
@@ -136,7 +138,7 @@ For more information on how to read the Azure AD provisioning logs, see [Reporti
## Connector Limitations
-* Bluejeans does not allow usernames that exceed 30 characters.
+* Bluejeans does not allow userNames that exceed 30 characters.
## Additional resources
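Review bot: The reworded limitation spells the product "Bluejeans" while the rest of the article uses "BlueJeans", and "userNames" pluralises the attribute name from the mapping table. Write it as "BlueJeans does not allow `userName` values that exceed 30 characters", and state what an admin will see in the provisioning logs when a longer value is sent.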
active-directory https://docs.microsoft.com/en-us/azure/active-directory/saas-apps/bomgarremotesupport-tutorial https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/active-directory/saas-apps/bomgarremotesupport-tutorial.md
@@ -188,8 +188,8 @@ In this section, you test your Azure AD single sign-on configuration with follow
* Go to BeyondTrust Remote Support Sign-on URL directly and initiate the login flow from there.
-* You can use Microsoft My Apps. When you click the BeyondTrust Remote Support tile in the My Apps, this will redirect to BeyondTrust Remote Support Sign-on URL. For more information about the My Apps, see [Introduction to the My Apps](https://docs.microsoft.com/azure/active-directory/active-directory-saas-access-panel-introduction).
+* You can use Microsoft My Apps. When you click the BeyondTrust Remote Support tile in the My Apps, this will redirect to BeyondTrust Remote Support Sign-on URL. For more information about the My Apps, see [Introduction to the My Apps](../user-help/my-apps-portal-end-user-access.md).
## Next steps
-Once you configure the BeyondTrust Remote Support you can enforce session controls, which protects exfiltration and infiltration of your organizationΓÇÖs sensitive data in real time. Session controls extends from Conditional Access. [Learn how to enforce session control with Microsoft Cloud App Security](https://docs.microsoft.com/cloud-app-security/proxy-deployment-aad)
+Once you configure the BeyondTrust Remote Support you can enforce session controls, which protects exfiltration and infiltration of your organizationΓÇÖs sensitive data in real time. Session controls extends from Conditional Access. [Learn how to enforce session control with Microsoft Cloud App Security](/cloud-app-security/proxy-deployment-aad)
\ No newline at end of file
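Review bot: The "Next steps" sentence is edited only for its link, which leaves "protects exfiltration and infiltration" and "Session controls extends" as they were. "Protects against exfiltration and infiltration" and "Session controls extend" would fix both while the line is open. The apostrophe in the word "organization's" appears as "ΓÇÖ" in this view, so a plain ASCII apostrophe in the source would sidestep the encoding issue.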
active-directory https://docs.microsoft.com/en-us/azure/active-directory/saas-apps/box-tutorial https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/active-directory/saas-apps/box-tutorial.md
@@ -150,9 +150,9 @@ In this section, you test your Azure AD single sign-on configuration with follow
* Go to Box Sign-on URL directly and initiate the login flow from there.
-* You can use Microsoft My Apps. When you click the Box tile in the My Apps, this will redirect to Box Sign-on URL. For more information about the My Apps, see [Introduction to the My Apps](https://docs.microsoft.com/azure/active-directory/active-directory-saas-access-panel-introduction).
+* You can use Microsoft My Apps. When you click the Box tile in the My Apps, this will redirect to Box Sign-on URL. For more information about the My Apps, see [Introduction to the My Apps](../user-help/my-apps-portal-end-user-access.md).
## Next steps
-Once you configure Box you can enforce Session Control, which protects exfiltration and infiltration of your organizationΓÇÖs sensitive data in real time. Session Control extends from Conditional Access. [Learn how to enforce session control with Microsoft Cloud App Security](/cloud-app-security/proxy-deployment-aad)
+Once you configure Box you can enforce Session Control, which protects exfiltration and infiltration of your organizationΓÇÖs sensitive data in real time. Session Control extends from Conditional Access. [Learn how to enforce session control with Microsoft Cloud App Security](/cloud-app-security/proxy-deployment-aad)
\ No newline at end of file
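Review bot: The removed and added "Next steps" lines read identically here, and the added one is followed by "\ No newline at end of file", so the only difference visible on that line is the missing final newline. End the file with a newline so the last line does not show up as changed in later diffs.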
active-directory https://docs.microsoft.com/en-us/azure/active-directory/saas-apps/bridgelineunbound-tutorial https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/active-directory/saas-apps/bridgelineunbound-tutorial.md
@@ -140,9 +140,9 @@ In this section, you test your Azure AD single sign-on configuration with follow
* Click on **Test this application** in Azure portal and you should be automatically signed in to the Bridgeline Unbound for which you set up the SSO
-You can also use Microsoft My Apps to test the application in any mode. When you click the Bridgeline Unbound tile in the My Apps, if configured in SP mode you would be redirected to the application sign on page for initiating the login flow and if configured in IDP mode, you should be automatically signed in to the Bridgeline Unbound for which you set up the SSO. For more information about the My Apps, see [Introduction to the My Apps](https://docs.microsoft.com/azure/active-directory/active-directory-saas-access-panel-introduction).
+You can also use Microsoft My Apps to test the application in any mode. When you click the Bridgeline Unbound tile in the My Apps, if configured in SP mode you would be redirected to the application sign on page for initiating the login flow and if configured in IDP mode, you should be automatically signed in to the Bridgeline Unbound for which you set up the SSO. For more information about the My Apps, see [Introduction to the My Apps](../user-help/my-apps-portal-end-user-access.md).
## Next steps
-Once you configure Bridgeline Unbound you can enforce session control, which protects exfiltration and infiltration of your organizationΓÇÖs sensitive data in real time. Session control extends from Conditional Access. [Learn how to enforce session control with Microsoft Cloud App Security](https://docs.microsoft.com/cloud-app-security/proxy-deployment-any-app).
\ No newline at end of file
+Once you configure Bridgeline Unbound you can enforce session control, which protects exfiltration and infiltration of your organizationΓÇÖs sensitive data in real time. Session control extends from Conditional Access. [Learn how to enforce session control with Microsoft Cloud App Security](/cloud-app-security/proxy-deployment-any-app).
\ No newline at end of file
active-directory https://docs.microsoft.com/en-us/azure/active-directory/saas-apps/burp-suite-enterprise-edition-tutorial https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/active-directory/saas-apps/burp-suite-enterprise-edition-tutorial.md
@@ -142,9 +142,9 @@ In this section, you test your Azure AD single sign-on configuration with follow
* Click on Test this application in Azure portal and you should be automatically signed in to the Burp Suite Enterprise Edition for which you set up the SSO
-* You can use Microsoft My Apps. When you click the Burp Suite Enterprise Edition tile in the My Apps, you should be automatically signed in to the Burp Suite Enterprise Edition for which you set up the SSO. For more information about the My Apps, see [Introduction to the My Apps](https://docs.microsoft.com/azure/active-directory/active-directory-saas-access-panel-introduction).
+* You can use Microsoft My Apps. When you click the Burp Suite Enterprise Edition tile in the My Apps, you should be automatically signed in to the Burp Suite Enterprise Edition for which you set up the SSO. For more information about the My Apps, see [Introduction to the My Apps](../user-help/my-apps-portal-end-user-access.md).
## Next steps
-Once you configure Burp Suite Enterprise Edition you can enforce session control, which protects exfiltration and infiltration of your organizationΓÇÖs sensitive data in real time. Session control extends from Conditional Access. [Learn how to enforce session control with Microsoft Cloud App Security](https://docs.microsoft.com/cloud-app-security/proxy-deployment-any-app).
+Once you configure Burp Suite Enterprise Edition you can enforce session control, which protects exfiltration and infiltration of your organizationΓÇÖs sensitive data in real time. Session control extends from Conditional Access. [Learn how to enforce session control with Microsoft Cloud App Security](/cloud-app-security/proxy-deployment-any-app).
\ No newline at end of file
active-directory https://docs.microsoft.com/en-us/azure/active-directory/saas-apps/bynder-tutorial https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/active-directory/saas-apps/bynder-tutorial.md
@@ -159,9 +159,9 @@ In this section, you test your Azure AD single sign-on configuration with follow
* Click on **Test this application** in Azure portal and you should be automatically signed in to the Bynder for which you set up the SSO
-You can also use Microsoft My Apps to test the application in any mode. When you click the Bynder tile in the My Apps, if configured in SP mode you would be redirected to the application sign on page for initiating the login flow and if configured in IDP mode, you should be automatically signed in to the Bynder for which you set up the SSO. For more information about the My Apps, see [Introduction to the My Apps](https://docs.microsoft.com/azure/active-directory/active-directory-saas-access-panel-introduction).
+You can also use Microsoft My Apps to test the application in any mode. When you click the Bynder tile in the My Apps, if configured in SP mode you would be redirected to the application sign on page for initiating the login flow and if configured in IDP mode, you should be automatically signed in to the Bynder for which you set up the SSO. For more information about the My Apps, see [Introduction to the My Apps](../user-help/my-apps-portal-end-user-access.md).
## Next steps
-Once you configure Bynder you can enforce session control, which protects exfiltration and infiltration of your organizationΓÇÖs sensitive data in real time. Session control extends from Conditional Access. [Learn how to enforce session control with Microsoft Cloud App Security](https://docs.microsoft.com/cloud-app-security/proxy-deployment-any-app).
\ No newline at end of file
+Once you configure Bynder you can enforce session control, which protects exfiltration and infiltration of your organizationΓÇÖs sensitive data in real time. Session control extends from Conditional Access. [Learn how to enforce session control with Microsoft Cloud App Security](/cloud-app-security/proxy-deployment-any-app).
\ No newline at end of file
active-directory https://docs.microsoft.com/en-us/azure/active-directory/saas-apps/catchpoint-tutorial https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/active-directory/saas-apps/catchpoint-tutorial.md
@@ -96,7 +96,7 @@ Follow these steps in the Azure portal to enable Azure AD SSO:
| namespace | user.assignedrole | > [!NOTE]
- > The `namespace` claim needs to be mapped with the account name. This account name should be set up with a role in Azure AD to be passed back in SAML response. For more information about roles in Azure AD, see [Configure the role claim issued in the SAML token for enterprise applications](https://docs.microsoft.com/azure/active-directory/develop/howto-add-app-roles-in-azure-ad-apps#app-roles-ui).
+ > The `namespace` claim needs to be mapped with the account name. This account name should be set up with a role in Azure AD to be passed back in SAML response. For more information about roles in Azure AD, see [Configure the role claim issued in the SAML token for enterprise applications](../develop/howto-add-app-roles-in-azure-ad-apps.md#app-roles-ui--preview).
1. Go to the **Set Up Single Sign-On with SAML** page. In the **SAML Signing Certificate** section, find **Certificate (Base64)**. Select **Download** to save the certificate to your computer.
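Review bot: The new link in the `namespace` note targets the fragment `#app-roles-ui--preview`, which is tied to a heading carrying a preview label and stops resolving if that heading is renamed. Link to the article without the fragment, or to an anchor that does not include the preview suffix. The link text "Configure the role claim issued in the SAML token for enterprise applications" also does not match the target file howto-add-app-roles-in-azure-ad-apps.md.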
@@ -171,7 +171,7 @@ In this section, you test your Azure AD single sign-on configuration with follow
* Click on **Test this application** in Azure portal and you should be automatically signed in to the Catchpoint for which you set up the SSO
-You can also use Microsoft My Apps to test the application in any mode. When you click the Catchpoint tile in the My Apps, if configured in SP mode you would be redirected to the application sign on page for initiating the login flow and if configured in IDP mode, you should be automatically signed in to the Catchpoint for which you set up the SSO. For more information about the My Apps, see [Introduction to the My Apps](https://docs.microsoft.com/azure/active-directory/active-directory-saas-access-panel-introduction).
+You can also use Microsoft My Apps to test the application in any mode. When you click the Catchpoint tile in the My Apps, if configured in SP mode you would be redirected to the application sign on page for initiating the login flow and if configured in IDP mode, you should be automatically signed in to the Catchpoint for which you set up the SSO. For more information about the My Apps, see [Introduction to the My Apps](../user-help/my-apps-portal-end-user-access.md).
> [!NOTE]
active-directory https://docs.microsoft.com/en-us/azure/active-directory/saas-apps/cequence-application-security-tutorial https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/active-directory/saas-apps/cequence-application-security-tutorial.md
@@ -137,11 +137,9 @@ In this section, you test your Azure AD single sign-on configuration with follow
2. Go to Cequence Application Security Platform Sign-on URL directly and initiate the login flow from there.
-3. You can use Microsoft Access Panel. When you click the Cequence Application Security Platform tile in the Access Panel, this will redirect to Cequence Application Security Platform Sign-on URL. For more information about the Access Panel, see [Introduction to the Access Panel](https://docs.microsoft.com/azure/active-directory/active-directory-saas-access-panel-introduction).
+3. You can use Microsoft Access Panel. When you click the Cequence Application Security Platform tile in the Access Panel, this will redirect to Cequence Application Security Platform Sign-on URL. For more information about the Access Panel, see [Introduction to the Access Panel](../user-help/my-apps-portal-end-user-access.md).
## Next steps
-Once you configure Cequence Application Security Platform you can enforce session control, which protects exfiltration and infiltration of your organizationΓÇÖs sensitive data in real time. Session control extends from Conditional Access. [Learn how to enforce session control with Microsoft Cloud App Security](https://docs.microsoft.com/cloud-app-security/proxy-deployment-any-app).
--
+Once you configure Cequence Application Security Platform you can enforce session control, which protects exfiltration and infiltration of your organizationΓÇÖs sensitive data in real time. Session control extends from Conditional Access. [Learn how to enforce session control with Microsoft Cloud App Security](/cloud-app-security/proxy-deployment-any-app).
\ No newline at end of file
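Review bot: Step 3 still says "Microsoft Access Panel" and "Introduction to the Access Panel" although the link now goes to my-apps-portal-end-user-access.md and the other tutorials in this batch call the portal "My Apps". Update the product name in the step and in the link text so they match the target.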
active-directory https://docs.microsoft.com/en-us/azure/active-directory/saas-apps/certent-equity-management-tutorial https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/active-directory/saas-apps/certent-equity-management-tutorial.md
@@ -93,7 +93,7 @@ Follow these steps to enable Azure AD SSO in the Azure portal.
| ROLE | user.assignedroles | > [!NOTE]
- > Please click [here](https://docs.microsoft.com/azure/active-directory/develop/howto-add-app-roles-in-azure-ad-apps#app-roles-ui) to know how to configure **Role** in Azure AD.
+ > Please click [here](../develop/howto-add-app-roles-in-azure-ad-apps.md#app-roles-ui--preview) to know how to configure **Role** in Azure AD.
1. On the **Set up single sign-on with SAML** page, in the **SAML Signing Certificate** section, find **Federation Metadata XML** and select **Download** to download the certificate and save it on your computer.
@@ -141,9 +141,9 @@ In this section, you test your Azure AD single sign-on configuration with follow
* Click on Test this application in Azure portal and you should be automatically signed in to the Certent Equity Management for which you set up the SSO
-* You can use Microsoft My Apps. When you click the Certent Equity Management tile in the My Apps, you should be automatically signed in to the Certent Equity Management for which you set up the SSO. For more information about the My Apps, see [Introduction to the My Apps](https://docs.microsoft.com/azure/active-directory/active-directory-saas-access-panel-introduction).
+* You can use Microsoft My Apps. When you click the Certent Equity Management tile in the My Apps, you should be automatically signed in to the Certent Equity Management for which you set up the SSO. For more information about the My Apps, see [Introduction to the My Apps](../user-help/my-apps-portal-end-user-access.md).
## Next steps
-Once you configure Certent Equity Management you can enforce session control, which protects exfiltration and infiltration of your organizationΓÇÖs sensitive data in real time. Session control extends from Conditional Access. [Learn how to enforce session control with Microsoft Cloud App Security](https://docs.microsoft.com/cloud-app-security/proxy-deployment-any-app).
+Once you configure Certent Equity Management you can enforce session control, which protects exfiltration and infiltration of your organizationΓÇÖs sensitive data in real time. Session control extends from Conditional Access. [Learn how to enforce session control with Microsoft Cloud App Security](/cloud-app-security/proxy-deployment-any-app).
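Review bot: The added "Next steps" sentence still reads "session control, which protects exfiltration and infiltration of" sensitive data, which says the opposite of what is meant. Since the line is already being rewritten for the link change, make it "protects against exfiltration and infiltration". In the same hunk, the first bullet's "Test this application" is a UI label and should be bold, and that bullet is missing its closing period.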
active-directory https://docs.microsoft.com/en-us/azure/active-directory/saas-apps/citrix-netscaler-tutorial https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/active-directory/saas-apps/citrix-netscaler-tutorial.md
@@ -438,7 +438,7 @@ In this section, you test your Azure AD single sign-on configuration with follow
* Go to Citrix ADC Sign-on URL directly and initiate the login flow from there.
-* You can use Microsoft My Apps. When you click the Citrix ADC tile in the My Apps, this will redirect to Citrix ADC Sign-on URL. For more information about the My Apps, see [Introduction to the My Apps](https://docs.microsoft.com/azure/active-directory/active-directory-saas-access-panel-introduction).
+* You can use Microsoft My Apps. When you click the Citrix ADC tile in the My Apps, this will redirect to Citrix ADC Sign-on URL. For more information about the My Apps, see [Introduction to the My Apps](../user-help/my-apps-portal-end-user-access.md).
## Next steps
active-directory https://docs.microsoft.com/en-us/azure/active-directory/saas-apps/clever-tutorial https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/active-directory/saas-apps/clever-tutorial.md
@@ -135,7 +135,7 @@ In this section, you test your Azure AD single sign-on configuration with follow
* Go to Clever Sign-on URL directly and initiate the login flow from there.
-* You can use Microsoft My Apps. When you click the Clever tile in the My Apps, this will redirect to Clever Sign-on URL. For more information about the My Apps, see [Introduction to the My Apps](https://docs.microsoft.com/azure/active-directory/active-directory-saas-access-panel-introduction).
+* You can use Microsoft My Apps. When you click the Clever tile in the My Apps, this will redirect to Clever Sign-on URL. For more information about the My Apps, see [Introduction to the My Apps](../user-help/my-apps-portal-end-user-access.md).
## Next steps
active-directory https://docs.microsoft.com/en-us/azure/active-directory/saas-apps/cloud-academy-sso-tutorial https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/active-directory/saas-apps/cloud-academy-sso-tutorial.md
@@ -156,9 +156,9 @@ In this section, you test your Azure AD single sign-on configuration with follow
* Go to Cloud Academy - SSO Sign-on URL directly and initiate the login flow from there.
-* You can use Microsoft My Apps. When you click the Cloud Academy - SSO tile in the My Apps, this will redirect to Cloud Academy - SSO Sign-on URL. For more information about the My Apps, see [Introduction to the My Apps](https://docs.microsoft.com/azure/active-directory/active-directory-saas-access-panel-introduction).
+* You can use Microsoft My Apps. When you click the Cloud Academy - SSO tile in the My Apps, this will redirect to Cloud Academy - SSO Sign-on URL. For more information about the My Apps, see [Introduction to the My Apps](../user-help/my-apps-portal-end-user-access.md).
## Next steps
-Once you configure Cloud Academy - SSO you can enforce session control, which protects exfiltration and infiltration of your organizationΓÇÖs sensitive data in real time. Session control extends from Conditional Access. [Learn how to enforce session control with Microsoft Cloud App Security](https://docs.microsoft.com/cloud-app-security/proxy-deployment-any-app).
\ No newline at end of file
+Once you configure Cloud Academy - SSO you can enforce session control, which protects exfiltration and infiltration of your organizationΓÇÖs sensitive data in real time. Session control extends from Conditional Access. [Learn how to enforce session control with Microsoft Cloud App Security](/cloud-app-security/proxy-deployment-any-app).
\ No newline at end of file
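Review bot: Both the removed and the added "Once you configure Cloud Academy - SSO" lines are followed by "\ No newline at end of file", so the file still ends without a trailing newline after this change. The last line is being rewritten anyway, so add the final newline here and keep later link-only edits from producing whole-line end-of-file churn.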
active-directory https://docs.microsoft.com/en-us/azure/active-directory/saas-apps/colortokens-ztna-tutorial https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/active-directory/saas-apps/colortokens-ztna-tutorial.md
@@ -88,7 +88,7 @@ Follow these steps to enable Azure AD SSO in the Azure portal.
| Group | user.groups | > [!NOTE]
- > Click [here](https://docs.microsoft.com/azure/active-directory/develop/howto-add-app-roles-in-azure-ad-apps#app-roles-ui) to know how to create roles in Azure AD.
+ > Click [here](../develop/howto-add-app-roles-in-azure-ad-apps.md#app-roles-ui--preview) to know how to create roles in Azure AD.
1. On the **Set up single sign-on with SAML** page, in the **SAML Signing Certificate** section, find **Federation Metadata XML** and select **Download** to download the certificate and save it on your computer.
@@ -138,9 +138,9 @@ In this section, you test your Azure AD single sign-on configuration with follow
* Go to ColorTokens ZTNA Sign-on URL directly and initiate the login flow from there.
-* You can use Microsoft My Apps. When you click the ColorTokens ZTNA tile in the My Apps, this will redirect to ColorTokens ZTNA Sign-on URL. For more information about the My Apps, see [Introduction to the My Apps](https://docs.microsoft.com/azure/active-directory/active-directory-saas-access-panel-introduction).
+* You can use Microsoft My Apps. When you click the ColorTokens ZTNA tile in the My Apps, this will redirect to ColorTokens ZTNA Sign-on URL. For more information about the My Apps, see [Introduction to the My Apps](../user-help/my-apps-portal-end-user-access.md).
## Next steps
-Once you configure ColorTokens ZTNA you can enforce session control, which protects exfiltration and infiltration of your organizationΓÇÖs sensitive data in real time. Session control extends from Conditional Access. [Learn how to enforce session control with Microsoft Cloud App Security](/cloud-app-security/proxy-deployment-any-app).
\ No newline at end of file
+Once you configure ColorTokens ZTNA you can enforce session control, which protects exfiltration and infiltration of your organizationΓÇÖs sensitive data in real time. Session control extends from Conditional Access. [Learn how to enforce session control with Microsoft Cloud App Security](/cloud-app-security/proxy-deployment-any-app).
active-directory https://docs.microsoft.com/en-us/azure/active-directory/saas-apps/concur-travel-and-expense-tutorial https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/active-directory/saas-apps/concur-travel-and-expense-tutorial.md
@@ -162,7 +162,7 @@ In this section, you test your Azure AD single sign-on configuration with follow
* Click on **Test this application** in Azure portal and you should be automatically signed in to the Concur Travel and Expense for which you set up the SSO
-You can also use Microsoft My Apps to test the application in any mode. When you click the Concur Travel and Expense tile in the My Apps, if configured in SP mode you would be redirected to the application sign on page for initiating the login flow and if configured in IDP mode, you should be automatically signed in to the Concur Travel and Expense for which you set up the SSO. For more information about the My Apps, see [Introduction to the My Apps](https://docs.microsoft.com/azure/active-directory/active-directory-saas-access-panel-introduction).
+You can also use Microsoft My Apps to test the application in any mode. When you click the Concur Travel and Expense tile in the My Apps, if configured in SP mode you would be redirected to the application sign on page for initiating the login flow and if configured in IDP mode, you should be automatically signed in to the Concur Travel and Expense for which you set up the SSO. For more information about the My Apps, see [Introduction to the My Apps](../user-help/my-apps-portal-end-user-access.md).
## Next steps
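Review bot: The added "You can also use Microsoft My Apps to test the application in any mode" paragraph packs the SP-mode and IDP-mode outcomes into a single sentence joined by "and if", which makes it hard to see which result belongs to which mode. Split it into two bullets, one for SP mode (redirect to the application sign-on page) and one for IDP mode (automatic sign-in), and use "IdP" and "sign-on" consistently. "the My Apps" should be "My Apps".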
active-directory https://docs.microsoft.com/en-us/azure/active-directory/saas-apps/concur-tutorial https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/active-directory/saas-apps/concur-tutorial.md
@@ -140,7 +140,7 @@ In this section, you test your Azure AD single sign-on configuration with follow
* Go to Concur Sign-on URL directly and initiate the login flow from there.
-* You can use Microsoft My Apps. When you click the Concur tile in the My Apps, this will redirect to Concur Sign-on URL. For more information about the My Apps, see [Introduction to the My Apps](https://docs.microsoft.com/azure/active-directory/active-directory-saas-access-panel-introduction).
+* You can use Microsoft My Apps. When you click the Concur tile in the My Apps, this will redirect to Concur Sign-on URL. For more information about the My Apps, see [Introduction to the My Apps](../user-help/my-apps-portal-end-user-access.md).
## Next steps
active-directory https://docs.microsoft.com/en-us/azure/active-directory/saas-apps/confluencemicrosoft-tutorial https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/active-directory/saas-apps/confluencemicrosoft-tutorial.md
@@ -250,9 +250,9 @@ In this section, you test your Azure AD single sign-on configuration with follow
* Go to Confluence SAML SSO by Microsoft Sign-on URL directly and initiate the login flow from there.
-* You can use Microsoft My Apps. When you click the Confluence SAML SSO by Microsoft tile in the My Apps, this will redirect to Confluence SAML SSO by Microsoft Sign-on URL. For more information about the My Apps, see [Introduction to the My Apps](https://docs.microsoft.com/azure/active-directory/active-directory-saas-access-panel-introduction).
+* You can use Microsoft My Apps. When you click the Confluence SAML SSO by Microsoft tile in the My Apps, this will redirect to Confluence SAML SSO by Microsoft Sign-on URL. For more information about the My Apps, see [Introduction to the My Apps](../user-help/my-apps-portal-end-user-access.md).
## Next steps
-Once you configure Confluence SAML SSO by Microsoft you can enforce Session control, which protects exfiltration and infiltration of your organizationΓÇÖs sensitive data in real time. Session control extends from Conditional Access. [Learn how to enforce session control with Microsoft Cloud App Security](/cloud-app-security/proxy-deployment-aad)
+Once you configure Confluence SAML SSO by Microsoft you can enforce Session control, which protects exfiltration and infiltration of your organizationΓÇÖs sensitive data in real time. Session control extends from Conditional Access. [Learn how to enforce session control with Microsoft Cloud App Security](/cloud-app-security/proxy-deployment-aad)
\ No newline at end of file
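Review bot: The removed and added "Once you configure Confluence SAML SSO by Microsoft" lines are textually identical, and the only effect of this part of the hunk is that the file now ends without a trailing newline. Restore the newline or drop this line from the change. If the line is kept in the diff, fix it while there: the sentence capitalises "Session control" mid-sentence and then writes "Session control extends", and the closing link has no terminating period.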
active-directory https://docs.microsoft.com/en-us/azure/active-directory/saas-apps/contentsquare-sso-tutorial https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/active-directory/saas-apps/contentsquare-sso-tutorial.md
@@ -127,10 +127,8 @@ In this section, you test your Azure AD single sign-on configuration with follow
* Go to Contentsquare SSO Sign-on URL directly and initiate the login flow from there.
-* You can use Microsoft My Apps. When you click the Contentsquare SSO tile in the My Apps, this will redirect to Contentsquare SSO Sign-on URL. For more information about the My Apps, see [Introduction to the My Apps](https://docs.microsoft.com/azure/active-directory/active-directory-saas-access-panel-introduction).
+* You can use Microsoft My Apps. When you click the Contentsquare SSO tile in the My Apps, this will redirect to Contentsquare SSO Sign-on URL. For more information about the My Apps, see [Introduction to the My Apps](../user-help/my-apps-portal-end-user-access.md).
## Next steps
-Once you configure Contentsquare SSO you can enforce session control, which protects exfiltration and infiltration of your organizationΓÇÖs sensitive data in real time. Session control extends from Conditional Access. [Learn how to enforce session control with Microsoft Cloud App Security](https://docs.microsoft.com/cloud-app-security/proxy-deployment-any-app).
--
+Once you configure Contentsquare SSO you can enforce session control, which protects exfiltration and infiltration of your organizationΓÇÖs sensitive data in real time. Session control extends from Conditional Access. [Learn how to enforce session control with Microsoft Cloud App Security](/cloud-app-security/proxy-deployment-any-app).
\ No newline at end of file
active-directory https://docs.microsoft.com/en-us/azure/active-directory/saas-apps/cornerstone-ondemand-tutorial https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/active-directory/saas-apps/cornerstone-ondemand-tutorial.md
@@ -139,8 +139,8 @@ In this section, you test your Azure AD single sign-on configuration with follow
* Go to Cornerstone OnDemand Sign-on URL directly and initiate the login flow from there.
-* You can use Microsoft My Apps. When you click the Cornerstone OnDemand tile in the My Apps, this will redirect to Cornerstone OnDemand Sign-on URL. For more information about the My Apps, see [Introduction to the My Apps](https://docs.microsoft.com/azure/active-directory/active-directory-saas-access-panel-introduction).
+* You can use Microsoft My Apps. When you click the Cornerstone OnDemand tile in the My Apps, this will redirect to Cornerstone OnDemand Sign-on URL. For more information about the My Apps, see [Introduction to the My Apps](../user-help/my-apps-portal-end-user-access.md).
## Next steps
-Once you configure Cornerstone OnDemand you can enforce Session control, which protects exfiltration and infiltration of your organizationΓÇÖs sensitive data in real time. Session control extends from Conditional Access. [Learn how to enforce session control with Microsoft Cloud App Security](/cloud-app-security/proxy-deployment-aad)
+Once you configure Cornerstone OnDemand you can enforce Session control, which protects exfiltration and infiltration of your organizationΓÇÖs sensitive data in real time. Session control extends from Conditional Access. [Learn how to enforce session control with Microsoft Cloud App Security](/cloud-app-security/proxy-deployment-aad)
\ No newline at end of file
active-directory https://docs.microsoft.com/en-us/azure/active-directory/saas-apps/count-me-in-operations-dashboard-tutorial https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/active-directory/saas-apps/count-me-in-operations-dashboard-tutorial.md
@@ -94,7 +94,7 @@ Follow these steps to enable Azure AD SSO in the Azure portal.
| assigned roles | user.assignedroles | > [!NOTE]
- > Count Me In - Operations Dashboard expects roles for users assigned to the application. Please set up these roles in Azure AD so that users can be assigned the appropriate roles. To understand how to configure roles in Azure AD, see [here](https://docs.microsoft.com/azure/active-directory/develop/howto-add-app-roles-in-azure-ad-apps#app-roles-ui).
+ > Count Me In - Operations Dashboard expects roles for users assigned to the application. Please set up these roles in Azure AD so that users can be assigned the appropriate roles. To understand how to configure roles in Azure AD, see [here](../develop/howto-add-app-roles-in-azure-ad-apps.md#app-roles-ui--preview).
1. On the **Set up single sign-on with SAML** page, in the **SAML Signing Certificate** section, find **Certificate (Base64)** and select **Download** to download the certificate and save it on your computer.
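Review bot: The edited note says the application "expects roles for users assigned to the application" and asks the reader to "set up these roles in Azure AD", but it never states which role values the application accepts, so the `assigned roles` to `user.assignedroles` mapping above it cannot be completed from this page alone. Add the expected role names or a pointer to where the vendor documents them. The new target also pins `#app-roles-ui--preview`; prefer a link without the preview-specific fragment, and replace "see [here]" with descriptive link text.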
@@ -143,11 +143,9 @@ In this section, you test your Azure AD single sign-on configuration with follow
* Go to Count Me In - Operations Dashboard Sign-on URL directly and initiate the login flow from there.
-* You can use Microsoft My Apps. When you click the Count Me In - Operations Dashboard tile in the My Apps, this will redirect to Count Me In - Operations Dashboard Sign-on URL. For more information about the My Apps, see [Introduction to the My Apps](https://docs.microsoft.com/azure/active-directory/active-directory-saas-access-panel-introduction).
+* You can use Microsoft My Apps. When you click the Count Me In - Operations Dashboard tile in the My Apps, this will redirect to Count Me In - Operations Dashboard Sign-on URL. For more information about the My Apps, see [Introduction to the My Apps](../user-help/my-apps-portal-end-user-access.md).
## Next steps
-Once you configure Count Me In - Operations Dashboard you can enforce session control, which protects exfiltration and infiltration of your organizationΓÇÖs sensitive data in real time. Session control extends from Conditional Access. [Learn how to enforce session control with Microsoft Cloud App Security](https://docs.microsoft.com/cloud-app-security/proxy-deployment-any-app).
--
+Once you configure Count Me In - Operations Dashboard you can enforce session control, which protects exfiltration and infiltration of your organizationΓÇÖs sensitive data in real time. Session control extends from Conditional Access. [Learn how to enforce session control with Microsoft Cloud App Security](/cloud-app-security/proxy-deployment-any-app).
active-directory https://docs.microsoft.com/en-us/azure/active-directory/saas-apps/dome9arc-tutorial https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/active-directory/saas-apps/dome9arc-tutorial.md
@@ -95,7 +95,7 @@ Follow these steps to enable Azure AD SSO in the Azure portal.
| memberof | user.assignedroles | >[!NOTE]
- >Click [here](https://docs.microsoft.com/azure/active-directory/develop/howto-add-app-roles-in-azure-ad-apps#app-roles-ui) to know how to create roles in Azure AD.
+ >Click [here](../develop/howto-add-app-roles-in-azure-ad-apps.md#app-roles-ui--preview) to know how to create roles in Azure AD.
1. On the **Set up single sign-on with SAML** page, in the **SAML Signing Certificate** section, find **Certificate (Base64)** and select **Download** to download the certificate and save it on your computer.
@@ -210,9 +210,9 @@ In this section, you test your Azure AD single sign-on configuration with follow
* Click on **Test this application** in Azure portal and you should be automatically signed in to the Check Point CloudGuard Dome9 Arc for which you set up the SSO
-You can also use Microsoft My Apps to test the application in any mode. When you click the Check Point CloudGuard Dome9 Arc tile in the My Apps, if configured in SP mode you would be redirected to the application sign on page for initiating the login flow and if configured in IDP mode, you should be automatically signed in to the Check Point CloudGuard Dome9 Arc for which you set up the SSO. For more information about the My Apps, see [Introduction to the My Apps](https://docs.microsoft.com/azure/active-directory/active-directory-saas-access-panel-introduction).
+You can also use Microsoft My Apps to test the application in any mode. When you click the Check Point CloudGuard Dome9 Arc tile in the My Apps, if configured in SP mode you would be redirected to the application sign on page for initiating the login flow and if configured in IDP mode, you should be automatically signed in to the Check Point CloudGuard Dome9 Arc for which you set up the SSO. For more information about the My Apps, see [Introduction to the My Apps](../user-help/my-apps-portal-end-user-access.md).
## Next steps
-Once you configure Check Point CloudGuard Dome9 Arc you can enforce session control, which protects exfiltration and infiltration of your organizationΓÇÖs sensitive data in real time. Session control extends from Conditional Access. [Learn how to enforce session control with Microsoft Cloud App Security](/cloud-app-security/proxy-deployment-any-app).
\ No newline at end of file
+Once you configure Check Point CloudGuard Dome9 Arc you can enforce session control, which protects exfiltration and infiltration of your organizationΓÇÖs sensitive data in real time. Session control extends from Conditional Access. [Learn how to enforce session control with Microsoft Cloud App Security](/cloud-app-security/proxy-deployment-any-app).
active-directory https://docs.microsoft.com/en-us/azure/active-directory/saas-apps/dotcom-monitor-tutorial https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/active-directory/saas-apps/dotcom-monitor-tutorial.md
@@ -89,7 +89,7 @@ Follow these steps to enable Azure AD SSO in the Azure portal.
| Roles | user.assignedroles | > [!NOTE]
- > You can find more guidance [here](https://docs.microsoft.com/azure/active-directory/develop/howto-add-app-roles-in-azure-ad-apps#app-roles-ui) on how to create custom roles in Azure AD.
+ > You can find more guidance [here](../develop/howto-add-app-roles-in-azure-ad-apps.md#app-roles-ui--preview) on how to create custom roles in Azure AD.
1. On the **Set up single sign-on with SAML** page, in the **SAML Signing Certificate** section, find **Federation Metadata XML** and select **Download** to download the certificate and save it on your computer.
@@ -139,9 +139,9 @@ In this section, you test your Azure AD single sign-on configuration with follow
* Go to Dotcom-Monitor Sign-on URL directly and initiate the login flow from there.
-* You can use Microsoft My Apps. When you click the Dotcom-Monitor tile in the My Apps, this will redirect to Dotcom-Monitor Sign-on URL. For more information about the My Apps, see [Introduction to the My Apps](https://docs.microsoft.com/azure/active-directory/active-directory-saas-access-panel-introduction).
+* You can use Microsoft My Apps. When you click the Dotcom-Monitor tile in the My Apps, this will redirect to Dotcom-Monitor Sign-on URL. For more information about the My Apps, see [Introduction to the My Apps](../user-help/my-apps-portal-end-user-access.md).
## Next steps
-Once you configure Dotcom-Monitor you can enforce session control, which protects exfiltration and infiltration of your organizationΓÇÖs sensitive data in real time. Session control extends from Conditional Access. [Learn how to enforce session control with Microsoft Cloud App Security](/cloud-app-security/proxy-deployment-any-app).
\ No newline at end of file
+Once you configure Dotcom-Monitor you can enforce session control, which protects exfiltration and infiltration of your organizationΓÇÖs sensitive data in real time. Session control extends from Conditional Access. [Learn how to enforce session control with Microsoft Cloud App Security](/cloud-app-security/proxy-deployment-any-app).
active-directory https://docs.microsoft.com/en-us/azure/active-directory/saas-apps/e-days-tutorial https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/active-directory/saas-apps/e-days-tutorial.md
@@ -150,7 +150,7 @@ In this section, you test your Azure AD single sign-on configuration with follow
* Click on **Test this application** in Azure portal and you should be automatically signed in to the E-days for which you set up the SSO
-You can also use Microsoft My Apps to test the application in any mode. When you click the E-days tile in the My Apps, if configured in SP mode you would be redirected to the application sign on page for initiating the login flow and if configured in IDP mode, you should be automatically signed in to the E-days for which you set up the SSO. For more information about the My Apps, see [Introduction to the My Apps](https://docs.microsoft.com/azure/active-directory/active-directory-saas-access-panel-introduction).
+You can also use Microsoft My Apps to test the application in any mode. When you click the E-days tile in the My Apps, if configured in SP mode you would be redirected to the application sign on page for initiating the login flow and if configured in IDP mode, you should be automatically signed in to the E-days for which you set up the SSO. For more information about the My Apps, see [Introduction to the My Apps](../user-help/my-apps-portal-end-user-access.md).
## Next steps
active-directory https://docs.microsoft.com/en-us/azure/active-directory/saas-apps/easysso-for-bamboo-tutorial https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/active-directory/saas-apps/easysso-for-bamboo-tutorial.md
@@ -197,7 +197,7 @@ However, if you do not wish to enable automatic user provisioning on the user fi
In this section, you test your Azure AD single sign-on configuration using the My Apps.
-When you click the EasySSO for Bamboo tile in the My Apps, you should be automatically signed in to the Bamboo instance for which you set up SSO. For more information about the My Apps, see [Introduction to the My Apps](https://docs.microsoft.com/azure/active-directory/active-directory-saas-access-panel-introduction).
+When you click the EasySSO for Bamboo tile in the My Apps, you should be automatically signed in to the Bamboo instance for which you set up SSO. For more information about the My Apps, see [Introduction to the My Apps](../user-help/my-apps-portal-end-user-access.md).
### SP-initiated workflow
@@ -217,4 +217,4 @@ Should you have any issues digesting the log messages, please contact [EasySSO s
## Next steps
-Once you configure EasySSO for Bamboo you can enforce session control, which protects exfiltration and infiltration of your organizationΓÇÖs sensitive data in real time. Session control extends from Conditional Access. [Learn how to enforce session control with Microsoft Cloud App Security](/cloud-app-security/proxy-deployment-any-app).
+Once you configure EasySSO for Bamboo you can enforce session control, which protects exfiltration and infiltration of your organizationΓÇÖs sensitive data in real time. Session control extends from Conditional Access. [Learn how to enforce session control with Microsoft Cloud App Security](/cloud-app-security/proxy-deployment-any-app).
\ No newline at end of file
active-directory https://docs.microsoft.com/en-us/azure/active-directory/saas-apps/easysso-for-bitbucket-tutorial https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/active-directory/saas-apps/easysso-for-bitbucket-tutorial.md
@@ -199,7 +199,7 @@ In this section, you test your Azure AD single sign-on configuration with follow
* Click on **Test this application** in Azure portal and you should be automatically signed in to the EasySSO for BitBucket for which you set up the SSO
-You can also use Microsoft My Apps to test the application in any mode. When you click the EasySSO for BitBucket tile in the My Apps, if configured in SP mode you would be redirected to the application sign on page for initiating the login flow and if configured in IDP mode, you should be automatically signed in to the EasySSO for BitBucket for which you set up the SSO. For more information about the My Apps, see [Introduction to the My Apps](https://docs.microsoft.com/azure/active-directory/active-directory-saas-access-panel-introduction).
+You can also use Microsoft My Apps to test the application in any mode. When you click the EasySSO for BitBucket tile in the My Apps, if configured in SP mode you would be redirected to the application sign on page for initiating the login flow and if configured in IDP mode, you should be automatically signed in to the EasySSO for BitBucket for which you set up the SSO. For more information about the My Apps, see [Introduction to the My Apps](../user-help/my-apps-portal-end-user-access.md).
## Next steps
active-directory https://docs.microsoft.com/en-us/azure/active-directory/saas-apps/easysso-for-confluence-tutorial https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/active-directory/saas-apps/easysso-for-confluence-tutorial.md
@@ -195,7 +195,7 @@ However, if you do not wish to enable automatic user provisioning on the user fi
In this section, you test your Azure AD single sign-on configuration using the My Apps.
-When you click the EasySSO for Confluence tile in the My Apps, you should be automatically signed in to the Confluence instance for which you set up SSO. For more information about the My Apps, see [Introduction to the My Apps](https://docs.microsoft.com/azure/active-directory/active-directory-saas-access-panel-introduction).
+When you click the EasySSO for Confluence tile in the My Apps, you should be automatically signed in to the Confluence instance for which you set up SSO. For more information about the My Apps, see [Introduction to the My Apps](../user-help/my-apps-portal-end-user-access.md).
### SP-initiated workflow
active-directory https://docs.microsoft.com/en-us/azure/active-directory/saas-apps/ekarda-tutorial https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/active-directory/saas-apps/ekarda-tutorial.md
@@ -178,7 +178,7 @@ In this section, you test your Azure AD single sign-on configuration with follow
* Click on **Test this application** in Azure portal and you should be automatically signed in to the ekarda for which you set up the SSO
-You can also use Microsoft My Apps to test the application in any mode. When you click the ekarda tile in the My Apps, if configured in SP mode you would be redirected to the application sign on page for initiating the login flow and if configured in IDP mode, you should be automatically signed in to the ekarda for which you set up the SSO. For more information about the My Apps, see [Introduction to the My Apps](https://docs.microsoft.com/azure/active-directory/active-directory-saas-access-panel-introduction).
+You can also use Microsoft My Apps to test the application in any mode. When you click the ekarda tile in the My Apps, if configured in SP mode you would be redirected to the application sign on page for initiating the login flow and if configured in IDP mode, you should be automatically signed in to the ekarda for which you set up the SSO. For more information about the My Apps, see [Introduction to the My Apps](../user-help/my-apps-portal-end-user-access.md).
## Next steps
active-directory https://docs.microsoft.com/en-us/azure/active-directory/saas-apps/ephoto-dam-tutorial https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/active-directory/saas-apps/ephoto-dam-tutorial.md
@@ -139,11 +139,9 @@ In this section, you test your Azure AD single sign-on configuration with follow
* Click on **Test this application** in Azure portal and you should be automatically signed in to the EPHOTO DAM for which you set up the SSO
-You can also use Microsoft My Apps to test the application in any mode. When you click the EPHOTO DAM tile in the My Apps, if configured in SP mode you would be redirected to the application sign on page for initiating the login flow and if configured in IDP mode, you should be automatically signed in to the EPHOTO DAM for which you set up the SSO. For more information about the My Apps, see [Introduction to the My Apps](https://docs.microsoft.com/azure/active-directory/active-directory-saas-access-panel-introduction).
+You can also use Microsoft My Apps to test the application in any mode. When you click the EPHOTO DAM tile in the My Apps, if configured in SP mode you would be redirected to the application sign on page for initiating the login flow and if configured in IDP mode, you should be automatically signed in to the EPHOTO DAM for which you set up the SSO. For more information about the My Apps, see [Introduction to the My Apps](../user-help/my-apps-portal-end-user-access.md).
## Next steps
-Once you configure EPHOTO DAM you can enforce session control, which protects exfiltration and infiltration of your organizationΓÇÖs sensitive data in real time. Session control extends from Conditional Access. [Learn how to enforce session control with Microsoft Cloud App Security](https://docs.microsoft.com/cloud-app-security/proxy-deployment-any-app).
--
+Once you configure EPHOTO DAM you can enforce session control, which protects exfiltration and infiltration of your organizationΓÇÖs sensitive data in real time. Session control extends from Conditional Access. [Learn how to enforce session control with Microsoft Cloud App Security](/cloud-app-security/proxy-deployment-any-app).
\ No newline at end of file
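Review bot: The rewritten "Next steps" paragraph is now the last line of the file and has no trailing newline, as the `\ No newline at end of file` marker shows; end the file with a newline so later appends produce clean diffs. While the sentence is open, "protects exfiltration and infiltration of your organization's sensitive data" reads as if session control protects the exfiltration itself; "protects against" is what is meant.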
active-directory https://docs.microsoft.com/en-us/azure/active-directory/saas-apps/equinix-federation-app-tutorial https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/active-directory/saas-apps/equinix-federation-app-tutorial.md
@@ -131,11 +131,9 @@ In this section, you test your Azure AD single sign-on configuration with follow
* Go to Equinix Federation App Sign-on URL directly and initiate the login flow from there.
-* You can use Microsoft My Apps. When you click the Equinix Federation App tile in the My Apps, this will redirect to Equinix Federation App Sign-on URL. For more information about the My Apps, see [Introduction to the My Apps](https://docs.microsoft.com/azure/active-directory/active-directory-saas-access-panel-introduction).
+* You can use Microsoft My Apps. When you click the Equinix Federation App tile in the My Apps, this will redirect to Equinix Federation App Sign-on URL. For more information about the My Apps, see [Introduction to the My Apps](../user-help/my-apps-portal-end-user-access.md).
## Next steps
-Once you configure Equinix Federation App you can enforce session control, which protects exfiltration and infiltration of your organizationΓÇÖs sensitive data in real time. Session control extends from Conditional Access. [Learn how to enforce session control with Microsoft Cloud App Security](https://docs.microsoft.com/cloud-app-security/proxy-deployment-any-app).
--
+Once you configure Equinix Federation App you can enforce session control, which protects exfiltration and infiltration of your organizationΓÇÖs sensitive data in real time. Session control extends from Conditional Access. [Learn how to enforce session control with Microsoft Cloud App Security](/cloud-app-security/proxy-deployment-any-app).
\ No newline at end of file
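Review bot: In the changed My Apps bullet the link text still reads "Introduction to the My Apps" while the new target is `../user-help/my-apps-portal-end-user-access.md`; check that the text matches the title of the target article, and drop the stray article in "the My Apps" while the line is being edited. The bullet also says "this will redirect to Equinix Federation App Sign-on URL", which needs "the" before the app name.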
active-directory https://docs.microsoft.com/en-us/azure/active-directory/saas-apps/fortes-change-cloud-provisioning-tutorial https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/active-directory/saas-apps/fortes-change-cloud-provisioning-tutorial.md
@@ -20,7 +20,7 @@ ms.author: Zhchia
# Tutorial: Configure Fortes Change Cloud for automatic user provisioning
-This tutorial describes the steps you need to perform in both Fortes Change Cloud and Azure Active Directory (Azure AD) to configure automatic user provisioning. When configured, Azure AD automatically provisions and de-provisions users and groups to [Fortes Change Cloud](https://fortesglobal.com/) using the Azure AD Provisioning service. For important details on what this service does, how it works, and frequently asked questions, see [Automate user provisioning and deprovisioning to SaaS applications with Azure Active Directory](../manage-apps/user-provisioning.md).
+This tutorial describes the steps you need to perform in both Fortes Change Cloud and Azure Active Directory (Azure AD) to configure automatic user provisioning. When configured, Azure AD automatically provisions and de-provisions users and groups to [Fortes Change Cloud](https://fortesglobal.com/) using the Azure AD Provisioning service. For important details on what this service does, how it works, and frequently asked questions, see [Automate user provisioning and deprovisioning to SaaS applications with Azure Active Directory](../app-provisioning/user-provisioning.md).
## Capabilities Supported
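Review bot: The changed introduction spells the same term two ways, "de-provisions" in the second sentence and "deprovisioning" in the linked article title. Since the title belongs to the linked article, align the tutorial's own wording to it ("provisions and deprovisions users and groups").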
@@ -34,15 +34,15 @@ This tutorial describes the steps you need to perform in both Fortes Change Clou
The scenario outlined in this tutorial assumes that you already have the following prerequisites:
-* [An Azure AD tenant](https://docs.microsoft.com/azure/active-directory/develop/quickstart-create-new-tenant)
-* A user account in Azure AD with [permission](https://docs.microsoft.com/azure/active-directory/users-groups-roles/directory-assign-admin-roles) to configure provisioning (for example, Application Administrator, Cloud Application administrator, Application Owner, or Global Administrator).
+* [An Azure AD tenant](../develop/quickstart-create-new-tenant.md)
+* A user account in Azure AD with [permission](../roles/permissions-reference.md) to configure provisioning (for example, Application Administrator, Cloud Application administrator, Application Owner, or Global Administrator).
* A Fortes Change Cloud tenant. * A user account in Fortes Change Cloud with Admin permissions. ## Step 1. Plan your provisioning deployment
-1. Learn about [how the provisioning service works](https://docs.microsoft.com/azure/active-directory/manage-apps/user-provisioning).
-2. Determine who will be in [scope for provisioning](https://docs.microsoft.com/azure/active-directory/manage-apps/define-conditional-rules-for-provisioning-user-accounts).
-3. Determine what data to [map between Azure AD and Fortes Change Cloud](https://docs.microsoft.com/azure/active-directory/manage-apps/customize-application-attributes).
+1. Learn about [how the provisioning service works](../app-provisioning/user-provisioning.md).
+2. Determine who will be in [scope for provisioning](../app-provisioning/define-conditional-rules-for-provisioning-user-accounts.md).
+3. Determine what data to [map between Azure AD and Fortes Change Cloud](../app-provisioning/customize-application-attributes.md).
## Step 2. Configure Fortes Change Cloud to support provisioning with Azure AD
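Review bot: The changed permission bullet lists Global Administrator next to Application Administrator, Cloud Application administrator and Application Owner without saying which of them is the least privileged role that can configure provisioning. Now that the link points at the permissions reference, name the lowest sufficient role first and present Global Administrator only as a fallback; also capitalize "Cloud Application Administrator" to match the other role names.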
@@ -56,15 +56,15 @@ The scenario outlined in this tutorial assumes that you already have the followi
## Step 3. Add Fortes Change Cloud from the Azure AD application gallery
-Add Fortes Change Cloud from the Azure AD application gallery to start managing provisioning to Fortes Change Cloud. If you have previously setup Fortes Change Cloud for SSO you can use the same application. However it is recommended that you create a separate app when testing out the integration initially. Learn more about adding an application from the gallery [here](https://docs.microsoft.com/azure/active-directory/manage-apps/add-gallery-app).
+Add Fortes Change Cloud from the Azure AD application gallery to start managing provisioning to Fortes Change Cloud. If you have previously setup Fortes Change Cloud for SSO you can use the same application. However it is recommended that you create a separate app when testing out the integration initially. Learn more about adding an application from the gallery [here](../manage-apps/add-application-portal.md).
## Step 4. Define who will be in scope for provisioning
-The Azure AD provisioning service allows you to scope who will be provisioned based on assignment to the application and or based on attributes of the user / group. If you choose to scope who will be provisioned to your app based on assignment, you can use the following [steps](../manage-apps/assign-user-or-group-access-portal.md) to assign users and groups to the application. If you choose to scope who will be provisioned based solely on attributes of the user or group, you can use a scoping filter as described [here](https://docs.microsoft.com/azure/active-directory/manage-apps/define-conditional-rules-for-provisioning-user-accounts).
+The Azure AD provisioning service allows you to scope who will be provisioned based on assignment to the application and or based on attributes of the user / group. If you choose to scope who will be provisioned to your app based on assignment, you can use the following [steps](../manage-apps/assign-user-or-group-access-portal.md) to assign users and groups to the application. If you choose to scope who will be provisioned based solely on attributes of the user or group, you can use a scoping filter as described [here](../app-provisioning/define-conditional-rules-for-provisioning-user-accounts.md).
-* When assigning users and groups to Fortes Change Cloud, you must select a role other than **Default Access**. Users with the Default Access role are excluded from provisioning and will be marked as not effectively entitled in the provisioning logs. If the only role available on the application is the default access role, you can [update the application manifest](https://docs.microsoft.com/azure/active-directory/develop/howto-add-app-roles-in-azure-ad-apps) to add additional roles.
+* When assigning users and groups to Fortes Change Cloud, you must select a role other than **Default Access**. Users with the Default Access role are excluded from provisioning and will be marked as not effectively entitled in the provisioning logs. If the only role available on the application is the default access role, you can [update the application manifest](../develop/howto-add-app-roles-in-azure-ad-apps.md) to add additional roles.
-* Start small. Test with a small set of users and groups before rolling out to everyone. When scope for provisioning is set to assigned users and groups, you can control this by assigning one or two users or groups to the app. When scope is set to all users and groups, you can specify an [attribute based scoping filter](https://docs.microsoft.com/azure/active-directory/manage-apps/define-conditional-rules-for-provisioning-user-accounts).
+* Start small. Test with a small set of users and groups before rolling out to everyone. When scope for provisioning is set to assigned users and groups, you can control this by assigning one or two users or groups to the app. When scope is set to all users and groups, you can specify an [attribute based scoping filter](../app-provisioning/define-conditional-rules-for-provisioning-user-accounts.md).
## Step 5. Configure automatic user provisioning to Fortes Change Cloud
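Review bot: Both retargeted links in this hunk that point at `add-application-portal.md` and at the scoping-filter article keep the link text "here", which tells a reader scanning or using a screen reader nothing about the destination; use the article name as the link text. In the same changed lines, "have previously setup" should be "set up" and "and or" should be "and/or".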
@@ -101,7 +101,7 @@ This section guides you through the steps to configure the Azure AD provisioning
8. Under the **Mappings** section, select **Synchronize Azure Active Directory Users to Fortes Change Cloud**.
-9. Review the user attributes that are synchronized from Azure AD to Fortes Change Cloud in the **Attribute-Mapping** section. The attributes selected as **Matching** properties are used to match the user accounts in Fortes Change Cloud for update operations. If you choose to change the [matching target attribute](https://docs.microsoft.com/azure/active-directory/manage-apps/customize-application-attributes), you will need to ensure that the Fortes Change Cloud API supports filtering users based on that attribute. Select the **Save** button to commit any changes.
+9. Review the user attributes that are synchronized from Azure AD to Fortes Change Cloud in the **Attribute-Mapping** section. The attributes selected as **Matching** properties are used to match the user accounts in Fortes Change Cloud for update operations. If you choose to change the [matching target attribute](../app-provisioning/customize-application-attributes.md), you will need to ensure that the Fortes Change Cloud API supports filtering users based on that attribute. Select the **Save** button to commit any changes.
|Attribute|Type|Supported for filtering| |---|---|---|
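Review bot: Step 9 warns that a new matching target attribute must be filterable through the Fortes Change Cloud API, but it never points at the "Supported for filtering" column of the table that follows, which is where the reader can check that. Add a reference to that column in the sentence that carries the retargeted `customize-application-attributes.md` link.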
@@ -117,7 +117,7 @@ This section guides you through the steps to configure the Azure AD provisioning
-10. To configure scoping filters, refer to the following instructions provided in the [Scoping filter tutorial](../manage-apps/define-conditional-rules-for-provisioning-user-accounts.md).
+10. To configure scoping filters, refer to the following instructions provided in the [Scoping filter tutorial](../app-provisioning/define-conditional-rules-for-provisioning-user-accounts.md).
11. To enable the Azure AD provisioning service for Fortes Change Cloud, change the **Provisioning Status** to **On** in the **Settings** section.
@@ -136,15 +136,15 @@ This operation starts the initial synchronization cycle of all users and groups
## Step 6. Monitor your deployment Once you've configured provisioning, use the following resources to monitor your deployment:
-* Use the [provisioning logs](https://docs.microsoft.com/azure/active-directory/reports-monitoring/concept-provisioning-logs) to determine which users have been provisioned successfully or unsuccessfully
-* Check the [progress bar](https://docs.microsoft.com/azure/active-directory/app-provisioning/application-provisioning-when-will-provisioning-finish-specific-user) to see the status of the provisioning cycle and how close it is to completion
-* If the provisioning configuration seems to be in an unhealthy state, the application will go into quarantine. Learn more about quarantine states [here](https://docs.microsoft.com/azure/active-directory/manage-apps/application-provisioning-quarantine-status).
+* Use the [provisioning logs](../reports-monitoring/concept-provisioning-logs.md) to determine which users have been provisioned successfully or unsuccessfully
+* Check the [progress bar](../app-provisioning/application-provisioning-when-will-provisioning-finish-specific-user.md) to see the status of the provisioning cycle and how close it is to completion
+* If the provisioning configuration seems to be in an unhealthy state, the application will go into quarantine. Learn more about quarantine states [here](../app-provisioning/application-provisioning-quarantine-status.md).
## Additional resources
-* [Managing user account provisioning for Enterprise Apps](../manage-apps/configure-automatic-user-provisioning-portal.md)
+* [Managing user account provisioning for Enterprise Apps](../app-provisioning/configure-automatic-user-provisioning-portal.md)
* [What is application access and single sign-on with Azure Active Directory?](../manage-apps/what-is-single-sign-on.md) ## Next steps
-* [Learn how to review logs and get reports on provisioning activity](../manage-apps/check-status-user-account-provisioning.md)
+* [Learn how to review logs and get reports on provisioning activity](../app-provisioning/check-status-user-account-provisioning.md)
\ No newline at end of file
active-directory https://docs.microsoft.com/en-us/azure/active-directory/saas-apps/fortigate-ssl-vpn-tutorial https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/active-directory/saas-apps/fortigate-ssl-vpn-tutorial.md
@@ -259,9 +259,9 @@ In this section, you test your Azure AD single sign-on configuration with follow
* Go to FortiGate VPN Sign-on URL directly and initiate the login flow from there.
-* You can use Microsoft My Apps. When you click the FortiGate VPN tile in the My Apps, this will redirect to FortiGate VPN Sign-on URL. For more information about the My Apps, see [Introduction to the My Apps](https://docs.microsoft.com/azure/active-directory/active-directory-saas-access-panel-introduction).
+* You can use Microsoft My Apps. When you click the FortiGate VPN tile in the My Apps, this will redirect to FortiGate VPN Sign-on URL. For more information about the My Apps, see [Introduction to the My Apps](../user-help/my-apps-portal-end-user-access.md).
## Next steps
-Once you configure FortiGate VPN you can enforce Session control, which protects exfiltration and infiltration of your organizationΓÇÖs sensitive data in real time. Session control extends from Conditional Access. [Learn how to enforce session control with Microsoft Cloud App Security](/cloud-app-security/proxy-deployment-aad)
+Once you configure FortiGate VPN you can enforce Session control, which protects exfiltration and infiltration of your organizationΓÇÖs sensitive data in real time. Session control extends from Conditional Access. [Learn how to enforce session control with Microsoft Cloud App Security](/cloud-app-security/proxy-deployment-aad)
\ No newline at end of file
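Review bot: The removed and added "Once you configure FortiGate VPN ..." lines read identically here, so this part of the hunk is a whitespace-only change, and the file still ends without a newline. If the line is being touched anyway, add the trailing newline, close the sentence with a period after the link, and lowercase "Session control" in "enforce Session control" to match the sentence that follows it.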
active-directory https://docs.microsoft.com/en-us/azure/active-directory/saas-apps/fortiweb-web-application-firewall-tutorial https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/active-directory/saas-apps/fortiweb-web-application-firewall-tutorial.md
@@ -243,11 +243,9 @@ In this section, you test your Azure AD single sign-on configuration with follow
* Go to FortiWeb Web Application Sign-on URL directly and initiate the login flow from there.
-* You can use Microsoft My Apps. When you click the FortiWeb Web Application tile in the My Apps, this will redirect to FortiWeb Web Application Sign-on URL. For more information about the My Apps, see [Introduction to the My Apps](https://docs.microsoft.com/azure/active-directory/active-directory-saas-access-panel-introduction).
+* You can use Microsoft My Apps. When you click the FortiWeb Web Application tile in the My Apps, this will redirect to FortiWeb Web Application Sign-on URL. For more information about the My Apps, see [Introduction to the My Apps](../user-help/my-apps-portal-end-user-access.md).
## Next steps
-Once you configure FortiWeb Web Application Firewall you can enforce session control, which protects exfiltration and infiltration of your organizationΓÇÖs sensitive data in real time. Session control extends from Conditional Access. [Learn how to enforce session control with Microsoft Cloud App Security](https://docs.microsoft.com/cloud-app-security/proxy-deployment-any-app).
--
+Once you configure FortiWeb Web Application Firewall you can enforce session control, which protects exfiltration and infiltration of your organizationΓÇÖs sensitive data in real time. Session control extends from Conditional Access. [Learn how to enforce session control with Microsoft Cloud App Security](/cloud-app-security/proxy-deployment-any-app).
\ No newline at end of file
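Review bot: The product name is inconsistent across this hunk: the test bullets call it "FortiWeb Web Application" (tile and Sign-on URL) while the changed "Next steps" sentence says "FortiWeb Web Application Firewall". Use one name throughout so the reader knows which tile to look for in My Apps, and add a trailing newline after the last line.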
active-directory https://docs.microsoft.com/en-us/azure/active-directory/saas-apps/github-tutorial https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/active-directory/saas-apps/github-tutorial.md
@@ -203,8 +203,8 @@ In this section, you test your Azure AD single sign-on configuration with follow
* Go to GitHub Sign-on URL directly and initiate the login flow from there.
-* You can use Microsoft My Apps. When you click the GitHub tile in the My Apps, this will redirect to GitHub Sign-on URL. For more information about the My Apps, see [Introduction to the My Apps](https://docs.microsoft.com/azure/active-directory/active-directory-saas-access-panel-introduction).
+* You can use Microsoft My Apps. When you click the GitHub tile in the My Apps, this will redirect to GitHub Sign-on URL. For more information about the My Apps, see [Introduction to the My Apps](../user-help/my-apps-portal-end-user-access.md).
## Next steps
-Once you configure GitHub you can enforce Session control, which protects exfiltration and infiltration of your organizationΓÇÖs sensitive data in real time. Session control extends from Conditional Access. [Learn how to enforce session control with Microsoft Cloud App Security](/cloud-app-security/proxy-deployment-aad)
+Once you configure GitHub you can enforce Session control, which protects exfiltration and infiltration of your organizationΓÇÖs sensitive data in real time. Session control extends from Conditional Access. [Learn how to enforce session control with Microsoft Cloud App Security](/cloud-app-security/proxy-deployment-aad)
\ No newline at end of file
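Review bot: The "Next steps" link in this hunk goes to `/cloud-app-security/proxy-deployment-aad`, whereas the EPHOTO DAM, Equinix, FortiWeb and Greenhouse tutorials in the same batch link the identical sentence to `/cloud-app-security/proxy-deployment-any-app` (only FortiGate VPN shares the `aad` target). Confirm which deployment guide applies to GitHub and make the batch consistent; the old and new versions of the line are otherwise identical as shown, so this is the only substantive question in the hunk.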
active-directory https://docs.microsoft.com/en-us/azure/active-directory/saas-apps/google-apps-tutorial https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/active-directory/saas-apps/google-apps-tutorial.md
@@ -244,7 +244,7 @@ In this section, you test your Azure AD single sign-on configuration with follow
* Go to Google Cloud (G Suite) Connector Sign-on URL directly and initiate the login flow from there.
-* You can use Microsoft My Apps. When you click the Google Cloud (G Suite) Connector tile in the My Apps, this will redirect to Google Cloud (G Suite) Connector Sign-on URL. For more information about the My Apps, see [Introduction to the My Apps](https://docs.microsoft.com/azure/active-directory/active-directory-saas-access-panel-introduction).
+* You can use Microsoft My Apps. When you click the Google Cloud (G Suite) Connector tile in the My Apps, this will redirect to Google Cloud (G Suite) Connector Sign-on URL. For more information about the My Apps, see [Introduction to the My Apps](../user-help/my-apps-portal-end-user-access.md).
## Next steps
active-directory https://docs.microsoft.com/en-us/azure/active-directory/saas-apps/greenhouse-tutorial https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/active-directory/saas-apps/greenhouse-tutorial.md
@@ -176,9 +176,9 @@ In this section, you test your Azure AD single sign-on configuration with follow
* Go to Greenhouse Sign-on URL directly and initiate the login flow from there.
-* You can use Microsoft My Apps. When you click the Greenhouse tile in the My Apps, this will redirect to Greenhouse Sign-on URL. For more information about the My Apps, see [Introduction to the My Apps](https://docs.microsoft.com/azure/active-directory/active-directory-saas-access-panel-introduction).
+* You can use Microsoft My Apps. When you click the Greenhouse tile in the My Apps, this will redirect to Greenhouse Sign-on URL. For more information about the My Apps, see [Introduction to the My Apps](../user-help/my-apps-portal-end-user-access.md).
## Next steps
-Once you configure Greenhouse you can enforce session control, which protects exfiltration and infiltration of your organizationΓÇÖs sensitive data in real time. Session control extends from Conditional Access. [Learn how to enforce session control with Microsoft Cloud App Security](https://docs.microsoft.com/cloud-app-security/proxy-deployment-any-app).
\ No newline at end of file
+Once you configure Greenhouse you can enforce session control, which protects exfiltration and infiltration of your organizationΓÇÖs sensitive data in real time. Session control extends from Conditional Access. [Learn how to enforce session control with Microsoft Cloud App Security](/cloud-app-security/proxy-deployment-any-app).
\ No newline at end of file
active-directory https://docs.microsoft.com/en-us/azure/active-directory/saas-apps/grouptalk-provisioning-tutorial https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/active-directory/saas-apps/grouptalk-provisioning-tutorial.md
@@ -20,7 +20,7 @@ ms.author: Zhchia
# Tutorial: Configure GroupTalk for automatic user provisioning
-This tutorial describes the steps you need to perform in both GroupTalk and Azure Active Directory (Azure AD) to configure automatic user provisioning. When configured, Azure AD automatically provisions and de-provisions users and groups to [GroupTalk](https://www.grouptalk.com/) using the Azure AD Provisioning service. For important details on what this service does, how it works, and frequently asked questions, see [Automate user provisioning and deprovisioning to SaaS applications with Azure Active Directory](../manage-apps/user-provisioning.md).
+This tutorial describes the steps you need to perform in both GroupTalk and Azure Active Directory (Azure AD) to configure automatic user provisioning. When configured, Azure AD automatically provisions and de-provisions users and groups to [GroupTalk](https://www.grouptalk.com/) using the Azure AD Provisioning service. For important details on what this service does, how it works, and frequently asked questions, see [Automate user provisioning and deprovisioning to SaaS applications with Azure Active Directory](../app-provisioning/user-provisioning.md).
## Capabilities Supported
@@ -34,14 +34,14 @@ This tutorial describes the steps you need to perform in both GroupTalk and Azur
The scenario outlined in this tutorial assumes that you already have the following prerequisites:
-* [An Azure AD tenant](https://docs.microsoft.com/azure/active-directory/develop/quickstart-create-new-tenant)
-* A user account in Azure AD with [permission](https://docs.microsoft.com/azure/active-directory/users-groups-roles/directory-assign-admin-roles) to configure provisioning (for example, Application Administrator, Cloud Application administrator, Application Owner, or Global Administrator).
+* [An Azure AD tenant](../develop/quickstart-create-new-tenant.md)
+* A user account in Azure AD with [permission](../roles/permissions-reference.md) to configure provisioning (for example, Application Administrator, Cloud Application administrator, Application Owner, or Global Administrator).
* A user account in GroupTalk with Admin permissions. ## Step 1. Plan your provisioning deployment
-1. Learn about [how the provisioning service works](https://docs.microsoft.com/azure/active-directory/manage-apps/user-provisioning).
-2. Determine who will be in [scope for provisioning](https://docs.microsoft.com/azure/active-directory/manage-apps/define-conditional-rules-for-provisioning-user-accounts).
-3. Determine what data to [map between Azure AD and GroupTalk](https://docs.microsoft.com/azure/active-directory/manage-apps/customize-application-attributes).
+1. Learn about [how the provisioning service works](../app-provisioning/user-provisioning.md).
+2. Determine who will be in [scope for provisioning](../app-provisioning/define-conditional-rules-for-provisioning-user-accounts.md).
+3. Determine what data to [map between Azure AD and GroupTalk](../app-provisioning/customize-application-attributes.md).
## Step 2. Configure GroupTalk to support provisioning with Azure AD
@@ -62,15 +62,15 @@ Add **GroupTalk** from the Azure AD application gallery to start managing provis
3. Login with your AD Administrative account, and accept the GroupTalk application's access rights. You will get an error message after this is done indicating the user isn't present. This is expected since your user isn't provisioned to GroupTalk yet but you have now added GroupTalk to your tenant. 4. Go back to the Azure portal and verify that **GroupTalk** is now added to your Enterprise Applications.
-Learn more about adding an application from the gallery [here](https://docs.microsoft.com/azure/active-directory/manage-apps/add-gallery-app).
+Learn more about adding an application from the gallery [here](../manage-apps/add-application-portal.md).
## Step 4. Define who will be in scope for provisioning
-The Azure AD provisioning service allows you to scope who will be provisioned based on assignment to the application and or based on attributes of the user / group. If you choose to scope who will be provisioned to your app based on assignment, you can use the following [steps](../manage-apps/assign-user-or-group-access-portal.md) to assign users and groups to the application. If you choose to scope who will be provisioned based solely on attributes of the user or group, you can use a scoping filter as described [here](https://docs.microsoft.com/azure/active-directory/manage-apps/define-conditional-rules-for-provisioning-user-accounts).
+The Azure AD provisioning service allows you to scope who will be provisioned based on assignment to the application and or based on attributes of the user / group. If you choose to scope who will be provisioned to your app based on assignment, you can use the following [steps](../manage-apps/assign-user-or-group-access-portal.md) to assign users and groups to the application. If you choose to scope who will be provisioned based solely on attributes of the user or group, you can use a scoping filter as described [here](../app-provisioning/define-conditional-rules-for-provisioning-user-accounts.md).
-* When assigning users and groups to GroupTalk, you must select a role other than **Default Access**. Users with the Default Access role are excluded from provisioning and will be marked as not effectively entitled in the provisioning logs. If the only role available on the application is the default access role, you can [update the application manifest](https://docs.microsoft.com/azure/active-directory/develop/howto-add-app-roles-in-azure-ad-apps) to add additional roles.
+* When assigning users and groups to GroupTalk, you must select a role other than **Default Access**. Users with the Default Access role are excluded from provisioning and will be marked as not effectively entitled in the provisioning logs. If the only role available on the application is the default access role, you can [update the application manifest](../develop/howto-add-app-roles-in-azure-ad-apps.md) to add additional roles.
-* Start small. Test with a small set of users and groups before rolling out to everyone. When scope for provisioning is set to assigned users and groups, you can control this by assigning one or two users or groups to the app. When scope is set to all users and groups, you can specify an [attribute based scoping filter](https://docs.microsoft.com/azure/active-directory/manage-apps/define-conditional-rules-for-provisioning-user-accounts).
+* Start small. Test with a small set of users and groups before rolling out to everyone. When scope for provisioning is set to assigned users and groups, you can control this by assigning one or two users or groups to the app. When scope is set to all users and groups, you can specify an [attribute based scoping filter](../app-provisioning/define-conditional-rules-for-provisioning-user-accounts.md).
## Step 5. Configure automatic user provisioning to GroupTalk
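Review bot: The unchanged step 3 at the top of this hunk tells the administrator to accept the GroupTalk application's access rights without saying which permissions are being consented to, and then asks the reader to disregard an error message. List the permissions the consent prompt requests and quote the expected error text, so an administrator can tell the expected failure from a real one before granting tenant-wide consent; "Login with" should also be "Sign in with".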
@@ -107,7 +107,7 @@ This section guides you through the steps to configure the Azure AD provisioning
8. Under the **Mappings** section, select **Synchronize Azure Active Directory Users to GroupTalk**.
-9. Review the user attributes that are synchronized from Azure AD to GroupTalk in the **Attribute-Mapping** section. The attributes selected as **Matching** properties are used to match the user accounts in GroupTalk for update operations. If you choose to change the [matching target attribute](https://docs.microsoft.com/azure/active-directory/manage-apps/customize-application-attributes), you will need to ensure that the GroupTalk API supports filtering users based on that attribute. Select the **Save** button to commit any changes.
+9. Review the user attributes that are synchronized from Azure AD to GroupTalk in the **Attribute-Mapping** section. The attributes selected as **Matching** properties are used to match the user accounts in GroupTalk for update operations. If you choose to change the [matching target attribute](../app-provisioning/customize-application-attributes.md), you will need to ensure that the GroupTalk API supports filtering users based on that attribute. Select the **Save** button to commit any changes.
|Attribute|Type|Supported for filtering| |---|---|---|
@@ -138,7 +138,7 @@ This section guides you through the steps to configure the Azure AD provisioning
|externalId|String| |urn:ietf:params:scim:schemas:extension:grouptalk:2.0:Group:description|String|
-12. To configure scoping filters, refer to the following instructions provided in the [Scoping filter tutorial](../manage-apps/define-conditional-rules-for-provisioning-user-accounts.md).
+12. To configure scoping filters, refer to the following instructions provided in the [Scoping filter tutorial](../app-provisioning/define-conditional-rules-for-provisioning-user-accounts.md).
13. To enable the Azure AD provisioning service for GroupTalk, change the **Provisioning Status** to **On** in the **Settings** section.
@@ -157,16 +157,16 @@ This operation starts the initial synchronization cycle of all users and groups
## Step 6. Monitor your deployment Once you've configured provisioning, use the following resources to monitor your deployment:
-1. Use the [provisioning logs](https://docs.microsoft.com/azure/active-directory/reports-monitoring/concept-provisioning-logs) to determine which users have been provisioned successfully or unsuccessfully
-2. Check the [progress bar](https://docs.microsoft.com/azure/active-directory/app-provisioning/application-provisioning-when-will-provisioning-finish-specific-user) to see the status of the provisioning cycle and how close it is to completion
-3. If the provisioning configuration seems to be in an unhealthy state, the application will go into quarantine. Learn more about quarantine states [here](https://docs.microsoft.com/azure/active-directory/manage-apps/application-provisioning-quarantine-status).
+1. Use the [provisioning logs](../reports-monitoring/concept-provisioning-logs.md) to determine which users have been provisioned successfully or unsuccessfully
+2. Check the [progress bar](../app-provisioning/application-provisioning-when-will-provisioning-finish-specific-user.md) to see the status of the provisioning cycle and how close it is to completion
+3. If the provisioning configuration seems to be in an unhealthy state, the application will go into quarantine. Learn more about quarantine states [here](../app-provisioning/application-provisioning-quarantine-status.md).
4. You can contact GroupTalk Support for additional provisioning logs set up as custom reports inside GroupTalk Admin. These may give additional hints why users and groups fail to provision properly. ## Additional resources
-* [Managing user account provisioning for Enterprise Apps](../manage-apps/configure-automatic-user-provisioning-portal.md)
+* [Managing user account provisioning for Enterprise Apps](../app-provisioning/configure-automatic-user-provisioning-portal.md)
* [What is application access and single sign-on with Azure Active Directory?](../manage-apps/what-is-single-sign-on.md) ## Next steps
-* [Learn how to review logs and get reports on provisioning activity](../manage-apps/check-status-user-account-provisioning.md)
+* [Learn how to review logs and get reports on provisioning activity](../app-provisioning/check-status-user-account-provisioning.md)
\ No newline at end of file
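Review bot: In the Step 6 list, the rewritten item 3 still uses "[here]" as its link text (`Learn more about quarantine states [here](../app-provisioning/application-provisioning-quarantine-status.md)`), which gives no hint of the destination when read out of context. Since this line is being touched anyway, link the phrase "quarantine states" instead. Items 1 and 2 also end without a period while items 3 and 4 end with one, so pick one style for the list.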
active-directory https://docs.microsoft.com/en-us/azure/active-directory/saas-apps/gtmhub-provisioning-tutorial https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/active-directory/saas-apps/gtmhub-provisioning-tutorial.md
@@ -20,7 +20,7 @@ ms.author: Zhchia
# Tutorial: Configure Gtmhub for automatic user provisioning
-This tutorial describes the steps you need to perform in both Gtmhub and Azure Active Directory (Azure AD) to configure automatic user provisioning. When configured, Azure AD automatically provisions and de-provisions users and groups to [Gtmhub](https://www.gtmhub.com/) using the Azure AD Provisioning service. For important details on what this service does, how it works, and frequently asked questions, see [Automate user provisioning and deprovisioning to SaaS applications with Azure Active Directory](../manage-apps/user-provisioning.md).
+This tutorial describes the steps you need to perform in both Gtmhub and Azure Active Directory (Azure AD) to configure automatic user provisioning. When configured, Azure AD automatically provisions and de-provisions users and groups to [Gtmhub](https://www.gtmhub.com/) using the Azure AD Provisioning service. For important details on what this service does, how it works, and frequently asked questions, see [Automate user provisioning and deprovisioning to SaaS applications with Azure Active Directory](../app-provisioning/user-provisioning.md).
>[!NOTE] >Currently, when automatic user provisioning is configured, Azure AD only automatically de-provisions users and groups to Gtmhub as well as map users to their respective teams using the Azure AD Provisioning service.But in 2021 once SSO is enabled with Gtmhub,users will be automatically provisioned when they log in through SSO and will be assigned to their respective team.
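Review bot: The rewritten intro sentence still says Azure AD "automatically provisions and de-provisions users and groups" to Gtmhub, while the NOTE directly under it says that Azure AD currently only de-provisions users and groups and maps users to teams. One of the two statements needs to change so a reader knows what the integration actually does today. The NOTE is also missing spaces in "service.But" and "Gtmhub,users", which is worth fixing in the same pass.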
@@ -36,14 +36,14 @@ This tutorial describes the steps you need to perform in both Gtmhub and Azure A
The scenario outlined in this tutorial assumes that you already have the following prerequisites:
-* [An Azure AD tenant](https://docs.microsoft.com/azure/active-directory/develop/quickstart-create-new-tenant).
-* A user account in Azure AD with [permission](https://docs.microsoft.com/azure/active-directory/users-groups-roles/directory-assign-admin-roles) to configure provisioning (for example, Application Administrator, Cloud Application administrator, Application Owner, or Global Administrator).
+* [An Azure AD tenant](../develop/quickstart-create-new-tenant.md).
+* A user account in Azure AD with [permission](../roles/permissions-reference.md) to configure provisioning (for example, Application Administrator, Cloud Application administrator, Application Owner, or Global Administrator).
* An Enterprise Gtmhub account. ## Step 1. Plan your provisioning deployment
-1. Learn about [how the provisioning service works](https://docs.microsoft.com/azure/active-directory/manage-apps/user-provisioning).
-2. Determine who will be in [scope for provisioning](https://docs.microsoft.com/azure/active-directory/manage-apps/define-conditional-rules-for-provisioning-user-accounts).
-3. Determine what data to [map between Azure AD and Gtmhub](https://docs.microsoft.com/azure/active-directory/manage-apps/customize-application-attributes).
+1. Learn about [how the provisioning service works](../app-provisioning/user-provisioning.md).
+2. Determine who will be in [scope for provisioning](../app-provisioning/define-conditional-rules-for-provisioning-user-accounts.md).
+3. Determine what data to [map between Azure AD and Gtmhub](../app-provisioning/customize-application-attributes.md).
## Step 2. Configure Gtmhub to support team mapping and user de-provisioning with Azure AD
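Review bot: The "permission" link in the prerequisites is not a like-for-like path conversion: it moves from `users-groups-roles/directory-assign-admin-roles` to `../roles/permissions-reference.md`, which is a differently named article. Please confirm the new target still covers the roles listed in the sentence. The role name "Cloud Application administrator" on the same line is cased differently from the other roles in the list.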
@@ -76,15 +76,15 @@ In order to connect your provisioning application to your Gtmhub account you wil
## Step 3. Add Gtmhub from the Azure AD application gallery
-Add Gtmhub from the Azure AD application gallery to start managing provisioning to Gtmhub. If you have previously setup Gtmhub for SSO you can use the same application. However it is recommended that you create a separate app when testing out the integration initially. Learn more about adding an application from the gallery [here](https://docs.microsoft.com/azure/active-directory/manage-apps/add-gallery-app).
+Add Gtmhub from the Azure AD application gallery to start managing provisioning to Gtmhub. If you have previously setup Gtmhub for SSO you can use the same application. However it is recommended that you create a separate app when testing out the integration initially. Learn more about adding an application from the gallery [here](../manage-apps/add-application-portal.md).
## Step 4. Define who will be in scope for provisioning
-The Azure AD provisioning service allows you to scope who will be provisioned based on assignment to the application and or based on attributes of the user / group. If you choose to scope who will be provisioned to your app based on assignment, you can use the following [steps](../manage-apps/assign-user-or-group-access-portal.md) to assign users and groups to the application. If you choose to scope who will be provisioned based solely on attributes of the user or group, you can use a scoping filter as described [here](https://docs.microsoft.com/azure/active-directory/manage-apps/define-conditional-rules-for-provisioning-user-accounts).
+The Azure AD provisioning service allows you to scope who will be provisioned based on assignment to the application and or based on attributes of the user / group. If you choose to scope who will be provisioned to your app based on assignment, you can use the following [steps](../manage-apps/assign-user-or-group-access-portal.md) to assign users and groups to the application. If you choose to scope who will be provisioned based solely on attributes of the user or group, you can use a scoping filter as described [here](../app-provisioning/define-conditional-rules-for-provisioning-user-accounts.md).
-* When assigning users and groups to Gtmhub, you must select a role other than **Default Access**. Users with the Default Access role are excluded from provisioning and will be marked as not effectively entitled in the provisioning logs. If the only role available on the application is the default access role, you can [update the application manifest](https://docs.microsoft.com/azure/active-directory/develop/howto-add-app-roles-in-azure-ad-apps) to add additional roles.
+* When assigning users and groups to Gtmhub, you must select a role other than **Default Access**. Users with the Default Access role are excluded from provisioning and will be marked as not effectively entitled in the provisioning logs. If the only role available on the application is the default access role, you can [update the application manifest](../develop/howto-add-app-roles-in-azure-ad-apps.md) to add additional roles.
-* Start small. Test with a small set of users and groups before rolling out to everyone. When scope for provisioning is set to assigned users and groups, you can control this by assigning one or two users or groups to the app. When scope is set to all users and groups, you can specify an [attribute based scoping filter](https://docs.microsoft.com/azure/active-directory/manage-apps/define-conditional-rules-for-provisioning-user-accounts).
+* Start small. Test with a small set of users and groups before rolling out to everyone. When scope for provisioning is set to assigned users and groups, you can control this by assigning one or two users or groups to the app. When scope is set to all users and groups, you can specify an [attribute based scoping filter](../app-provisioning/define-conditional-rules-for-provisioning-user-accounts.md).
## Step 5. Configure automatic user provisioning to Gtmhub
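Review bot: In Step 4, the rewritten paragraph keeps the phrase "based on assignment to the application and or based on attributes of the user / group", which reads as a typo; "and/or" or simply "or" would be clearer. In Step 3, "If you have previously setup Gtmhub for SSO" should use the verb form "set up". The gallery link also changes article name from `add-gallery-app` to `add-application-portal.md`, so check that the new page still describes adding a gallery app.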
@@ -121,7 +121,7 @@ This section guides you through the steps to configure the Azure AD provisioning
8. Under the **Mappings** section, select **Synchronize Azure Active Directory Users to Gtmhub**.
-9. Review the user attributes that are synchronized from Azure AD to Gtmhub in the **Attribute-Mapping** section. The attributes selected as **Matching** properties are used to match the user accounts in Gtmhub for update operations. If you choose to change the [matching target attribute](https://docs.microsoft.com/azure/active-directory/manage-apps/customize-application-attributes), you will need to ensure that the Gtmhub API supports filtering users based on that attribute. Select the **Save** button to commit any changes.
+9. Review the user attributes that are synchronized from Azure AD to Gtmhub in the **Attribute-Mapping** section. The attributes selected as **Matching** properties are used to match the user accounts in Gtmhub for update operations. If you choose to change the [matching target attribute](../app-provisioning/customize-application-attributes.md), you will need to ensure that the Gtmhub API supports filtering users based on that attribute. Select the **Save** button to commit any changes.
|Attribute|Type|Supported for filtering| |---|---|---|
@@ -129,7 +129,7 @@ This section guides you through the steps to configure the Azure AD provisioning
|externalId|String|&check;| |urn:ietf:params:scim:schemas:extension:enterprise:2.0:User:manager|Reference|
-10. To configure scoping filters, refer to the following instructions provided in the [Scoping filter tutorial](../manage-apps/define-conditional-rules-for-provisioning-user-accounts.md).
+10. To configure scoping filters, refer to the following instructions provided in the [Scoping filter tutorial](../app-provisioning/define-conditional-rules-for-provisioning-user-accounts.md).
13. To enable the Azure AD provisioning service for Gtmhub, change the **Provisioning Status** to **On** in the **Settings** section.
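Review bot: The step numbering in this hunk jumps from "10." (scoping filters) straight to "13." (enable the provisioning service). Rendered Markdown will renumber the list, but the source is misleading for anyone editing or referencing steps by number, so renumber the remaining steps sequentially while this section is open.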
@@ -148,15 +148,15 @@ This operation starts the initial synchronization cycle of all users and groups
## Step 6. Monitor your deployment Once you've configured provisioning, use the following resources to monitor your deployment:
-* Use the [provisioning logs](https://docs.microsoft.com/azure/active-directory/reports-monitoring/concept-provisioning-logs) to determine which users have been provisioned successfully or unsuccessfully
-* Check the [progress bar](https://docs.microsoft.com/azure/active-directory/app-provisioning/application-provisioning-when-will-provisioning-finish-specific-user) to see the status of the provisioning cycle and how close it is to completion
-* If the provisioning configuration seems to be in an unhealthy state, the application will go into quarantine. Learn more about quarantine states [here](https://docs.microsoft.com/azure/active-directory/manage-apps/application-provisioning-quarantine-status).
+* Use the [provisioning logs](../reports-monitoring/concept-provisioning-logs.md) to determine which users have been provisioned successfully or unsuccessfully
+* Check the [progress bar](../app-provisioning/application-provisioning-when-will-provisioning-finish-specific-user.md) to see the status of the provisioning cycle and how close it is to completion
+* If the provisioning configuration seems to be in an unhealthy state, the application will go into quarantine. Learn more about quarantine states [here](../app-provisioning/application-provisioning-quarantine-status.md).
## Additional resources
-* [Managing user account provisioning for Enterprise Apps](../manage-apps/configure-automatic-user-provisioning-portal.md)
+* [Managing user account provisioning for Enterprise Apps](../app-provisioning/configure-automatic-user-provisioning-portal.md)
* [What is application access and single sign-on with Azure Active Directory?](../manage-apps/what-is-single-sign-on.md) ## Next steps
-* [Learn how to review logs and get reports on provisioning activity](../manage-apps/check-status-user-account-provisioning.md)
+* [Learn how to review logs and get reports on provisioning activity](../app-provisioning/check-status-user-account-provisioning.md)
\ No newline at end of file
active-directory https://docs.microsoft.com/en-us/azure/active-directory/saas-apps/header-citrix-netscaler-tutorial https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/active-directory/saas-apps/header-citrix-netscaler-tutorial.md
@@ -429,7 +429,7 @@ In this section, you test your Azure AD single sign-on configuration with follow
* Go to Citrix ADC Sign-on URL directly and initiate the login flow from there.
-* You can use Microsoft My Apps. When you click the Citrix ADC tile in the My Apps, this will redirect to Citrix ADC Sign-on URL. For more information about the My Apps, see [Introduction to the My Apps](https://docs.microsoft.com/azure/active-directory/active-directory-saas-access-panel-introduction).
+* You can use Microsoft My Apps. When you click the Citrix ADC tile in the My Apps, this will redirect to Citrix ADC Sign-on URL. For more information about the My Apps, see [Introduction to the My Apps](../user-help/my-apps-portal-end-user-access.md).
## Next steps
active-directory https://docs.microsoft.com/en-us/azure/active-directory/saas-apps/heybuddy-tutorial https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/active-directory/saas-apps/heybuddy-tutorial.md
@@ -95,7 +95,7 @@ Follow these steps to enable Azure AD SSO in the Azure portal.
| | | > [!NOTE]
- > Please refer to this [link](https://docs.microsoft.com/azure/active-directory/develop/howto-add-app-roles-in-azure-ad-apps#app-roles-ui) on how to configure and setup the roles for the application.
+ > Please refer to this [link](../develop/howto-add-app-roles-in-azure-ad-apps.md#app-roles-ui--preview) on how to configure and setup the roles for the application.
1. On the **Set up single sign-on with SAML** page, In the **SAML Signing Certificate** section, click copy button to copy **App Federation Metadata Url** and save it on your computer.
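Review bot: The new link fragment `#app-roles-ui--preview` in the NOTE is derived from a heading that carries a "preview" label, so it will break silently as soon as that heading is renamed. Verify the fragment resolves in the current target article, and consider linking to the article without a fragment if the section title is expected to change. In the context line below, "page, In the" has a stray capital.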
@@ -144,9 +144,9 @@ In this section, you test your Azure AD single sign-on configuration with follow
* Go to HeyBuddy Sign-on URL directly and initiate the login flow from there.
-* You can use Microsoft My Apps. When you click the HeyBuddy tile in the My Apps, this will redirect to HeyBuddy Sign-on URL. For more information about the My Apps, see [Introduction to the My Apps](https://docs.microsoft.com/azure/active-directory/active-directory-saas-access-panel-introduction).
+* You can use Microsoft My Apps. When you click the HeyBuddy tile in the My Apps, this will redirect to HeyBuddy Sign-on URL. For more information about the My Apps, see [Introduction to the My Apps](../user-help/my-apps-portal-end-user-access.md).
## Next steps
-Once you configure HeyBuddy you can enforce session control, which protects exfiltration and infiltration of your organizationΓÇÖs sensitive data in real time. Session control extends from Conditional Access. [Learn how to enforce session control with Microsoft Cloud App Security](https://docs.microsoft.com/cloud-app-security/proxy-deployment-any-app).
+Once you configure HeyBuddy you can enforce session control, which protects exfiltration and infiltration of your organizationΓÇÖs sensitive data in real time. Session control extends from Conditional Access. [Learn how to enforce session control with Microsoft Cloud App Security](/cloud-app-security/proxy-deployment-any-app).
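Review bot: The replaced Next steps sentence keeps the wording "session control, which protects exfiltration and infiltration of your organization's sensitive data", which literally says the feature protects the exfiltration. It should read "protects against exfiltration and infiltration". The same sentence is repeated in the other tutorials in this batch, so the fix belongs in each of them.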
active-directory https://docs.microsoft.com/en-us/azure/active-directory/saas-apps/hubspot-tutorial https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/active-directory/saas-apps/hubspot-tutorial.md
@@ -206,7 +206,7 @@ In this section, you test your Azure AD single sign-on configuration with follow
* Click on **Test this application** in Azure portal and you should be automatically signed in to the HubSpot for which you set up the SSO
-You can also use Microsoft My Apps to test the application in any mode. When you click the HubSpot tile in the My Apps, if configured in SP mode you would be redirected to the application sign on page for initiating the login flow and if configured in IDP mode, you should be automatically signed in to the HubSpot for which you set up the SSO. For more information about the My Apps, see [Introduction to the My Apps](https://docs.microsoft.com/azure/active-directory/active-directory-saas-access-panel-introduction).
+You can also use Microsoft My Apps to test the application in any mode. When you click the HubSpot tile in the My Apps, if configured in SP mode you would be redirected to the application sign on page for initiating the login flow and if configured in IDP mode, you should be automatically signed in to the HubSpot for which you set up the SSO. For more information about the My Apps, see [Introduction to the My Apps](../user-help/my-apps-portal-end-user-access.md).
## Next steps
active-directory https://docs.microsoft.com/en-us/azure/active-directory/saas-apps/illusive-networks-tutorial https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/active-directory/saas-apps/illusive-networks-tutorial.md
@@ -140,11 +140,9 @@ In this section, you test your Azure AD single sign-on configuration with follow
* Click on **Test this application** in Azure portal and you should be automatically signed in to the Illusive Networks for which you set up the SSO
-You can also use Microsoft My Apps to test the application in any mode. When you click the Illusive Networks tile in the My Apps, if configured in SP mode you would be redirected to the application sign on page for initiating the login flow and if configured in IDP mode, you should be automatically signed in to the Illusive Networks for which you set up the SSO. For more information about the My Apps, see [Introduction to the My Apps](https://docs.microsoft.com/azure/active-directory/active-directory-saas-access-panel-introduction).
+You can also use Microsoft My Apps to test the application in any mode. When you click the Illusive Networks tile in the My Apps, if configured in SP mode you would be redirected to the application sign on page for initiating the login flow and if configured in IDP mode, you should be automatically signed in to the Illusive Networks for which you set up the SSO. For more information about the My Apps, see [Introduction to the My Apps](../user-help/my-apps-portal-end-user-access.md).
## Next steps
-Once you configure Illusive Networks you can enforce session control, which protects exfiltration and infiltration of your organizationΓÇÖs sensitive data in real time. Session control extends from Conditional Access. [Learn how to enforce session control with Microsoft Cloud App Security](https://docs.microsoft.com/cloud-app-security/proxy-deployment-any-app).
--
+Once you configure Illusive Networks you can enforce session control, which protects exfiltration and infiltration of your organizationΓÇÖs sensitive data in real time. Session control extends from Conditional Access. [Learn how to enforce session control with Microsoft Cloud App Security](/cloud-app-security/proxy-deployment-any-app).
\ No newline at end of file
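Review bot: The hunk shrinks from 11 to 9 lines by dropping the trailing lines after the Next steps paragraph, and the file now ends with "\ No newline at end of file". Keep a single terminating newline after the last line so later edits do not show the final paragraph as changed and so tools that expect newline-terminated files behave consistently.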
active-directory https://docs.microsoft.com/en-us/azure/active-directory/saas-apps/imperva-data-security-tutorial https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/active-directory/saas-apps/imperva-data-security-tutorial.md
@@ -132,11 +132,9 @@ In this section, you test your Azure AD single sign-on configuration with follow
* Click on Test this application in Azure portal and you should be automatically signed in to the Imperva Data Security for which you set up the SSO
-* You can use Microsoft My Apps. When you click the Imperva Data Security tile in the My Apps, you should be automatically signed in to the Imperva Data Security for which you set up the SSO. For more information about the My Apps, see [Introduction to the My Apps](https://docs.microsoft.com/azure/active-directory/active-directory-saas-access-panel-introduction).
+* You can use Microsoft My Apps. When you click the Imperva Data Security tile in the My Apps, you should be automatically signed in to the Imperva Data Security for which you set up the SSO. For more information about the My Apps, see [Introduction to the My Apps](../user-help/my-apps-portal-end-user-access.md).
## Next steps
-Once you configure Imperva Data Security you can enforce session control, which protects exfiltration and infiltration of your organizationΓÇÖs sensitive data in real time. Session control extends from Conditional Access. [Learn how to enforce session control with Microsoft Cloud App Security](https://docs.microsoft.com/cloud-app-security/proxy-deployment-any-app).
--
+Once you configure Imperva Data Security you can enforce session control, which protects exfiltration and infiltration of your organizationΓÇÖs sensitive data in real time. Session control extends from Conditional Access. [Learn how to enforce session control with Microsoft Cloud App Security](/cloud-app-security/proxy-deployment-any-app).
\ No newline at end of file
active-directory https://docs.microsoft.com/en-us/azure/active-directory/saas-apps/informacast-tutorial https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/active-directory/saas-apps/informacast-tutorial.md
@@ -129,11 +129,9 @@ In this section, you test your Azure AD single sign-on configuration with follow
* Click on **Test this application** in Azure portal and you should be automatically signed in to the InformaCast for which you set up the SSO
-You can also use Microsoft My Apps to test the application in any mode. When you click the InformaCast tile in the My Apps, if configured in SP mode you would be redirected to the application sign on page for initiating the login flow and if configured in IDP mode, you should be automatically signed in to the InformaCast for which you set up the SSO. For more information about the My Apps, see [Introduction to the My Apps](https://docs.microsoft.com/azure/active-directory/active-directory-saas-access-panel-introduction).
+You can also use Microsoft My Apps to test the application in any mode. When you click the InformaCast tile in the My Apps, if configured in SP mode you would be redirected to the application sign on page for initiating the login flow and if configured in IDP mode, you should be automatically signed in to the InformaCast for which you set up the SSO. For more information about the My Apps, see [Introduction to the My Apps](../user-help/my-apps-portal-end-user-access.md).
## Next Steps
-Once you configure InformaCast you can enforce session control, which protects exfiltration and infiltration of your organizationΓÇÖs sensitive data in real time. Session control extends from Conditional Access. [Learn how to enforce session control with Microsoft Cloud App Security](https://docs.microsoft.com/cloud-app-security/proxy-deployment-any-app).
--
+Once you configure InformaCast you can enforce session control, which protects exfiltration and infiltration of your organizationΓÇÖs sensitive data in real time. Session control extends from Conditional Access. [Learn how to enforce session control with Microsoft Cloud App Security](/cloud-app-security/proxy-deployment-any-app).
\ No newline at end of file
active-directory https://docs.microsoft.com/en-us/azure/active-directory/saas-apps/intacct-tutorial https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/active-directory/saas-apps/intacct-tutorial.md
@@ -202,7 +202,7 @@ In this section, you test your Azure AD single sign-on configuration with follow
* Click on Test this application in Azure portal and you should be automatically signed in to the Sage Intacct for which you set up the SSO
-* You can use Microsoft My Apps. When you click the Sage Intacct tile in the My Apps, you should be automatically signed in to the Sage Intacct for which you set up the SSO. For more information about the My Apps, see [Introduction to the My Apps](https://docs.microsoft.com/azure/active-directory/active-directory-saas-access-panel-introduction).
+* You can use Microsoft My Apps. When you click the Sage Intacct tile in the My Apps, you should be automatically signed in to the Sage Intacct for which you set up the SSO. For more information about the My Apps, see [Introduction to the My Apps](../user-help/my-apps-portal-end-user-access.md).
## Next steps
active-directory https://docs.microsoft.com/en-us/azure/active-directory/saas-apps/international-sos-assistance-products-tutorial https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/active-directory/saas-apps/international-sos-assistance-products-tutorial.md
@@ -130,11 +130,9 @@ In this section, you test your Azure AD single sign-on configuration with follow
* Go to International SOS Assistance Products Sign-on URL directly and initiate the login flow from there.
-* You can use Microsoft My Apps. When you click the International SOS Assistance Products tile in the My Apps, this will redirect to International SOS Assistance Products Sign-on URL. For more information about the My Apps, see [Introduction to the My Apps](https://docs.microsoft.com/azure/active-directory/active-directory-saas-access-panel-introduction).
+* You can use Microsoft My Apps. When you click the International SOS Assistance Products tile in the My Apps, this will redirect to International SOS Assistance Products Sign-on URL. For more information about the My Apps, see [Introduction to the My Apps](../user-help/my-apps-portal-end-user-access.md).
## Next steps
-Once you configure International SOS Assistance Products you can enforce session control, which protects exfiltration and infiltration of your organizationΓÇÖs sensitive data in real time. Session control extends from Conditional Access. [Learn how to enforce session control with Microsoft Cloud App Security](https://docs.microsoft.com/cloud-app-security/proxy-deployment-any-app).
--
+Once you configure International SOS Assistance Products you can enforce session control, which protects exfiltration and infiltration of your organizationΓÇÖs sensitive data in real time. Session control extends from Conditional Access. [Learn how to enforce session control with Microsoft Cloud App Security](/cloud-app-security/proxy-deployment-any-app).
\ No newline at end of file
active-directory https://docs.microsoft.com/en-us/azure/active-directory/saas-apps/invision-tutorial https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/active-directory/saas-apps/invision-tutorial.md
@@ -196,7 +196,7 @@ In this section, you test your Azure AD single sign-on configuration with follow
* Click on **Test this application** in Azure portal and you should be automatically signed in to the InVision for which you set up the SSO
-You can also use Microsoft My Apps to test the application in any mode. When you click the InVision tile in the My Apps, if configured in SP mode you would be redirected to the application sign on page for initiating the login flow and if configured in IDP mode, you should be automatically signed in to the InVision for which you set up the SSO. For more information about the My Apps, see [Introduction to the My Apps](https://docs.microsoft.com/azure/active-directory/active-directory-saas-access-panel-introduction).
+You can also use Microsoft My Apps to test the application in any mode. When you click the InVision tile in the My Apps, if configured in SP mode you would be redirected to the application sign on page for initiating the login flow and if configured in IDP mode, you should be automatically signed in to the InVision for which you set up the SSO. For more information about the My Apps, see [Introduction to the My Apps](../user-help/my-apps-portal-end-user-access.md).
## Next steps
active-directory https://docs.microsoft.com/en-us/azure/active-directory/saas-apps/jamfprosamlconnector-tutorial https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/active-directory/saas-apps/jamfprosamlconnector-tutorial.md
@@ -220,7 +220,7 @@ In this section, you test your Azure AD single sign-on configuration with follow
* Click on **Test this application** in Azure portal and you should be automatically signed in to the Jamf Pro for which you set up the SSO
-You can also use Microsoft My Apps to test the application in any mode. When you click the Jamf Pro tile in the My Apps, if configured in SP mode you would be redirected to the application sign on page for initiating the login flow and if configured in IDP mode, you should be automatically signed in to the Jamf Pro for which you set up the SSO. For more information about the My Apps, see [Introduction to the My Apps](https://docs.microsoft.com/azure/active-directory/active-directory-saas-access-panel-introduction).
+You can also use Microsoft My Apps to test the application in any mode. When you click the Jamf Pro tile in the My Apps, if configured in SP mode you would be redirected to the application sign on page for initiating the login flow and if configured in IDP mode, you should be automatically signed in to the Jamf Pro for which you set up the SSO. For more information about the My Apps, see [Introduction to the My Apps](../user-help/my-apps-portal-end-user-access.md).
## Next steps
active-directory https://docs.microsoft.com/en-us/azure/active-directory/saas-apps/jira52microsoft-tutorial https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/active-directory/saas-apps/jira52microsoft-tutorial.md
@@ -226,7 +226,7 @@ In this section, you test your Azure AD single sign-on configuration with follow
* Go to JIRA SAML SSO by Microsoft (V5.2) Sign-on URL directly and initiate the login flow from there.
-* You can use Microsoft My Apps. When you click the JIRA SAML SSO by Microsoft (V5.2) tile in the My Apps, this will redirect to JIRA SAML SSO by Microsoft (V5.2) Sign-on URL. For more information about the My Apps, see [Introduction to the My Apps](https://docs.microsoft.com/azure/active-directory/active-directory-saas-access-panel-introduction).
+* You can use Microsoft My Apps. When you click the JIRA SAML SSO by Microsoft (V5.2) tile in the My Apps, this will redirect to JIRA SAML SSO by Microsoft (V5.2) Sign-on URL. For more information about the My Apps, see [Introduction to the My Apps](../user-help/my-apps-portal-end-user-access.md).
## Next steps
active-directory https://docs.microsoft.com/en-us/azure/active-directory/saas-apps/jiramicrosoft-tutorial https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/active-directory/saas-apps/jiramicrosoft-tutorial.md
@@ -252,9 +252,9 @@ In this section, you test your Azure AD single sign-on configuration with follow
* Go to JIRA SAML SSO by Microsoft Sign-on URL directly and initiate the login flow from there.
-* You can use Microsoft My Apps. When you click the JIRA SAML SSO by Microsoft tile in the My Apps, this will redirect to JIRA SAML SSO by Microsoft Sign-on URL. For more information about the My Apps, see [Introduction to the My Apps](https://docs.microsoft.com/azure/active-directory/active-directory-saas-access-panel-introduction).
+* You can use Microsoft My Apps. When you click the JIRA SAML SSO by Microsoft tile in the My Apps, this will redirect to JIRA SAML SSO by Microsoft Sign-on URL. For more information about the My Apps, see [Introduction to the My Apps](../user-help/my-apps-portal-end-user-access.md).
## Next steps
-Once you configure JIRA SAML SSO by Microsoft you can enforce Session control, which protects exfiltration and infiltration of your organizationΓÇÖs sensitive data in real time. Session control extends from Conditional Access. [Learn how to enforce session control with Microsoft Cloud App Security](/cloud-app-security/proxy-deployment-aad)
+Once you configure JIRA SAML SSO by Microsoft you can enforce Session control, which protects exfiltration and infiltration of your organizationΓÇÖs sensitive data in real time. Session control extends from Conditional Access. [Learn how to enforce session control with Microsoft Cloud App Security](/cloud-app-security/proxy-deployment-aad)
\ No newline at end of file
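Review bot: The replaced closing line under "Next steps" shows no visible text difference, so this is a whitespace-only edit that still leaves the file without a final newline. Since the line is being touched anyway, end the file with a newline and change "protects exfiltration and infiltration" to "protects against exfiltration and infiltration"; as written, the sentence says the opposite of what session control is for.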
active-directory https://docs.microsoft.com/en-us/azure/active-directory/saas-apps/jll-tririga-tutorial https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/active-directory/saas-apps/jll-tririga-tutorial.md
@@ -136,11 +136,9 @@ In this section, you test your Azure AD single sign-on configuration with follow
* Click on Test this application in Azure portal and you should be automatically signed in to the JLL TRIRIGA for which you set up the SSO
-* You can use Microsoft Access Panel. When you click the JLL TRIRIGA tile in the Access Panel, you should be automatically signed in to the JLL TRIRIGA for which you set up the SSO. For more information about the Access Panel, see [Introduction to the Access Panel](https://docs.microsoft.com/azure/active-directory/active-directory-saas-access-panel-introduction).
+* You can use Microsoft Access Panel. When you click the JLL TRIRIGA tile in the Access Panel, you should be automatically signed in to the JLL TRIRIGA for which you set up the SSO. For more information about the Access Panel, see [Introduction to the Access Panel](../user-help/my-apps-portal-end-user-access.md).
## Next steps
-Once you configure JLL TRIRIGA you can enforce session control, which protects exfiltration and infiltration of your organizationΓÇÖs sensitive data in real time. Session control extends from Conditional Access. [Learn how to enforce session control with Microsoft Cloud App Security](https://docs.microsoft.com/cloud-app-security/proxy-deployment-any-app).
--
+Once you configure JLL TRIRIGA you can enforce session control, which protects exfiltration and infiltration of your organizationΓÇÖs sensitive data in real time. Session control extends from Conditional Access. [Learn how to enforce session control with Microsoft Cloud App Security](/cloud-app-security/proxy-deployment-any-app).
\ No newline at end of file
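Review bot: The added bullet still says "Microsoft Access Panel" and labels the link "Introduction to the Access Panel", although the target is now ../user-help/my-apps-portal-end-user-access.md. Rename both to My Apps so the label matches the page the reader lands on.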
active-directory https://docs.microsoft.com/en-us/azure/active-directory/saas-apps/kfadvance-tutorial https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/active-directory/saas-apps/kfadvance-tutorial.md
@@ -139,11 +139,9 @@ In this section, you test your Azure AD single sign-on configuration with follow
* Click on **Test this application** in Azure portal and you should be automatically signed in to the KFAdvance for which you set up the SSO
-You can also use Microsoft My Apps to test the application in any mode. When you click the KFAdvance tile in the My Apps, if configured in SP mode you would be redirected to the application sign on page for initiating the login flow and if configured in IDP mode, you should be automatically signed in to the KFAdvance for which you set up the SSO. For more information about the My Apps, see [Introduction to the My Apps](https://docs.microsoft.com/azure/active-directory/active-directory-saas-access-panel-introduction).
+You can also use Microsoft My Apps to test the application in any mode. When you click the KFAdvance tile in the My Apps, if configured in SP mode you would be redirected to the application sign on page for initiating the login flow and if configured in IDP mode, you should be automatically signed in to the KFAdvance for which you set up the SSO. For more information about the My Apps, see [Introduction to the My Apps](../user-help/my-apps-portal-end-user-access.md).
## Next steps
-Once you configure KFAdvance you can enforce session control, which protects exfiltration and infiltration of your organizationΓÇÖs sensitive data in real time. Session control extends from Conditional Access. [Learn how to enforce session control with Microsoft Cloud App Security](https://docs.microsoft.com/cloud-app-security/proxy-deployment-any-app).
--
+Once you configure KFAdvance you can enforce session control, which protects exfiltration and infiltration of your organizationΓÇÖs sensitive data in real time. Session control extends from Conditional Access. [Learn how to enforce session control with Microsoft Cloud App Security](/cloud-app-security/proxy-deployment-any-app).
\ No newline at end of file
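Review bot: After the trailing blank line is removed, the new last line under "Next steps" ends with "\ No newline at end of file". Keep a single terminating newline so later appends to this file do not produce a diff on this sentence.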
active-directory https://docs.microsoft.com/en-us/azure/active-directory/saas-apps/kronos-tutorial https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/active-directory/saas-apps/kronos-tutorial.md
@@ -144,7 +144,7 @@ In this section, you test your Azure AD single sign-on configuration with follow
* Click on Test this application in Azure portal and you should be automatically signed in to the Kronos for which you set up the SSO
-* You can use Microsoft My Apps. When you click the Kronos tile in the My Apps, you should be automatically signed in to the Kronos for which you set up the SSO. For more information about the My Apps, see [Introduction to the My Apps](https://docs.microsoft.com/azure/active-directory/active-directory-saas-access-panel-introduction).
+* You can use Microsoft My Apps. When you click the Kronos tile in the My Apps, you should be automatically signed in to the Kronos for which you set up the SSO. For more information about the My Apps, see [Introduction to the My Apps](../user-help/my-apps-portal-end-user-access.md).
## Next steps
active-directory https://docs.microsoft.com/en-us/azure/active-directory/saas-apps/kumolus-tutorial https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/active-directory/saas-apps/kumolus-tutorial.md
@@ -98,7 +98,7 @@ Follow these steps to enable Azure AD SSO in the Azure portal.
| role | user.assignedroles | > [!NOTE]
- > Kumolus expects roles for users assigned to the application. Please set up these roles in Azure AD so that users can be assigned the appropriate roles. To understand how to configure roles in Azure AD, see [here](https://docs.microsoft.com/azure/active-directory/develop/howto-add-app-roles-in-azure-ad-apps#app-roles-ui).
+ > Kumolus expects roles for users assigned to the application. Please set up these roles in Azure AD so that users can be assigned the appropriate roles. To understand how to configure roles in Azure AD, see [here](../develop/howto-add-app-roles-in-azure-ad-apps.md#app-roles-ui--preview).
1. On the **Set up single sign-on with SAML** page, in the **SAML Signing Certificate** section, find **Federation Metadata XML** and select **Download** to download the certificate and save it on your computer.
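Review bot: The new link in the NOTE targets the fragment "#app-roles-ui--preview", which is tied to a heading that carries a preview label and will break silently when that heading is renamed. Link to ../develop/howto-add-app-roles-in-azure-ad-apps.md without the fragment, or confirm that the anchor is stable. The link text "here" should also name the target, since this note is the only pointer the reader gets for populating the role claim mapped to user.assignedroles.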
@@ -158,4 +158,4 @@ You can also use Microsoft Access Panel to test the application in any mode. Whe
## Next steps
-Once you configure Kumolus you can enforce session control, which protects exfiltration and infiltration of your organizationΓÇÖs sensitive data in real time. Session control extends from Conditional Access. [Learn how to enforce session control with Microsoft Cloud App Security](/cloud-app-security/proxy-deployment-any-app).
\ No newline at end of file
+Once you configure Kumolus you can enforce session control, which protects exfiltration and infiltration of your organizationΓÇÖs sensitive data in real time. Session control extends from Conditional Access. [Learn how to enforce session control with Microsoft Cloud App Security](/cloud-app-security/proxy-deployment-any-app).
active-directory https://docs.microsoft.com/en-us/azure/active-directory/saas-apps/lablog-tutorial https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/active-directory/saas-apps/lablog-tutorial.md
@@ -144,11 +144,9 @@ In this section, you test your Azure AD single sign-on configuration with follow
* Go to LabLog Sign-on URL directly and initiate the login flow from there.
-* You can use Microsoft My Apps. When you click the LabLog tile in the My Apps, this will redirect to LabLog Sign-on URL. For more information about the My Apps, see [Introduction to the My Apps](https://docs.microsoft.com/azure/active-directory/active-directory-saas-access-panel-introduction).
+* You can use Microsoft My Apps. When you click the LabLog tile in the My Apps, this will redirect to LabLog Sign-on URL. For more information about the My Apps, see [Introduction to the My Apps](../user-help/my-apps-portal-end-user-access.md).
## Next steps
-Once you configure LabLog you can enforce session control, which protects exfiltration and infiltration of your organizationΓÇÖs sensitive data in real time. Session control extends from Conditional Access. [Learn how to enforce session control with Microsoft Cloud App Security](https://docs.microsoft.com/cloud-app-security/proxy-deployment-any-app).
--
+Once you configure LabLog you can enforce session control, which protects exfiltration and infiltration of your organizationΓÇÖs sensitive data in real time. Session control extends from Conditional Access. [Learn how to enforce session control with Microsoft Cloud App Security](/cloud-app-security/proxy-deployment-any-app).
\ No newline at end of file
active-directory https://docs.microsoft.com/en-us/azure/active-directory/saas-apps/linkedin-talent-solutions-tutorial https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/active-directory/saas-apps/linkedin-talent-solutions-tutorial.md
@@ -171,8 +171,8 @@ In this section, you test your Azure AD single sign-on configuration with follow
* Click on **Test this application** in Azure portal and you should be automatically signed in to the LinkedIn Talent Solutions for which you set up the SSO
-You can also use Microsoft My Apps to test the application in any mode. When you click the LinkedIn Talent Solutions tile in the My Apps, if configured in SP mode you would be redirected to the application sign on page for initiating the login flow and if configured in IDP mode, you should be automatically signed in to the LinkedIn Talent Solutions for which you set up the SSO. For more information about the My Apps, see [Introduction to the My Apps](https://docs.microsoft.com/azure/active-directory/active-directory-saas-access-panel-introduction).
+You can also use Microsoft My Apps to test the application in any mode. When you click the LinkedIn Talent Solutions tile in the My Apps, if configured in SP mode you would be redirected to the application sign on page for initiating the login flow and if configured in IDP mode, you should be automatically signed in to the LinkedIn Talent Solutions for which you set up the SSO. For more information about the My Apps, see [Introduction to the My Apps](../user-help/my-apps-portal-end-user-access.md).
## Next steps
-Once you configure LinkedIn Talent Solutions you can enforce session control, which protects exfiltration and infiltration of your organizationΓÇÖs sensitive data in real time. Session control extends from Conditional Access. [Learn how to enforce session control with Microsoft Cloud App Security](https://docs.microsoft.com/cloud-app-security/proxy-deployment-any-app).
+Once you configure LinkedIn Talent Solutions you can enforce session control, which protects exfiltration and infiltration of your organizationΓÇÖs sensitive data in real time. Session control extends from Conditional Access. [Learn how to enforce session control with Microsoft Cloud App Security](/cloud-app-security/proxy-deployment-any-app).
\ No newline at end of file
active-directory https://docs.microsoft.com/en-us/azure/active-directory/saas-apps/linkedinlearning-tutorial https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/active-directory/saas-apps/linkedinlearning-tutorial.md
@@ -162,9 +162,9 @@ In this section, you test your Azure AD single sign-on configuration with follow
* Click on **Test this application** in Azure portal and you should be automatically signed in to the LinkedIn Learning for which you set up the SSO
-You can also use Microsoft My Apps to test the application in any mode. When you click the LinkedIn Learning tile in the My Apps, if configured in SP mode you would be redirected to the application sign on page for initiating the login flow and if configured in IDP mode, you should be automatically signed in to the LinkedIn Learning for which you set up the SSO. For more information about the My Apps, see [Introduction to the My Apps](https://docs.microsoft.com/azure/active-directory/active-directory-saas-access-panel-introduction).
+You can also use Microsoft My Apps to test the application in any mode. When you click the LinkedIn Learning tile in the My Apps, if configured in SP mode you would be redirected to the application sign on page for initiating the login flow and if configured in IDP mode, you should be automatically signed in to the LinkedIn Learning for which you set up the SSO. For more information about the My Apps, see [Introduction to the My Apps](../user-help/my-apps-portal-end-user-access.md).
## Next steps
-Once you configure LinkedIn Learning you can enforce Session control, which protects exfiltration and infiltration of your organizationΓÇÖs sensitive data in real time. Session control extends from Conditional Access. [Learn how to enforce session control with Microsoft Cloud App Security](/cloud-app-security/proxy-deployment-aad).
+Once you configure LinkedIn Learning you can enforce Session control, which protects exfiltration and infiltration of your organizationΓÇÖs sensitive data in real time. Session control extends from Conditional Access. [Learn how to enforce session control with Microsoft Cloud App Security](/cloud-app-security/proxy-deployment-aad).
\ No newline at end of file
active-directory https://docs.microsoft.com/en-us/azure/active-directory/saas-apps/litmus-tutorial https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/active-directory/saas-apps/litmus-tutorial.md
@@ -186,7 +186,7 @@ In this section, you test your Azure AD single sign-on configuration with follow
* Click on **Test this application** in Azure portal and you should be automatically signed in to the Litmus for which you set up the SSO
-You can also use Microsoft My Apps to test the application in any mode. When you click the Litmus tile in the My Apps, if configured in SP mode you would be redirected to the application sign on page for initiating the login flow and if configured in IDP mode, you should be automatically signed in to the Litmus for which you set up the SSO. For more information about the My Apps, see [Introduction to the My Apps](https://docs.microsoft.com/azure/active-directory/active-directory-saas-access-panel-introduction).
+You can also use Microsoft My Apps to test the application in any mode. When you click the Litmus tile in the My Apps, if configured in SP mode you would be redirected to the application sign on page for initiating the login flow and if configured in IDP mode, you should be automatically signed in to the Litmus for which you set up the SSO. For more information about the My Apps, see [Introduction to the My Apps](../user-help/my-apps-portal-end-user-access.md).
## Next steps
active-directory https://docs.microsoft.com/en-us/azure/active-directory/saas-apps/mapbox-tutorial https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/active-directory/saas-apps/mapbox-tutorial.md
@@ -86,7 +86,7 @@ Follow these steps to enable Azure AD SSO in the Azure portal.
| | | > [!NOTE]
- > To understand how to configure roles in Azure AD, see [here](https://docs.microsoft.com/azure/active-directory/develop/howto-add-app-roles-in-azure-ad-apps#app-roles-ui).
+ > To understand how to configure roles in Azure AD, see [here](../develop/howto-add-app-roles-in-azure-ad-apps.md#app-roles-ui--preview).
1. On the **Set up single sign-on with SAML** page, in the **SAML Signing Certificate** section, find **Certificate (Raw)** and select **Download** to download the certificate and save it on your computer.
@@ -158,9 +158,9 @@ In this section, you test your Azure AD single sign-on configuration with follow
* Click on Test this application in Azure portal and you should be automatically signed in to the Mapbox for which you set up the SSO
-* You can use Microsoft My Apps. When you click the Mapbox tile in the My Apps, you should be automatically signed in to the Mapbox for which you set up the SSO. For more information about the My Apps, see [Introduction to the My Apps](https://docs.microsoft.com/azure/active-directory/active-directory-saas-access-panel-introduction).
+* You can use Microsoft My Apps. When you click the Mapbox tile in the My Apps, you should be automatically signed in to the Mapbox for which you set up the SSO. For more information about the My Apps, see [Introduction to the My Apps](../user-help/my-apps-portal-end-user-access.md).
## Next steps
-Once you configure Mapbox you can enforce session control, which protects exfiltration and infiltration of your organizationΓÇÖs sensitive data in real time. Session control extends from Conditional Access. [Learn how to enforce session control with Microsoft Cloud App Security](/cloud-app-security/proxy-deployment-any-app).
\ No newline at end of file
+Once you configure Mapbox you can enforce session control, which protects exfiltration and infiltration of your organizationΓÇÖs sensitive data in real time. Session control extends from Conditional Access. [Learn how to enforce session control with Microsoft Cloud App Security](/cloud-app-security/proxy-deployment-any-app).
active-directory https://docs.microsoft.com/en-us/azure/active-directory/saas-apps/marketo-tutorial https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/active-directory/saas-apps/marketo-tutorial.md
@@ -249,7 +249,7 @@ In this section, you test your Azure AD single sign-on configuration with follow
* Click on Test this application in Azure portal and you should be automatically signed in to the Marketo for which you set up the SSO
-* You can use Microsoft My Apps. When you click the Marketo tile in the My Apps, you should be automatically signed in to the Marketo for which you set up the SSO. For more information about the My Apps, see [Introduction to the My Apps](https://docs.microsoft.com/azure/active-directory/active-directory-saas-access-panel-introduction).
+* You can use Microsoft My Apps. When you click the Marketo tile in the My Apps, you should be automatically signed in to the Marketo for which you set up the SSO. For more information about the My Apps, see [Introduction to the My Apps](../user-help/my-apps-portal-end-user-access.md).
## Next steps
active-directory https://docs.microsoft.com/en-us/azure/active-directory/saas-apps/meraki-dashboard-tutorial https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/active-directory/saas-apps/meraki-dashboard-tutorial.md
@@ -93,7 +93,7 @@ Follow these steps to enable Azure AD SSO in the Azure portal.
| `https://dashboard.meraki.com/saml/attributes/role` | user.assignedroles | > [!NOTE]
- > To understand how to configure roles in Azure AD, see [here](https://docs.microsoft.com/azure/active-directory/develop/howto-add-app-roles-in-azure-ad-apps#app-roles-ui).
+ > To understand how to configure roles in Azure AD, see [here](../develop/howto-add-app-roles-in-azure-ad-apps.md#app-roles-ui--preview).
1. In the **SAML Signing Certificate** section, click **Edit** button to open **SAML Signing Certificate** dialog.
@@ -187,9 +187,9 @@ In this section, you test your Azure AD single sign-on configuration with follow
* Click on Test this application in Azure portal and you should be automatically signed in to the Meraki Dashboard for which you set up the SSO
-* You can use Microsoft My Apps. When you click the Meraki Dashboard tile in the My Apps, you should be automatically signed in to the Meraki Dashboard for which you set up the SSO. For more information about the My Apps, see [Introduction to the My Apps](https://docs.microsoft.com/azure/active-directory/active-directory-saas-access-panel-introduction).
+* You can use Microsoft My Apps. When you click the Meraki Dashboard tile in the My Apps, you should be automatically signed in to the Meraki Dashboard for which you set up the SSO. For more information about the My Apps, see [Introduction to the My Apps](../user-help/my-apps-portal-end-user-access.md).
## Next steps
-Once you configure Meraki Dashboard you can enforce session control, which protects exfiltration and infiltration of your organizationΓÇÖs sensitive data in real time. Session control extends from Conditional Access. [Learn how to enforce session control with Microsoft Cloud App Security](/cloud-app-security/proxy-deployment-any-app).
\ No newline at end of file
+Once you configure Meraki Dashboard you can enforce session control, which protects exfiltration and infiltration of your organizationΓÇÖs sensitive data in real time. Session control extends from Conditional Access. [Learn how to enforce session control with Microsoft Cloud App Security](/cloud-app-security/proxy-deployment-any-app).
active-directory https://docs.microsoft.com/en-us/azure/active-directory/saas-apps/mondaycom-provisioning-tutorial https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/active-directory/saas-apps/mondaycom-provisioning-tutorial.md
@@ -20,7 +20,7 @@ ms.author: Zhchia
# Tutorial: Configure monday.com for automatic user provisioning
-This tutorial describes the steps you need to perform in both monday.com and Azure Active Directory (Azure AD) to configure automatic user provisioning. When configured, Azure AD automatically provisions and de-provisions users and groups to [monday.com](https://www.monday.com/) using the Azure AD Provisioning service. For important details on what this service does, how it works, and frequently asked questions, see [Automate user provisioning and deprovisioning to SaaS applications with Azure Active Directory](../manage-apps/user-provisioning.md).
+This tutorial describes the steps you need to perform in both monday.com and Azure Active Directory (Azure AD) to configure automatic user provisioning. When configured, Azure AD automatically provisions and de-provisions users and groups to [monday.com](https://www.monday.com/) using the Azure AD Provisioning service. For important details on what this service does, how it works, and frequently asked questions, see [Automate user provisioning and deprovisioning to SaaS applications with Azure Active Directory](../app-provisioning/user-provisioning.md).
## Capabilities Supported
@@ -35,14 +35,14 @@ This tutorial describes the steps you need to perform in both monday.com and Azu
The scenario outlined in this tutorial assumes that you already have the following prerequisites:
-* [An Azure AD tenant](https://docs.microsoft.com/azure/active-directory/develop/quickstart-create-new-tenant)
-* A user account in Azure AD with [permission](https://docs.microsoft.com/azure/active-directory/users-groups-roles/directory-assign-admin-roles) to configure provisioning (for example, Application Administrator, Cloud Application administrator, Application Owner, or Global Administrator).
+* [An Azure AD tenant](../develop/quickstart-create-new-tenant.md)
+* A user account in Azure AD with [permission](../roles/permissions-reference.md) to configure provisioning (for example, Application Administrator, Cloud Application administrator, Application Owner, or Global Administrator).
* An **Enterprise** monday.com account. ## Step 1. Plan your provisioning deployment
-1. Learn about [how the provisioning service works](https://docs.microsoft.com/azure/active-directory/manage-apps/user-provisioning).
-2. Determine who will be in [scope for provisioning](https://docs.microsoft.com/azure/active-directory/manage-apps/define-conditional-rules-for-provisioning-user-accounts).
-3. Determine what data to [map between Azure AD and monday.com](https://docs.microsoft.com/azure/active-directory/manage-apps/customize-application-attributes).
+1. Learn about [how the provisioning service works](../app-provisioning/user-provisioning.md).
+2. Determine who will be in [scope for provisioning](../app-provisioning/define-conditional-rules-for-provisioning-user-accounts.md).
+3. Determine what data to [map between Azure AD and monday.com](../app-provisioning/customize-application-attributes.md).
## Step 2. Configure monday.com to support provisioning with Azure AD 1. Login to [monday.com](https://www.monday.com/). Click on your profile picture , on the left navigation pane.
@@ -58,15 +58,15 @@ The scenario outlined in this tutorial assumes that you already have the followi
## Step 3. Add monday.com from the Azure AD application gallery
-Add monday.com from the Azure AD application gallery to start managing provisioning to monday.com. If you have previously setup monday.com for SSO you can use the same application. However it is recommended that you create a separate app when testing out the integration initially. Learn more about adding an application from the gallery [here](https://docs.microsoft.com/azure/active-directory/manage-apps/add-gallery-app).
+Add monday.com from the Azure AD application gallery to start managing provisioning to monday.com. If you have previously setup monday.com for SSO you can use the same application. However it is recommended that you create a separate app when testing out the integration initially. Learn more about adding an application from the gallery [here](../manage-apps/add-application-portal.md).
## Step 4. Define who will be in scope for provisioning
-The Azure AD provisioning service allows you to scope who will be provisioned based on assignment to the application and or based on attributes of the user / group. If you choose to scope who will be provisioned to your app based on assignment, you can use the following [steps](../manage-apps/assign-user-or-group-access-portal.md) to assign users and groups to the application. If you choose to scope who will be provisioned based solely on attributes of the user or group, you can use a scoping filter as described [here](https://docs.microsoft.com/azure/active-directory/manage-apps/define-conditional-rules-for-provisioning-user-accounts).
+The Azure AD provisioning service allows you to scope who will be provisioned based on assignment to the application and or based on attributes of the user / group. If you choose to scope who will be provisioned to your app based on assignment, you can use the following [steps](../manage-apps/assign-user-or-group-access-portal.md) to assign users and groups to the application. If you choose to scope who will be provisioned based solely on attributes of the user or group, you can use a scoping filter as described [here](../app-provisioning/define-conditional-rules-for-provisioning-user-accounts.md).
-* When assigning users and groups to monday.com, you must select a role other than **Default Access**. Users with the Default Access role are excluded from provisioning and will be marked as not effectively entitled in the provisioning logs. If the only role available on the application is the default access role, you can [update the application manifest](https://docs.microsoft.com/azure/active-directory/develop/howto-add-app-roles-in-azure-ad-apps) to add additional roles.
+* When assigning users and groups to monday.com, you must select a role other than **Default Access**. Users with the Default Access role are excluded from provisioning and will be marked as not effectively entitled in the provisioning logs. If the only role available on the application is the default access role, you can [update the application manifest](../develop/howto-add-app-roles-in-azure-ad-apps.md) to add additional roles.
-* Start small. Test with a small set of users and groups before rolling out to everyone. When scope for provisioning is set to assigned users and groups, you can control this by assigning one or two users or groups to the app. When scope is set to all users and groups, you can specify an [attribute based scoping filter](https://docs.microsoft.com/azure/active-directory/manage-apps/define-conditional-rules-for-provisioning-user-accounts).
+* Start small. Test with a small set of users and groups before rolling out to everyone. When scope for provisioning is set to assigned users and groups, you can control this by assigning one or two users or groups to the app. When scope is set to all users and groups, you can specify an [attribute based scoping filter](../app-provisioning/define-conditional-rules-for-provisioning-user-accounts.md).
## Step 5. Configure automatic user provisioning to monday.com
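Review bot: The rewritten Step 3 and Step 4 paragraphs keep "have previously setup" and "assignment to the application and or based on attributes", and two of the updated links are labelled only "here". While these lines are being changed, use "set up" and "and/or", and give the links descriptive text such as "add an application from the gallery" and "scoping filter".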
@@ -103,11 +103,12 @@ This section guides you through the steps to configure the Azure AD provisioning
8. Under the **Mappings** section, select **Synchronize Azure Active Directory Users to monday.com**.
-9. Review the user attributes that are synchronized from Azure AD to monday.com in the **Attribute-Mapping** section. The attributes selected as **Matching** properties are used to match the user accounts in monday.com for update operations. If you choose to change the [matching target attribute](https://docs.microsoft.com/azure/active-directory/manage-apps/customize-application-attributes), you will need to ensure that the monday.com API supports filtering users based on that attribute. Select the **Save** button to commit any changes.
+9. Review the user attributes that are synchronized from Azure AD to monday.com in the **Attribute-Mapping** section. The attributes selected as **Matching** properties are used to match the user accounts in monday.com for update operations. If you choose to change the [matching target attribute](../app-provisioning/customize-application-attributes.md), you will need to ensure that the monday.com API supports filtering users based on that attribute. Select the **Save** button to commit any changes.
|Attribute|Type|Supported for filtering| |---|---|---| |userName|String|&check;|
+ |userType|String|
|displayName|String| |title|String| |emails[type eq "work"].value|String|
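Review bot: The added |userType|String| row documents the type but not the accepted values, and one of the values listed under Connector Limitations in this same change is "admin". State the allowed values in this table or in step 9, say which Azure AD source attribute is mapped to userType by default, and tell the reader to review that mapping before setting Provisioning Status to On, because it decides which accounts are provisioned as admin.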
@@ -123,7 +124,7 @@ This section guides you through the steps to configure the Azure AD provisioning
|displayName|String|&check;| |members|Reference|
-12. To configure scoping filters, refer to the following instructions provided in the [Scoping filter tutorial](../manage-apps/define-conditional-rules-for-provisioning-user-accounts.md).
+12. To configure scoping filters, refer to the following instructions provided in the [Scoping filter tutorial](../app-provisioning/define-conditional-rules-for-provisioning-user-accounts.md).
13. To enable the Azure AD provisioning service for monday.com, change the **Provisioning Status** to **On** in the **Settings** section.
@@ -142,15 +143,21 @@ This operation starts the initial synchronization cycle of all users and groups
## Step 6. Monitor your deployment Once you've configured provisioning, use the following resources to monitor your deployment:
-* Use the [provisioning logs](https://docs.microsoft.com/azure/active-directory/reports-monitoring/concept-provisioning-logs) to determine which users have been provisioned successfully or unsuccessfully
-* Check the [progress bar](https://docs.microsoft.com/azure/active-directory/app-provisioning/application-provisioning-when-will-provisioning-finish-specific-user) to see the status of the provisioning cycle and how close it is to completion
-* If the provisioning configuration seems to be in an unhealthy state, the application will go into quarantine. Learn more about quarantine states [here](https://docs.microsoft.com/azure/active-directory/manage-apps/application-provisioning-quarantine-status).
+* Use the [provisioning logs](../reports-monitoring/concept-provisioning-logs.md) to determine which users have been provisioned successfully or unsuccessfully
+* Check the [progress bar](../app-provisioning/application-provisioning-when-will-provisioning-finish-specific-user.md) to see the status of the provisioning cycle and how close it is to completion
+* If the provisioning configuration seems to be in an unhealthy state, the application will go into quarantine. Learn more about quarantine states [here](../app-provisioning/application-provisioning-quarantine-status.md).
+
+## Connector Limitations
+* monday.com only supports the userType "admin" , "guest", "member" and "viewer". The userType "User" is not supported and will be removed in the future.
+
+## Change log
+* 1/21/2021 - Added support for core attribute "userType" for users.
## Additional resources
-* [Managing user account provisioning for Enterprise Apps](../manage-apps/configure-automatic-user-provisioning-portal.md)
+* [Managing user account provisioning for Enterprise Apps](../app-provisioning/configure-automatic-user-provisioning-portal.md)
* [What is application access and single sign-on with Azure Active Directory?](../manage-apps/what-is-single-sign-on.md) ## Next steps
-* [Learn how to review logs and get reports on provisioning activity](../manage-apps/check-status-user-account-provisioning.md)
+* [Learn how to review logs and get reports on provisioning activity](../app-provisioning/check-status-user-account-provisioning.md)
\ No newline at end of file
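Review bot: In the new Connector Limitations bullet, the sentence "The userType "User" is not supported and will be removed in the future" does not say what will be removed (the value, the mapping, or accounts that carry it) and gives the admin nothing to act on. This change also adds `userType` to the attribute mapping, and "admin" is one of the accepted values, so say what happens to a user whose mapped value is outside the four listed ones and ask readers to review the mapping before turning provisioning on. Also drop the stray space before the comma after "admin".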
active-directory https://docs.microsoft.com/en-us/azure/active-directory/saas-apps/navex-one-tutorial https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/active-directory/saas-apps/navex-one-tutorial.md
@@ -121,10 +121,8 @@ In this section, you test your Azure AD single sign-on configuration with follow
* Go to NAVEX One Sign-on URL directly and initiate the login flow from there.
-* You can use Microsoft My Apps. When you click the NAVEX One tile in the My Apps, this will redirect to NAVEX One Sign-on URL. For more information about the My Apps, see [Introduction to the My Apps](https://docs.microsoft.com/azure/active-directory/active-directory-saas-access-panel-introduction).
+* You can use Microsoft My Apps. When you click the NAVEX One tile in the My Apps, this will redirect to NAVEX One Sign-on URL. For more information about the My Apps, see [Introduction to the My Apps](../user-help/my-apps-portal-end-user-access.md).
## Next steps
-Once you configure NAVEX One you can enforce session control, which protects exfiltration and infiltration of your organizationΓÇÖs sensitive data in real time. Session control extends from Conditional Access. [Learn how to enforce session control with Microsoft Cloud App Security](https://docs.microsoft.com/cloud-app-security/proxy-deployment-any-app).
--
+Once you configure NAVEX One you can enforce session control, which protects exfiltration and infiltration of your organizationΓÇÖs sensitive data in real time. Session control extends from Conditional Access. [Learn how to enforce session control with Microsoft Cloud App Security](/cloud-app-security/proxy-deployment-any-app).
\ No newline at end of file
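Review bot: The replaced Next steps sentence still reads "protects exfiltration and infiltration", which says session control protects the exfiltration itself. Since the line is being rewritten for the link anyway, change it to "protects against exfiltration and infiltration". The same sentence recurs in the Netskope, Notion and Oktopost hunks in this batch and needs the same fix there.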
active-directory https://docs.microsoft.com/en-us/azure/active-directory/saas-apps/netskope-cloud-security-tutorial https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/active-directory/saas-apps/netskope-cloud-security-tutorial.md
@@ -99,7 +99,7 @@ Follow these steps to enable Azure AD SSO in the Azure portal.
| admin-role | user.assignedroles | > [!NOTE]
- > Click [here](https://docs.microsoft.com/azure/active-directory/develop/howto-add-app-roles-in-azure-ad-apps#app-roles-ui) to know how to create roles in Azure AD.
+ > Click [here](../develop/howto-add-app-roles-in-azure-ad-apps.md#app-roles-ui--preview) to know how to create roles in Azure AD.
1. On the **Set up single sign-on with SAML** page, in the **SAML Signing Certificate** section, find **Certificate (Base64)** and select **Download** to download the certificate and save it on your computer.
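Review bot: The new target `../develop/howto-add-app-roles-in-azure-ad-apps.md#app-roles-ui--preview` puts "preview" into the bookmark, so the link will break when that heading is renamed. Link to the article without a fragment, or to a bookmark that does not encode release status. While this line is being touched, replace the "Click [here]" link text with a description of the destination, since "here" tells a reader nothing about where the link goes.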
@@ -217,8 +217,8 @@ In this section, you test your Azure AD single sign-on configuration with follow
* Click on **Test this application** in Azure portal and you should be automatically signed in to the Netskope Administrator Console for which you set up the SSO
-You can also use Microsoft My Apps to test the application in any mode. When you click the Netskope Administrator Console tile in the My Apps, if configured in SP mode you would be redirected to the application sign on page for initiating the login flow and if configured in IDP mode, you should be automatically signed in to the Netskope Administrator Console for which you set up the SSO. For more information about the My Apps, see [Introduction to the My Apps](https://docs.microsoft.com/azure/active-directory/active-directory-saas-access-panel-introduction).
+You can also use Microsoft My Apps to test the application in any mode. When you click the Netskope Administrator Console tile in the My Apps, if configured in SP mode you would be redirected to the application sign on page for initiating the login flow and if configured in IDP mode, you should be automatically signed in to the Netskope Administrator Console for which you set up the SSO. For more information about the My Apps, see [Introduction to the My Apps](../user-help/my-apps-portal-end-user-access.md).
## Next steps
-Once you configure Netskope Administrator Console you can enforce session control, which protects exfiltration and infiltration of your organizationΓÇÖs sensitive data in real time. Session control extends from Conditional Access. [Learn how to enforce session control with Microsoft Cloud App Security](https://docs.microsoft.com/cloud-app-security/proxy-deployment-any-app).
\ No newline at end of file
+Once you configure Netskope Administrator Console you can enforce session control, which protects exfiltration and infiltration of your organizationΓÇÖs sensitive data in real time. Session control extends from Conditional Access. [Learn how to enforce session control with Microsoft Cloud App Security](/cloud-app-security/proxy-deployment-any-app).
active-directory https://docs.microsoft.com/en-us/azure/active-directory/saas-apps/netsuite-provisioning-tutorial https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/active-directory/saas-apps/netsuite-provisioning-tutorial.md
@@ -15,10 +15,8 @@ ms.author: jeedes
The objective of this tutorial is to show you the steps you need to perform in NetSuite OneWorld and Azure AD to automatically provision and de-provision user accounts from Azure AD to NetSuite.
-> [!NOTE]
-> This integration currently authenticates using basic authentication (username and password). NetSuite has implemented a multi-factor authentication requirement that prevents customers from using this integration unless they have an exemption from this requirement. We are working with NetSuite to update this integration to a newer authentication method to enable customers without an exemption to use it again. We will update this document with an ETA once one is available.
-
-Recommended action: Please wait until we release an update to the authentication behavior for this integration or reach out to NetSuite support to inquire about an exemption to the multi-factor authentication requirement.
+> [!WARNING]
+> This provisioning integration will stop working in February 2020 due to a change to the NetSuite APIs that are used by Microsoft to provision users into NetSuite. As a result of this, the provisioning functionality of the NetSuite application in the Azure Active Directory Enterprise App Gallery will be removed soon. The application's SSO functionality will remain intact. Microsoft is working with NetSuite to build a new modernized provisioning integration, but there is currently no ETA on when this will be completed.
## Prerequisites
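Review bot: The added WARNING says the integration "will stop working in February 2020", but this update is dated 01/23/2021, so it describes a past month in the future tense. Confirm the year and fix the tense. The hunk also deletes the explanation that the integration uses basic authentication and is blocked by NetSuite's multi-factor authentication requirement, along with the "Recommended action" line, which leaves readers with no stated cause and no interim guidance. Keep one sentence on what customers who rely on provisioning should do until the new integration exists.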
active-directory https://docs.microsoft.com/en-us/azure/active-directory/saas-apps/notion-tutorial https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/active-directory/saas-apps/notion-tutorial.md
@@ -150,11 +150,9 @@ In this section, you test your Azure AD single sign-on configuration with follow
* Click on **Test this application** in Azure portal and you should be automatically signed in to the Notion for which you set up the SSO
-You can also use Microsoft My Apps to test the application in any mode. When you click the Notion tile in the My Apps, if configured in SP mode you would be redirected to the application sign on page for initiating the login flow and if configured in IDP mode, you should be automatically signed in to the Notion for which you set up the SSO. For more information about the My Apps, see [Introduction to the My Apps](https://docs.microsoft.com/azure/active-directory/active-directory-saas-access-panel-introduction).
+You can also use Microsoft My Apps to test the application in any mode. When you click the Notion tile in the My Apps, if configured in SP mode you would be redirected to the application sign on page for initiating the login flow and if configured in IDP mode, you should be automatically signed in to the Notion for which you set up the SSO. For more information about the My Apps, see [Introduction to the My Apps](../user-help/my-apps-portal-end-user-access.md).
## Next steps
-Once you configure Notion you can enforce session control, which protects exfiltration and infiltration of your organizationΓÇÖs sensitive data in real time. Session control extends from Conditional Access. [Learn how to enforce session control with Microsoft Cloud App Security](https://docs.microsoft.com/cloud-app-security/proxy-deployment-any-app).
--
+Once you configure Notion you can enforce session control, which protects exfiltration and infiltration of your organizationΓÇÖs sensitive data in real time. Session control extends from Conditional Access. [Learn how to enforce session control with Microsoft Cloud App Security](/cloud-app-security/proxy-deployment-any-app).
\ No newline at end of file
active-directory https://docs.microsoft.com/en-us/azure/active-directory/saas-apps/oktopost-saml-tutorial https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/active-directory/saas-apps/oktopost-saml-tutorial.md
@@ -168,11 +168,9 @@ In this section, you test your Azure AD single sign-on configuration with follow
* Click on **Test this application** in Azure portal and you should be automatically signed in to the Oktopost SAML for which you set up the SSO
-You can also use Microsoft My Apps to test the application in any mode. When you click the Oktopost SAML tile in the My Apps, if configured in SP mode you would be redirected to the application sign on page for initiating the login flow and if configured in IDP mode, you should be automatically signed in to the Oktopost SAML for which you set up the SSO. For more information about the My Apps, see [Introduction to the My Apps](https://docs.microsoft.com/azure/active-directory/active-directory-saas-access-panel-introduction).
+You can also use Microsoft My Apps to test the application in any mode. When you click the Oktopost SAML tile in the My Apps, if configured in SP mode you would be redirected to the application sign on page for initiating the login flow and if configured in IDP mode, you should be automatically signed in to the Oktopost SAML for which you set up the SSO. For more information about the My Apps, see [Introduction to the My Apps](../user-help/my-apps-portal-end-user-access.md).
## Next steps
-Once you configure Oktopost SAML you can enforce session control, which protects exfiltration and infiltration of your organizationΓÇÖs sensitive data in real time. Session control extends from Conditional Access. [Learn how to enforce session control with Microsoft Cloud App Security](https://docs.microsoft.com/cloud-app-security/proxy-deployment-any-app).
--
+Once you configure Oktopost SAML you can enforce session control, which protects exfiltration and infiltration of your organizationΓÇÖs sensitive data in real time. Session control extends from Conditional Access. [Learn how to enforce session control with Microsoft Cloud App Security](/cloud-app-security/proxy-deployment-any-app).
\ No newline at end of file
active-directory https://docs.microsoft.com/en-us/azure/active-directory/saas-apps/openidoauth-tutorial https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/active-directory/saas-apps/openidoauth-tutorial.md
@@ -154,4 +154,4 @@ Imagine that an application requires admin consent, and an admin signs in withou
## Next steps
-[Set up OIDC-based single sign-on (SSO) for an application in your Azure Active Directory (Azure AD) tenant](https://docs.microsoft.com/azure/active-directory/manage-apps/add-application-portal-setup-oidc-sso)
+[Set up OIDC-based single sign-on (SSO) for an application in your Azure Active Directory (Azure AD) tenant](../manage-apps/add-application-portal-setup-oidc-sso.md)
\ No newline at end of file
active-directory https://docs.microsoft.com/en-us/azure/active-directory/saas-apps/opsgenie-tutorial https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/active-directory/saas-apps/opsgenie-tutorial.md
@@ -184,7 +184,7 @@ In this section, you test your Azure AD single sign-on configuration with follow
* Click on Test this application in Azure portal and you should be automatically signed in to the OpsGenie for which you set up the SSO
-* You can use Microsoft My Apps. When you click the OpsGenie tile in the My Apps, you should be automatically signed in to the OpsGenie for which you set up the SSO. For more information about the My Apps, see [Introduction to the My Apps](https://docs.microsoft.com/azure/active-directory/active-directory-saas-access-panel-introduction).
+* You can use Microsoft My Apps. When you click the OpsGenie tile in the My Apps, you should be automatically signed in to the OpsGenie for which you set up the SSO. For more information about the My Apps, see [Introduction to the My Apps](../user-help/my-apps-portal-end-user-access.md).
## Next steps
active-directory https://docs.microsoft.com/en-us/azure/active-directory/saas-apps/paloaltonetworks-captiveportal-tutorial https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/active-directory/saas-apps/paloaltonetworks-captiveportal-tutorial.md
@@ -146,7 +146,7 @@ In this section, you test your Azure AD single sign-on configuration with follow
* Click on Test this application in Azure portal and you should be automatically signed in to the Palo Alto Networks Captive Portal for which you set up the SSO
-* You can use Microsoft My Apps. When you click the Palo Alto Networks Captive Portal tile in the My Apps, you should be automatically signed in to the Palo Alto Networks Captive Portal for which you set up the SSO. For more information about the My Apps, see [Introduction to the My Apps](https://docs.microsoft.com/azure/active-directory/active-directory-saas-access-panel-introduction).
+* You can use Microsoft My Apps. When you click the Palo Alto Networks Captive Portal tile in the My Apps, you should be automatically signed in to the Palo Alto Networks Captive Portal for which you set up the SSO. For more information about the My Apps, see [Introduction to the My Apps](../user-help/my-apps-portal-end-user-access.md).
## Next steps
active-directory https://docs.microsoft.com/en-us/azure/active-directory/saas-apps/papercut-cloud-print-management-provisioning-tutorial https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/active-directory/saas-apps/papercut-cloud-print-management-provisioning-tutorial.md
@@ -20,7 +20,7 @@ ms.author: Zhchia
# Tutorial: Configure PaperCut Cloud Print Management for automatic user provisioning
-This tutorial describes the steps you need to perform in both PaperCut Cloud Print Management and Azure Active Directory (Azure AD) to configure automatic user provisioning. When configured, Azure AD automatically provisions and de-provisions users and groups to [PaperCut Cloud Print Management](https://www.papercut.com/products/papercut-pocket/) using the Azure AD Provisioning service. For important details on what this service does, how it works, and frequently asked questions, see [Automate user provisioning and deprovisioning to SaaS applications with Azure Active Directory](../manage-apps/user-provisioning.md).
+This tutorial describes the steps you need to perform in both PaperCut Cloud Print Management and Azure Active Directory (Azure AD) to configure automatic user provisioning. When configured, Azure AD automatically provisions and de-provisions users and groups to [PaperCut Cloud Print Management](https://www.papercut.com/products/papercut-pocket/) using the Azure AD Provisioning service. For important details on what this service does, how it works, and frequently asked questions, see [Automate user provisioning and deprovisioning to SaaS applications with Azure Active Directory](../app-provisioning/user-provisioning.md).
## Capabilities Supported
@@ -33,16 +33,16 @@ This tutorial describes the steps you need to perform in both PaperCut Cloud Pri
The scenario outlined in this tutorial assumes that you already have the following prerequisites:
-* [An Azure AD tenant](https://docs.microsoft.com/azure/active-directory/develop/quickstart-create-new-tenant).
-* A user account in Azure AD with [permission](https://docs.microsoft.com/azure/active-directory/users-groups-roles/directory-assign-admin-roles) to configure provisioning (for example, Application Administrator, Cloud Application administrator, Application Owner, or Global Administrator).
+* [An Azure AD tenant](../develop/quickstart-create-new-tenant.md).
+* A user account in Azure AD with [permission](../roles/permissions-reference.md) to configure provisioning (for example, Application Administrator, Cloud Application administrator, Application Owner, or Global Administrator).
* A PaperCut Cloud Print Management administrator account. ## Step 1. Plan your provisioning deployment
-1. Learn about [how the provisioning service works](https://docs.microsoft.com/azure/active-directory/manage-apps/user-provisioning).
-2. Determine who will be in [scope for provisioning](https://docs.microsoft.com/azure/active-directory/manage-apps/define-conditional-rules-for-provisioning-user-accounts).
-3. Determine what data to [map between Azure AD and PaperCut Cloud Print Management](https://docs.microsoft.com/azure/active-directory/manage-apps/customize-application-attributes).
+1. Learn about [how the provisioning service works](../app-provisioning/user-provisioning.md).
+2. Determine who will be in [scope for provisioning](../app-provisioning/define-conditional-rules-for-provisioning-user-accounts.md).
+3. Determine what data to [map between Azure AD and PaperCut Cloud Print Management](../app-provisioning/customize-application-attributes.md).
## Step 2. Configure PaperCut Cloud Print Management to support provisioning with Azure AD
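Review bot: The prerequisites bullet that now links `../roles/permissions-reference.md` still lists Global Administrator next to Application Administrator, Cloud Application administrator and Application Owner as if the four were interchangeable. With the link pointing at the permissions reference, say that the least privileged of these roles is enough to configure provisioning, and mention Global Administrator only as a fallback. Also capitalise "Cloud Application Administrator" the same way as the other role names.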
@@ -60,15 +60,15 @@ The scenario outlined in this tutorial assumes that you already have the followi
## Step 3. Add PaperCut Cloud Print Management from the Azure AD application gallery
-Add PaperCut Cloud Print Management from the Azure AD application gallery to start managing provisioning to PaperCut Cloud Print Management. If you have previously setup PaperCut Cloud Print Management for SSO you can use the same application. However it is recommended that you create a separate app when testing out the integration initially. Learn more about adding an application from the gallery [here](https://docs.microsoft.com/azure/active-directory/manage-apps/add-gallery-app).
+Add PaperCut Cloud Print Management from the Azure AD application gallery to start managing provisioning to PaperCut Cloud Print Management. If you have previously setup PaperCut Cloud Print Management for SSO you can use the same application. However it is recommended that you create a separate app when testing out the integration initially. Learn more about adding an application from the gallery [here](../manage-apps/add-application-portal.md).
## Step 4. Define who will be in scope for provisioning
-The Azure AD provisioning service allows you to scope who will be provisioned based on assignment to the application and or based on attributes of the user / group. If you choose to scope who will be provisioned to your app based on assignment, you can use the following [steps](../manage-apps/assign-user-or-group-access-portal.md) to assign users and groups to the application. If you choose to scope who will be provisioned based solely on attributes of the user or group, you can use a scoping filter as described [here](https://docs.microsoft.com/azure/active-directory/manage-apps/define-conditional-rules-for-provisioning-user-accounts).
+The Azure AD provisioning service allows you to scope who will be provisioned based on assignment to the application and or based on attributes of the user / group. If you choose to scope who will be provisioned to your app based on assignment, you can use the following [steps](../manage-apps/assign-user-or-group-access-portal.md) to assign users and groups to the application. If you choose to scope who will be provisioned based solely on attributes of the user or group, you can use a scoping filter as described [here](../app-provisioning/define-conditional-rules-for-provisioning-user-accounts.md).
-* When assigning users and groups to PaperCut Cloud Print Management, you must select a role other than **Default Access**. Users with the Default Access role are excluded from provisioning and will be marked as not effectively entitled in the provisioning logs. If the only role available on the application is the default access role, you can [update the application manifest](https://docs.microsoft.com/azure/active-directory/develop/howto-add-app-roles-in-azure-ad-apps) to add additional roles.
+* When assigning users and groups to PaperCut Cloud Print Management, you must select a role other than **Default Access**. Users with the Default Access role are excluded from provisioning and will be marked as not effectively entitled in the provisioning logs. If the only role available on the application is the default access role, you can [update the application manifest](../develop/howto-add-app-roles-in-azure-ad-apps.md) to add additional roles.
-* Start small. Test with a small set of users and groups before rolling out to everyone. When scope for provisioning is set to assigned users and groups, you can control this by assigning one or two users or groups to the app. When scope is set to all users and groups, you can specify an [attribute based scoping filter](https://docs.microsoft.com/azure/active-directory/manage-apps/define-conditional-rules-for-provisioning-user-accounts).
+* Start small. Test with a small set of users and groups before rolling out to everyone. When scope for provisioning is set to assigned users and groups, you can control this by assigning one or two users or groups to the app. When scope is set to all users and groups, you can specify an [attribute based scoping filter](../app-provisioning/define-conditional-rules-for-provisioning-user-accounts.md).
## Step 5. Configure automatic user provisioning to PaperCut Cloud Print Management
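Review bot: Step 3 says "If you have previously setup ... for SSO" and Step 4 says "based on assignment to the application and or based on attributes". Both paragraphs are being replaced for the link change, so fix "setup" to "set up" and "and or" to "and/or" in the same edit. The retargeted links also keep "[here]" as their text in both steps; name the destination (for example, the scoping filter article) so each link makes sense out of context.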
@@ -105,7 +105,7 @@ This section guides you through the steps to configure the Azure AD provisioning
8. Under the **Mappings** section, select **Provision Azure Active Directory Users**. ![AAD Mapping](media/papercut-cloud-print-management-provisioning-tutorial/mapping.png)
-9. Review the user attributes that are synchronized from Azure AD to PaperCut Cloud Print Management in the **Attribute-Mapping** section. The attributes selected as **Matching** properties are used to match the user accounts in PaperCut Cloud Print Management for update operations. If you choose to change the [matching target attribute](https://docs.microsoft.com/azure/active-directory/manage-apps/customize-application-attributes), you will need to ensure that the PaperCut Cloud Print Management API supports filtering users based on that attribute. Select the **Save** button to commit any changes.
+9. Review the user attributes that are synchronized from Azure AD to PaperCut Cloud Print Management in the **Attribute-Mapping** section. The attributes selected as **Matching** properties are used to match the user accounts in PaperCut Cloud Print Management for update operations. If you choose to change the [matching target attribute](../app-provisioning/customize-application-attributes.md), you will need to ensure that the PaperCut Cloud Print Management API supports filtering users based on that attribute. Select the **Save** button to commit any changes.
|Attribute|Type|Supported for filtering| |---|---|---|
@@ -113,7 +113,7 @@ This section guides you through the steps to configure the Azure AD provisioning
|displayName|String| |emails[type eq "work"].value|String|
-10. To configure scoping filters, refer to the following instructions provided in the [Scoping filter tutorial](../manage-apps/define-conditional-rules-for-provisioning-user-accounts.md).
+10. To configure scoping filters, refer to the following instructions provided in the [Scoping filter tutorial](../app-provisioning/define-conditional-rules-for-provisioning-user-accounts.md).
11. To enable the Azure AD provisioning service for PaperCut Cloud Print Management, change the **Provisioning Status** to **On** in the **Settings** section.
@@ -133,15 +133,15 @@ This operation starts the initial synchronization cycle of all users and groups
Once you've configured provisioning, use the following resources to monitor your deployment:
-1. Use the [provisioning logs](https://docs.microsoft.com/azure/active-directory/reports-monitoring/concept-provisioning-logs) to determine which users have been provisioned successfully or unsuccessfully
-2. Check the [progress bar](https://docs.microsoft.com/azure/active-directory/app-provisioning/application-provisioning-when-will-provisioning-finish-specific-user) to see the status of the provisioning cycle and how close it is to completion
-3. If the provisioning configuration seems to be in an unhealthy state, the application will go into quarantine. Learn more about quarantine states [here](https://docs.microsoft.com/azure/active-directory/manage-apps/application-provisioning-quarantine-status).
+1. Use the [provisioning logs](../reports-monitoring/concept-provisioning-logs.md) to determine which users have been provisioned successfully or unsuccessfully
+2. Check the [progress bar](../app-provisioning/application-provisioning-when-will-provisioning-finish-specific-user.md) to see the status of the provisioning cycle and how close it is to completion
+3. If the provisioning configuration seems to be in an unhealthy state, the application will go into quarantine. Learn more about quarantine states [here](../app-provisioning/application-provisioning-quarantine-status.md).
## Additional resources
-* [Managing user account provisioning for Enterprise Apps](../manage-apps/configure-automatic-user-provisioning-portal.md)
+* [Managing user account provisioning for Enterprise Apps](../app-provisioning/configure-automatic-user-provisioning-portal.md)
* [What is application access and single sign-on with Azure Active Directory?](../manage-apps/what-is-single-sign-on.md) ## Next steps
-* [Learn how to review logs and get reports on provisioning activity](../manage-apps/check-status-user-account-provisioning.md)
+* [Learn how to review logs and get reports on provisioning activity](../app-provisioning/check-status-user-account-provisioning.md)
\ No newline at end of file
active-directory https://docs.microsoft.com/en-us/azure/active-directory/saas-apps/parsable-provisioning-tutorial https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/active-directory/saas-apps/parsable-provisioning-tutorial.md
@@ -20,7 +20,7 @@ ms.author: Zhchia
# Tutorial: Configure Parsable for automatic user provisioning
-This tutorial describes the steps you need to perform in both Parsable and Azure Active Directory (Azure AD) to configure automatic user provisioning. When configured, Azure AD automatically provisions and de-provisions users and groups to [Parsable](https://www.parsable.com/) using the Azure AD Provisioning service. For important details on what this service does, how it works, and frequently asked questions, see [Automate user provisioning and deprovisioning to SaaS applications with Azure Active Directory](../manage-apps/user-provisioning.md).
+This tutorial describes the steps you need to perform in both Parsable and Azure Active Directory (Azure AD) to configure automatic user provisioning. When configured, Azure AD automatically provisions and de-provisions users and groups to [Parsable](https://www.parsable.com/) using the Azure AD Provisioning service. For important details on what this service does, how it works, and frequently asked questions, see [Automate user provisioning and deprovisioning to SaaS applications with Azure Active Directory](../app-provisioning/user-provisioning.md).
## Capabilities Supported
@@ -33,15 +33,15 @@ This tutorial describes the steps you need to perform in both Parsable and Azure
The scenario outlined in this tutorial assumes that you already have the following prerequisites:
-* [An Azure AD tenant](https://docs.microsoft.com/azure/active-directory/develop/quickstart-create-new-tenant)
-* A user account in Azure AD with [permission](https://docs.microsoft.com/azure/active-directory/users-groups-roles/directory-assign-admin-roles) to configure provisioning (e.g. Application Administrator, Cloud Application administrator, Application Owner, or Global Administrator).
+* [An Azure AD tenant](../develop/quickstart-create-new-tenant.md)
+* A user account in Azure AD with [permission](../roles/permissions-reference.md) to configure provisioning (e.g. Application Administrator, Cloud Application administrator, Application Owner, or Global Administrator).
* A Parsable tenant (team). * A user account in Parsable with Admin permissions. ## Step 1. Plan your provisioning deployment
-1. Learn about [how the provisioning service works](https://docs.microsoft.com/azure/active-directory/manage-apps/user-provisioning).
-2. Determine who will be in [scope for provisioning](https://docs.microsoft.com/azure/active-directory/manage-apps/define-conditional-rules-for-provisioning-user-accounts).
-3. Determine what data to [map between Azure AD and Parsable](https://docs.microsoft.com/azure/active-directory/manage-apps/customize-application-attributes).
+1. Learn about [how the provisioning service works](../app-provisioning/user-provisioning.md).
+2. Determine who will be in [scope for provisioning](../app-provisioning/define-conditional-rules-for-provisioning-user-accounts.md).
+3. Determine what data to [map between Azure AD and Parsable](../app-provisioning/customize-application-attributes.md).
## Step 2. Configure Parsable to support provisioning with Azure AD
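Review bot: The new target on the `permission` prerequisite line is not a like-for-like conversion. It moves from `users-groups-roles/directory-assign-admin-roles` to `../roles/permissions-reference.md`, a different article, while the other five links in this hunk keep their article names. Confirm that the permissions reference is the intended destination for a sentence about who may configure provisioning. Since the line is being rewritten anyway, `Cloud Application administrator` could be capitalized consistently with the other role names.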
@@ -51,15 +51,15 @@ The scenario outlined in this tutorial assumes that you already have the followi
## Step 3. Add Parsable from the Azure AD application gallery
-Add Parsable from the Azure AD application gallery to start managing provisioning to Parsable. If you have previously setup Parsable for SSO you can use the same application. However it is recommended that you create a separate app when testing out the integration initially. Learn more about adding an application from the gallery [here](https://docs.microsoft.com/azure/active-directory/manage-apps/add-gallery-app).
+Add Parsable from the Azure AD application gallery to start managing provisioning to Parsable. If you have previously setup Parsable for SSO you can use the same application. However it is recommended that you create a separate app when testing out the integration initially. Learn more about adding an application from the gallery [here](../manage-apps/add-application-portal.md).
## Step 4. Define who will be in scope for provisioning
-The Azure AD provisioning service allows you to scope who will be provisioned based on assignment to the application and or based on attributes of the user / group. If you choose to scope who will be provisioned to your app based on assignment, you can use the following [steps](../manage-apps/assign-user-or-group-access-portal.md) to assign users and groups to the application. If you choose to scope who will be provisioned based solely on attributes of the user or group, you can use a scoping filter as described [here](https://docs.microsoft.com/azure/active-directory/manage-apps/define-conditional-rules-for-provisioning-user-accounts).
+The Azure AD provisioning service allows you to scope who will be provisioned based on assignment to the application and or based on attributes of the user / group. If you choose to scope who will be provisioned to your app based on assignment, you can use the following [steps](../manage-apps/assign-user-or-group-access-portal.md) to assign users and groups to the application. If you choose to scope who will be provisioned based solely on attributes of the user or group, you can use a scoping filter as described [here](../app-provisioning/define-conditional-rules-for-provisioning-user-accounts.md).
-* When assigning users and groups to Parsable, you must select a role other than **Default Access**. Users with the Default Access role are excluded from provisioning and will be marked as not effectively entitled in the provisioning logs. If the only role available on the application is the default access role, you can [update the application manifest](https://docs.microsoft.com/azure/active-directory/develop/howto-add-app-roles-in-azure-ad-apps) to add additional roles.
+* When assigning users and groups to Parsable, you must select a role other than **Default Access**. Users with the Default Access role are excluded from provisioning and will be marked as not effectively entitled in the provisioning logs. If the only role available on the application is the default access role, you can [update the application manifest](../develop/howto-add-app-roles-in-azure-ad-apps.md) to add additional roles.
-* Start small. Test with a small set of users and groups before rolling out to everyone. When scope for provisioning is set to assigned users and groups, you can control this by assigning one or two users or groups to the app. When scope is set to all users and groups, you can specify an [attribute based scoping filter](https://docs.microsoft.com/azure/active-directory/manage-apps/define-conditional-rules-for-provisioning-user-accounts).
+* Start small. Test with a small set of users and groups before rolling out to everyone. When scope for provisioning is set to assigned users and groups, you can control this by assigning one or two users or groups to the app. When scope is set to all users and groups, you can specify an [attribute based scoping filter](../app-provisioning/define-conditional-rules-for-provisioning-user-accounts.md).
## Step 5. Configure automatic user provisioning to Parsable
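Review bot: The gallery link in the Step 3 paragraph changes article as well as form, from `manage-apps/add-gallery-app` to `../manage-apps/add-application-portal.md`, so check that the new page still covers adding an app from the gallery. The rewritten lines also carry over `previously setup Parsable` (should be `set up`), `and or` in Step 4, and two links whose only text is `here`. Descriptive link text would be more useful to screen-reader users and in search results.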
@@ -96,14 +96,14 @@ This section guides you through the steps to configure the Azure AD provisioning
8. Under the **Mappings** section, select **Synchronize Azure Active Directory Users to Parsable**.
-9. Review the user attributes that are synchronized from Azure AD to Parsable in the **Attribute-Mapping** section. The attributes selected as **Matching** properties are used to match the user accounts in Parsable for update operations. If you choose to change the [matching target attribute](https://docs.microsoft.com/azure/active-directory/manage-apps/customize-application-attributes), you will need to ensure that the Parsable API supports filtering users based on that attribute. Select the **Save** button to commit any changes.
+9. Review the user attributes that are synchronized from Azure AD to Parsable in the **Attribute-Mapping** section. The attributes selected as **Matching** properties are used to match the user accounts in Parsable for update operations. If you choose to change the [matching target attribute](../app-provisioning/customize-application-attributes.md), you will need to ensure that the Parsable API supports filtering users based on that attribute. Select the **Save** button to commit any changes.
|Attribute|Type|Supported for filtering| |---|---|---| |userName|String|&check;| |displayName|String|
-10. To configure scoping filters, refer to the following instructions provided in the [Scoping filter tutorial](../manage-apps/define-conditional-rules-for-provisioning-user-accounts.md).
+10. To configure scoping filters, refer to the following instructions provided in the [Scoping filter tutorial](../app-provisioning/define-conditional-rules-for-provisioning-user-accounts.md).
11. To enable the Azure AD provisioning service for Parsable, change the **Provisioning Status** to **On** in the **Settings** section.
@@ -122,15 +122,15 @@ This operation starts the initial synchronization cycle of all users and groups
## Step 6. Monitor your deployment Once you've configured provisioning, use the following resources to monitor your deployment:
-1. Use the [provisioning logs](https://docs.microsoft.com/azure/active-directory/reports-monitoring/concept-provisioning-logs) to determine which users have been provisioned successfully or unsuccessfully
-2. Check the [progress bar](https://docs.microsoft.com/azure/active-directory/app-provisioning/application-provisioning-when-will-provisioning-finish-specific-user) to see the status of the provisioning cycle and how close it is to completion
-3. If the provisioning configuration seems to be in an unhealthy state, the application will go into quarantine. Learn more about quarantine states [here](https://docs.microsoft.com/azure/active-directory/manage-apps/application-provisioning-quarantine-status).
+1. Use the [provisioning logs](../reports-monitoring/concept-provisioning-logs.md) to determine which users have been provisioned successfully or unsuccessfully
+2. Check the [progress bar](../app-provisioning/application-provisioning-when-will-provisioning-finish-specific-user.md) to see the status of the provisioning cycle and how close it is to completion
+3. If the provisioning configuration seems to be in an unhealthy state, the application will go into quarantine. Learn more about quarantine states [here](../app-provisioning/application-provisioning-quarantine-status.md).
## Additional resources
-* [Managing user account provisioning for Enterprise Apps](../manage-apps/configure-automatic-user-provisioning-portal.md)
+* [Managing user account provisioning for Enterprise Apps](../app-provisioning/configure-automatic-user-provisioning-portal.md)
* [What is application access and single sign-on with Azure Active Directory?](../manage-apps/what-is-single-sign-on.md) ## Next steps
-* [Learn how to review logs and get reports on provisioning activity](../manage-apps/check-status-user-account-provisioning.md)
+* [Learn how to review logs and get reports on provisioning activity](../app-provisioning/check-status-user-account-provisioning.md)
\ No newline at end of file
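Review bot: The file loses its terminating newline in this hunk. The no-newline marker follows the added `check-status-user-account-provisioning.md` line but not the removed one, so the old file ended with a newline and the new one does not. Restore the newline at end of file. In Step 6, items 1 and 2 still end without a period while item 3 has one, and the quarantine link text is `here`.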
active-directory https://docs.microsoft.com/en-us/azure/active-directory/saas-apps/perimeter-81-tutorial https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/active-directory/saas-apps/perimeter-81-tutorial.md
@@ -136,10 +136,8 @@ In this section, you test your Azure AD single sign-on configuration with follow
* Click on **Test this application** in Azure portal and you should be automatically signed in to the Perimeter 81 for which you set up the SSO
-You can also use Microsoft My Apps to test the application in any mode. When you click the Perimeter 81 tile in the My Apps, if configured in SP mode you would be redirected to the application sign on page for initiating the login flow and if configured in IDP mode, you should be automatically signed in to the Perimeter 81 for which you set up the SSO. For more information about the My Apps, see [Introduction to the My Apps](https://docs.microsoft.com/azure/active-directory/active-directory-saas-access-panel-introduction).
+You can also use Microsoft My Apps to test the application in any mode. When you click the Perimeter 81 tile in the My Apps, if configured in SP mode you would be redirected to the application sign on page for initiating the login flow and if configured in IDP mode, you should be automatically signed in to the Perimeter 81 for which you set up the SSO. For more information about the My Apps, see [Introduction to the My Apps](../user-help/my-apps-portal-end-user-access.md).
## Next steps
-Once you configure Perimeter 81 you can enforce session control, which protects exfiltration and infiltration of your organizationΓÇÖs sensitive data in real time. Session control extends from Conditional Access. [Learn how to enforce session control with Microsoft Cloud App Security](https://docs.microsoft.com/cloud-app-security/proxy-deployment-any-app).
--
+Once you configure Perimeter 81 you can enforce session control, which protects exfiltration and infiltration of your organizationΓÇÖs sensitive data in real time. Session control extends from Conditional Access. [Learn how to enforce session control with Microsoft Cloud App Security](/cloud-app-security/proxy-deployment-any-app).
\ No newline at end of file
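Review bot: The rewritten Next steps sentence keeps the phrase `protects exfiltration and infiltration of your organization's sensitive data`, which says the opposite of what is meant. Suggest `protects against the exfiltration and infiltration of ...`. Removing the stray trailing `-` line is right, but the added last line is followed by the no-newline marker, so the file should get a final newline.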
active-directory https://docs.microsoft.com/en-us/azure/active-directory/saas-apps/printerlogic-saas-tutorial https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/active-directory/saas-apps/printerlogic-saas-tutorial.md
@@ -96,7 +96,7 @@ Follow these steps to enable Azure AD SSO in the Azure portal.
| Role | user.assignedroles | > [!NOTE]
- > Please click [here](https://docs.microsoft.com/azure/active-directory/develop/howto-add-app-roles-in-azure-ad-apps#app-roles-ui) to know how to configure Role in Azure AD.
+ > Please click [here](../develop/howto-add-app-roles-in-azure-ad-apps.md#app-roles-ui--preview) to know how to configure Role in Azure AD.
1. On the **Set up single sign-on with SAML** page, in the **SAML Signing Certificate** section, find **Certificate (Base64)** and select **Download** to download the certificate and save it on your computer.
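Review bot: The new fragment `#app-roles-ui--preview` in the NOTE line ties this link to a heading slug that includes the word preview, and it will silently stop resolving when that heading is renamed. Prefer linking to `../develop/howto-add-app-roles-in-azure-ad-apps.md` without a fragment, or to an explicit stable anchor if the target article defines one. `Please click [here] to know how to configure Role` would also read better with descriptive link text.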
@@ -152,9 +152,9 @@ In this section, you test your Azure AD single sign-on configuration with follow
* Click on **Test this application** in Azure portal and you should be automatically signed in to the AskYourTeam for which you set up the SSO
-You can also use Microsoft My Apps to test the application in any mode. When you click the AskYourTeam tile in the My Apps, if configured in SP mode you would be redirected to the application sign on page for initiating the login flow and if configured in IDP mode, you should be automatically signed in to the AskYourTeam for which you set up the SSO. For more information about the My Apps, see [Introduction to the My Apps](https://docs.microsoft.com/azure/active-directory/active-directory-saas-access-panel-introduction).
+You can also use Microsoft My Apps to test the application in any mode. When you click the AskYourTeam tile in the My Apps, if configured in SP mode you would be redirected to the application sign on page for initiating the login flow and if configured in IDP mode, you should be automatically signed in to the AskYourTeam for which you set up the SSO. For more information about the My Apps, see [Introduction to the My Apps](../user-help/my-apps-portal-end-user-access.md).
## Next steps
-Once you configure PrinterLogic SaaS you can enforce session control, which protects exfiltration and infiltration of your organizationΓÇÖs sensitive data in real time. Session control extends from Conditional Access. [Learn how to enforce session control with Microsoft Cloud App Security](https://docs.microsoft.com/cloud-app-security/proxy-deployment-any-app).
\ No newline at end of file
+Once you configure PrinterLogic SaaS you can enforce session control, which protects exfiltration and infiltration of your organizationΓÇÖs sensitive data in real time. Session control extends from Conditional Access. [Learn how to enforce session control with Microsoft Cloud App Security](/cloud-app-security/proxy-deployment-any-app).
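Review bot: The My Apps paragraph being rewritten here, and the unchanged bullet above it, name `AskYourTeam` three times each even though this is `printerlogic-saas-tutorial.md` and the Next steps line says PrinterLogic SaaS. This looks like copy-paste from another tutorial. Replace `AskYourTeam` with `PrinterLogic SaaS` in the same change, since the line is already being touched.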
active-directory https://docs.microsoft.com/en-us/azure/active-directory/saas-apps/prodpad-tutorial https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/active-directory/saas-apps/prodpad-tutorial.md
@@ -93,7 +93,7 @@ Follow these steps to enable Azure AD SSO in the Azure portal.
| User.ProdpadRole | user.assignedroles | > [!NOTE]
- > ProdPad expects roles for users assigned to the application. Please set up these roles in Azure AD so that users can be assigned the appropriate roles. To understand how to configure roles in Azure AD, see [here](https://docs.microsoft.com/azure/active-directory/develop/howto-add-app-roles-in-azure-ad-apps#app-roles-ui).
+ > ProdPad expects roles for users assigned to the application. Please set up these roles in Azure AD so that users can be assigned the appropriate roles. To understand how to configure roles in Azure AD, see [here](../develop/howto-add-app-roles-in-azure-ad-apps.md#app-roles-ui--preview).
1. On the **Set up single sign-on with SAML** page, in the **SAML Signing Certificate** section, find **Certificate (Base64)** and select **Download** to download the certificate and save it on your computer.
@@ -153,4 +153,4 @@ You can also use Microsoft Access Panel to test the application in any mode. Whe
## Next steps
-Once you configure ProdPad you can enforce session control, which protects exfiltration and infiltration of your organizationΓÇÖs sensitive data in real time. Session control extends from Conditional Access. [Learn how to enforce session control with Microsoft Cloud App Security](/cloud-app-security/proxy-deployment-any-app).
\ No newline at end of file
+Once you configure ProdPad you can enforce session control, which protects exfiltration and infiltration of your organizationΓÇÖs sensitive data in real time. Session control extends from Conditional Access. [Learn how to enforce session control with Microsoft Cloud App Security](/cloud-app-security/proxy-deployment-any-app).
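Review bot: The removed and added Next steps lines are textually identical, so the only effect of this hunk is adding the missing newline at end of file. That is fine, but it should be stated in the commit message. The hunk header shows this file still says `Microsoft Access Panel` where the sibling tutorials in this batch say `Microsoft My Apps`. If the rename is part of this sweep, this file was missed.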
active-directory https://docs.microsoft.com/en-us/azure/active-directory/saas-apps/proprofs-knowledge-base-tutorial https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/active-directory/saas-apps/proprofs-knowledge-base-tutorial.md
@@ -120,11 +120,9 @@ In this section, you test your Azure AD single sign-on configuration with follow
* Click on Test this application in Azure portal and you should be automatically signed in to the ProProfs Knowledge Base for which you set up the SSO
-* You can use Microsoft My Apps. When you click the ProProfs Knowledge Base tile in the My Apps, you should be automatically signed in to the ProProfs Knowledge Base for which you set up the SSO. For more information about the My Apps, see [Introduction to the My Apps](https://docs.microsoft.com/azure/active-directory/active-directory-saas-access-panel-introduction).
+* You can use Microsoft My Apps. When you click the ProProfs Knowledge Base tile in the My Apps, you should be automatically signed in to the ProProfs Knowledge Base for which you set up the SSO. For more information about the My Apps, see [Introduction to the My Apps](../user-help/my-apps-portal-end-user-access.md).
## Next steps
-Once you configure ProProfs Knowledge Base you can enforce session control, which protects exfiltration and infiltration of your organizationΓÇÖs sensitive data in real time. Session control extends from Conditional Access. [Learn how to enforce session control with Microsoft Cloud App Security](https://docs.microsoft.com/cloud-app-security/proxy-deployment-any-app).
--
+Once you configure ProProfs Knowledge Base you can enforce session control, which protects exfiltration and infiltration of your organizationΓÇÖs sensitive data in real time. Session control extends from Conditional Access. [Learn how to enforce session control with Microsoft Cloud App Security](/cloud-app-security/proxy-deployment-any-app).
\ No newline at end of file
active-directory https://docs.microsoft.com/en-us/azure/active-directory/saas-apps/proware-tutorial https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/active-directory/saas-apps/proware-tutorial.md
@@ -139,11 +139,9 @@ In this section, you test your Azure AD single sign-on configuration with follow
* Click on **Test this application** in Azure portal and you should be automatically signed in to the Proware for which you set up the SSO
-You can also use Microsoft My Apps to test the application in any mode. When you click the Proware tile in the My Apps, if configured in SP mode you would be redirected to the application sign on page for initiating the login flow and if configured in IDP mode, you should be automatically signed in to the Proware for which you set up the SSO. For more information about the My Apps, see [Introduction to the My Apps](https://docs.microsoft.com/azure/active-directory/active-directory-saas-access-panel-introduction).
+You can also use Microsoft My Apps to test the application in any mode. When you click the Proware tile in the My Apps, if configured in SP mode you would be redirected to the application sign on page for initiating the login flow and if configured in IDP mode, you should be automatically signed in to the Proware for which you set up the SSO. For more information about the My Apps, see [Introduction to the My Apps](../user-help/my-apps-portal-end-user-access.md).
## Next steps
-Once you configure Proware you can enforce session control, which protects exfiltration and infiltration of your organizationΓÇÖs sensitive data in real time. Session control extends from Conditional Access. [Learn how to enforce session control with Microsoft Cloud App Security](https://docs.microsoft.com/cloud-app-security/proxy-deployment-any-app).
--
+Once you configure Proware you can enforce session control, which protects exfiltration and infiltration of your organizationΓÇÖs sensitive data in real time. Session control extends from Conditional Access. [Learn how to enforce session control with Microsoft Cloud App Security](/cloud-app-security/proxy-deployment-any-app).
\ No newline at end of file
active-directory https://docs.microsoft.com/en-us/azure/active-directory/saas-apps/qliksense-enterprise-tutorial https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/active-directory/saas-apps/qliksense-enterprise-tutorial.md
@@ -246,7 +246,7 @@ In this section, you test your Azure AD single sign-on configuration with follow
* Go to Qlik Sense Enterprise Sign-on URL directly and initiate the login flow from there.
-* You can use Microsoft My Apps. When you click the Qlik Sense Enterprise tile in the My Apps, this will redirect to Qlik Sense Enterprise Sign-on URL. For more information about the My Apps, see [Introduction to the My Apps](https://docs.microsoft.com/azure/active-directory/active-directory-saas-access-panel-introduction).
+* You can use Microsoft My Apps. When you click the Qlik Sense Enterprise tile in the My Apps, this will redirect to Qlik Sense Enterprise Sign-on URL. For more information about the My Apps, see [Introduction to the My Apps](../user-help/my-apps-portal-end-user-access.md).
## Next steps
active-directory https://docs.microsoft.com/en-us/azure/active-directory/saas-apps/retrievermediadatabase-tutorial https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/active-directory/saas-apps/retrievermediadatabase-tutorial.md
@@ -114,10 +114,8 @@ In this section, you test your Azure AD single sign-on configuration with follow
1. Click on Test this application in Azure portal and you should be automatically signed in to the RetrieverMediaDatabase for which you set up the SSO
-1. You can use Microsoft My Apps. When you click the RetrieverMediaDatabase tile in the My Apps, you should be automatically signed in to the RetrieverMediaDatabase for which you set up the SSO. For more information about the My Apps, see [Introduction to the My Apps](https://docs.microsoft.com/azure/active-directory/active-directory-saas-access-panel-introduction).
+1. You can use Microsoft My Apps. When you click the RetrieverMediaDatabase tile in the My Apps, you should be automatically signed in to the RetrieverMediaDatabase for which you set up the SSO. For more information about the My Apps, see [Introduction to the My Apps](../user-help/my-apps-portal-end-user-access.md).
## Next steps
-Once you configure RetrieverMediaDatabase you can enforce session control, which protects exfiltration and infiltration of your organizationΓÇÖs sensitive data in real time. Session control extends from Conditional Access. [Learn how to enforce session control with Microsoft Cloud App Security](https://docs.microsoft.com/cloud-app-security/proxy-deployment-any-app).
--
+Once you configure RetrieverMediaDatabase you can enforce session control, which protects exfiltration and infiltration of your organizationΓÇÖs sensitive data in real time. Session control extends from Conditional Access. [Learn how to enforce session control with Microsoft Cloud App Security](/cloud-app-security/proxy-deployment-any-app).
\ No newline at end of file
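Review bot: The two test options in this hunk are numbered (`1.` / `1.`) although they are alternatives, not sequential steps, and the other tutorials in this batch present the same options as `*` bullets. Switch to bullets for consistency. As in the sibling files, the added last line is followed by the no-newline marker, so add a terminating newline.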
active-directory https://docs.microsoft.com/en-us/azure/active-directory/saas-apps/rightcrowd-workforce-management-tutorial https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/active-directory/saas-apps/rightcrowd-workforce-management-tutorial.md
@@ -146,11 +146,9 @@ In this section, you test your Azure AD single sign-on configuration with follow
* Click on **Test this application** in Azure portal and you should be automatically signed in to the RightCrowd Workforce Management for which you set up the SSO
-You can also use Microsoft My Apps to test the application in any mode. When you click the RightCrowd Workforce Management tile in the My Apps, if configured in SP mode you would be redirected to the application sign on page for initiating the login flow and if configured in IDP mode, you should be automatically signed in to the RightCrowd Workforce Management for which you set up the SSO. For more information about the My Apps, see [Introduction to the My Apps](https://docs.microsoft.com/azure/active-directory/active-directory-saas-access-panel-introduction).
+You can also use Microsoft My Apps to test the application in any mode. When you click the RightCrowd Workforce Management tile in the My Apps, if configured in SP mode you would be redirected to the application sign on page for initiating the login flow and if configured in IDP mode, you should be automatically signed in to the RightCrowd Workforce Management for which you set up the SSO. For more information about the My Apps, see [Introduction to the My Apps](../user-help/my-apps-portal-end-user-access.md).
## Next steps
-Once you configure RightCrowd Workforce Management you can enforce session control, which protects exfiltration and infiltration of your organizationΓÇÖs sensitive data in real time. Session control extends from Conditional Access. [Learn how to enforce session control with Microsoft Cloud App Security](https://docs.microsoft.com/cloud-app-security/proxy-deployment-any-app).
--
+Once you configure RightCrowd Workforce Management you can enforce session control, which protects exfiltration and infiltration of your organizationΓÇÖs sensitive data in real time. Session control extends from Conditional Access. [Learn how to enforce session control with Microsoft Cloud App Security](/cloud-app-security/proxy-deployment-any-app).
\ No newline at end of file
active-directory https://docs.microsoft.com/en-us/azure/active-directory/saas-apps/salesforce-sandbox-tutorial https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/active-directory/saas-apps/salesforce-sandbox-tutorial.md
@@ -243,9 +243,9 @@ In this section, you test your Azure AD single sign-on configuration with follow
* Click on **Test this application** in Azure portal and you should be automatically signed in to the Salesforce Sandbox for which you set up the SSO
-You can also use Microsoft My Apps to test the application in any mode. When you click the Salesforce Sandbox tile in the My Apps, if configured in SP mode you would be redirected to the application sign on page for initiating the login flow and if configured in IDP mode, you should be automatically signed in to the Salesforce Sandbox for which you set up the SSO. For more information about the My Apps, see [Introduction to the My Apps](https://docs.microsoft.com/azure/active-directory/active-directory-saas-access-panel-introduction).
+You can also use Microsoft My Apps to test the application in any mode. When you click the Salesforce Sandbox tile in the My Apps, if configured in SP mode you would be redirected to the application sign on page for initiating the login flow and if configured in IDP mode, you should be automatically signed in to the Salesforce Sandbox for which you set up the SSO. For more information about the My Apps, see [Introduction to the My Apps](../user-help/my-apps-portal-end-user-access.md).
## Next steps
-Once you configure the Salesforce Sandbox you can enforce session controls, which protects exfiltration and infiltration of your organizationΓÇÖs sensitive data in real time. Session controls extends from Conditional Access. [Learn how to enforce session control with Microsoft Cloud App Security](/cloud-app-security/proxy-deployment-aad)
+Once you configure the Salesforce Sandbox you can enforce session controls, which protects exfiltration and infiltration of your organizationΓÇÖs sensitive data in real time. Session controls extends from Conditional Access. [Learn how to enforce session control with Microsoft Cloud App Security](/cloud-app-security/proxy-deployment-aad)
\ No newline at end of file
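Review bot: The Next steps link here points to `/cloud-app-security/proxy-deployment-aad`, while every other tutorial in this batch points to `/cloud-app-security/proxy-deployment-any-app`. Confirm that the difference is deliberate. The removed and added lines show no visible text difference, so if this is a whitespace-only change, the grammar could be fixed at the same time: `session controls, which protects` and `Session controls extends` should agree in number. The file still ends without a newline.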
active-directory https://docs.microsoft.com/en-us/azure/active-directory/saas-apps/sap-customer-cloud-tutorial https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/active-directory/saas-apps/sap-customer-cloud-tutorial.md
@@ -185,7 +185,7 @@ In this section, you test your Azure AD single sign-on configuration with follow
* Go to SAP Cloud for Customer Sign-on URL directly and initiate the login flow from there.
-* You can use Microsoft My Apps. When you click the SAP Cloud for Customer tile in the My Apps, this will redirect to SAP Cloud for Customer Sign-on URL. For more information about the My Apps, see [Introduction to the My Apps](https://docs.microsoft.com/azure/active-directory/active-directory-saas-access-panel-introduction).
+* You can use Microsoft My Apps. When you click the SAP Cloud for Customer tile in the My Apps, this will redirect to SAP Cloud for Customer Sign-on URL. For more information about the My Apps, see [Introduction to the My Apps](../user-help/my-apps-portal-end-user-access.md).
## Next steps
active-directory https://docs.microsoft.com/en-us/azure/active-directory/saas-apps/sap-hana-cloud-platform-identity-authentication-tutorial https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/active-directory/saas-apps/sap-hana-cloud-platform-identity-authentication-tutorial.md
@@ -203,7 +203,7 @@ In this section, you test your Azure AD single sign-on configuration with follow
* Click on **Test this application** in Azure portal and you should be automatically signed in to the SAP Cloud Platform Identity Authentication for which you set up the SSO
-You can also use Microsoft My Apps to test the application in any mode. When you click the SAP Cloud Platform Identity Authentication tile in the My Apps, if configured in SP mode you would be redirected to the application sign on page for initiating the login flow and if configured in IDP mode, you should be automatically signed in to the SAP Cloud Platform Identity Authentication for which you set up the SSO. For more information about the My Apps, see [Introduction to the My Apps](https://docs.microsoft.com/azure/active-directory/active-directory-saas-access-panel-introduction).
+You can also use Microsoft My Apps to test the application in any mode. When you click the SAP Cloud Platform Identity Authentication tile in the My Apps, if configured in SP mode you would be redirected to the application sign on page for initiating the login flow and if configured in IDP mode, you should be automatically signed in to the SAP Cloud Platform Identity Authentication for which you set up the SSO. For more information about the My Apps, see [Introduction to the My Apps](../user-help/my-apps-portal-end-user-access.md).
## Next steps
active-directory https://docs.microsoft.com/en-us/azure/active-directory/saas-apps/saphana-tutorial https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/active-directory/saas-apps/saphana-tutorial.md
@@ -207,7 +207,7 @@ In this section, you test your Azure AD single sign-on configuration with follow
* Click on Test this application in Azure portal and you should be automatically signed in to the SAP HANA for which you set up the SSO
-* You can use Microsoft My Apps. When you click the SAP HANA tile in the My Apps, you should be automatically signed in to the SAP HANA for which you set up the SSO. For more information about the My Apps, see [Introduction to the My Apps](https://docs.microsoft.com/azure/active-directory/active-directory-saas-access-panel-introduction).
+* You can use Microsoft My Apps. When you click the SAP HANA tile in the My Apps, you should be automatically signed in to the SAP HANA for which you set up the SSO. For more information about the My Apps, see [Introduction to the My Apps](../user-help/my-apps-portal-end-user-access.md).
## Next steps
active-directory https://docs.microsoft.com/en-us/azure/active-directory/saas-apps/servicechannel-tutorial https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/active-directory/saas-apps/servicechannel-tutorial.md
@@ -80,7 +80,7 @@ Follow these steps to enable Azure AD SSO in the Azure portal.
> [!NOTE] > These values are not real. Update these values with the actual Identifier and Reply URL. Here we suggest you to use the unique value of string in the Identifier. Contact [ServiceChannel Client support team](https://servicechannel.zendesk.com/hc/) to get these values. You can also refer to the patterns shown in the **Basic SAML Configuration** section in the Azure portal.
-1. The role claim is pre-configured so you don't have to configure it but you still need to create them in Azure AD using this [article](https://docs.microsoft.com/azure/active-directory/develop/howto-add-app-roles-in-azure-ad-apps#app-roles-ui). You can refer ServiceChannel guide [here](https://servicechannel.zendesk.com/hc/articles/217514326-Azure-AD-Configuration-Example) for more guidance on claims.
+1. The role claim is pre-configured so you don't have to configure it but you still need to create them in Azure AD using this [article](../develop/howto-add-app-roles-in-azure-ad-apps.md#app-roles-ui--preview). You can refer ServiceChannel guide [here](https://servicechannel.zendesk.com/hc/articles/217514326-Azure-AD-Configuration-Example) for more guidance on claims.
1. On the **Set up single sign-on with SAML** page, in the **SAML Signing Certificate** section, find **Certificate (Base64)** and select **Download** to download the certificate and save it on your computer.
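Review bot: the new link target in the added role-claim step ends in `#app-roles-ui--preview`, which pins this step to a heading that is labelled as preview and is likely to be renamed; when that happens the fragment stops resolving and readers land at the top of the article. Link to `../develop/howto-add-app-roles-in-azure-ad-apps.md` without the fragment, or to a heading that does not carry the preview suffix. Since the line is being touched anyway, replace the link texts "article" and "here" with descriptive text and change "You can refer ServiceChannel guide" to "You can refer to the ServiceChannel guide".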
@@ -128,9 +128,9 @@ In this section, you test your Azure AD single sign-on configuration with follow
* Click on Test this application in Azure portal and you should be automatically signed in to the ServiceChannel for which you set up the SSO
-* You can use Microsoft My Apps. When you click the ServiceChannel tile in the My Apps, you should be automatically signed in to the ServiceChannel for which you set up the SSO. For more information about the My Apps, see [Introduction to the My Apps](https://docs.microsoft.com/azure/active-directory/active-directory-saas-access-panel-introduction).
+* You can use Microsoft My Apps. When you click the ServiceChannel tile in the My Apps, you should be automatically signed in to the ServiceChannel for which you set up the SSO. For more information about the My Apps, see [Introduction to the My Apps](../user-help/my-apps-portal-end-user-access.md).
## Next steps
-Once you configure ServiceChannel you can enforce session control, which protects exfiltration and infiltration of your organizationΓÇÖs sensitive data in real time. Session control extends from Conditional Access. [Learn how to enforce session control with Microsoft Cloud App Security](/cloud-app-security/proxy-deployment-any-app).
\ No newline at end of file
+Once you configure ServiceChannel you can enforce session control, which protects exfiltration and infiltration of your organizationΓÇÖs sensitive data in real time. Session control extends from Conditional Access. [Learn how to enforce session control with Microsoft Cloud App Security](/cloud-app-security/proxy-deployment-any-app).
active-directory https://docs.microsoft.com/en-us/azure/active-directory/saas-apps/servicenow-provisioning-tutorial https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/active-directory/saas-apps/servicenow-provisioning-tutorial.md
@@ -150,7 +150,7 @@ Once you've configured provisioning, use the following resources to monitor your
* **IP Ranges**
- The Azure AD provisioning service currently operates under a particular IP ranges.So if required you can restrict other IP ranges and add these particular IP ranges to the allowlist of your application to allow traffic flow from Azure AD provisioning service to your application .Refer the documentation at [IP Ranges](https://docs.microsoft.com/azure/active-directory/app-provisioning/use-scim-to-provision-users-and-groups#ip-ranges).
+ The Azure AD provisioning service currently operates under a particular IP ranges.So if required you can restrict other IP ranges and add these particular IP ranges to the allowlist of your application to allow traffic flow from Azure AD provisioning service to your application .Refer the documentation at [IP Ranges](../app-provisioning/use-scim-to-provision-users-and-groups.md#ip-ranges).
## Additional resources
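Review bot: the added **IP Ranges** line carries over the broken wording of the line it replaces: "under a particular IP ranges.So if required" has a number mismatch and no space after the period, and "your application .Refer the documentation at" has the space on the wrong side of the period. This sentence is the guidance admins follow when allowlisting the provisioning service, so it should read cleanly, for example "The Azure AD provisioning service currently operates under particular IP ranges. If required, you can restrict other IP ranges and add these ranges to your application's allowlist ... Refer to the documentation at [IP Ranges]".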
active-directory https://docs.microsoft.com/en-us/azure/active-directory/saas-apps/servicessosafe-tutorial https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/active-directory/saas-apps/servicessosafe-tutorial.md
@@ -154,8 +154,8 @@ In this section, you test your Azure AD single sign-on configuration with follow
* Click on **Test this application** in Azure portal and you should be automatically signed in to the SoSafe for which you set up the SSO
-You can also use Microsoft Access Panel to test the application in any mode. When you click the SoSafe tile in the Access Panel, if configured in SP mode you would be redirected to the application sign on page for initiating the login flow and if configured in IDP mode, you should be automatically signed in to the SoSafe for which you set up the SSO. For more information about the Access Panel, see [Introduction to the Access Panel](https://docs.microsoft.com/azure/active-directory/active-directory-saas-access-panel-introduction).
+You can also use Microsoft Access Panel to test the application in any mode. When you click the SoSafe tile in the Access Panel, if configured in SP mode you would be redirected to the application sign on page for initiating the login flow and if configured in IDP mode, you should be automatically signed in to the SoSafe for which you set up the SSO. For more information about the Access Panel, see [Introduction to the Access Panel](../user-help/my-apps-portal-end-user-access.md).
## Next steps
-Once you configure SoSafe you can enforce session control, which protects exfiltration and infiltration of your organizationΓÇÖs sensitive data in real time. Session control extends from Conditional Access. [Learn how to enforce session control with Microsoft Cloud App Security](https://docs.microsoft.com/cloud-app-security/proxy-deployment-any-app).
+Once you configure SoSafe you can enforce session control, which protects exfiltration and infiltration of your organizationΓÇÖs sensitive data in real time. Session control extends from Conditional Access. [Learn how to enforce session control with Microsoft Cloud App Security](/cloud-app-security/proxy-deployment-any-app).
\ No newline at end of file
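Review bot: the added test paragraph now links to `../user-help/my-apps-portal-end-user-access.md` but still calls the portal "Microsoft Access Panel" and labels the link "Introduction to the Access Panel", while the sibling tutorials in this same change set use "Microsoft My Apps" and "Introduction to the My Apps" for the same target. Rename the three "Access Panel" mentions on that line so the text matches the page it points to. Separately, the added **Next steps** line is followed by "\ No newline at end of file", so this change leaves the file without a trailing newline; add one.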
active-directory https://docs.microsoft.com/en-us/azure/active-directory/saas-apps/sharefile-tutorial https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/active-directory/saas-apps/sharefile-tutorial.md
@@ -195,7 +195,7 @@ In this section, you test your Azure AD single sign-on configuration with follow
* Go to Citrix ShareFile Sign-on URL directly and initiate the login flow from there.
-* You can use Microsoft My Apps. When you click the Citrix ShareFile tile in the My Apps, this will redirect to Citrix ShareFile Sign-on URL. For more information about the My Apps, see [Introduction to the My Apps](https://docs.microsoft.com/azure/active-directory/active-directory-saas-access-panel-introduction).
+* You can use Microsoft My Apps. When you click the Citrix ShareFile tile in the My Apps, this will redirect to Citrix ShareFile Sign-on URL. For more information about the My Apps, see [Introduction to the My Apps](../user-help/my-apps-portal-end-user-access.md).
## Next steps
active-directory https://docs.microsoft.com/en-us/azure/active-directory/saas-apps/shmoopforschools-tutorial https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/active-directory/saas-apps/shmoopforschools-tutorial.md
@@ -91,7 +91,7 @@ Follow these steps to enable Azure AD SSO in the Azure portal.
| role | user.assignedroles | > [!NOTE]
- > Shmoop for School supports two roles for users: **Teacher** and **Student**. Set up these roles in Azure AD so that users can be assigned the appropriate roles. To understand how to configure roles in Azure AD, see [here](https://docs.microsoft.com/azure/active-directory/develop/howto-add-app-roles-in-azure-ad-apps#app-roles-ui).
+ > Shmoop for School supports two roles for users: **Teacher** and **Student**. Set up these roles in Azure AD so that users can be assigned the appropriate roles. To understand how to configure roles in Azure AD, see [here](../develop/howto-add-app-roles-in-azure-ad-apps.md#app-roles-ui--preview).
1. On the **Set up Single Sign-On with SAML** page, In the **SAML Signing Certificate** section, click copy button to copy **App Federation Metadata Url** and save it on your computer.
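Review bot: the added note spells the product "Shmoop for School", while the file name and the test section of this same tutorial use "Shmoop For Schools"; use one spelling throughout. The link on that line also keeps the text "here" and now targets `#app-roles-ui--preview`, a fragment tied to a preview-labelled heading that will stop resolving if the heading is renamed. Prefer descriptive link text such as "Add app roles to your application" and a target without the preview fragment.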
@@ -140,9 +140,9 @@ In this section, you test your Azure AD single sign-on configuration with follow
* Go to Shmoop For Schools Sign-on URL directly and initiate the login flow from there.
-* You can use Microsoft My Apps. When you click the Shmoop For Schools tile in the My Apps, this will redirect to Shmoop For Schools Sign-on URL. For more information about the My Apps, see [Introduction to the My Apps](https://docs.microsoft.com/azure/active-directory/active-directory-saas-access-panel-introduction).
+* You can use Microsoft My Apps. When you click the Shmoop For Schools tile in the My Apps, this will redirect to Shmoop For Schools Sign-on URL. For more information about the My Apps, see [Introduction to the My Apps](../user-help/my-apps-portal-end-user-access.md).
## Next steps
-Once you configure Shmoop For Schools you can enforce session control, which protects exfiltration and infiltration of your organizationΓÇÖs sensitive data in real time. Session control extends from Conditional Access. [Learn how to enforce session control with Microsoft Cloud App Security](/cloud-app-security/proxy-deployment-any-app).
\ No newline at end of file
+Once you configure Shmoop For Schools you can enforce session control, which protects exfiltration and infiltration of your organizationΓÇÖs sensitive data in real time. Session control extends from Conditional Access. [Learn how to enforce session control with Microsoft Cloud App Security](/cloud-app-security/proxy-deployment-any-app).
active-directory https://docs.microsoft.com/en-us/azure/active-directory/saas-apps/shopify-plus-provisioning-tutorial https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/active-directory/saas-apps/shopify-plus-provisioning-tutorial.md
@@ -20,7 +20,7 @@ ms.author: Zhchia
# Tutorial: Configure Shopify Plus for automatic user provisioning
-This tutorial describes the steps you need to perform in both Shopify Plus and Azure Active Directory (Azure AD) to configure automatic user provisioning. When configured, Azure AD automatically provisions and de-provisions users and groups to [Shopify Plus](https://www.shopify.com) using the Azure AD Provisioning service. For important details on what this service does, how it works, and frequently asked questions, see [Automate user provisioning and deprovisioning to SaaS applications with Azure Active Directory](../manage-apps/user-provisioning.md).
+This tutorial describes the steps you need to perform in both Shopify Plus and Azure Active Directory (Azure AD) to configure automatic user provisioning. When configured, Azure AD automatically provisions and de-provisions users and groups to [Shopify Plus](https://www.shopify.com) using the Azure AD Provisioning service. For important details on what this service does, how it works, and frequently asked questions, see [Automate user provisioning and deprovisioning to SaaS applications with Azure Active Directory](../app-provisioning/user-provisioning.md).
## Capabilities Supported
@@ -28,20 +28,20 @@ This tutorial describes the steps you need to perform in both Shopify Plus and A
> * Create users in Shopify Plus > * Remove users in Shopify Plus when they do not require access anymore > * Keep user attributes synchronized between Azure AD and Shopify Plus
-> * [Single sign-on](https://docs.microsoft.com/azure/active-directory/saas-apps/shopify-plus-tutorial) to Shopify Plus (recommended)
+> * [Single sign-on](./shopify-plus-tutorial.md) to Shopify Plus (recommended)
## Prerequisites The scenario outlined in this tutorial assumes that you already have the following prerequisites:
-* [An Azure AD tenant](https://docs.microsoft.com/azure/active-directory/develop/quickstart-create-new-tenant)
-* A user account in Azure AD with [permission](https://docs.microsoft.com/azure/active-directory/users-groups-roles/directory-assign-admin-roles) to configure provisioning (for example, Application Administrator, Cloud Application administrator, Application Owner, or Global Administrator).
+* [An Azure AD tenant](../develop/quickstart-create-new-tenant.md)
+* A user account in Azure AD with [permission](../roles/permissions-reference.md) to configure provisioning (for example, Application Administrator, Cloud Application administrator, Application Owner, or Global Administrator).
* Verify your domain and create a SAML configuration. You can only manage users who are associated with a verified domain. ## Step 1. Plan your provisioning deployment
-1. Learn about [how the provisioning service works](https://docs.microsoft.com/azure/active-directory/manage-apps/user-provisioning).
-2. Determine who will be in [scope for provisioning](https://docs.microsoft.com/azure/active-directory/manage-apps/define-conditional-rules-for-provisioning-user-accounts).
-3. Determine what data to [map between Azure AD and Shopify Plus](https://docs.microsoft.com/azure/active-directory/manage-apps/customize-application-attributes).
+1. Learn about [how the provisioning service works](../app-provisioning/user-provisioning.md).
+2. Determine who will be in [scope for provisioning](../app-provisioning/define-conditional-rules-for-provisioning-user-accounts.md).
+3. Determine what data to [map between Azure AD and Shopify Plus](../app-provisioning/customize-application-attributes.md).
## Step 2. Configure Shopify Plus to support provisioning with Azure AD
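Review bot: in the added prerequisite line, the role list reads "Application Administrator, Cloud Application administrator, Application Owner, or Global Administrator", so one role name is capitalised differently from the others. These are the roles a reader will look up on the new `../roles/permissions-reference.md` target, so write "Cloud Application Administrator" to match. The rest of the hunk is a consistent move from absolute docs.microsoft.com URLs to relative `.md` paths and looks fine.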
@@ -55,15 +55,15 @@ The scenario outlined in this tutorial assumes that you already have the followi
## Step 3. Add Shopify Plus from the Azure AD application gallery
-Add Shopify Plus from the Azure AD application gallery to start managing provisioning to Shopify Plus. If you have previously setup Shopify Plus for SSO, you can use the same application. However it is recommended that you create a separate app when testing out the integration initially. Learn more about adding an application from the gallery [here](https://docs.microsoft.com/azure/active-directory/manage-apps/add-gallery-app).
+Add Shopify Plus from the Azure AD application gallery to start managing provisioning to Shopify Plus. If you have previously setup Shopify Plus for SSO, you can use the same application. However it is recommended that you create a separate app when testing out the integration initially. Learn more about adding an application from the gallery [here](../manage-apps/add-application-portal.md).
## Step 4. Define who will be in scope for provisioning
-The Azure AD provisioning service allows you to scope who will be provisioned based on assignment to the application and or based on attributes of the user / group. If you choose to scope who will be provisioned to your app based on assignment, you can use the following [steps](../manage-apps/assign-user-or-group-access-portal.md) to assign users and groups to the application. If you choose to scope who will be provisioned based solely on attributes of the user or group, you can use a scoping filter as described [here](https://docs.microsoft.com/azure/active-directory/manage-apps/define-conditional-rules-for-provisioning-user-accounts).
+The Azure AD provisioning service allows you to scope who will be provisioned based on assignment to the application and or based on attributes of the user / group. If you choose to scope who will be provisioned to your app based on assignment, you can use the following [steps](../manage-apps/assign-user-or-group-access-portal.md) to assign users and groups to the application. If you choose to scope who will be provisioned based solely on attributes of the user or group, you can use a scoping filter as described [here](../app-provisioning/define-conditional-rules-for-provisioning-user-accounts.md).
-* When assigning users and groups to Shopify Plus, you must select a role other than **Default Access**. Users with the Default Access role are excluded from provisioning and will be marked as not effectively entitled in the provisioning logs. If the only role available on the application is the default access role, you can [update the application manifest](https://docs.microsoft.com/azure/active-directory/develop/howto-add-app-roles-in-azure-ad-apps) to add additional roles.
+* When assigning users and groups to Shopify Plus, you must select a role other than **Default Access**. Users with the Default Access role are excluded from provisioning and will be marked as not effectively entitled in the provisioning logs. If the only role available on the application is the default access role, you can [update the application manifest](../develop/howto-add-app-roles-in-azure-ad-apps.md) to add additional roles.
-* Start small. Test with a small set of users and groups before rolling out to everyone. When scope for provisioning is set to assigned users and groups, you can control this by assigning one or two users or groups to the app. When scope is set to all users and groups, you can specify an [attribute based scoping filter](https://docs.microsoft.com/azure/active-directory/manage-apps/define-conditional-rules-for-provisioning-user-accounts).
+* Start small. Test with a small set of users and groups before rolling out to everyone. When scope for provisioning is set to assigned users and groups, you can control this by assigning one or two users or groups to the app. When scope is set to all users and groups, you can specify an [attribute based scoping filter](../app-provisioning/define-conditional-rules-for-provisioning-user-accounts.md).
## Step 5. Configure automatic user provisioning to Shopify Plus
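Review bot: the added Step 3 and Step 4 paragraphs keep wording problems from the lines they replace. In Step 3, "If you have previously setup Shopify Plus for SSO" should be "set up", and "However it is recommended" needs a comma after "However". In Step 4, "based on assignment to the application and or based on attributes of the user / group" should read "and/or" (or simply "or"). Both paragraphs also use "here" as link text for the gallery and scoping-filter articles; name the target article instead so the links make sense out of context.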
@@ -100,7 +100,7 @@ This section guides you through the steps to configure the Azure AD provisioning
8. Under the **Mappings** section, select **Synchronize Azure Active Directory Users to Shopify Plus**.
-9. Review the user attributes that are synchronized from Azure AD to Shopify Plus in the **Attribute-Mapping** section. The attributes selected as **Matching** properties are used to match the user accounts in Shopify Plus for update operations. If you choose to change the [matching target attribute](https://docs.microsoft.com/azure/active-directory/manage-apps/customize-application-attributes), you will need to ensure that the Shopify Plus API supports filtering users based on that attribute. Select the **Save** button to commit any changes.
+9. Review the user attributes that are synchronized from Azure AD to Shopify Plus in the **Attribute-Mapping** section. The attributes selected as **Matching** properties are used to match the user accounts in Shopify Plus for update operations. If you choose to change the [matching target attribute](../app-provisioning/customize-application-attributes.md), you will need to ensure that the Shopify Plus API supports filtering users based on that attribute. Select the **Save** button to commit any changes.
|Attribute|Type|Supported for Filtering| |---|---|---|
@@ -110,7 +110,7 @@ This section guides you through the steps to configure the Azure AD provisioning
|name.familyName|String|
-10. To configure scoping filters, refer to the following instructions provided in the [Scoping filter tutorial](../manage-apps/define-conditional-rules-for-provisioning-user-accounts.md).
+10. To configure scoping filters, refer to the following instructions provided in the [Scoping filter tutorial](../app-provisioning/define-conditional-rules-for-provisioning-user-accounts.md).
11. To enable the Azure AD provisioning service for Shopify Plus, change the **Provisioning Status** to **On** in the **Settings** section.
@@ -129,15 +129,15 @@ This operation starts the initial synchronization cycle of all users and groups
## Step 6. Monitor your deployment Once you've configured provisioning, use the following resources to monitor your deployment:
-1. Use the [provisioning logs](https://docs.microsoft.com/azure/active-directory/reports-monitoring/concept-provisioning-logs) to determine which users have been provisioned successfully or unsuccessfully
-2. Check the [progress bar](https://docs.microsoft.com/azure/active-directory/app-provisioning/application-provisioning-when-will-provisioning-finish-specific-user) to see the status of the provisioning cycle and how close it is to completion
-3. If the provisioning configuration seems to be in an unhealthy state, the application will go into quarantine. Learn more about quarantine states [here](https://docs.microsoft.com/azure/active-directory/manage-apps/application-provisioning-quarantine-status).
+1. Use the [provisioning logs](../reports-monitoring/concept-provisioning-logs.md) to determine which users have been provisioned successfully or unsuccessfully
+2. Check the [progress bar](../app-provisioning/application-provisioning-when-will-provisioning-finish-specific-user.md) to see the status of the provisioning cycle and how close it is to completion
+3. If the provisioning configuration seems to be in an unhealthy state, the application will go into quarantine. Learn more about quarantine states [here](../app-provisioning/application-provisioning-quarantine-status.md).
## Additional resources
-* [Managing user account provisioning for Enterprise Apps](../manage-apps/configure-automatic-user-provisioning-portal.md)
+* [Managing user account provisioning for Enterprise Apps](../app-provisioning/configure-automatic-user-provisioning-portal.md)
* [What is application access and single sign-on with Azure Active Directory?](../manage-apps/what-is-single-sign-on.md) ## Next steps
-* [Learn how to review logs and get reports on provisioning activity](../manage-apps/check-status-user-account-provisioning.md)
+* [Learn how to review logs and get reports on provisioning activity](../app-provisioning/check-status-user-account-provisioning.md)
\ No newline at end of file
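Review bot: the last added line of this hunk, the "Learn how to review logs and get reports on provisioning activity" bullet, is followed by "\ No newline at end of file", so the change removes the file's trailing newline; restore it. In the monitoring list, items 1 and 2 end without a period while item 3 ends with one, and item 3 still uses "here" as link text for the quarantine article; make the punctuation consistent and use descriptive link text.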
active-directory https://docs.microsoft.com/en-us/azure/active-directory/saas-apps/slack-tutorial https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/active-directory/saas-apps/slack-tutorial.md
@@ -207,7 +207,7 @@ In this section, you test your Azure AD single sign-on configuration with follow
* Go to Slack Sign-on URL directly and initiate the login flow from there.
-* You can use Microsoft My Apps. When you click the Slack tile in the My Apps, this will redirect to Slack Sign-on URL. For more information about the My Apps, see [Introduction to the My Apps](https://docs.microsoft.com/azure/active-directory/active-directory-saas-access-panel-introduction).
+* You can use Microsoft My Apps. When you click the Slack tile in the My Apps, this will redirect to Slack Sign-on URL. For more information about the My Apps, see [Introduction to the My Apps](../user-help/my-apps-portal-end-user-access.md).
## Next steps
active-directory https://docs.microsoft.com/en-us/azure/active-directory/saas-apps/snowflake-provisioning-tutorial https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/active-directory/saas-apps/snowflake-provisioning-tutorial.md
@@ -159,7 +159,7 @@ Once you've configured provisioning, use the following resources to monitor your
* **IP Ranges**
- The Azure AD provisioning service currently operates under a particular IP ranges. So if required you can restrict other IP ranges and add these particular IP ranges to the allowlist of your application to allow traffic flow from Azure AD provisioning service to your application .Refer the documentation at [IP Ranges](https://docs.microsoft.com/azure/active-directory/app-provisioning/use-scim-to-provision-users-and-groups#ip-ranges).
+ The Azure AD provisioning service currently operates under a particular IP ranges. So if required you can restrict other IP ranges and add these particular IP ranges to the allowlist of your application to allow traffic flow from Azure AD provisioning service to your application .Refer the documentation at [IP Ranges](../app-provisioning/use-scim-to-provision-users-and-groups.md#ip-ranges).
## Change Log
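Review bot: the added **IP Ranges** line still reads "operates under a particular IP ranges" and "your application .Refer the documentation at", with a number mismatch and a misplaced space before the period. Fix the sentence while the link is being updated, and keep the wording identical to the same paragraph in the ServiceNow provisioning tutorial so the allowlisting guidance does not drift between tutorials.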
active-directory https://docs.microsoft.com/en-us/azure/active-directory/saas-apps/snowflake-tutorial https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/active-directory/saas-apps/snowflake-tutorial.md
@@ -182,7 +182,7 @@ In this section, you test your Azure AD single sign-on configuration with follow
* Click on **Test this application** in Azure portal and you should be automatically signed in to the Snowflake for which you set up the SSO
-You can also use Microsoft My Apps to test the application in any mode. When you click the Snowflake tile in the My Apps, if configured in SP mode you would be redirected to the application sign on page for initiating the login flow and if configured in IDP mode, you should be automatically signed in to the Snowflake for which you set up the SSO. For more information about the My Apps, see [Introduction to the My Apps](https://docs.microsoft.com/azure/active-directory/active-directory-saas-access-panel-introduction).
+You can also use Microsoft My Apps to test the application in any mode. When you click the Snowflake tile in the My Apps, if configured in SP mode you would be redirected to the application sign on page for initiating the login flow and if configured in IDP mode, you should be automatically signed in to the Snowflake for which you set up the SSO. For more information about the My Apps, see [Introduction to the My Apps](../user-help/my-apps-portal-end-user-access.md).
## Next steps
active-directory https://docs.microsoft.com/en-us/azure/active-directory/saas-apps/software-ag-cloud-tutorial https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/active-directory/saas-apps/software-ag-cloud-tutorial.md
@@ -151,6 +151,4 @@ Assuming that the Microsoft Azure is configured as a provider in Software AG Clo
## Next steps
-Once you configure Software AG Cloud you can enforce session control, which protects exfiltration and infiltration of your organizationΓÇÖs sensitive data in real time. Session control extends from Conditional Access. [Learn how to enforce session control with Microsoft Cloud App Security](https://docs.microsoft.com/cloud-app-security/proxy-deployment-any-app).
--
+Once you configure Software AG Cloud you can enforce session control, which protects exfiltration and infiltration of your organizationΓÇÖs sensitive data in real time. Session control extends from Conditional Access. [Learn how to enforce session control with Microsoft Cloud App Security](/cloud-app-security/proxy-deployment-any-app).
\ No newline at end of file
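Review bot: the added **Next steps** paragraph ends with "\ No newline at end of file", so the file loses its trailing newline in this change; add one. The sentence itself says session control "protects exfiltration and infiltration of your organization's sensitive data", which reads as if the control protects the exfiltration; "protects against exfiltration and infiltration" states the intent.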
active-directory https://docs.microsoft.com/en-us/azure/active-directory/saas-apps/splan-visitor-tutorial https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/active-directory/saas-apps/splan-visitor-tutorial.md
@@ -1,5 +1,5 @@
---
-title: 'Tutorial: Azure Active Directory single sign-on (SSO) integration with Splan Visitor | Microsoft Docs'
+title: 'Tutorial: Integrate Azure Active Directory single sign-on (SSO) with Splan Visitor | Microsoft Docs'
description: Learn how to configure single sign-on between Azure Active Directory and Splan Visitor. services: active-directory author: jeevansd
@@ -14,113 +14,110 @@ ms.author: jeedes
---
-# Tutorial: Azure Active Directory single sign-on (SSO) integration with Splan Visitor
+# Tutorial: Integrate Azure Active Directory single sign-on (SSO) with Splan Visitor
In this tutorial, you'll learn how to integrate Splan Visitor with Azure Active Directory (Azure AD). When you integrate Splan Visitor with Azure AD, you can:
-* Control in Azure AD who has access to Splan Visitor.
-* Enable your users to be automatically signed-in to Splan Visitor with their Azure AD accounts.
-* Manage your accounts in one central location - the Azure portal.
+* Use Azure AD to control who has access to Splan Visitor.
+* Enable users to be automatically signed in to Splan Visitor with their Azure AD accounts.
+* Manage your accounts in one central location, the Azure portal.
## Prerequisites
-To get started, you need the following items:
+To get started, you need:
* An Azure AD subscription. If you don't have a subscription, you can get a [free account](https://azure.microsoft.com/free/).
-* Splan Visitor single sign-on (SSO) enabled subscription.
+* A Splan Visitor single sign-on (SSO) enabled subscription.
## Scenario description
-In this tutorial, you configure and test Azure AD SSO in a test environment.
+In this tutorial, you'll configure and test Azure AD SSO in a test environment.
-* Splan Visitor supports **IDP** initiated SSO
+Splan Visitor supports IdP-initiated SSO.
-## Adding Splan Visitor from the gallery
+## Add Splan Visitor from the gallery
-To configure the integration of Splan Visitor into Azure AD, you need to add Splan Visitor from the gallery to your list of managed SaaS apps.
+To configure the integration of Splan Visitor into Azure AD, add Splan Visitor from the gallery to your list of managed SaaS apps.
-1. Sign in to the Azure portal using either a work or school account, or a personal Microsoft account.
-1. On the left navigation pane, select the **Azure Active Directory** service.
-1. Navigate to **Enterprise Applications** and then select **All Applications**.
+1. Sign in to the Azure portal by using a work or school account, or a personal Microsoft account.
+1. On the left pane, select the **Azure Active Directory** service.
+1. Go to **Enterprise Applications**, and then select **All Applications**.
1. To add new application, select **New application**.
-1. In the **Add from the gallery** section, type **Splan Visitor** in the search box.
-1. Select **Splan Visitor** from results panel and then add the app. Wait a few seconds while the app is added to your tenant.
+1. In the **Add from the gallery** section, enter **Splan Visitor** in the search box.
+1. Select **Splan Visitor** from the results panel, and then add the app. Wait a few seconds while the app is added to your tenant.
## Configure and test Azure AD SSO for Splan Visitor
-Configure and test Azure AD SSO with Splan Visitor using a test user called **B.Simon**. For SSO to work, you need to establish a link relationship between an Azure AD user and the related user in Splan Visitor.
+Configure and test Azure AD SSO with Splan Visitor by using a test user named **B.Simon**. For SSO to work, you need to establish a link relationship between an Azure AD user and the related user in Splan Visitor.
To configure and test Azure AD SSO with Splan Visitor, perform the following steps:
-1. **[Configure Azure AD SSO](#configure-azure-ad-sso)** - to enable your users to use this feature.
- 1. **[Create an Azure AD test user](#create-an-azure-ad-test-user)** - to test Azure AD single sign-on with B.Simon.
- 1. **[Assign the Azure AD test user](#assign-the-azure-ad-test-user)** - to enable B.Simon to use Azure AD single sign-on.
-1. **[Configure Splan Visitor SSO](#configure-splan-visitor-sso)** - to configure the single sign-on settings on application side.
- 1. **[Create Splan Visitor test user](#create-splan-visitor-test-user)** - to have a counterpart of B.Simon in Splan Visitor that is linked to the Azure AD representation of user.
-1. **[Test SSO](#test-sso)** - to verify whether the configuration works.
+1. **[Configure Azure AD SSO](#configure-azure-ad-sso)** to enable your users to use this feature.
+ 1. **[Create an Azure AD test user](#create-an-azure-ad-test-user)** to test Azure AD single sign-on with test user B.Simon.
+ 1. **[Assign the Azure AD test user](#assign-the-azure-ad-test-user)** to enable B.Simon to use Azure AD single sign-on.
+1. **[Configure Splan Visitor SSO](#configure-splan-visitor-sso)** to configure the single sign-on settings with Splan Visitor.
+ 1. **[Create a Splan Visitor test user](#create-a-splan-visitor-test-user)** to have a counterpart of B.Simon in Splan Visitor that is linked to the Azure AD representation of user.
+1. **[Test SSO](#test-sso)** to verify whether the configuration works.
## Configure Azure AD SSO
-Follow these steps to enable Azure AD SSO in the Azure portal.
+Follow these steps to enable Azure AD SSO in the Azure portal:
1. In the Azure portal, on the **Splan Visitor** application integration page, find the **Manage** section and select **single sign-on**. 1. On the **Select a single sign-on method** page, select **SAML**.
-1. On the **Set up single sign-on with SAML** page, click the edit/pen icon for **Basic SAML Configuration** to edit the settings.
+1. On the **Set up Single Sign-On with SAML** page, select the **edit/pen** icon for **Basic SAML Configuration** to edit the settings.
- ![Edit Basic SAML Configuration](common/edit-urls.png)
+ ![Screenshot highlighting the edit/pen icon for Basic SAML Configuration.](common/edit-urls.png)
-1. On the **Basic SAML Configuration** section, the application is pre-configured and the necessary URLs are already pre-populated with Azure. The user needs to save the configuration by clicking the **Save** button.
+1. In the **Basic SAML Configuration** section, the application is preconfigured and the necessary URLs are prepopulated with Azure. Select the **Save** button to save the configuration.
-1. On the **Set up single sign-on with SAML** page, in the **SAML Signing Certificate** section, find **Federation Metadata XML** and select **Download** to download the certificate and save it on your computer.
+1. On the **Set up Single Sign-on with SAML** page, in the **SAML Signing Certificate** section, find **Federation Metadata XML**. Select **Download** to download the certificate and save it to your computer.
- ![The Certificate download link](common/metadataxml.png)
+ ![Screenshot highlighting the Federation Metadata XML download link.](common/metadataxml.png)
-1. On the **Set up Splan Visitor** section, copy the appropriate URL(s) based on your requirement.
+1. On the **Set up Splan Visitor** section, copy the appropriate URL or URLs based on your requirement.
+
+ ![Screenshot highlighting the configuration URLs section.](common/copy-configuration-urls.png)
- ![Copy configuration URLs](common/copy-configuration-urls.png)
### Create an Azure AD test user
-In this section, you'll create a test user in the Azure portal called B.Simon.
+In this section, you'll create a test user named B.Simon in the Azure portal.
-1. From the left pane in the Azure portal, select **Azure Active Directory**, select **Users**, and then select **All users**.
+1. On the left pane in the Azure portal, select **Azure Active Directory**, select **Users**, and then select **All users**.
1. Select **New user** at the top of the screen. 1. In the **User** properties, follow these steps:
- 1. In the **Name** field, enter `B.Simon`.
- 1. In the **User name** field, enter the username@companydomain.extension. For example, `B.Simon@contoso.com`.
+ 1. In the **Name** field, enter **B.Simon**.
+ 1. In the **User name** field, enter your username in _username@companydomain.extension_ format. For example, enter **B.Simon@contoso.com**.
1. Select the **Show password** check box, and then write down the value that's displayed in the **Password** box.
- 1. Click **Create**.
+ 1. Select **Create**.
### Assign the Azure AD test user In this section, you'll enable B.Simon to use Azure single sign-on by granting access to Splan Visitor. 1. In the Azure portal, select **Enterprise Applications**, and then select **All applications**.
-1. In the applications list, select **Splan Visitor**.
-1. In the app's overview page, find the **Manage** section and select **Users and groups**.
-1. Select **Add user**, then select **Users and groups** in the **Add Assignment** dialog.
-1. In the **Users and groups** dialog, select **B.Simon** from the Users list, then click the **Select** button at the bottom of the screen.
-1. If you are expecting a role to be assigned to the users, you can select it from the **Select a role** dropdown. If no role has been set up for this app, you see "Default Access" role selected.
-1. In the **Add Assignment** dialog, click the **Assign** button.
+1. In the applications list, select **Splan Visitor** to open the app overview.
+1. Find the **Manage** section, and then select **Users and groups**.
+1. Select **Add user**, and then select **Users and groups** in the **Add Assignment** dialog box.
+1. In the **Users and groups** dialog box, select **B.Simon** from the **Users** list, and then click **Select** at the bottom of the screen.
+1. If the user will be assigned a role, select it from the **Select a role** drop-down menu. If no role has been set up for this app, leave the **Default Access** role selected.
+1. In the **Add Assignment** dialog box, select **Assign**.
## Configure Splan Visitor SSO
-To configure single sign-on on **Splan Visitor** side, you need to send the downloaded **Federation Metadata XML** and appropriate copied URLs from Azure portal to [Splan Visitor support team](mailto:support@splan.com). They set this setting to have the SAML SSO connection set properly on both sides.
-
-### Create Splan Visitor test user
-
-In this section, you create a user called Britta Simon in Splan Visitor. Work with [Splan Visitor support team](mailto:support@splan.com) to add the users in the Splan Visitor platform. Users must be created and activated before you use single sign-on.
+To configure single sign-on with Splan Visitor, send the **Federation Metadata XML** that you downloaded and appropriate copied URLs from the Azure portal to the [Splan Visitor support team](mailto:support@splan.com). This ensures that the SAML SSO connection is set properly on both sides.
-## Test SSO
+### Create a Splan Visitor test user
-In this section, you test your Azure AD single sign-on configuration with following options.
+Create a test user named **Britta Simon** in Splan Visitor. Work with the [Splan Visitor support team](mailto:support@splan.com) to add the user to Splan Visitor. You must create and activate the user before you use single sign-on.
-* Click on Test this application in Azure portal and you should be automatically signed in to the Splan Visitor for which you set up the SSO
+## Test SSO
-* You can use Microsoft My Apps. When you click the Splan Visitor tile in the My Apps, you should be automatically signed in to the Splan Visitor for which you set up the SSO. For more information about the My Apps, see [Introduction to the My Apps](https://docs.microsoft.com/azure/active-directory/active-directory-saas-access-panel-introduction).
+Test your Azure AD single sign-on configuration with one of the following options:
+* **Azure portal**: Select **Test this application** to automatically sign in to the Splan Visitor for which you set up SSO.
+* **Microsoft My Apps portal**: Select the **Splan Visitor** tile to automatically sign in to the Splan Visitor for which you set up SSO. For more information about the My Apps portal, see [Sign in and start apps from the My Apps portal](https://docs.microsoft.com/azure/active-directory/active-directory-saas-access-panel-introduction).
## Next steps
-Once you configure Splan Visitor you can enforce session control, which protects exfiltration and infiltration of your organizationΓÇÖs sensitive data in real time. Session control extends from Conditional Access. [Learn how to enforce session control with Microsoft Cloud App Security](https://docs.microsoft.com/cloud-app-security/proxy-deployment-any-app).
--
+After you configure Splan Visitor, you can [learn how to enforce session controls in Microsoft Cloud App Security](https://docs.microsoft.com/cloud-app-security/proxy-deployment-any-app). Session controls help protect exfiltration and infiltration of your organization's sensitive data in real time. Session controls extend from Conditional Access.
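Review bot: the added "Create a Splan Visitor test user" paragraph names the user **Britta Simon**, while the added step list, the "Create an Azure AD test user" steps and the assignment steps all call the same user B.Simon, and the step list describes the Splan Visitor account as the counterpart of B.Simon. Use one name throughout so the account created on the Splan Visitor side is clearly the one linked to the Azure AD test user. Two smaller points in the same change: the page title is capitalized two ways ("Set up Single Sign-On with SAML" and "Set up Single Sign-on with SAML"), and the added My Apps and Cloud App Security links still use absolute `https://docs.microsoft.com/...` URLs.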
active-directory https://docs.microsoft.com/en-us/azure/active-directory/saas-apps/statuspage-tutorial https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/active-directory/saas-apps/statuspage-tutorial.md
@@ -200,8 +200,8 @@ In this section, you test your Azure AD single sign-on configuration with follow
* Click on Test this application in Azure portal and you should be automatically signed in to the StatusPage for which you set up the SSO
-* You can use Microsoft My Apps. When you click the StatusPage tile in the My Apps, you should be automatically signed in to the StatusPage for which you set up the SSO. For more information about the My Apps, see [Introduction to the My Apps](https://docs.microsoft.com/azure/active-directory/active-directory-saas-access-panel-introduction).
+* You can use Microsoft My Apps. When you click the StatusPage tile in the My Apps, you should be automatically signed in to the StatusPage for which you set up the SSO. For more information about the My Apps, see [Introduction to the My Apps](../user-help/my-apps-portal-end-user-access.md).
## Next steps
-Once you configure StatusPage you can enforce session control, which protects exfiltration and infiltration of your organizationΓÇÖs sensitive data in real time. Session control extends from Conditional Access. [Learn how to enforce session control with Microsoft Cloud App Security](/cloud-app-security/proxy-deployment-any-app).
+Once you configure StatusPage you can enforce session control, which protects exfiltration and infiltration of your organizationΓÇÖs sensitive data in real time. Session control extends from Conditional Access. [Learn how to enforce session control with Microsoft Cloud App Security](/cloud-app-security/proxy-deployment-any-app).
\ No newline at end of file
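Review bot: the "Next steps" paragraph is removed and re-added with no visible change to its text, and the re-added line is the one marked "No newline at end of file", so this edit leaves the file without a trailing newline. Restore the final newline so the paragraph does not show up as changed again in later diffs; only the My Apps link retarget above it needs to be in this change.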
active-directory https://docs.microsoft.com/en-us/azure/active-directory/saas-apps/successfactors-tutorial https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/active-directory/saas-apps/successfactors-tutorial.md
@@ -220,7 +220,7 @@ In this section, you test your Azure AD single sign-on configuration with follow
* Go to SuccessFactors Sign-on URL directly and initiate the login flow from there.
-* You can use Microsoft My Apps. When you click the SuccessFactors tile in the My Apps, this will redirect to SuccessFactors Sign-on URL. For more information about the My Apps, see [Introduction to the My Apps](https://docs.microsoft.com/azure/active-directory/active-directory-saas-access-panel-introduction).
+* You can use Microsoft My Apps. When you click the SuccessFactors tile in the My Apps, this will redirect to SuccessFactors Sign-on URL. For more information about the My Apps, see [Introduction to the My Apps](../user-help/my-apps-portal-end-user-access.md).
## Next steps
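Review bot: on the added My Apps bullet, the link target moves to `../user-help/my-apps-portal-end-user-access.md` but the link text stays "Introduction to the My Apps". The Splan Visitor change on this page labels the same reference "Sign in and start apps from the My Apps portal"; update the link text here as well so that it matches the destination.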
active-directory https://docs.microsoft.com/en-us/azure/active-directory/saas-apps/syndio-tutorial https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/active-directory/saas-apps/syndio-tutorial.md
@@ -134,11 +134,9 @@ In this section, you test your Azure AD single sign-on configuration with follow
* Go to Syndio Sign-on URL directly and initiate the login flow from there.
-* You can use Microsoft My Apps. When you click the Syndio tile in the My Apps, this will redirect to Syndio Sign-on URL. For more information about the My Apps, see [Introduction to the My Apps](https://docs.microsoft.com/azure/active-directory/active-directory-saas-access-panel-introduction).
+* You can use Microsoft My Apps. When you click the Syndio tile in the My Apps, this will redirect to Syndio Sign-on URL. For more information about the My Apps, see [Introduction to the My Apps](../user-help/my-apps-portal-end-user-access.md).
## Next steps
-Once you configure Syndio you can enforce session control, which protects exfiltration and infiltration of your organizationΓÇÖs sensitive data in real time. Session control extends from Conditional Access. [Learn how to enforce session control with Microsoft Cloud App Security](https://docs.microsoft.com/cloud-app-security/proxy-deployment-any-app).
--
+Once you configure Syndio you can enforce session control, which protects exfiltration and infiltration of your organizationΓÇÖs sensitive data in real time. Session control extends from Conditional Access. [Learn how to enforce session control with Microsoft Cloud App Security](/cloud-app-security/proxy-deployment-any-app).
\ No newline at end of file
active-directory https://docs.microsoft.com/en-us/azure/active-directory/saas-apps/synerise-ai-growth-ecosystem-tutorial https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/active-directory/saas-apps/synerise-ai-growth-ecosystem-tutorial.md
@@ -169,11 +169,9 @@ In this section, you test your Azure AD single sign-on configuration with follow
* Click on **Test this application** in Azure portal and you should be automatically signed in to the Synerise for which you set up the SSO
-You can also use Microsoft My Apps to test the application in any mode. When you click the Synerise tile in the My Apps, if configured in SP mode you would be redirected to the application sign on page for initiating the login flow and if configured in IDP mode, you should be automatically signed in to the Synerise for which you set up the SSO. For more information about the My Apps, see [Introduction to the My Apps](https://docs.microsoft.com/azure/active-directory/active-directory-saas-access-panel-introduction).
+You can also use Microsoft My Apps to test the application in any mode. When you click the Synerise tile in the My Apps, if configured in SP mode you would be redirected to the application sign on page for initiating the login flow and if configured in IDP mode, you should be automatically signed in to the Synerise for which you set up the SSO. For more information about the My Apps, see [Introduction to the My Apps](../user-help/my-apps-portal-end-user-access.md).
## Next steps
-Once you configure Synerise you can enforce session control, which protects exfiltration and infiltration of your organizationΓÇÖs sensitive data in real time. Session control extends from Conditional Access. [Learn how to enforce session control with Microsoft Cloud App Security](https://docs.microsoft.com/cloud-app-security/proxy-deployment-any-app).
--
+Once you configure Synerise you can enforce session control, which protects exfiltration and infiltration of your organizationΓÇÖs sensitive data in real time. Session control extends from Conditional Access. [Learn how to enforce session control with Microsoft Cloud App Security](/cloud-app-security/proxy-deployment-any-app).
\ No newline at end of file
active-directory https://docs.microsoft.com/en-us/azure/active-directory/saas-apps/tableauonline-tutorial https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/active-directory/saas-apps/tableauonline-tutorial.md
@@ -189,7 +189,7 @@ In this section, you test your Azure AD single sign-on configuration with follow
* Go to Tableau Online Sign-on URL directly and initiate the login flow from there.
-* You can use Microsoft My Apps. When you click the Tableau Online tile in the My Apps, this will redirect to Tableau Online Sign-on URL. For more information about the My Apps, see [Introduction to the My Apps](https://docs.microsoft.com/azure/active-directory/active-directory-saas-access-panel-introduction).
+* You can use Microsoft My Apps. When you click the Tableau Online tile in the My Apps, this will redirect to Tableau Online Sign-on URL. For more information about the My Apps, see [Introduction to the My Apps](../user-help/my-apps-portal-end-user-access.md).
## Next steps
active-directory https://docs.microsoft.com/en-us/azure/active-directory/saas-apps/tableauserver-tutorial https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/active-directory/saas-apps/tableauserver-tutorial.md
@@ -163,7 +163,7 @@ In this section, you test your Azure AD single sign-on configuration with follow
* Go to Tableau Server Sign-on URL directly and initiate the login flow from there.
-* You can use Microsoft My Apps. When you click the Tableau Server tile in the My Apps, this will redirect to Tableau Server Sign-on URL. For more information about the My Apps, see [Introduction to the My Apps](https://docs.microsoft.com/azure/active-directory/active-directory-saas-access-panel-introduction).
+* You can use Microsoft My Apps. When you click the Tableau Server tile in the My Apps, this will redirect to Tableau Server Sign-on URL. For more information about the My Apps, see [Introduction to the My Apps](../user-help/my-apps-portal-end-user-access.md).
## Next steps
active-directory https://docs.microsoft.com/en-us/azure/active-directory/saas-apps/teamzskill-tutorial https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/active-directory/saas-apps/teamzskill-tutorial.md
@@ -104,7 +104,7 @@ Follow these steps to enable Azure AD SSO in the Azure portal.
| role | user.assignedroles | > [!NOTE]
- > TeamzSkill expects roles for users assigned to the application. Please set up these roles in Azure AD so that users can be assigned the appropriate roles. To understand how to configure roles in Azure AD, see [here](https://docs.microsoft.com/azure/active-directory/develop/howto-add-app-roles-in-azure-ad-apps#app-roles-ui).
+ > TeamzSkill expects roles for users assigned to the application. Please set up these roles in Azure AD so that users can be assigned the appropriate roles. To understand how to configure roles in Azure AD, see [here](../develop/howto-add-app-roles-in-azure-ad-apps.md#app-roles-ui--preview).
1. On the **Set up single sign-on with SAML** page, in the **SAML Signing Certificate** section, find **Federation Metadata XML** and select **Download** to download the certificate and save it on your computer.
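Review bot: in the NOTE, the new link target ends in `#app-roles-ui--preview`, which ties the link to a heading that carries a preview label and is likely to break if that heading is renamed. Link to the article without the fragment or to a stable anchor, and replace the link text "here" with the subject of the target (for example, "add app roles"), since this note is the only pointer admins get for populating the `role` claim mapped to `user.assignedroles`.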
@@ -179,4 +179,4 @@ You can also use Microsoft Access Panel to test the application in any mode. Whe
## Next steps
-Once you configure TeamzSkill you can enforce session control, which protects exfiltration and infiltration of your organizationΓÇÖs sensitive data in real time. Session control extends from Conditional Access. [Learn how to enforce session control with Microsoft Cloud App Security](/cloud-app-security/proxy-deployment-any-app).
\ No newline at end of file
+Once you configure TeamzSkill you can enforce session control, which protects exfiltration and infiltration of your organizationΓÇÖs sensitive data in real time. Session control extends from Conditional Access. [Learn how to enforce session control with Microsoft Cloud App Security](/cloud-app-security/proxy-deployment-any-app).
active-directory https://docs.microsoft.com/en-us/azure/active-directory/saas-apps/templafy-openid-connect-provisioning-tutorial https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/active-directory/saas-apps/templafy-openid-connect-provisioning-tutorial.md
@@ -128,7 +128,26 @@ This section guides you through the steps to configure the Azure AD provisioning
9. Review the user attributes that are synchronized from Azure AD to Templafy OpenID Connect in the **Attribute Mapping** section. The attributes selected as **Matching** properties are used to match the user accounts in Templafy OpenID Connect for update operations. Select the **Save** button to commit any changes.
- ![Templafy OpenID Connect User Attributes](media/templafy-openid-connect-provisioning-tutorial/user-attribute.png)
+ |Attribute|Type|Supported for filtering|
+ |---|---|---|
+ |userName|String|&check;|
+ |active|Boolean|
+ |displayName|String|
+ |title|String|
+ |preferredLanguage|String|
+ |name.givenName|String|
+ |name.familyName|String|
+ |phoneNumbers[type eq "work"].value|String|
+ |phoneNumbers[type eq "mobile"].value|String|
+ |phoneNumbers[type eq "fax"].value|String|
+ |externalId|String|
+ |addresses[type eq "work"].locality|String|
+ |addresses[type eq "work"].postalCode|String|
+ |addresses[type eq "work"].region|String|
+ |addresses[type eq "work"].streetAddress|String|
+ |addresses[type eq "work"].country|String|
+ |urn:ietf:params:scim:schemas:extension:enterprise:2.0:User:department|String|
+ |urn:ietf:params:scim:schemas:extension:enterprise:2.0:User:organization|String|
10. Under the **Mappings** section, select **Synchronize Azure Active Directory Groups to Templafy**.
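Review bot: in the added attribute table, only the `userName` row supplies all three cells; every row from `active` onward ends after the Type column (`|active|Boolean|`) although the header declares a third "Supported for filtering" column. Add the empty trailing cell (`|active|Boolean||`) to each row so that the table is well-formed and it is explicit that those attributes are not supported for filtering.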
@@ -136,7 +155,11 @@ This section guides you through the steps to configure the Azure AD provisioning
11. Review the group attributes that are synchronized from Azure AD to Templafy OpenID Connect in the **Attribute Mapping** section. The attributes selected as **Matching** properties are used to match the groups in Templafy OpenID Connect for update operations. Select the **Save** button to commit any changes.
- ![Templafy OpenID Connect Group Attributes](media/templafy-openid-connect-provisioning-tutorial/group-attribute.png)
+ |Attribute|Type|Supported for filtering|
+ |---|---|---|
+ |displayName|String|&check;|
+ |members|Reference|
+ |externalId|String|
12. To configure scoping filters, refer to the following instructions provided in the [Scoping filter tutorial](../app-provisioning/define-conditional-rules-for-provisioning-user-accounts.md).
active-directory https://docs.microsoft.com/en-us/azure/active-directory/saas-apps/templafy-saml-2-provisioning-tutorial https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/active-directory/saas-apps/templafy-saml-2-provisioning-tutorial.md
@@ -128,7 +128,26 @@ This section guides you through the steps to configure the Azure AD provisioning
9. Review the user attributes that are synchronized from Azure AD to Templafy SAML2 in the **Attribute Mappings** section. The attributes selected as **Matching** properties are used to match the user accounts in Templafy SAML2 for update operations. Select the **Save** button to commit any changes.
- ![Templafy SAML2 User Attributes](media/templafy-saml-2-provisioning-tutorial/user-attribute.png)
+ |Attribute|Type|Supported for filtering|
+ |---|---|---|
+ |userName|String|&check;|
+ |active|Boolean|
+ |displayName|String|
+ |title|String|
+ |preferredLanguage|String|
+ |name.givenName|String|
+ |name.familyName|String|
+ |phoneNumbers[type eq "work"].value|String|
+ |phoneNumbers[type eq "mobile"].value|String|
+ |phoneNumbers[type eq "fax"].value|String|
+ |externalId|String|
+ |addresses[type eq "work"].locality|String|
+ |addresses[type eq "work"].postalCode|String|
+ |addresses[type eq "work"].region|String|
+ |addresses[type eq "work"].streetAddress|String|
+ |addresses[type eq "work"].country|String|
+ |urn:ietf:params:scim:schemas:extension:enterprise:2.0:User:department|String|
+ |urn:ietf:params:scim:schemas:extension:enterprise:2.0:User:organization|String|
10. Under the **Mappings** section, select **Synchronize Azure Active Directory Groups to Templafy**.
@@ -136,7 +155,12 @@ This section guides you through the steps to configure the Azure AD provisioning
11. Review the group attributes that are synchronized from Azure AD to Templafy SAML2 in the **Attribute Mappings** section. The attributes selected as **Matching** properties are used to match the groups in Templafy SAML2 for update operations. Select the **Save** button to commit any changes.
- ![Templafy SAML2 Group Attributes](media/templafy-saml-2-provisioning-tutorial/group-attribute.png)
+ |Attribute|Type|Supported for filtering|
+ |---|---|---|
+ |displayName|String|&check;|
+ |members|Reference|
+ |externalId|String|
+ 12. To configure scoping filters, refer to the following instructions provided in the [Scoping filter tutorial](../app-provisioning/define-conditional-rules-for-provisioning-user-accounts.md).
active-directory https://docs.microsoft.com/en-us/azure/active-directory/saas-apps/thousandeyes-provisioning-tutorial https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/active-directory/saas-apps/thousandeyes-provisioning-tutorial.md
@@ -82,7 +82,7 @@ generated by your ThousandEyes's account (you can find and or generate a token u
9. Under the Mappings section, select **Synchronize Azure Active Directory Users to ThousandEyes**.
-10. Review the user attributes that are synchronized from Azure AD to ThousandEyes in the **Attribute-Mapping** section. The attributes selected as **Matching** properties are used to match the user accounts in Parsable for update operations. If you choose to change the [matching target attribute](https://docs.microsoft.com/azure/active-directory/manage-apps/customize-application-attributes), you will need to ensure that the Parsable API supports filtering users based on that attribute. Select the **Save** button to commit any changes.
+10. Review the user attributes that are synchronized from Azure AD to ThousandEyes in the **Attribute-Mapping** section. The attributes selected as **Matching** properties are used to match the user accounts in Parsable for update operations. If you choose to change the [matching target attribute](../app-provisioning/customize-application-attributes.md), you will need to ensure that the Parsable API supports filtering users based on that attribute. Select the **Save** button to commit any changes.
|Attribute|Type|Supported for filtering| |---|---|---|
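Review bot: the re-added step 10 still refers to a different application: it says the matching properties "match the user accounts in Parsable" and that "the Parsable API supports filtering users", in a tutorial for ThousandEyes. Since the line is being rewritten anyway for the link change, replace both occurrences of "Parsable" with "ThousandEyes" so that admins check filtering support against the right API before changing the matching attribute.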
@@ -94,7 +94,7 @@ generated by your ThousandEyes's account (you can find and or generate a token u
|name.formatted|String|
-11. To configure scoping filters, refer to the following instructions provided in the [Scoping filter tutorial](../manage-apps/define-conditional-rules-for-provisioning-user-accounts.md).
+11. To configure scoping filters, refer to the following instructions provided in the [Scoping filter tutorial](../app-provisioning/define-conditional-rules-for-provisioning-user-accounts.md).
12. To enable the Azure AD provisioning service for ThousandEyes, change the **Provisioning Status** to **On** in the **Settings** section.
@@ -113,15 +113,15 @@ This operation starts the initial synchronization cycle of all users and groups
## Step 6. Monitor your deployment Once you've configured provisioning, use the following resources to monitor your deployment:
-1. Use the [provisioning logs](https://docs.microsoft.com/azure/active-directory/reports-monitoring/concept-provisioning-logs) to determine which users have been provisioned successfully or unsuccessfully
-2. Check the [progress bar](https://docs.microsoft.com/azure/active-directory/app-provisioning/application-provisioning-when-will-provisioning-finish-specific-user) to see the status of the provisioning cycle and how close it is to completion
-3. If the provisioning configuration seems to be in an unhealthy state, the application will go into quarantine. Learn more about quarantine states [here](https://docs.microsoft.com/azure/active-directory/manage-apps/application-provisioning-quarantine-status).
+1. Use the [provisioning logs](../reports-monitoring/concept-provisioning-logs.md) to determine which users have been provisioned successfully or unsuccessfully
+2. Check the [progress bar](../app-provisioning/application-provisioning-when-will-provisioning-finish-specific-user.md) to see the status of the provisioning cycle and how close it is to completion
+3. If the provisioning configuration seems to be in an unhealthy state, the application will go into quarantine. Learn more about quarantine states [here](../app-provisioning/application-provisioning-quarantine-status.md).
## Additional resources
-* [Managing user account provisioning for Enterprise Apps](../manage-apps/configure-automatic-user-provisioning-portal.md)
+* [Managing user account provisioning for Enterprise Apps](../app-provisioning/configure-automatic-user-provisioning-portal.md)
* [What is application access and single sign-on with Azure Active Directory?](../manage-apps/what-is-single-sign-on.md) ## Next steps
-* [Learn how to review logs and get reports on provisioning activity](../manage-apps/check-status-user-account-provisioning.md)
+* [Learn how to review logs and get reports on provisioning activity](../app-provisioning/check-status-user-account-provisioning.md)
\ No newline at end of file
active-directory https://docs.microsoft.com/en-us/azure/active-directory/saas-apps/tickitlms-learn-tutorial https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/active-directory/saas-apps/tickitlms-learn-tutorial.md
@@ -93,7 +93,7 @@ Follow these steps to enable Azure AD SSO in the Azure portal.
| reportsto | user.reportsto | > [!NOTE]
- > TickitLMS Learn expects roles for users assigned to the application. Please set up these roles in Azure AD so that users can be assigned the appropriate roles. To understand how to configure roles in Azure AD, see [here](https://docs.microsoft.com/azure/active-directory/develop/howto-add-app-roles-in-azure-ad-apps#app-roles-ui).
+ > TickitLMS Learn expects roles for users assigned to the application. Please set up these roles in Azure AD so that users can be assigned the appropriate roles. To understand how to configure roles in Azure AD, see [here](../develop/howto-add-app-roles-in-azure-ad-apps.md#app-roles-ui--preview).
1. On the **Set up single sign-on with SAML** page, In the **SAML Signing Certificate** section, click copy button to copy **App Federation Metadata Url** and save it on your computer.
@@ -144,9 +144,9 @@ In this section, you test your Azure AD single sign-on configuration with follow
* Click on **Test this application** in Azure portal and you should be automatically signed in to the TickitLMS Learn for which you set up the SSO
-You can also use Microsoft My Apps to test the application in any mode. When you click the TickitLMS Learn tile in the My Apps, if configured in SP mode you would be redirected to the application sign on page for initiating the login flow and if configured in IDP mode, you should be automatically signed in to the TickitLMS Learn for which you set up the SSO. For more information about the My Apps, see [Introduction to the My Apps](https://docs.microsoft.com/azure/active-directory/active-directory-saas-access-panel-introduction).
+You can also use Microsoft My Apps to test the application in any mode. When you click the TickitLMS Learn tile in the My Apps, if configured in SP mode you would be redirected to the application sign on page for initiating the login flow and if configured in IDP mode, you should be automatically signed in to the TickitLMS Learn for which you set up the SSO. For more information about the My Apps, see [Introduction to the My Apps](../user-help/my-apps-portal-end-user-access.md).
## Next steps
-Once you configure TickitLMS Learn you can enforce session control, which protects exfiltration and infiltration of your organizationΓÇÖs sensitive data in real time. Session control extends from Conditional Access. [Learn how to enforce session control with Microsoft Cloud App Security](/cloud-app-security/proxy-deployment-any-app).
\ No newline at end of file
+Once you configure TickitLMS Learn you can enforce session control, which protects exfiltration and infiltration of your organizationΓÇÖs sensitive data in real time. Session control extends from Conditional Access. [Learn how to enforce session control with Microsoft Cloud App Security](/cloud-app-security/proxy-deployment-any-app).
active-directory https://docs.microsoft.com/en-us/azure/active-directory/saas-apps/timeclock-365-saml-tutorial https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/active-directory/saas-apps/timeclock-365-saml-tutorial.md
@@ -140,11 +140,9 @@ In this section, you test your Azure AD single sign-on configuration with follow
* Go to Timeclock 365 SAML Sign-on URL directly and initiate the login flow from there.
-* You can use Microsoft My Apps. When you click the Timeclock 365 SAML tile in the My Apps, this will redirect to Timeclock 365 SAML Sign-on URL. For more information about the My Apps, see [Introduction to the My Apps](https://docs.microsoft.com/azure/active-directory/active-directory-saas-access-panel-introduction).
+* You can use Microsoft My Apps. When you click the Timeclock 365 SAML tile in the My Apps, this will redirect to Timeclock 365 SAML Sign-on URL. For more information about the My Apps, see [Introduction to the My Apps](../user-help/my-apps-portal-end-user-access.md).
## Next steps
-Once you configure Timeclock 365 SAML you can enforce session control, which protects exfiltration and infiltration of your organizationΓÇÖs sensitive data in real time. Session control extends from Conditional Access. [Learn how to enforce session control with Microsoft Cloud App Security](https://docs.microsoft.com/cloud-app-security/proxy-deployment-any-app).
--
+Once you configure Timeclock 365 SAML you can enforce session control, which protects exfiltration and infiltration of your organizationΓÇÖs sensitive data in real time. Session control extends from Conditional Access. [Learn how to enforce session control with Microsoft Cloud App Security](/cloud-app-security/proxy-deployment-any-app).
\ No newline at end of file
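Review bot: On the added Next steps line, "session control, which protects exfiltration and infiltration of your organization's sensitive data" says the opposite of what is meant; it should read "protects against exfiltration and infiltration". The apostrophe in "organization's" also shows up garbled in this line, so a plain ASCII apostrophe in the source would be safer.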
active-directory https://docs.microsoft.com/en-us/azure/active-directory/saas-apps/ultipro-tutorial https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/active-directory/saas-apps/ultipro-tutorial.md
@@ -147,7 +147,7 @@ In this section, you test your Azure AD single sign-on configuration with follow
* Go to UltiPro Sign-on URL directly and initiate the login flow from there.
-* You can use Microsoft My Apps. When you click the UltiPro tile in the My Apps, this will redirect to UltiPro Sign-on URL. For more information about the My Apps, see [Introduction to the My Apps](https://docs.microsoft.com/azure/active-directory/active-directory-saas-access-panel-introduction).
+* You can use Microsoft My Apps. When you click the UltiPro tile in the My Apps, this will redirect to UltiPro Sign-on URL. For more information about the My Apps, see [Introduction to the My Apps](../user-help/my-apps-portal-end-user-access.md).
## Next steps
active-directory https://docs.microsoft.com/en-us/azure/active-directory/saas-apps/upshotly-tutorial https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/active-directory/saas-apps/upshotly-tutorial.md
@@ -150,7 +150,7 @@ In this section, you test your Azure AD single sign-on configuration with follow
* Click on **Test this application** in Azure portal and you should be automatically signed in to the Upshotly for which you set up the SSO
-You can also use Microsoft My Apps to test the application in any mode. When you click the Upshotly tile in the My Apps, if configured in SP mode you would be redirected to the application sign on page for initiating the login flow and if configured in IDP mode, you should be automatically signed in to the Upshotly for which you set up the SSO. For more information about the My Apps, see [Introduction to the My Apps](https://docs.microsoft.com/azure/active-directory/active-directory-saas-access-panel-introduction).
+You can also use Microsoft My Apps to test the application in any mode. When you click the Upshotly tile in the My Apps, if configured in SP mode you would be redirected to the application sign on page for initiating the login flow and if configured in IDP mode, you should be automatically signed in to the Upshotly for which you set up the SSO. For more information about the My Apps, see [Introduction to the My Apps](../user-help/my-apps-portal-end-user-access.md).
## Next steps
active-directory https://docs.microsoft.com/en-us/azure/active-directory/saas-apps/vonage-tutorial https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/active-directory/saas-apps/vonage-tutorial.md
@@ -162,10 +162,8 @@ In this section, you test your Azure AD single sign-on configuration with follow
* Click on **Test this application** in Azure portal and you should be automatically signed in to the vonage for which you set up the SSO
-You can also use Microsoft My Apps to test the application in any mode. When you click the vonage tile in the My Apps, if configured in SP mode you would be redirected to the application sign on page for initiating the login flow and if configured in IDP mode, you should be automatically signed in to the vonage for which you set up the SSO. For more information about the My Apps, see [Introduction to the My Apps](https://docs.microsoft.com/azure/active-directory/active-directory-saas-access-panel-introduction).
+You can also use Microsoft My Apps to test the application in any mode. When you click the vonage tile in the My Apps, if configured in SP mode you would be redirected to the application sign on page for initiating the login flow and if configured in IDP mode, you should be automatically signed in to the vonage for which you set up the SSO. For more information about the My Apps, see [Introduction to the My Apps](../user-help/my-apps-portal-end-user-access.md).
## Next steps
-Once you configure vonage you can enforce session control, which protects exfiltration and infiltration of your organizationΓÇÖs sensitive data in real time. Session control extends from Conditional Access. [Learn how to enforce session control with Microsoft Cloud App Security](https://docs.microsoft.com/cloud-app-security/proxy-deployment-any-app).
--
+Once you configure vonage you can enforce session control, which protects exfiltration and infiltration of your organizationΓÇÖs sensitive data in real time. Session control extends from Conditional Access. [Learn how to enforce session control with Microsoft Cloud App Security](/cloud-app-security/proxy-deployment-any-app).
\ No newline at end of file
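Review bot: The product name is written in lowercase throughout the added lines ("the vonage tile", "signed in to the vonage", "Once you configure vonage") and should be capitalised as Vonage. The My Apps sentence also packs the SP-mode and IDP-mode behaviour into one run-on sentence; two short bullets, one per mode, would be easier to follow.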
active-directory https://docs.microsoft.com/en-us/azure/active-directory/saas-apps/webroot-security-awareness-training-provisioning-tutorial https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/active-directory/saas-apps/webroot-security-awareness-training-provisioning-tutorial.md
@@ -153,7 +153,10 @@ Once you've configured provisioning, use the following resources to monitor your
1. Use the [provisioning logs](../reports-monitoring/concept-provisioning-logs.md) to determine which users have been provisioned successfully or unsuccessfully 2. Check the [progress bar](../app-provisioning/application-provisioning-when-will-provisioning-finish-specific-user.md) to see the status of the provisioning cycle and how close it is to completion
-3. If the provisioning configuration seems to be in an unhealthy state, the application will go into quarantine. Learn more about quarantine states [here](../app-provisioning/application-provisioning-quarantine-status.md).
+3. If the provisioning configuration seems to be in an unhealthy state, the application will go into quarantine. Learn more about quarantine states [here](../app-provisioning/application-provisioning-quarantine-status.md).
+
+## Change log
+* 1/21/2021 - Added support for core attribute "userName" for users.
## Additional resources
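Review bot: The new Change log entry gives its date as 1/21/2021, which reads differently outside the US; an unambiguous form such as 2021-01-21 would be better. The entry says "userName" is now supported for users, but nothing else in the hunk changes, so if the tutorial carries an attribute mapping table it should list the attribute too. The removed and added versions of item 3 are textually identical, so that part is a whitespace-only change.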
active-directory https://docs.microsoft.com/en-us/azure/active-directory/saas-apps/wedo-provisioning-tutorial https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/active-directory/saas-apps/wedo-provisioning-tutorial.md
@@ -20,7 +20,7 @@ ms.author: Zhchia
# Tutorial: Configure WEDO for automatic user provisioning
-This tutorial describes the steps you need to perform in both WEDO and Azure Active Directory (Azure AD) to configure automatic user provisioning. When configured, Azure AD automatically provisions and de-provisions users and groups to [WEDO](https://www.wedo.com/) using the Azure AD Provisioning service. For important details on what this service does, how it works, and frequently asked questions, see [Automate user provisioning and deprovisioning to SaaS applications with Azure Active Directory](../manage-apps/user-provisioning.md).
+This tutorial describes the steps you need to perform in both WEDO and Azure Active Directory (Azure AD) to configure automatic user provisioning. When configured, Azure AD automatically provisions and de-provisions users and groups to [WEDO](https://www.wedo.com/) using the Azure AD Provisioning service. For important details on what this service does, how it works, and frequently asked questions, see [Automate user provisioning and deprovisioning to SaaS applications with Azure Active Directory](../app-provisioning/user-provisioning.md).
## Capabilities supported
@@ -34,14 +34,14 @@ This tutorial describes the steps you need to perform in both WEDO and Azure Act
The scenario outlined in this tutorial assumes that you already have the following prerequisites:
-* [An Azure AD tenant](https://docs.microsoft.com/azure/active-directory/develop/quickstart-create-new-tenant).
-* A user account in Azure AD with [permission](https://docs.microsoft.com/azure/active-directory/users-groups-roles/directory-assign-admin-roles) to configure provisioning (for example, Application Administrator, Cloud Application administrator, Application Owner, or Global Administrator).
+* [An Azure AD tenant](../develop/quickstart-create-new-tenant.md).
+* A user account in Azure AD with [permission](../roles/permissions-reference.md) to configure provisioning (for example, Application Administrator, Cloud Application administrator, Application Owner, or Global Administrator).
* WEDO **Enterprise** Subscription. ## Step 1. Plan your provisioning deployment
-1. Learn about [how the provisioning service works](https://docs.microsoft.com/azure/active-directory/manage-apps/user-provisioning).
-2. Determine who will be in [scope for provisioning](https://docs.microsoft.com/azure/active-directory/manage-apps/define-conditional-rules-for-provisioning-user-accounts).
-3. Determine what data to [map between Azure AD and WEDO](https://docs.microsoft.com/azure/active-directory/manage-apps/customize-application-attributes).
+1. Learn about [how the provisioning service works](../app-provisioning/user-provisioning.md).
+2. Determine who will be in [scope for provisioning](../app-provisioning/define-conditional-rules-for-provisioning-user-accounts.md).
+3. Determine what data to [map between Azure AD and WEDO](../app-provisioning/customize-application-attributes.md).
## Step 2. Configure WEDO to support provisioning with Azure AD
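Review bot: In the permission bullet of the prerequisites, the example roles run from Application Administrator up to Global Administrator without saying which one is sufficient. Now that the link targets the roles permissions reference, name the least-privileged role that can configure provisioning and present Global Administrator only as a fallback. The casing is also inconsistent in "Cloud Application administrator".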
@@ -49,15 +49,15 @@ The scenario outlined in this tutorial assumes that you already have the followi
## Step 3. Add WEDO from the Azure AD application gallery
-Add WEDO from the Azure AD application gallery to start managing provisioning to WEDO. If you have previously setup WEDO for SSO you can use the same application. However it is recommended that you create a separate app when testing out the integration initially. Learn more about adding an application from the gallery [here](https://docs.microsoft.com/azure/active-directory/manage-apps/add-gallery-app).
+Add WEDO from the Azure AD application gallery to start managing provisioning to WEDO. If you have previously setup WEDO for SSO you can use the same application. However it is recommended that you create a separate app when testing out the integration initially. Learn more about adding an application from the gallery [here](../manage-apps/add-application-portal.md).
## Step 4. Define who will be in scope for provisioning
-The Azure AD provisioning service allows you to scope who will be provisioned based on assignment to the application and or based on attributes of the user / group. If you choose to scope who will be provisioned to your app based on assignment, you can use the following [steps](../manage-apps/assign-user-or-group-access-portal.md) to assign users and groups to the application. If you choose to scope who will be provisioned based solely on attributes of the user or group, you can use a scoping filter as described [here](https://docs.microsoft.com/azure/active-directory/manage-apps/define-conditional-rules-for-provisioning-user-accounts).
+The Azure AD provisioning service allows you to scope who will be provisioned based on assignment to the application and or based on attributes of the user / group. If you choose to scope who will be provisioned to your app based on assignment, you can use the following [steps](../manage-apps/assign-user-or-group-access-portal.md) to assign users and groups to the application. If you choose to scope who will be provisioned based solely on attributes of the user or group, you can use a scoping filter as described [here](../app-provisioning/define-conditional-rules-for-provisioning-user-accounts.md).
-* When assigning users and groups to WEDO, you must select a role other than **Default Access**. Users with the Default Access role are excluded from provisioning and will be marked as not effectively entitled in the provisioning logs. If the only role available on the application is the default access role, you can [update the application manifest](https://docs.microsoft.com/azure/active-directory/develop/howto-add-app-roles-in-azure-ad-apps) to add additional roles.
+* When assigning users and groups to WEDO, you must select a role other than **Default Access**. Users with the Default Access role are excluded from provisioning and will be marked as not effectively entitled in the provisioning logs. If the only role available on the application is the default access role, you can [update the application manifest](../develop/howto-add-app-roles-in-azure-ad-apps.md) to add additional roles.
-* Start small. Test with a small set of users and groups before rolling out to everyone. When scope for provisioning is set to assigned users and groups, you can control this by assigning one or two users or groups to the app. When scope is set to all users and groups, you can specify an [attribute based scoping filter](https://docs.microsoft.com/azure/active-directory/manage-apps/define-conditional-rules-for-provisioning-user-accounts).
+* Start small. Test with a small set of users and groups before rolling out to everyone. When scope for provisioning is set to assigned users and groups, you can control this by assigning one or two users or groups to the app. When scope is set to all users and groups, you can specify an [attribute based scoping filter](../app-provisioning/define-conditional-rules-for-provisioning-user-accounts.md).
## Step 5. Configure automatic user provisioning to WEDO
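Review bot: On the added Step 3 line, "If you have previously setup WEDO for SSO" should use the verb form "set up", and the gallery link keeps the bare link text "here", as does the scoping filter link on the added Step 4 line; descriptive link text would be better in both places. In Step 4, "based on assignment to the application and or based on attributes" should read "and/or".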
@@ -94,7 +94,7 @@ This section guides you through the steps to configure the Azure AD provisioning
8. Under the **Mappings** section, select **Synchronize Azure Active Directory Users to WEDO**.
-9. Review the user attributes that are synchronized from Azure AD to WEDO in the **Attribute-Mapping** section. The attributes selected as **Matching** properties are used to match the user accounts in WEDO for update operations. If you choose to change the [matching target attribute](https://docs.microsoft.com/azure/active-directory/manage-apps/customize-application-attributes), you will need to ensure that the WEDO API supports filtering users based on that attribute. Select the **Save** button to commit any changes.
+9. Review the user attributes that are synchronized from Azure AD to WEDO in the **Attribute-Mapping** section. The attributes selected as **Matching** properties are used to match the user accounts in WEDO for update operations. If you choose to change the [matching target attribute](../app-provisioning/customize-application-attributes.md), you will need to ensure that the WEDO API supports filtering users based on that attribute. Select the **Save** button to commit any changes.
|Attribute|Type|Supported for filtering| |---|---|---|
@@ -108,7 +108,7 @@ This section guides you through the steps to configure the Azure AD provisioning
|preferredLanguage|String| |userType|String|
-10. To configure scoping filters, refer to the following instructions provided in the [Scoping filter tutorial](../manage-apps/define-conditional-rules-for-provisioning-user-accounts.md).
+10. To configure scoping filters, refer to the following instructions provided in the [Scoping filter tutorial](../app-provisioning/define-conditional-rules-for-provisioning-user-accounts.md).
13. To enable the Azure AD provisioning service for WEDO, change the **Provisioning Status** to **On** in the **Settings** section.
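Review bot: The numbered steps around the changed line jump from 10 to 13: item 10 on scoping filters is followed directly by item 13 on Provisioning Status, so either steps 11 and 12 were dropped or the list was never renumbered. On the changed line itself, "refer to the following instructions provided in the" can be shortened to "see the".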
@@ -127,15 +127,15 @@ This operation starts the initial synchronization cycle of all users and groups
## Step 6. Monitor your deployment Once you've configured provisioning, use the following resources to monitor your deployment:
-* Use the [provisioning logs](https://docs.microsoft.com/azure/active-directory/reports-monitoring/concept-provisioning-logs) to determine which users have been provisioned successfully or unsuccessfully
-* Check the [progress bar](https://docs.microsoft.com/azure/active-directory/app-provisioning/application-provisioning-when-will-provisioning-finish-specific-user) to see the status of the provisioning cycle and how close it is to completion
-* If the provisioning configuration seems to be in an unhealthy state, the application will go into quarantine. Learn more about quarantine states [here](https://docs.microsoft.com/azure/active-directory/manage-apps/application-provisioning-quarantine-status).
+* Use the [provisioning logs](../reports-monitoring/concept-provisioning-logs.md) to determine which users have been provisioned successfully or unsuccessfully
+* Check the [progress bar](../app-provisioning/application-provisioning-when-will-provisioning-finish-specific-user.md) to see the status of the provisioning cycle and how close it is to completion
+* If the provisioning configuration seems to be in an unhealthy state, the application will go into quarantine. Learn more about quarantine states [here](../app-provisioning/application-provisioning-quarantine-status.md).
## Additional resources
-* [Managing user account provisioning for Enterprise Apps](../manage-apps/configure-automatic-user-provisioning-portal.md)
+* [Managing user account provisioning for Enterprise Apps](../app-provisioning/configure-automatic-user-provisioning-portal.md)
* [What is application access and single sign-on with Azure Active Directory?](../manage-apps/what-is-single-sign-on.md) ## Next steps
-* [Learn how to review logs and get reports on provisioning activity](../manage-apps/check-status-user-account-provisioning.md)
+* [Learn how to review logs and get reports on provisioning activity](../app-provisioning/check-status-user-account-provisioning.md)
\ No newline at end of file
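Review bot: The last added line, the "Learn how to review logs" link under Next steps, is followed by "No newline at end of file", so the file now ends without a trailing newline; add one. In the Step 6 bullets, the first two added lines end without a period while the third has one, and the quarantine link still uses "here" as its link text.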
active-directory https://docs.microsoft.com/en-us/azure/active-directory/saas-apps/whimsical-tutorial https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/active-directory/saas-apps/whimsical-tutorial.md
@@ -166,8 +166,8 @@ In this section, you test your Azure AD single sign-on configuration with follow
* Click on **Test this application** in Azure portal and you should be automatically signed in to the Whimsical for which you set up the SSO
-You can also use Microsoft My Apps to test the application in any mode. When you click the Whimsical tile in the My Apps, if configured in SP mode you would be redirected to the application sign on page for initiating the login flow and if configured in IDP mode, you should be automatically signed in to the Whimsical for which you set up the SSO. For more information about the My Apps, see [Introduction to the My Apps](https://docs.microsoft.com/azure/active-directory/active-directory-saas-access-panel-introduction).
+You can also use Microsoft My Apps to test the application in any mode. When you click the Whimsical tile in the My Apps, if configured in SP mode you would be redirected to the application sign on page for initiating the login flow and if configured in IDP mode, you should be automatically signed in to the Whimsical for which you set up the SSO. For more information about the My Apps, see [Introduction to the My Apps](../user-help/my-apps-portal-end-user-access.md).
## Next steps
-Once you configure Whimsical you can enforce session control, which protects exfiltration and infiltration of your organizationΓÇÖs sensitive data in real time. Session control extends from Conditional Access. [Learn how to enforce session control with Microsoft Cloud App Security](/cloud-app-security/proxy-deployment-any-app).
+Once you configure Whimsical you can enforce session control, which protects exfiltration and infiltration of your organizationΓÇÖs sensitive data in real time. Session control extends from Conditional Access. [Learn how to enforce session control with Microsoft Cloud App Security](/cloud-app-security/proxy-deployment-any-app).
\ No newline at end of file
active-directory https://docs.microsoft.com/en-us/azure/active-directory/saas-apps/whosoffice-tutorial https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/active-directory/saas-apps/whosoffice-tutorial.md
@@ -177,7 +177,7 @@ In this section, you test your Azure AD single sign-on configuration with follow
* Click on **Test this application** in Azure portal and you should be automatically signed in to the WhosOffice for which you set up the SSO
-You can also use Microsoft My Apps to test the application in any mode. When you click the WhosOffice tile in the My Apps, if configured in SP mode you would be redirected to the application sign on page for initiating the login flow and if configured in IDP mode, you should be automatically signed in to the WhosOffice for which you set up the SSO. For more information about the My Apps, see [Introduction to the My Apps](https://docs.microsoft.com/azure/active-directory/active-directory-saas-access-panel-introduction).
+You can also use Microsoft My Apps to test the application in any mode. When you click the WhosOffice tile in the My Apps, if configured in SP mode you would be redirected to the application sign on page for initiating the login flow and if configured in IDP mode, you should be automatically signed in to the WhosOffice for which you set up the SSO. For more information about the My Apps, see [Introduction to the My Apps](../user-help/my-apps-portal-end-user-access.md).
## Next steps
active-directory https://docs.microsoft.com/en-us/azure/active-directory/saas-apps/workplacebyfacebook-tutorial https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/active-directory/saas-apps/workplacebyfacebook-tutorial.md
@@ -203,7 +203,7 @@ In this section, you test your Azure AD single sign-on configuration with follow
* Go to Workplace by Facebook Sign-on URL directly and initiate the login flow from there.
-* You can use Microsoft My Apps. When you click the Workplace by Facebook tile in the My Apps, this will redirect to Workplace by Facebook Sign-on URL. For more information about the My Apps, see [Introduction to the My Apps](https://docs.microsoft.com/azure/active-directory/active-directory-saas-access-panel-introduction).
+* You can use Microsoft My Apps. When you click the Workplace by Facebook tile in the My Apps, this will redirect to Workplace by Facebook Sign-on URL. For more information about the My Apps, see [Introduction to the My Apps](../user-help/my-apps-portal-end-user-access.md).
## Test SSO for Workplace by Facebook (mobile)
active-directory https://docs.microsoft.com/en-us/azure/active-directory/saas-apps/xmatters-ondemand-tutorial https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/active-directory/saas-apps/xmatters-ondemand-tutorial.md
@@ -175,8 +175,8 @@ In this section, you test your Azure AD single sign-on configuration with follow
* Click on Test this application in Azure portal and you should be automatically signed in to the xMatters OnDemand for which you set up the SSO
-* You can use Microsoft My Apps. When you click the xMatters OnDemand tile in the My Apps, you should be automatically signed in to the xMatters OnDemand for which you set up the SSO. For more information about the My Apps, see [Introduction to the My Apps](https://docs.microsoft.com/azure/active-directory/active-directory-saas-access-panel-introduction).
+* You can use Microsoft My Apps. When you click the xMatters OnDemand tile in the My Apps, you should be automatically signed in to the xMatters OnDemand for which you set up the SSO. For more information about the My Apps, see [Introduction to the My Apps](../user-help/my-apps-portal-end-user-access.md).
## Next steps
-Once you configure xMatters OnDemand you can enforce session control, which protects exfiltration and infiltration of your organizationΓÇÖs sensitive data in real time. Session control extends from Conditional Access. [Learn how to enforce session control with Microsoft Cloud App Security](https://docs.microsoft.com/cloud-app-security/proxy-deployment-any-app).
+Once you configure xMatters OnDemand you can enforce session control, which protects exfiltration and infiltration of your organizationΓÇÖs sensitive data in real time. Session control extends from Conditional Access. [Learn how to enforce session control with Microsoft Cloud App Security](/cloud-app-security/proxy-deployment-any-app).
\ No newline at end of file
active-directory https://docs.microsoft.com/en-us/azure/active-directory/saas-apps/yello-enterprise-tutorial https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/active-directory/saas-apps/yello-enterprise-tutorial.md
@@ -134,11 +134,9 @@ In this section, you test your Azure AD single sign-on configuration with follow
* Click on Test this application in Azure portal and you should be automatically signed in to the Yello Enterprise for which you set up the SSO
-* You can use Microsoft My Apps. When you click the Yello Enterprise tile in the My Apps, you should be automatically signed in to the Yello Enterprise for which you set up the SSO. For more information about the My Apps, see [Introduction to the My Apps](https://docs.microsoft.com/azure/active-directory/active-directory-saas-access-panel-introduction).
+* You can use Microsoft My Apps. When you click the Yello Enterprise tile in the My Apps, you should be automatically signed in to the Yello Enterprise for which you set up the SSO. For more information about the My Apps, see [Introduction to the My Apps](../user-help/my-apps-portal-end-user-access.md).
## Next steps
-Once you configure Yello Enterprise you can enforce session control, which protects exfiltration and infiltration of your organizationΓÇÖs sensitive data in real time. Session control extends from Conditional Access. [Learn how to enforce session control with Microsoft Cloud App Security](https://docs.microsoft.com/cloud-app-security/proxy-deployment-any-app).
--
+Once you configure Yello Enterprise you can enforce session control, which protects exfiltration and infiltration of your organizationΓÇÖs sensitive data in real time. Session control extends from Conditional Access. [Learn how to enforce session control with Microsoft Cloud App Security](/cloud-app-security/proxy-deployment-any-app).
\ No newline at end of file
active-directory https://docs.microsoft.com/en-us/azure/active-directory/saas-apps/zendesk-tutorial https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/active-directory/saas-apps/zendesk-tutorial.md
@@ -170,7 +170,7 @@ In this section, you test your Azure AD single sign-on configuration with follow
* Go to Zendesk Sign-on URL directly and initiate the login flow from there.
-* You can use Microsoft My Apps. When you click the Zendesk tile in the My Apps, this will redirect to Zendesk Sign-on URL. For more information about the My Apps, see [Introduction to the My Apps](https://docs.microsoft.com/azure/active-directory/active-directory-saas-access-panel-introduction).
+* You can use Microsoft My Apps. When you click the Zendesk tile in the My Apps, this will redirect to Zendesk Sign-on URL. For more information about the My Apps, see [Introduction to the My Apps](../user-help/my-apps-portal-end-user-access.md).
## Next steps
active-directory https://docs.microsoft.com/en-us/azure/active-directory/saas-apps/zoom-tutorial https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/active-directory/saas-apps/zoom-tutorial.md
@@ -181,8 +181,8 @@ In this section, you test your Azure AD single sign-on configuration with follow
* Go to Zoom Sign-on URL directly and initiate the login flow from there.
-* You can use Microsoft My Apps. When you click the Zoom tile in the My Apps, this will redirect to Zoom Sign-on URL. For more information about the My Apps, see [Introduction to the My Apps](https://docs.microsoft.com/azure/active-directory/active-directory-saas-access-panel-introduction).
+* You can use Microsoft My Apps. When you click the Zoom tile in the My Apps, this will redirect to Zoom Sign-on URL. For more information about the My Apps, see [Introduction to the My Apps](../user-help/my-apps-portal-end-user-access.md).
## Next steps
-Once you configure Azure AD Zoom you can enforce Session Control, which protects exfiltration and infiltration of your organizationΓÇÖs sensitive data in real time. Session Control extends from Conditional Access. [Learn how to enforce session control with Microsoft Cloud App Security](/cloud-app-security/proxy-deployment-aad)
+Once you configure Azure AD Zoom you can enforce Session Control, which protects exfiltration and infiltration of your organizationΓÇÖs sensitive data in real time. Session Control extends from Conditional Access. [Learn how to enforce session control with Microsoft Cloud App Security](/cloud-app-security/proxy-deployment-aad)
\ No newline at end of file
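Review bot: The Next steps link on the added line points to /cloud-app-security/proxy-deployment-aad, while the other tutorials in this batch attach the same sentence to /cloud-app-security/proxy-deployment-any-app; confirm which target is intended for Zoom. The line also lacks a closing period after the link and capitalises "Session Control" where the sibling tutorials write "session control". The removed and added lines are otherwise textually identical.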
active-directory https://docs.microsoft.com/en-us/azure/active-directory/saas-apps/zscaler-beta-tutorial https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/active-directory/saas-apps/zscaler-beta-tutorial.md
@@ -102,7 +102,7 @@ Follow these steps to enable Azure AD SSO in the Azure portal.
g. Select **Save**. > [!NOTE]
- > Please click [here](https://docs.microsoft.com/azure/active-directory/develop/howto-add-app-roles-in-azure-ad-apps#app-roles-ui) to know how to configure Role in Azure AD.
+ > Please click [here](../develop/howto-add-app-roles-in-azure-ad-apps.md#app-roles-ui--preview) to know how to configure Role in Azure AD.
7. On the **Set up Single Sign-On with SAML** page, in the **SAML Signing Certificate** section, select **Download** to download the **Certificate (Base64)**. Save it on your computer.
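Review bot: The new link target in the note ends in the fragment #app-roles-ui--preview, an anchor tied to a heading's preview label that is likely to change when that label is dropped; link to the article without the fragment, or to an anchor that does not depend on the preview wording. "Please click [here]" is also uninformative link text; naming the destination, for example "see how to add app roles", would be clearer. The same change appears in the other two Zscaler tutorials in this batch.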
@@ -230,9 +230,9 @@ In this section, you test your Azure AD single sign-on configuration with follow
* Go to Zscaler Beta Sign-on URL directly and initiate the login flow from there.
-* You can use Microsoft My Apps. When you click the Zscaler Beta tile in the My Apps, this will redirect to Zscaler Beta Sign-on URL. For more information about the My Apps, see [Introduction to the My Apps](https://docs.microsoft.com/azure/active-directory/active-directory-saas-access-panel-introduction).
+* You can use Microsoft My Apps. When you click the Zscaler Beta tile in the My Apps, this will redirect to Zscaler Beta Sign-on URL. For more information about the My Apps, see [Introduction to the My Apps](../user-help/my-apps-portal-end-user-access.md).
## Next steps
-Once you configure Zscaler Beta you can enforce session control, which protects exfiltration and infiltration of your organizationΓÇÖs sensitive data in real time. Session control extends from Conditional Access. [Learn how to enforce session control with Microsoft Cloud App Security](/cloud-app-security/proxy-deployment-any-app).
\ No newline at end of file
+Once you configure Zscaler Beta you can enforce session control, which protects exfiltration and infiltration of your organizationΓÇÖs sensitive data in real time. Session control extends from Conditional Access. [Learn how to enforce session control with Microsoft Cloud App Security](/cloud-app-security/proxy-deployment-any-app).
active-directory https://docs.microsoft.com/en-us/azure/active-directory/saas-apps/zscaler-internet-access-administrator-tutorial https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/active-directory/saas-apps/zscaler-internet-access-administrator-tutorial.md
@@ -113,7 +113,7 @@ Follow these steps to enable Azure AD SSO in the Azure portal.
d. Click **Save**. > [!NOTE]
- > Please click [here](https://docs.microsoft.com/azure/active-directory/develop/howto-add-app-roles-in-azure-ad-apps#app-roles-ui) to know how to configure Role in Azure AD.
+ > Please click [here](../develop/howto-add-app-roles-in-azure-ad-apps.md#app-roles-ui--preview) to know how to configure Role in Azure AD.
7. On the **Set up Single Sign-On with SAML** page, in the **SAML Signing Certificate** section, click **Download** to download the **Certificate (Base64)** from the given options as per your requirement and save it on your computer.
@@ -183,7 +183,7 @@ In this section, you test your Azure AD single sign-on configuration with follow
* Click on Test this application in Azure portal and you should be automatically signed in to the Zscaler Internet Access Administrator for which you set up the SSO
-* You can use Microsoft My Apps. When you click the Zscaler Internet Access Administrator tile in the My Apps, you should be automatically signed in to the Zscaler Internet Access Administrator for which you set up the SSO. For more information about the My Apps, see [Introduction to the My Apps](https://docs.microsoft.com/azure/active-directory/active-directory-saas-access-panel-introduction).
+* You can use Microsoft My Apps. When you click the Zscaler Internet Access Administrator tile in the My Apps, you should be automatically signed in to the Zscaler Internet Access Administrator for which you set up the SSO. For more information about the My Apps, see [Introduction to the My Apps](../user-help/my-apps-portal-end-user-access.md).
## Next steps
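Review bot: The changed bullet still reads "tile in the My Apps" and "more information about the My Apps", and the label "Introduction to the My Apps" is kept while the target becomes `my-apps-portal-end-user-access.md`. Drop the stray article ("in My Apps") and check that the label matches the new target's title.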
active-directory https://docs.microsoft.com/en-us/azure/active-directory/saas-apps/zscaler-one-tutorial https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/active-directory/saas-apps/zscaler-one-tutorial.md
@@ -101,7 +101,7 @@ Follow these steps to enable Azure AD SSO in the Azure portal.
f. Click **Save**. > [!NOTE]
- > Please click [here](https://docs.microsoft.com/azure/active-directory/develop/howto-add-app-roles-in-azure-ad-apps#app-roles-ui) to know how to configure Role in Azure AD.
+ > Please click [here](../develop/howto-add-app-roles-in-azure-ad-apps.md#app-roles-ui--preview) to know how to configure Role in Azure AD.
7. On the **Set up Single Sign-On with SAML** page, in the **SAML Signing Certificate** section, click **Download** to download the **Certificate (Base64)** from the given options as per your requirement and save it on your computer.
@@ -229,9 +229,9 @@ In this section, you test your Azure AD single sign-on configuration with follow
* Go to Zscaler One Sign-on URL directly and initiate the login flow from there.
-* You can use Microsoft My Apps. When you click the Zscaler One tile in the My Apps, this will redirect to Zscaler One Sign-on URL. For more information about the My Apps, see [Introduction to the My Apps](https://docs.microsoft.com/azure/active-directory/active-directory-saas-access-panel-introduction).
+* You can use Microsoft My Apps. When you click the Zscaler One tile in the My Apps, this will redirect to Zscaler One Sign-on URL. For more information about the My Apps, see [Introduction to the My Apps](../user-help/my-apps-portal-end-user-access.md).
## Next steps
-Once you configure Zscaler One you can enforce session control, which protects exfiltration and infiltration of your organizationΓÇÖs sensitive data in real time. Session control extends from Conditional Access. [Learn how to enforce session control with Microsoft Cloud App Security](/cloud-app-security/proxy-deployment-any-app).
\ No newline at end of file
+Once you configure Zscaler One you can enforce session control, which protects exfiltration and infiltration of your organizationΓÇÖs sensitive data in real time. Session control extends from Conditional Access. [Learn how to enforce session control with Microsoft Cloud App Security](/cloud-app-security/proxy-deployment-any-app).
active-directory https://docs.microsoft.com/en-us/azure/active-directory/saas-apps/zscaler-three-tutorial https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/active-directory/saas-apps/zscaler-three-tutorial.md
@@ -90,7 +90,7 @@ Follow these steps to enable Azure AD SSO in the Azure portal.
| memberOf | user.assignedroles | > [!NOTE]
- > Please click [here](https://docs.microsoft.com/azure/active-directory/develop/howto-add-app-roles-in-azure-ad-apps#app-roles-ui) to know how to configure Role in Azure AD.
+ > Please click [here](../develop/howto-add-app-roles-in-azure-ad-apps.md#app-roles-ui--preview) to know how to configure Role in Azure AD.
1. On the **Set up single sign-on with SAML** page, in the **SAML Signing Certificate** section, find **Certificate (Base64)** and select **Download** to download the certificate and save it on your computer.
@@ -224,9 +224,9 @@ In this section, you test your Azure AD single sign-on configuration with follow
* Go to Zscaler Three Sign-on URL directly and initiate the login flow from there.
-* You can use Microsoft My Apps. When you click the Zscaler Three tile in the My Apps, this will redirect to Zscaler Three Sign-on URL. For more information about the My Apps, see [Introduction to the My Apps](https://docs.microsoft.com/azure/active-directory/active-directory-saas-access-panel-introduction).
+* You can use Microsoft My Apps. When you click the Zscaler Three tile in the My Apps, this will redirect to Zscaler Three Sign-on URL. For more information about the My Apps, see [Introduction to the My Apps](../user-help/my-apps-portal-end-user-access.md).
## Next steps
-Once you configure Zscaler Three you can enforce session control, which protects exfiltration and infiltration of your organizationΓÇÖs sensitive data in real time. Session control extends from Conditional Access. [Learn how to enforce session control with Microsoft Cloud App Security](/cloud-app-security/proxy-deployment-any-app).
\ No newline at end of file
+Once you configure Zscaler Three you can enforce session control, which protects exfiltration and infiltration of your organizationΓÇÖs sensitive data in real time. Session control extends from Conditional Access. [Learn how to enforce session control with Microsoft Cloud App Security](/cloud-app-security/proxy-deployment-any-app).
active-directory https://docs.microsoft.com/en-us/azure/active-directory/saas-apps/zscaler-tutorial https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/active-directory/saas-apps/zscaler-tutorial.md
@@ -100,7 +100,7 @@ Follow these steps to enable Azure AD SSO in the Azure portal.
f. Click **Save**. > [!NOTE]
- > Please click [here](https://docs.microsoft.com/azure/active-directory/develop/howto-add-app-roles-in-azure-ad-apps#app-roles-ui) to know how to configure Role in Azure AD.
+ > Please click [here](../develop/howto-add-app-roles-in-azure-ad-apps.md#app-roles-ui--preview) to know how to configure Role in Azure AD.
1. On the **Set up Single Sign-On with SAML** page, in the **SAML Signing Certificate** section, find **Certificate (Base64)** and select **Download** to download the certificate and save it on your computer.
@@ -229,9 +229,9 @@ In this section, you test your Azure AD single sign-on configuration with follow
* Go to Zscaler Sign-on URL directly and initiate the login flow from there.
-* You can use Microsoft My Apps. When you click the Zscaler tile in the My Apps, this will redirect to Zscaler Sign-on URL. For more information about the My Apps, see [Introduction to the My Apps](https://docs.microsoft.com/azure/active-directory/active-directory-saas-access-panel-introduction).
+* You can use Microsoft My Apps. When you click the Zscaler tile in the My Apps, this will redirect to Zscaler Sign-on URL. For more information about the My Apps, see [Introduction to the My Apps](../user-help/my-apps-portal-end-user-access.md).
## Next steps
-Once you configure Zscaler you can enforce session control, which protects exfiltration and infiltration of your organizationΓÇÖs sensitive data in real time. Session control extends from Conditional Access. [Learn how to enforce session control with Microsoft Cloud App Security](/cloud-app-security/proxy-deployment-any-app).
\ No newline at end of file
+Once you configure Zscaler you can enforce session control, which protects exfiltration and infiltration of your organizationΓÇÖs sensitive data in real time. Session control extends from Conditional Access. [Learn how to enforce session control with Microsoft Cloud App Security](/cloud-app-security/proxy-deployment-any-app).
active-directory https://docs.microsoft.com/en-us/azure/active-directory/saas-apps/zscaler-two-tutorial https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/active-directory/saas-apps/zscaler-two-tutorial.md
@@ -103,7 +103,7 @@ Follow these steps to enable Azure AD SSO in the Azure portal.
f. Click **Save**. > [!NOTE]
- > Please click [here](https://docs.microsoft.com/azure/active-directory/develop/howto-add-app-roles-in-azure-ad-apps#app-roles-ui) to know how to configure Role in Azure AD.
+ > Please click [here](../develop/howto-add-app-roles-in-azure-ad-apps.md#app-roles-ui--preview) to know how to configure Role in Azure AD.
7. On the **Set up Single Sign-On with SAML** page, in the **SAML Signing Certificate** section, click **Download** to download the **Certificate (Base64)** from the given options as per your requirement and save it on your computer.
@@ -241,9 +241,9 @@ In this section, you test your Azure AD single sign-on configuration with follow
* Go to Zscaler Two Sign-on URL directly and initiate the login flow from there.
-* You can use Microsoft My Apps. When you click the Zscaler Two tile in the My Apps, this will redirect to Zscaler Two Sign-on URL. For more information about the My Apps, see [Introduction to the My Apps](https://docs.microsoft.com/azure/active-directory/active-directory-saas-access-panel-introduction).
+* You can use Microsoft My Apps. When you click the Zscaler Two tile in the My Apps, this will redirect to Zscaler Two Sign-on URL. For more information about the My Apps, see [Introduction to the My Apps](../user-help/my-apps-portal-end-user-access.md).
## Next steps
-Once you configure Zscaler Two you can enforce session control, which protects exfiltration and infiltration of your organizationΓÇÖs sensitive data in real time. Session control extends from Conditional Access. [Learn how to enforce session control with Microsoft Cloud App Security](/cloud-app-security/proxy-deployment-any-app).
\ No newline at end of file
+Once you configure Zscaler Two you can enforce session control, which protects exfiltration and infiltration of your organizationΓÇÖs sensitive data in real time. Session control extends from Conditional Access. [Learn how to enforce session control with Microsoft Cloud App Security](/cloud-app-security/proxy-deployment-any-app).
active-directory https://docs.microsoft.com/en-us/azure/active-directory/saas-apps/zscaler-zscloud-tutorial https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/active-directory/saas-apps/zscaler-zscloud-tutorial.md
@@ -103,7 +103,7 @@ Follow these steps to enable Azure AD SSO in the Azure portal.
f. Click **Save**. > [!NOTE]
- > Please click [here](https://docs.microsoft.com/azure/active-directory/develop/howto-add-app-roles-in-azure-ad-apps#app-roles-ui) to know how to configure Role in Azure AD.
+ > Please click [here](../develop/howto-add-app-roles-in-azure-ad-apps.md#app-roles-ui--preview) to know how to configure Role in Azure AD.
7. On the **Set up Single Sign-On with SAML** page, in the **SAML Signing Certificate** section, click **Download** to download the **Certificate (Base64)** from the given options as per your requirement and save it on your computer.
@@ -243,9 +243,9 @@ In this section, you test your Azure AD single sign-on configuration with follow
* Go to Zscaler ZSCloud Sign-on URL directly and initiate the login flow from there.
-* You can use Microsoft My Apps. When you click the Zscaler ZSCloud tile in the My Apps, this will redirect to Zscaler ZSCloud Sign-on URL. For more information about the My Apps, see [Introduction to the My Apps](https://docs.microsoft.com/azure/active-directory/active-directory-saas-access-panel-introduction).
+* You can use Microsoft My Apps. When you click the Zscaler ZSCloud tile in the My Apps, this will redirect to Zscaler ZSCloud Sign-on URL. For more information about the My Apps, see [Introduction to the My Apps](../user-help/my-apps-portal-end-user-access.md).
## Next steps
-Once you configure Zscaler ZSCloud you can enforce session control, which protects exfiltration and infiltration of your organizationΓÇÖs sensitive data in real time. Session control extends from Conditional Access. [Learn how to enforce session control with Microsoft Cloud App Security](/cloud-app-security/proxy-deployment-any-app).
\ No newline at end of file
+Once you configure Zscaler ZSCloud you can enforce session control, which protects exfiltration and infiltration of your organizationΓÇÖs sensitive data in real time. Session control extends from Conditional Access. [Learn how to enforce session control with Microsoft Cloud App Security](/cloud-app-security/proxy-deployment-any-app).
advisor https://docs.microsoft.com/en-us/azure/advisor/advisor-performance-recommendations https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/advisor/advisor-performance-recommendations.md
@@ -175,7 +175,7 @@ Learn more about [Immersive reader SDK](../cognitive-services/immersive-reader/i
Advisor detects that you have a host pool that has depth first set as the load balancing algorithm, and that host pool's max session limit is greater than or equal to 999999. Depth first load balancing uses the max session limit to determine the maximum number of users that can have concurrent sessions on a single session host. If the max session limit is too high, all user sessions will be directed to the same session host, and this will cause performance and reliability issues. Therefore, when setting a host pool to have depth first load balancing, you must set an appropriate max session limit according to the configuration of your deployment and capacity of your VMs.
-To learn more about load balancing in Windows Virtual Desktop, see [Configure the Windows Virtual Desktop load-balancing method](/azure/virtual-desktop/troubleshoot-set-up-overview).
+To learn more about load balancing in Windows Virtual Desktop, see [Configure the Windows Virtual Desktop load-balancing method](../virtual-desktop/troubleshoot-set-up-overview.md).
## How to access performance recommendations in Advisor
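Review bot: The link label on the changed line says "Configure the Windows Virtual Desktop load-balancing method", but the target is `troubleshoot-set-up-overview.md`, which by its file name is a troubleshooting overview rather than a load-balancing how-to. Converting the path to relative form preserves that mismatch; point the link at the load-balancing article or change the label to describe the page it opens.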
@@ -194,4 +194,4 @@ To learn more about Advisor recommendations, see:
* [Advisor reliability recommendations](advisor-high-availability-recommendations.md) * [Advisor security recommendations](advisor-security-recommendations.md) * [Advisor operational excellence recommendations](advisor-operational-excellence-recommendations.md)
-* [Advisor REST API](/rest/api/advisor/)
+* [Advisor REST API](/rest/api/advisor/)
\ No newline at end of file
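Review bot: The last line of this hunk removes the file's trailing newline (`\ No newline at end of file` now follows the `+` line), the opposite of what the Zscaler tutorials in this batch do. The link text and target are otherwise identical, so restore the final newline and this hunk disappears.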
advisor https://docs.microsoft.com/en-us/azure/advisor/security-baseline https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/advisor/security-baseline.md
@@ -142,7 +142,7 @@ Note that some Azure services support local users and roles which are not manage
- [Create an access review of Azure resource roles in Privileged Identity Management (PIM)](../active-directory/privileged-identity-management/pim-resource-roles-start-access-review.md) -- [How to use Azure AD identity and access reviews](/azure/active-directory/governance/access-reviews-overview)
+- [How to use Azure AD identity and access reviews](../active-directory/governance/access-reviews-overview.md)
**Azure Security Center monitoring**: Not applicable
@@ -158,7 +158,7 @@ Centrally manage the secured workstations to enforce secured configuration inclu
- [Understand privileged access workstations](https://4sysops.com/archives/understand-the-microsoft-privileged-access-workstation-paw-security-model/) -- [Deploy a privileged access workstation](../active-directory/devices/howto-azure-managed-workstation.md)
+- [Deploy a privileged access workstation](/security/compass/privileged-access-deployment)
**Azure Security Center monitoring**: Not applicable
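Review bot: Only the second link in this hunk is moved to a first-party path; the "Understand privileged access workstations" link on the context line still sends readers of a security baseline to a third-party site (4sysops.com). Consider replacing it with Microsoft's own privileged access documentation alongside the new `/security/compass/privileged-access-deployment` target, so the guidance does not depend on content outside the docs set.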
@@ -218,7 +218,7 @@ Use Azure Conditional Access to limit a user's ability to interact with Azure Re
## Logging and Threat Detection
-*For more information, see the [Azure Security Benchmark: Logging and Threat Detection](/azure/security/benchmarks/security-controls-v2-logging-threat-detection).*
+*For more information, see the [Azure Security Benchmark: Logging and Threat Detection](../security/benchmarks/security-controls-v2-logging-threat-detection.md).*
### LT-4: Enable logging for Azure resources
@@ -370,7 +370,7 @@ Use workflow automation features in Azure Security Center and Azure Sentinel to
## Posture and Vulnerability Management
-*For more information, see the [Azure Security Benchmark: Posture and Vulnerability Management](/azure/security/benchmarks/security-controls-v2-posture-vulnerability-management).*
+*For more information, see the [Azure Security Benchmark: Posture and Vulnerability Management](../security/benchmarks/security-controls-v2-posture-vulnerability-management.md).*
### PV-8: Conduct regular attack simulation
@@ -420,9 +420,9 @@ For more information, see the following references:
- [Cloud Adoption Framework - Azure data security and encryption best practices](../security/fundamentals/data-encryption-best-practices.md?bc=%2fazure%2fcloud-adoption-framework%2f_bread%2ftoc.json&toc=%2fazure%2fcloud-adoption-framework%2ftoc.json) -- [Azure Security Benchmark - Asset management](/azure/security/benchmarks/security-controls-v2-asset-management)
+- [Azure Security Benchmark - Asset management](../security/benchmarks/security-controls-v2-asset-management.md)
-- [Azure Security Benchmark - Data Protection](/azure/security/benchmarks/security-controls-v2-data-protection)
+- [Azure Security Benchmark - Data Protection](../security/benchmarks/security-controls-v2-data-protection.md)
**Azure Security Center monitoring**: Not applicable
@@ -450,7 +450,7 @@ Ensure that the segmentation strategy is implemented consistently across control
**Guidance**: Continuously measure and mitigate risks to your individual assets and the environment they are hosted in. Prioritize high value assets and highly-exposed attack surfaces, such as published applications, network ingress and egress points, user and administrator endpoints, etc. -- [Azure Security Benchmark - Posture and vulnerability management](/azure/security/benchmarks/security-controls-v2-posture-vulnerability-management)
+- [Azure Security Benchmark - Posture and vulnerability management](../security/benchmarks/security-controls-v2-posture-vulnerability-management.md)
**Azure Security Center monitoring**: Not applicable
@@ -491,7 +491,7 @@ This strategy should include documented guidance, policy, and standards for the
For more information, see the following references: - [Azure Security Best Practice 11 - Architecture. Single unified security strategy](/azure/cloud-adoption-framework/security/security-top-10#11-architecture-establish-a-single-unified-security-strategy) -- [Azure Security Benchmark - Network Security](/azure/security/benchmarks/security-controls-v2-network-security)
+- [Azure Security Benchmark - Network Security](../security/benchmarks/security-controls-v2-network-security.md)
- [Azure network security overview](../security/fundamentals/network-overview.md)
@@ -519,9 +519,9 @@ This strategy should include documented guidance, policy, and standards for the
Review the referenced links for more information. -- [Azure Security Benchmark - Identity management](/azure/security/benchmarks/security-controls-v2-identity-management)
+- [Azure Security Benchmark - Identity management](../security/benchmarks/security-controls-v2-identity-management.md)
-- [Azure Security Benchmark - Privileged access](/azure/security/benchmarks/security-controls-v2-privileged-access)
+- [Azure Security Benchmark - Privileged access](../security/benchmarks/security-controls-v2-privileged-access.md)
- [Azure Security Best Practice 11 - Architecture. Single unified security strategy](/azure/cloud-adoption-framework/security/security-top-10#11-architecture-establish-a-single-unified-security-strategy)
@@ -553,9 +553,9 @@ This strategy should include documented guidance, policy, and standards for the
For more information, see the following references: -- [Azure Security Benchmark - Logging and threat detection](/azure/security/benchmarks/security-controls-v2-logging-threat-detection)
+- [Azure Security Benchmark - Logging and threat detection](../security/benchmarks/security-controls-v2-logging-threat-detection.md)
-- [Azure Security Benchmark - Incident response](/azure/security/benchmarks/security-controls-v2-incident-response)
+- [Azure Security Benchmark - Incident response](../security/benchmarks/security-controls-v2-incident-response.md)
- [Azure Security Best Practice 4 - Process. Update Incident Response Processes for Cloud](/azure/cloud-adoption-framework/security/security-top-10#4-process-update-incident-response-ir-processes-for-cloud)
aks https://docs.microsoft.com/en-us/azure/aks/azure-disk-csi https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/aks/azure-disk-csi.md
@@ -98,7 +98,7 @@ storageclass.storage.k8s.io/azuredisk-csi-waitforfirstconsumer created
## Volume snapshots
-The Azure disk CSI driver supports creating [snapshots of persistent volumes](https://kubernetes-csi.github.io/docs/snapshot-restore-feature.html). As part of this capability, the driver can perform either *full* or [*incremental* snapshots](../virtual-machines/windows/disks-incremental-snapshots.md) depending on the value set in the `incremental` parameter (by default, it's true).
+The Azure disk CSI driver supports creating [snapshots of persistent volumes](https://kubernetes-csi.github.io/docs/snapshot-restore-feature.html). As part of this capability, the driver can perform either *full* or [*incremental* snapshots](../virtual-machines/disks-incremental-snapshots.md) depending on the value set in the `incremental` parameter (by default, it's true).
For details on all the parameters, see [volume snapshot class parameters](https://github.com/kubernetes-sigs/azuredisk-csi-driver/blob/master/docs/driver-parameters.md#volumesnapshotclass).
aks https://docs.microsoft.com/en-us/azure/aks/azure-disk-customer-managed-keys https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/aks/azure-disk-customer-managed-keys.md
@@ -151,4 +151,4 @@ Review [best practices for AKS cluster security][best-practices-security]
[customer-managed-keys-windows]: ../virtual-machines/disk-encryption.md#customer-managed-keys [customer-managed-keys-linux]: ../virtual-machines/disk-encryption.md#customer-managed-keys [key-vault-generate]: ../key-vault/general/manage-with-cli2.md
-[supported-regions]: ../virtual-machines/windows/disk-encryption.md#supported-regions
+[supported-regions]: ../virtual-machines/disk-encryption.md#supported-regions
\ No newline at end of file
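Review bot: After this change `[supported-regions]` joins `[customer-managed-keys-windows]` and `[customer-managed-keys-linux]` in pointing at the shared `../virtual-machines/disk-encryption.md`, and those two reference definitions on the context line now resolve to the same URL and anchor. Collapse them into one definition, or confirm the article body still needs separate Windows and Linux labels. The `+` line also drops the file's trailing newline; keep it.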
aks https://docs.microsoft.com/en-us/azure/aks/custom-node-configuration https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/aks/custom-node-configuration.md
@@ -127,7 +127,7 @@ The settings below can be used to tune the operation of the virtual memory (VM)
| `transparentHugePageDefrag` | `always`, `defer`, `defer+madvise`, `madvise`, `never` | `madvise` | This value controls whether the kernel should make aggressive use of memory compaction to make more `hugepages` available. | > [!IMPORTANT]
-> For ease of search and readability the OS settings are displayed in this document by their name but should be added to the configuration json file or AKS API using [camelCase capitalization convention](https://docs.microsoft.com/dotnet/standard/design-guidelines/capitalization-conventions).
+> For ease of search and readability the OS settings are displayed in this document by their name but should be added to the configuration json file or AKS API using [camelCase capitalization convention](/dotnet/standard/design-guidelines/capitalization-conventions).
Create a `kubeletconfig.json` file with the following contents:
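Review bot: The `[!IMPORTANT]` note on the changed line says the OS settings are "displayed in this document by their name but should be added ... using camelCase", yet the table row directly above it already lists `transparentHugePageDefrag` in camelCase. State explicitly which form the tables use, so readers know whether to copy the names verbatim into `kubeletconfig.json` or convert them first.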
aks https://docs.microsoft.com/en-us/azure/aks/ingress-internal-ip https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/aks/ingress-internal-ip.md
@@ -64,7 +64,8 @@ helm install nginx-ingress ingress-nginx/ingress-nginx \
-f internal-ingress.yaml \ --set controller.replicaCount=2 \ --set controller.nodeSelector."beta\.kubernetes\.io/os"=linux \
- --set defaultBackend.nodeSelector."beta\.kubernetes\.io/os"=linux
+ --set defaultBackend.nodeSelector."beta\.kubernetes\.io/os"=linux \
+ --set controller.admissionWebhooks.patch.nodeSelector."beta\.kubernetes\.io/os"=linux
``` When the Kubernetes load balancer service is created for the NGINX ingress controller, your internal IP address is assigned. To get the public IP address, use the `kubectl get service` command.
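Review bot: The context sentence right after the command says "your internal IP address is assigned. To get the public IP address, use the `kubectl get service` command", which contradicts itself in an article about an internal ingress controller. While this block is being edited, change "public" to "internal" so readers do not expect the controller to be exposed publicly.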
aks https://docs.microsoft.com/en-us/azure/aks/ingress-own-tls https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/aks/ingress-own-tls.md
@@ -51,7 +51,8 @@ helm install nginx-ingress ingress-nginx/ingress-nginx \
--namespace ingress-basic \ --set controller.replicaCount=2 \ --set controller.nodeSelector."beta\.kubernetes\.io/os"=linux \
- --set defaultBackend.nodeSelector."beta\.kubernetes\.io/os"=linux
+ --set defaultBackend.nodeSelector."beta\.kubernetes\.io/os"=linux \
+ --set controller.admissionWebhooks.patch.nodeSelector."beta\.kubernetes\.io/os"=linux
``` During the installation, an Azure public IP address is created for the ingress controller. This public IP address is static for the life-span of the ingress controller. If you delete the ingress controller, the public IP address assignment is lost. If you then create an additional ingress controller, a new public IP address is assigned. If you wish to retain the use of the public IP address, you can instead [create an ingress controller with a static public IP address][aks-ingress-static-tls].
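Review bot: The added `controller.admissionWebhooks.patch.nodeSelector` line uses the `beta.kubernetes.io/os` label, which Kubernetes deprecated in favor of `kubernetes.io/os`; the cert-manager command changed in ingress-tls.md in this same batch already uses the non-beta label. Switch all three selectors in this command to `"kubernetes\.io/os"=linux` and apply the same change to the matching commands in ingress-internal-ip.md, ingress-static-ip.md and ingress-tls.md so the articles stay consistent.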
aks https://docs.microsoft.com/en-us/azure/aks/ingress-static-ip https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/aks/ingress-static-ip.md
@@ -83,6 +83,7 @@ helm install nginx-ingress ingress-nginx/ingress-nginx \
--set controller.replicaCount=2 \ --set controller.nodeSelector."beta\.kubernetes\.io/os"=linux \ --set defaultBackend.nodeSelector."beta\.kubernetes\.io/os"=linux \
+ --set controller.admissionWebhooks.patch.nodeSelector."beta\.kubernetes\.io/os"=linux \
--set controller.service.loadBalancerIP="STATIC_IP" \ --set controller.service.annotations."service\.beta\.kubernetes\.io/azure-dns-label-name"="DNS_LABEL" ```
aks https://docs.microsoft.com/en-us/azure/aks/ingress-tls https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/aks/ingress-tls.md
@@ -58,7 +58,8 @@ helm install nginx-ingress ingress-nginx/ingress-nginx \
--namespace ingress-basic \ --set controller.replicaCount=2 \ --set controller.nodeSelector."beta\.kubernetes\.io/os"=linux \
- --set defaultBackend.nodeSelector."beta\.kubernetes\.io/os"=linux
+ --set defaultBackend.nodeSelector."beta\.kubernetes\.io/os"=linux \
+ --set controller.admissionWebhooks.patch.nodeSelector."beta\.kubernetes\.io/os"=linux
``` During the installation, an Azure public IP address is created for the ingress controller. This public IP address is static for the life-span of the ingress controller. If you delete the ingress controller, the public IP address assignment is lost. If you then create an additional ingress controller, a new public IP address is assigned. If you wish to retain the use of the public IP address, you can instead [create an ingress controller with a static public IP address][aks-ingress-static-tls].
@@ -123,13 +124,13 @@ helm repo add jetstack https://charts.jetstack.io
helm repo update # Install the cert-manager Helm chart
-helm install \
- cert-manager \
+helm install cert-manager jetstack/cert-manager \
--namespace ingress-basic \ --version v0.16.1 \ --set installCRDs=true \
- --set nodeSelector."beta\.kubernetes\.io/os"=linux \
- jetstack/cert-manager
+ --set nodeSelector."kubernetes\.io/os"=linux \
+ --set webhook.nodeSelector."kubernetes\.io/os"=linux \
+ --set cainjector.nodeSelector."kubernetes\.io/os"=linux
``` For more information on cert-manager configuration, see the [cert-manager project][cert-manager].
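Review bot: The chart stays pinned at `--version v0.16.1` while two new values, `webhook.nodeSelector` and `cainjector.nodeSelector`, are introduced. Confirm that this chart version accepts both keys, because a value the chart does not recognize would not necessarily fail the install and the webhook and cainjector pods could still be scheduled onto Windows nodes. A short sentence after the code block explaining why each component needs its own selector would also help.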
aks https://docs.microsoft.com/en-us/azure/aks/policy-reference https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/aks/policy-reference.md
@@ -1,7 +1,7 @@
--- title: Built-in policy definitions for Azure Kubernetes Service description: Lists Azure Policy built-in policy definitions for Azure Kubernetes Service. These built-in policy definitions provide common approaches to managing your Azure resources.
-ms.date: 01/08/2021
+ms.date: 01/21/2021
ms.topic: reference ms.custom: subject-policy-reference ---
aks https://docs.microsoft.com/en-us/azure/aks/private-clusters https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/aks/private-clusters.md
@@ -117,18 +117,18 @@ As mentioned, virtual network peering is one way to access your private cluster.
3. In scenarios where the VNet containing your cluster has custom DNS settings (4), cluster deployment fails unless the private DNS zone is linked to the VNet that contains the custom DNS resolvers (5). This link can be created manually after the private zone is created during cluster provisioning or via automation upon detection of creation of the zone using event-based deployment mechanisms (for example, Azure Event Grid and Azure Functions). > [!NOTE]
-> If you are using [Bring Your Own Route Table with kubenet](https://docs.microsoft.com/azure/aks/configure-kubenet#bring-your-own-subnet-and-route-table-with-kubenet) and Bring Your Own DNS with Private Cluster, the cluster creation will fail. You will need to associate the [RouteTable](https://docs.microsoft.com/azure/aks/configure-kubenet#bring-your-own-subnet-and-route-table-with-kubenet) in the node resource group to the subnet after the cluster creation failed, in order to make the creation successful.
+> If you are using [Bring Your Own Route Table with kubenet](./configure-kubenet.md#bring-your-own-subnet-and-route-table-with-kubenet) and Bring Your Own DNS with Private Cluster, the cluster creation will fail. You will need to associate the [RouteTable](./configure-kubenet.md#bring-your-own-subnet-and-route-table-with-kubenet) in the node resource group to the subnet after the cluster creation failed, in order to make the creation successful.
## Limitations * IP authorized ranges can't be applied to the private api server endpoint, they only apply to the public API server * [Azure Private Link service limitations][private-link-service] apply to private clusters.
-* No support for Azure DevOps Microsoft-hosted Agents with private clusters. Consider to use [Self-hosted Agents](https://docs.microsoft.com/azure/devops/pipelines/agents/agents?view=azure-devops&tabs=browser&preserve-view=true).
+* No support for Azure DevOps Microsoft-hosted Agents with private clusters. Consider to use [Self-hosted Agents](/azure/devops/pipelines/agents/agents?preserve-view=true&tabs=browser&view=azure-devops).
* For customers that need to enable Azure Container Registry to work with private AKS, the Container Registry virtual network must be peered with the agent cluster virtual network. * No support for converting existing AKS clusters into private clusters * Deleting or modifying the private endpoint in the customer subnet will cause the cluster to stop functioning. * Azure Monitor for containers Live Data isn't currently supported. * After customers have updated the A record on their own DNS servers, those Pods would still resolve apiserver FQDN to the older IP after migration until they're restarted. Customers need to restart hostNetwork Pods and default-DNSPolicy Pods after control plane migration.
-* In the case of maintenance on the control plane, your [AKS IP](https://docs.microsoft.com/azure/aks/limit-egress-traffic#:~:text=By%20default%2C%20AKS%20clusters%20have%20unrestricted%20outbound%20%28egress%29,be%20accessible%20to%20maintain%20healthy%20cluster%20maintenance%20tasks.) might change. In this case you must update the A record pointing to the API server private IP on your custom DNS server and restart any custom pods or deployments using hostNetwork.
+* In the case of maintenance on the control plane, your [AKS IP](./limit-egress-traffic.md) might change. In this case you must update the A record pointing to the API server private IP on your custom DNS server and restart any custom pods or deployments using hostNetwork.
<!-- LINKS - internal --> [az-provider-register]: /cli/azure/provider?view=azure-cli-latest#az-provider-register
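Review bot: the added note on Bring Your Own Route Table with kubenet plus Bring Your Own DNS tells the reader to associate the RouteTable with the subnet "after the cluster creation failed, in order to make the creation successful", but never says what the operator does next: re-run the create, or wait for the failed cluster to recover. State that follow-up step explicitly. Both links in the note resolve to the same `configure-kubenet.md` anchor, so the second can go. In the last bullet, the rewritten `[AKS IP](./limit-egress-traffic.md)` link dropped the text fragment that pointed at a specific passage, so consider targeting a heading rather than the top of the article.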
aks https://docs.microsoft.com/en-us/azure/aks/reduce-latency-ppg https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/aks/reduce-latency-ppg.md
@@ -12,7 +12,7 @@ ms.date: 10/19/2020
> [!Note] > When using proximity placement groups on AKS, colocation only applies to the agent nodes. Node to node and the corresponding hosted pod to pod latency is improved. The colocation does not affect the placement of a cluster's control plane.
-When deploying your application in Azure, spreading Virtual Machine (VM) instances across regions or availability zones creates network latency, which may impact the overall performance of your application. A proximity placement group is a logical grouping used to make sure Azure compute resources are physically located close to each other. Some applications like gaming, engineering simulations, and high-frequency trading (HFT) require low latency and tasks that complete quickly. For high-performance computing (HPC) scenarios such as these, consider using [proximity placement groups](../virtual-machines/linux/co-location.md#proximity-placement-groups) (PPG) for your cluster's node pools.
+When deploying your application in Azure, spreading Virtual Machine (VM) instances across regions or availability zones creates network latency, which may impact the overall performance of your application. A proximity placement group is a logical grouping used to make sure Azure compute resources are physically located close to each other. Some applications like gaming, engineering simulations, and high-frequency trading (HFT) require low latency and tasks that complete quickly. For high-performance computing (HPC) scenarios such as these, consider using [proximity placement groups](../virtual-machines/co-location.md#proximity-placement-groups) (PPG) for your cluster's node pools.
## Before you begin
@@ -128,10 +128,10 @@ az group delete --name myResourceGroup --yes --no-wait
[nodepool-upgrade]: use-multiple-node-pools.md#upgrade-a-node-pool [az-extension-add]: /cli/azure/extension#az-extension-add [az-extension-update]: /cli/azure/extension#az-extension-update
-[proximity-placement-groups]: ../virtual-machines/linux/co-location.md#proximity-placement-groups
+[proximity-placement-groups]: ../virtual-machines/co-location.md#proximity-placement-groups
[az-aks-create]: /cli/azure/aks#az-aks-create [system-pool]: ./use-system-pools.md [az-aks-nodepool-add]: /cli/azure/aks/nodepool?view=azure-cli-latest#az-aks-nodepool-add [az-aks-create]: /cli/azure/aks#az-aks-create [az-group-create]: /cli/azure/group#az-group-create
-[az-group-delete]: /cli/azure/group#az-group-delete
+[az-group-delete]: /cli/azure/group#az-group-delete
\ No newline at end of file
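Review bot: the only change to `[az-group-delete]` at the end of this hunk is the loss of the file's trailing newline; keep the final newline so later additions to the reference list produce clean diffs. While in this block, `[az-aks-create]: /cli/azure/aks#az-aks-create` is defined twice in the context lines and one copy can be dropped.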
aks https://docs.microsoft.com/en-us/azure/aks/supported-kubernetes-versions https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/aks/supported-kubernetes-versions.md
@@ -104,7 +104,7 @@ For new **minor** versions of Kubernetes
1. AKS publishes a pre-announcement with the planned date of a new version release and respective old version deprecation on the [AKS Release notes](https://aka.ms/aks/releasenotes) at least 30 days prior to removal. 2. AKS publishes a [service health notification](../service-health/service-health-overview.md) available to all users with AKS and portal access, and sends an email to the subscription administrators with the planned version removal dates. ````
-To find out who is your subscription administrators or to change it, please refer to [manage Azure subscriptions](https://docs.microsoft.com/azure/cost-management-billing/manage/add-change-subscription-administrator#assign-a-subscription-administrator).
+To find out who is your subscription administrators or to change it, please refer to [manage Azure subscriptions](../cost-management-billing/manage/add-change-subscription-administrator.md#assign-a-subscription-administrator).
```` 3. Users have **30 days** from version removal to upgrade to a supported minor version release to continue receiving support.
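Review bot: the rewritten "manage Azure subscriptions" link sits between the two four-backtick fences, so it renders as literal text in a code block and not as a link. With the absolute URL a reader could at least copy the address; the relative `../cost-management-billing/manage/add-change-subscription-administrator.md` path gives them nothing to follow. Drop the fences and indent the sentence under step 2 so the link renders, and fix the wording to "who your subscription administrators are".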
@@ -196,4 +196,4 @@ For information on how to upgrade your cluster, see [Upgrade an Azure Kubernetes
<!-- LINKS - Internal --> [aks-upgrade]: upgrade-cluster.md [az-aks-get-versions]: /cli/azure/aks#az-aks-get-versions
-[preview-terms]: https://azure.microsoft.com/support/legal/preview-supplemental-terms/
+[preview-terms]: https://azure.microsoft.com/support/legal/preview-supplemental-terms/
\ No newline at end of file
api-management https://docs.microsoft.com/en-us/azure/api-management/import-function-app-as-api https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/api-management/import-function-app-as-api.md
@@ -35,7 +35,7 @@ You will learn how to:
## Prerequisites * Complete the quickstart [Create an Azure API Management instance](get-started-create-service-instance.md).
-* Make sure you have an Azure Functions app in your subscription. For more information, see [Create an Azure Function App](../azure-functions/functions-create-first-azure-function.md#create-a-function-app). It has to contain Functions with HTTP trigger and authorization level setting set to *Anonymous* or *Function*.
+* Make sure you have an Azure Functions app in your subscription. For more information, see [Create an Azure Function App](../azure-functions/functions-get-started.md). It has to contain Functions with HTTP trigger and authorization level setting set to *Anonymous* or *Function*.
[!INCLUDE [api-management-navigate-to-instance.md](../../includes/api-management-navigate-to-instance.md)]
api-management https://docs.microsoft.com/en-us/azure/api-management/plan-manage-costs https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/api-management/plan-manage-costs.md
@@ -104,7 +104,7 @@ As you add or remove units, capacity and cost scale proportionally. For example,
- Learn [how to optimize your cloud investment with Azure Cost Management](../cost-management-billing/costs/cost-mgt-best-practices.md?WT.mc_id=costmanagementcontent_docsacmhorizontal_-inproduct-learn). - Learn more about managing costs with [cost analysis](../cost-management-billing/costs/quick-acm-cost-analysis.md?WT.mc_id=costmanagementcontent_docsacmhorizontal_-inproduct-learn).-- Learn about how to [prevent unexpected costs](../cost-management-billing/manage/getting-started.md?WT.mc_id=costmanagementcontent_docsacmhorizontal_-inproduct-learn).-- Take the [Cost Management](https://docs.microsoft.com/learn/paths/control-spending-manage-bills?WT.mc_id=costmanagementcontent_docsacmhorizontal_-inproduct-learn) guided learning course.
+- Learn about how to [prevent unexpected costs](../cost-management-billing/cost-management-billing-overview.md?WT.mc_id=costmanagementcontent_docsacmhorizontal_-inproduct-learn).
+- Take the [Cost Management](/learn/paths/control-spending-manage-bills?WT.mc_id=costmanagementcontent_docsacmhorizontal_-inproduct-learn) guided learning course.
- Learn about API Management [capacity](api-management-capacity.md). - See steps to scale and upgrade API Management using the [Azure portal](upgrade-and-scale.md), and learn about [autoscaling](api-management-howto-autoscale.md).\ No newline at end of file
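Review bot: the "prevent unexpected costs" bullet now targets `cost-management-billing-overview.md`, so the link text promises more specific guidance than the target's name suggests. Either point it at an article that covers avoiding unexpected charges or reword the bullet to match an overview page. The final bullet also ends without a trailing newline.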
api-management https://docs.microsoft.com/en-us/azure/api-management/policy-reference https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/api-management/policy-reference.md
@@ -1,7 +1,7 @@
--- title: Built-in policy definitions for Azure API Management description: Lists Azure Policy built-in policy definitions for Azure API Management. These built-in policy definitions provide approaches to managing your Azure resources.
-ms.date: 01/08/2021
+ms.date: 01/21/2021
author: georgewallace ms.author: gwallace ms.service: api-management
app-service https://docs.microsoft.com/en-us/azure/app-service/app-service-web-tutorial-connect-msi https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/app-service/app-service-web-tutorial-connect-msi.md
@@ -125,7 +125,7 @@ In *Web.config*, working from the top of the file and make the following changes
- Find the connection string called `MyDbConnection` and replace its `connectionString` value with `"server=tcp:<server-name>.database.windows.net;database=<db-name>;UID=AnyString;Authentication=Active Directory Interactive"`. Replace _\<server-name>_ and _\<db-name>_ with your server name and database name. > [!NOTE]
-> The SqlAuthenticationProvider you just registered is based on top of the AppAuthentication library you installed earlier. By default, it uses a system-assigned identity. To leverage a user-assigned identity, you will need to provide an additional configuration. Please see [connection string support](../key-vault/general/service-to-service-authentication.md#connection-string-support) for the AppAuthentication library.
+> The SqlAuthenticationProvider you just registered is based on top of the AppAuthentication library you installed earlier. By default, it uses a system-assigned identity. To leverage a user-assigned identity, you will need to provide an additional configuration. Please see [connection string support](/dotnet/api/overview/azure/service-to-service-authentication#connection-string-support) for the AppAuthentication library.
That's every thing you need to connect to SQL Database. When debugging in Visual Studio, your code uses the Azure AD user you configured in [Set up Visual Studio](#set-up-visual-studio). You'll set up SQL Database later to allow connection from the managed identity of your App Service app.
@@ -273,4 +273,4 @@ What you learned:
Advance to the next tutorial to learn how to map a custom DNS name to your web app. > [!div class="nextstepaction"]
-> [Map an existing custom DNS name to Azure App Service](app-service-web-tutorial-custom-domain.md)
+> [Map an existing custom DNS name to Azure App Service](app-service-web-tutorial-custom-domain.md)
\ No newline at end of file
app-service https://docs.microsoft.com/en-us/azure/app-service/configure-connect-to-azure-storage https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/app-service/configure-connect-to-azure-storage.md
@@ -34,7 +34,7 @@ This guide shows how to attach Azure Storage to a Linux container App Service. B
- [An existing Windows Container app in Azure App Service](quickstart-custom-container.md) - [Create Azure file share](../storage/files/storage-how-to-use-files-cli.md)-- [Upload files to Azure File share](../storage/files/storage-files-deployment-guide.md)
+- [Upload files to Azure File share](../storage/files/storage-how-to-create-file-share.md)
::: zone-end
@@ -124,4 +124,4 @@ az webapp config storage-account list --resource-group <resource-group> --name <
- [Configure a custom container](configure-custom-container.md?pivots=platform-linux).
-::: zone-end
+::: zone-end
\ No newline at end of file
app-service https://docs.microsoft.com/en-us/azure/app-service/deploy-container-github-action https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/app-service/deploy-container-github-action.md
@@ -46,7 +46,7 @@ A publish profile is an app-level credential. Set up your publish profile as a G
1. On the **Overview** page, select **Get Publish profile**. > [!NOTE]
- > As of October 2020, Linux web apps will need the app setting `WEBSITE_WEBDEPLOY_USE_SCM` set to `true` **before downloading the file**. This requirement will be removed in the future. See [Configure an App Service app in the Azure portal](/azure/app-service/configure-common), to learn how to configure common web app settings.
+ > As of October 2020, Linux web apps will need the app setting `WEBSITE_WEBDEPLOY_USE_SCM` set to `true` **before downloading the file**. This requirement will be removed in the future. See [Configure an App Service app in the Azure portal](./configure-common.md), to learn how to configure common web app settings.
1. Save the downloaded file. You'll use the contents of the file to create a GitHub secret.
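Review bot: the note carrying the changed link is time-bound ("As of October 2020", "will be removed in the future") and gives the reader no way to tell whether `WEBSITE_WEBDEPLOY_USE_SCM` is still required before downloading the publish profile. Since this step hands out an app-level credential, tie the requirement to something the reader can check, or describe what they will see if the setting is missing. The comma between the link and "to learn" should also go.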
@@ -273,4 +273,4 @@ You can find our set of Actions grouped into different repositories on GitHub, e
- [K8s deploy](https://github.com/Azure/k8s-deploy) -- [Starter Workflows](https://github.com/actions/starter-workflows)
+- [Starter Workflows](https://github.com/actions/starter-workflows)
\ No newline at end of file
app-service https://docs.microsoft.com/en-us/azure/app-service/environment/networking https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/app-service/environment/networking.md
@@ -47,7 +47,7 @@ Unlike the ASEv2, with ASEv3 you can set Network Security Groups (NSGs) and Rout
## DNS
-The apps in your ASE will use the DNS that your VNet is configured with. Follow the instructions in [Using an App Service Environment](https://docs.microsoft.com/azure/app-service/environment/using#dns-configuration) to configure your DNS server to point to your ASE. If you want some apps to use a different DNS server than what your VNet is configured with, you can manually set it on a per app basis with the app settings WEBSITE_DNS_SERVER and WEBSITE_DNS_ALT_SERVER. The app setting WEBSITE_DNS_ALT_SERVER configures the secondary DNS server. The secondary DNS server is only used when there is no response from the primary DNS server.
+The apps in your ASE will use the DNS that your VNet is configured with. Follow the instructions in [Using an App Service Environment](./using.md#dns-configuration) to configure your DNS server to point to your ASE. If you want some apps to use a different DNS server than what your VNet is configured with, you can manually set it on a per app basis with the app settings WEBSITE_DNS_SERVER and WEBSITE_DNS_ALT_SERVER. The app setting WEBSITE_DNS_ALT_SERVER configures the secondary DNS server. The secondary DNS server is only used when there is no response from the primary DNS server.
## Preview limitation
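Review bot: in the rewritten DNS paragraph the app settings WEBSITE_DNS_SERVER and WEBSITE_DNS_ALT_SERVER appear as plain text; put them in backticks so they read as literal setting names to copy. The paragraph also never says what value the settings take, so add that alongside the statement that the secondary server is only used when the primary does not respond.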
@@ -63,5 +63,4 @@ There are a few networking features that aren't available with ASEv3. The thing
ΓÇó Ability to use BYOS to a service endpoint or private endpoint secured storage account ΓÇó Use of Network Watcher or NSG Flow on outbound traffic
-
-
+
\ No newline at end of file
app-service https://docs.microsoft.com/en-us/azure/app-service/overview-manage-costs https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/app-service/overview-manage-costs.md
@@ -11,9 +11,9 @@ ms.date: 01/01/2021
# Plan and manage costs for Azure App Service <!-- Check out the following published examples:-- [https://docs.microsoft.com/azure/cosmos-db/plan-manage-costs](https://docs.microsoft.com/azure/cosmos-db/plan-manage-costs)-- [https://docs.microsoft.com/azure/storage/common/storage-plan-manage-costs](https://docs.microsoft.com/azure/storage/common/storage-plan-manage-costs)-- [https://docs.microsoft.com/azure/machine-learning/concept-plan-manage-cost](https://docs.microsoft.com/azure/machine-learning/concept-plan-manage-cost)
+- [https://docs.microsoft.com/azure/cosmos-db/plan-manage-costs](../cosmos-db/plan-manage-costs.md)
+- [https://docs.microsoft.com/azure/storage/common/storage-plan-manage-costs](../storage/common/storage-plan-manage-costs.md)
+- [https://docs.microsoft.com/azure/machine-learning/concept-plan-manage-cost](../machine-learning/concept-plan-manage-cost.md)
--> <!-- Note for Azure service writer: Links to Cost Management articles are full URLS with the ?WT.mc_id=costmanagementcontent_docsacmhorizontal_-inproduct-learn campaign suffix. Leave those URLs intact. They're used to measure traffic to Cost Management articles.
@@ -21,7 +21,7 @@ ms.date: 01/01/2021
<!-- Note for Azure service writer: Modify the following for your service. -->
-This article describes how you plan for and manage costs for Azure App Service. First, you use the Azure pricing calculator to help plan for App Service costs before you add any resources for the service to estimate costs. Next, as you add Azure resources, review the estimated costs. After you've started using App Service resources, use [Cost Management](https://docs.microsoft.com/azure/cost-management-billing/?WT.mc_id=costmanagementcontent_docsacmhorizontal_-inproduct-learn) features to set budgets and monitor costs. You can also review forecasted costs and identify spending trends to identify areas where you might want to act. Costs for Azure App Service are only a portion of the monthly costs in your Azure bill. Although this article explains how to plan for and manage costs for App Service, you're billed for all Azure services and resources used in your Azure subscription, including the third-party services.
+This article describes how you plan for and manage costs for Azure App Service. First, you use the Azure pricing calculator to help plan for App Service costs before you add any resources for the service to estimate costs. Next, as you add Azure resources, review the estimated costs. After you've started using App Service resources, use [Cost Management](../cost-management-billing/index.yml?WT.mc_id=costmanagementcontent_docsacmhorizontal_-inproduct-learn) features to set budgets and monitor costs. You can also review forecasted costs and identify spending trends to identify areas where you might want to act. Costs for Azure App Service are only a portion of the monthly costs in your Azure bill. Although this article explains how to plan for and manage costs for App Service, you're billed for all Azure services and resources used in your Azure subscription, including the third-party services.
## Relevant costs for App Service
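Review bot: the Cost Management link in this paragraph goes from a full URL to `../cost-management-billing/index.yml` with the campaign suffix, which contradicts the writer note just above it in the file: "Leave those URLs intact. They're used to measure traffic to Cost Management articles." Either keep the absolute URL or update that note so the next editor is not told to undo this change.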
@@ -32,10 +32,10 @@ App Service runs on Azure infrastructure that accrues cost. It's important to un
Depending on which feature you use in App Service, the following cost-accruing resources may be created: - **App Service plan** Required to host an App Service app.-- **Isolated tier** A [Virtual Network](/azure/virtual-network/) is required for an App Service environment.-- **Backup** A [Storage account](/azure/storage/) is required to make backups.-- **Diagnostic logs** You can select [Storage account](/azure/storage/) as the logging option, or integrate with [Azure Log Analytics](../azure-monitor/log-query/log-analytics-tutorial.md).-- **App Service certificates** Certificates you purchase in Azure must be maintained in [Azure Key Vault](/azure/key-vault/).
+- **Isolated tier** A [Virtual Network](../virtual-network/index.yml) is required for an App Service environment.
+- **Backup** A [Storage account](../storage/index.yml) is required to make backups.
+- **Diagnostic logs** You can select [Storage account](../storage/index.yml) as the logging option, or integrate with [Azure Log Analytics](../azure-monitor/log-query/log-analytics-tutorial.md).
+- **App Service certificates** Certificates you purchase in Azure must be maintained in [Azure Key Vault](../key-vault/index.yml).
Other cost resources for App Service are (see [App Service pricing](https://azure.microsoft.com/pricing/details/app-service/) for details):
@@ -151,7 +151,7 @@ In the preceding example, you see the current cost for the service. Costs by Azu
<!-- Note to Azure service writer: Modify the following as needed for your service. -->
-You can create [budgets](../cost-management/tutorial-acm-create-budgets.md?WT.mc_id=costmanagementcontent_docsacmhorizontal_-inproduct-learn) to manage costs and create [alerts](../cost-management/cost-mgt-alerts-monitor-usage-spending.md?WT.mc_id=costmanagementcontent_docsacmhorizontal_-inproduct-learn) that automatically notify stakeholders of spending anomalies and overspending risks. Alerts are based on spending compared to budget and cost thresholds. Budgets and alerts are created for Azure subscriptions and resource groups, so they're useful as part of an overall cost monitoring strategy.
+You can create [budgets](../cost-management-billing/costs/tutorial-acm-create-budgets.md?WT.mc_id=costmanagementcontent_docsacmhorizontal_-inproduct-learn) to manage costs and create [alerts](../cost-management-billing/costs/cost-mgt-alerts-monitor-usage-spending.md?WT.mc_id=costmanagementcontent_docsacmhorizontal_-inproduct-learn) that automatically notify stakeholders of spending anomalies and overspending risks. Alerts are based on spending compared to budget and cost thresholds. Budgets and alerts are created for Azure subscriptions and resource groups, so they're useful as part of an overall cost monitoring strategy.
Budgets can be created with filters for specific resources or services in Azure if you want more granularity present in your monitoring. Filters help ensure that you don't accidentally create new resources that cost you extra money. For more information about the filter options available when you create a budget, see [Group and filter options](../cost-management-billing/costs/group-filter.md?WT.mc_id=costmanagementcontent_docsacmhorizontal_-inproduct-learn).
@@ -164,8 +164,8 @@ You can also [export your cost data](../cost-management-billing/costs/tutorial-e
- Learn more on how pricing works with Azure Storage. See [App Service pricing](https://azure.microsoft.com/pricing/details/app-service/). - Learn [how to optimize your cloud investment with Azure Cost Management](../cost-management-billing/costs/cost-mgt-best-practices.md?WT.mc_id=costmanagementcontent_docsacmhorizontal_-inproduct-learn). - Learn more about managing costs with [cost analysis](../cost-management-billing/costs/quick-acm-cost-analysis.md?WT.mc_id=costmanagementcontent_docsacmhorizontal_-inproduct-learn).-- Learn about how to [prevent unexpected costs](../cost-management-billing/manage/getting-started.md?WT.mc_id=costmanagementcontent_docsacmhorizontal_-inproduct-learn).-- Take the [Cost Management](https://docs.microsoft.com/learn/paths/control-spending-manage-bills?WT.mc_id=costmanagementcontent_docsacmhorizontal_-inproduct-learn) guided learning course.
+- Learn about how to [prevent unexpected costs](../cost-management-billing/cost-management-billing-overview.md?WT.mc_id=costmanagementcontent_docsacmhorizontal_-inproduct-learn).
+- Take the [Cost Management](/learn/paths/control-spending-manage-bills?WT.mc_id=costmanagementcontent_docsacmhorizontal_-inproduct-learn) guided learning course.
<!-- Insert links to other articles that might help users save and manage costs for you service here.
app-service https://docs.microsoft.com/en-us/azure/app-service/overview-managed-identity https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/app-service/overview-managed-identity.md
@@ -523,4 +523,4 @@ Update-AzFunctionApp -Name $functionAppName -ResourceGroupName $resourceGroupNam
- [Access Azure Storage securely using a managed identity](scenario-secure-app-access-storage.md) - [Call Microsoft Graph securely using a managed identity](scenario-secure-app-access-microsoft-graph-as-app.md)
-[Microsoft.Azure.Services.AppAuthentication reference]: ../key-vault/general/service-to-service-authentication.md
+[Microsoft.Azure.Services.AppAuthentication reference]: /dotnet/api/overview/azure/service-to-service-authentication
\ No newline at end of file
app-service https://docs.microsoft.com/en-us/azure/app-service/overview-security https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/app-service/overview-security.md
@@ -80,8 +80,8 @@ To isolate your resource connectivity completely from the shared networks in Azu
You can securely access on-premises resources, such as databases, in three ways: - [Hybrid connections](app-service-hybrid-connections.md) - Establishes a point-to-point connection to your remote resource through a TCP tunnel. The TCP tunnel is established using TLS 1.2 with shared access signature (SAS) keys.-- [Virtual Network integration](web-sites-integrate-with-vnet.md) with site-to-site VPN - As described in [Resources inside an Azure Virtual Network](#resources-inside-an-azure-virtual-network), but the Virtual Network can be connected to your on-premises network through a [site-to-site VPN](../vpn-gateway/vpn-gateway-howto-site-to-site-resource-manager-portal.md). In this network topology, your app can connect to on-premises resources like other resources in the Virtual Network.-- [App Service environment](environment/intro.md) with site-to-site VPN - As described in [Resources inside an Azure Virtual Network](#resources-inside-an-azure-virtual-network), but the Virtual Network can be connected to your on-premises network through a [site-to-site VPN](../vpn-gateway/vpn-gateway-howto-site-to-site-resource-manager-portal.md). In this network topology, your app can connect to on-premises resources like other resources in the Virtual Network.
+- [Virtual Network integration](web-sites-integrate-with-vnet.md) with site-to-site VPN - As described in [Resources inside an Azure Virtual Network](#resources-inside-an-azure-virtual-network), but the Virtual Network can be connected to your on-premises network through a [site-to-site VPN](../vpn-gateway/tutorial-site-to-site-portal.md). In this network topology, your app can connect to on-premises resources like other resources in the Virtual Network.
+- [App Service environment](environment/intro.md) with site-to-site VPN - As described in [Resources inside an Azure Virtual Network](#resources-inside-an-azure-virtual-network), but the Virtual Network can be connected to your on-premises network through a [site-to-site VPN](../vpn-gateway/tutorial-site-to-site-portal.md). In this network topology, your app can connect to on-premises resources like other resources in the Virtual Network.
## Application secrets
app-service https://docs.microsoft.com/en-us/azure/app-service/policy-reference https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/app-service/policy-reference.md
@@ -1,7 +1,7 @@
--- title: Built-in policy definitions for Azure App Service description: Lists Azure Policy built-in policy definitions for Azure App Service. These built-in policy definitions provide common approaches to managing your Azure resources.
-ms.date: 01/08/2021
+ms.date: 01/21/2021
ms.topic: reference ms.custom: subject-policy-reference ---
app-service https://docs.microsoft.com/en-us/azure/app-service/security-baseline https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/app-service/security-baseline.md
@@ -70,7 +70,7 @@ Use Azure Firewall to send traffic and centrally create, enforce, and log applic
- [Understand Network Security provided by Azure Security Center](../security-center/security-center-network-recommendations.md) -- [How to Enable Monitoring and Protection of App Service](/azure/security-center/defender-for-app-service-introduction)
+- [How to Enable Monitoring and Protection of App Service](../security-center/defender-for-app-service-introduction.md)
**Azure Security Center monitoring**: Yes
@@ -167,7 +167,7 @@ Review the referenced links for additional information.
- [How to configure end-to-end TLS by using Application Gateway with the portal](../application-gateway/end-to-end-ssl-portal.md) -- [Secure the ASE as described in Locking down an App Service](/azure/app-service/environment/firewall-integration)
+- [Secure the ASE as described in Locking down an App Service](./environment/firewall-integration.md)
**Azure Security Center monitoring**: Yes
@@ -204,7 +204,7 @@ Review the referenced links for additional information.
- [How to configure end-to-end TLS by using Application Gateway with the portal](../application-gateway/end-to-end-ssl-portal.md) -- [Secure the ASE as described in Locking down an App Service](/azure/app-service/environment/firewall-integration)
+- [Secure the ASE as described in Locking down an App Service](./environment/firewall-integration.md)
**Azure Security Center monitoring**: Not applicable
@@ -220,7 +220,7 @@ Apply any of the built-in Azure Policy definitions related to tagging effects, s
- [How to create and use tags](../azure-resource-manager/management/tag-resources.md) -- [Azure App Service Access Restrictions](/azure/app-service/app-service-ip-restrictions)
+- [Azure App Service Access Restrictions](./app-service-ip-restrictions.md)
**Azure Security Center monitoring**: Not applicable
app-service https://docs.microsoft.com/en-us/azure/app-service/webjobs-sdk-how-to https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/app-service/webjobs-sdk-how-to.md
@@ -791,7 +791,7 @@ public static void RemoveItem([QueueTrigger("remove-item")] string message)
### Viewing lease blobs
-The WebJobs SDK uses [Azure blob leases](../storage/common/storage-concurrency.md#pessimistic-concurrency-for-blobs) under the covers to implement distributed locking. The lease blobs used by Singleton can be found in the `azure-webjobs-host` container in the `AzureWebJobsStorage` storage account under the path "locks". For example, the lease blob path for the first `ProcessImage` example shown earlier might be `locks/061851c758f04938a4426aa9ab3869c0/WebJobs.Functions.ProcessImage`. All paths include the JobHost ID, in this case 061851c758f04938a4426aa9ab3869c0.
+The WebJobs SDK uses [Azure blob leases](../storage/blobs/concurrency-manage.md#pessimistic-concurrency-for-blobs) under the covers to implement distributed locking. The lease blobs used by Singleton can be found in the `azure-webjobs-host` container in the `AzureWebJobsStorage` storage account under the path "locks". For example, the lease blob path for the first `ProcessImage` example shown earlier might be `locks/061851c758f04938a4426aa9ab3869c0/WebJobs.Functions.ProcessImage`. All paths include the JobHost ID, in this case 061851c758f04938a4426aa9ab3869c0.
## Async functions
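Review bot: the new blob lease link keeps the `#pessimistic-concurrency-for-blobs` fragment from the old file; confirm that heading exists in `../storage/blobs/concurrency-manage.md`, otherwise the link lands at the top of the page with no indication of where to read. The JobHost ID at the end of the paragraph could also be in backticks, matching the lease blob path it is taken from.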
@@ -1004,4 +1004,4 @@ This article has provided code snippets that show how to handle common scenarios
[`ConfigureServices`]: /dotnet/api/microsoft.extensions.hosting.hostinghostbuilderextensions.configureservices [`ITelemetryInitializer`]: /dotnet/api/microsoft.applicationinsights.extensibility.itelemetryinitializer [`TelemetryConfiguration`]: /dotnet/api/microsoft.applicationinsights.extensibility.telemetryconfiguration
-[`JobHostConfiguration`]: https://github.com/Azure/azure-webjobs-sdk/blob/v2.x/src/Microsoft.Azure.WebJobs.Host/JobHostConfiguration.cs
+[`JobHostConfiguration`]: https://github.com/Azure/azure-webjobs-sdk/blob/v2.x/src/Microsoft.Azure.WebJobs.Host/JobHostConfiguration.cs
\ No newline at end of file
attestation https://docs.microsoft.com/en-us/azure/attestation/policy-signer-examples https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/attestation/policy-signer-examples.md
@@ -13,7 +13,7 @@ ms.author: mbaldwin
# Examples of an attestation policy signer certificate Policy signer certificates associated with an attestation provider will be used by Microsoft Azure Attestation to validate signed policies.
-Learn more of [benefits of policy signing](/azure/attestation/basic-concepts/#benefits-of-policy-signing)
+Learn more of [benefits of policy signing](./basic-concepts.md#benefits-of-policy-signing)
**Policy signer certificate file format to be used in create provider flow**
@@ -33,4 +33,4 @@ EQ0NBaFNnQXdJQkFnSUlmek9mOVIzcTBJc3dEUVlKS29aSWh2Y05BUUVMQlFBd0Z6RVZNQk1HQTFVRUF
## Next steps - [How to author and sign an attestation policy](author-sign-policy.md)-- [Set up Azure Attestation using PowerShell](quickstart-powershell.md)
+- [Set up Azure Attestation using PowerShell](quickstart-powershell.md)
\ No newline at end of file
attestation https://docs.microsoft.com/en-us/azure/attestation/private-endpoint-powershell https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/attestation/private-endpoint-powershell.md
@@ -18,8 +18,8 @@ In this quickstart, you'll create a private endpoint for Azure Attestation and d
## Prerequisites
-* Learn about [Azure Private Link](/azure/private-link/private-link-overview)
-* [Set up Azure Attestation with Azure PowerShell](/azure/attestation/quickstart-powershell)
+* Learn about [Azure Private Link](../private-link/private-link-overview.md)
+* [Set up Azure Attestation with Azure PowerShell](./quickstart-powershell.md)
## Create a resource group
@@ -202,5 +202,4 @@ In this section, you'll use the virtual machine you created in the previous step
Address: 168.63.129.16 Non-authoritative answer: Name: myattestationprovider.eastus.test.attest.azure.net
- ```
-
+ ```
\ No newline at end of file
attestation https://docs.microsoft.com/en-us/azure/attestation/quickstart-portal https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/attestation/quickstart-portal.md
@@ -54,7 +54,7 @@ Follow the below steps to manage an attestation provider using Azure portal.
d. **Location**: choose a location
- e. **Policy signer certificates file**: To configure the attestation provider with policy signing certs, upload certs file. See examples [here](/azure/attestation/policy-signer-examples)
+ e. **Policy signer certificates file**: To configure the attestation provider with policy signing certs, upload certs file. See examples [here](./policy-signer-examples.md)
6. After providing the required inputs, click **Review+Create** 7. Fix validation issues if any and click **Create**.
@@ -95,7 +95,7 @@ a. Verify the certificates count and certs downloaded.
3. Select the attestation provider and navigate to overview page 4. Click **Policy signer certificates** in left-side resource menu or in the bottom pane 5. Click **Add** in the top menu (The button will be disabled for the attestation providers created without policy signing requirement)
-6. Upload policy signer certificate file and click **Add**. See examples [here](/azure/attestation/policy-signer-examples)
+6. Upload policy signer certificate file and click **Add**. See examples [here](./policy-signer-examples.md)
### Delete policy signer certificate
@@ -104,7 +104,7 @@ a. Verify the certificates count and certs downloaded.
3. Select the attestation provider and navigate to overview page 4. Click **Policy signer certificates** in left-side resource menu or in the bottom pane 5. Click **Delete** in the top menu (The button will be disabled for the attestation providers created without policy signing requirement)
-6. Upload policy signer certificate file and click **Delete**. See examples [here](/azure/attestation/policy-signer-examples)
+6. Upload policy signer certificate file and click **Delete**. See examples [here](./policy-signer-examples.md)
## Attestation policy
@@ -129,7 +129,7 @@ a. Verify the certificates count and certs downloaded.
5. Click **Configure** in the top menu 6. When the attestation provider is created without policy signing requirement, user can upload a policy in **JWT** or **Text** format 7. Select **Policy Format** as **JWT**
-8. Upload policy file with policy content in an **unsigned/signed JWT** format and click **Save**. See examples [here](/azure/attestation/policy-examples)
+8. Upload policy file with policy content in an **unsigned/signed JWT** format and click **Save**. See examples [here](./policy-examples.md)
For file upload option, policy preview will be shown in text format and policy preview is not editable.
@@ -144,7 +144,7 @@ a. Verify the certificates count and certs downloaded.
5. Click **Configure** in the top menu 6. When the attestation provider is created without policy signing requirement, user can upload a policy in **JWT** or **Text** format 7. Select **Policy Format** as **Text**
-8. Upload policy file with content in **Text** format or enter policy content in text area and click **Save**. See examples [here](/azure/attestation/policy-examples)
+8. Upload policy file with content in **Text** format or enter policy content in text area and click **Save**. See examples [here](./policy-examples.md)
For file upload option, policy preview will be shown in text format and policy preview is not editable.
@@ -160,20 +160,9 @@ a. Verify the certificates count and certs downloaded.
4. Click **Policy** in left-side resource menu or in the bottom pane 5. Click **Configure** in the top menu 6. When the attestation provider is created with policy signing requirement, user can upload a policy only in **signed JWT format**
-7. Upload policy file is **signed JWT format** and click **Save**. See examples [here](/azure/attestation/policy-examples)
+7. Upload policy file is **signed JWT format** and click **Save**. See examples [here](./policy-examples.md)
For file upload option, policy preview will be shown in text format and policy preview is not editable. 8. Click **Refresh** to view the configured policy
-
----------
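Review bot: step 7 on the added line still says "Upload policy file is **signed JWT format**", where "is" should be "in" to match step 6 ("only in **signed JWT format**"). For a provider created with the policy signing requirement this is the only accepted upload format, so the step should read unambiguously. "See examples [here]" would also be clearer with descriptive link text such as "policy examples".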
automanage https://docs.microsoft.com/en-us/azure/automanage/automanage-virtual-machines https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/automanage/automanage-virtual-machines.md
@@ -38,17 +38,17 @@ There are several prerequisites to consider before trying to enable Azure Automa
- Windows Server VMs only - VMs must be running-- VMs must be in a supported region
+- VMs must be in a supported region (see paragraph below)
- User must have correct permissions (see paragraph below) - Automanage does not support Sandbox subscriptions at this time
-You must have the **Contributor** role on the resource group containing your VMs to enable Automanage on VMs using an existing Automanage Account. If you are enabling Automanage with a new Automanage Account, you need the following permissions on your subscription: **Owner** role or **Contributor** along with **User Access Administrator** roles.
+It is also important to note that Automanage only supports Windows VMs located in the following regions: West Europe, East US, West US 2, Canada Central, West Central US, Japan East.
+
+You must have the **Contributor** role on the resource group containing your VMs to enable Automanage on VMs using an existing Automanage Account. If you are enabling Automanage with a new Automanage Account, you need the following permissions on your subscription: **Owner** role or **Contributor** along with **User Access Administrator** roles.
> [!NOTE] > If you want to use Automanage on a VM that is connected to a workspace in a different subscription, you must have the permissions described above on each subscription.
-It is also important to note that Automanage only supports Windows VMs located in the following regions: West Europe, East US, West US 2, Canada Central, West Central US, Japan East.
- ## Participating services :::image type="content" source="media\automanage-virtual-machines\intelligently-onboard-services.png" alt-text="Intelligently onboard services.":::
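Review bot: after this reorder both the region bullet and the permissions bullet end in "(see paragraph below)", but two different paragraphs follow the list, so a reader cannot tell which paragraph each bullet points to. Either name the target in each bullet (for example "see the supported regions listed below" and "see the required roles below") or fold the region list directly into the bullet.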
@@ -97,12 +97,20 @@ You can adjust the settings of a default configuration profile through preferenc
## Automanage Account
-The Automanage Account is the security context or the identity under which the automated operations occur. Typically, the Automanage Account option is unnecessary for you to select, but if there was a delegation scenario where you wanted to divide the automated management (perhaps between two system administrators), this option allows you to define an Azure identity for each of those administrators.
+The Automanage Account is the security context or the identity under which the automated operations occur. Typically, the Automanage Account option is unnecessary for you to select, but if there was a delegation scenario where you wanted to divide the automated management of your resources (perhaps between two system administrators), this option allows you to define an Azure identity for each of those administrators.
In the Azure portal experience, when you are enabling Automanage on your VMs, there is an Advanced dropdown on the **Enable Azure VM best practice** blade that allows you to assign or manually create the Automanage Account.
+The Automanage Account will be granted both **Contributor** and **Resource Policy Contributor** roles to the subscription(s) containing the machine(s) you onboard to Automanage. You may use the same Automanage Account on machines across multiple subscriptions, which will grant that Automanage Account **Contributor** and **Resource Policy Contributor** permissions on all subscriptions.
+
+If your VM is connected to a Log Analytics workspace in another subscription, the Automanage Account will be granted both **Contributor** and **Resource Policy Contributor** in that other subscription as well.
+
+If you are enabling Automanage with a new Automanage Account, you need the following permissions on your subscription: **Owner** role or **Contributor** along with **User Access Administrator** roles.
+
+If you are enabling Automanage with an existing Automanage Account, you need to have the **Contributor** role on the resource group containing your VMs.
+ > [!NOTE]
-> You need to have the **Contributor** role on the resource group containing your VMs to enable Automanage on VMs using an existing Automanage Account. If you are enabling Automanage with a new Automanage Account, you need the following permissions on your subscription: **Owner** role or **Contributor** along with **User Access Administrator** roles.
+> When you disable Automanage Best Practices, the Automanage Account's permissions on any associated subscriptions will remain. Manually remove the permissions by going to the subscription's IAM page or delete the Automanage Account. The Automanage Account cannot be deleted if it is still managing any machines.
## Status of VMs
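Review bot: the new note says the Automanage Account's permissions remain after Automanage Best Practices is disabled and must be removed manually, but it does not say which assignments to remove. Name them explicitly: **Contributor** and **Resource Policy Contributor** on every subscription the account was used in, including the subscription of a Log Analytics workspace in another subscription as described two paragraphs earlier, so that standing subscription-wide access is not left behind. The two "If you are enabling Automanage with ..." paragraphs also repeat the permissions paragraph that the prerequisites section keeps; keep one copy and link to it from the other place.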
@@ -117,6 +125,7 @@ The **Status** column can display the following states:
- *In-progress* - the VM was just enabled and is being configured - *Configured* - the VM is configured and no drift is detected - *Failed* - the VM has drifted and we were unable to remediate
+- *Pending* - the VM is currently not running, and Automanage will attempt to onboard or remediate the VM when it is next running
If you see the **Status** as *Failed*, you can troubleshoot the deployment through the Resource Group your VM is located in. Go to **Resource groups**, select your resource group, click on **Deployments** and see the *Failed* status there along with error details.
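Review bot: the added *Pending* state says Automanage will onboard or remediate a VM "when it is next running", yet the prerequisites list earlier in this same file still carries "VMs must be running", and the same bullet is removed from faq.md in this batch. Drop or reword that prerequisite here too so the two articles and the new status description agree.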
@@ -141,7 +150,6 @@ Read carefully through the messaging in the resulting pop-up before agreeing to
First and foremost, we will not off-board the virtual machine from any of the services that we onboarded it to and configured. So any charges incurred by those services will continue to remain billable. You will need to off-board if necessary. Any Automanage behavior will stop immediately. For example, we will no longer monitor the VM for drift. - ## Next steps In this article, you learned that Automanage for virtual machines provides a means for which you can eliminate the need for you to know of, onboard to, and configure best practices Azure services. In addition, if a machine you onboarded to Automanage for virtual machines drifts from the configuration profiles set up, we will automatically bring it back into compliance.
automanage https://docs.microsoft.com/en-us/azure/automanage/common-errors https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/automanage/common-errors.md new file mode 100644
@@ -0,0 +1,44 @@
+---
+title: Troubleshoot common Azure Automanage onboarding errors
+description: Common Automanage onboarding errors and how to troubleshoot them
+author: asinn826
+ms.service: virtual-machines
+ms.subservice: automanage
+ms.workload: infrastructure
+ms.topic: conceptual
+ms.date: 01/14/2021
+ms.author: alsin
+---
+
+# Troubleshoot common Automanage onboarding errors
+Automanage may fail to onboard a machine onto the service. This document explains how to troubleshoot deployment failures, shares some common reasons why deployments may fail, and describes potential next steps on mitigation.
+
+## Troubleshooting deployment failures
+Onboarding a machine to Automanage will result in an Azure Resource Manager deployment being created. If onboarding fails, it may be helpful to consult the deployment for further details as to why it failed. There are links to the deployments in the failure detail flyout, pictured below.
+
+:::image type="content" source="media\automanage-common-errors\failure-flyout.png" alt-text="Automanage failure detail flyout.":::
+
+### Check the deployments for the resource group containing the failed VM
+The failure flyout will contain a link to the deployments within the resource group that contains the machine that failed onboarding and a prefix name you can use to filter deployments with. Clicking the link will take you to the deployments blade, where you can then filter deployments to see Automanage deployments to your machine. If you're deploying across multiple regions, ensure that you click on the deployment in the correct region.
+
+### Check the deployments for the subscription containing the failed VM
+If you don't see any failures in the resource group deployment, then your next step would be to look at the deployments in your subscription containing the VM that failed onboarding. Click the **Deployments for subscription** link in the failure flyout and filter deployments using the **Automanage-DefaultResourceGroup** filter. Use the resource group name from the failure blade to filter deployments. The deployment name will be suffixed with a region name. If you're deploying across multiple regions, ensure that you click on the deployment in the correct region.
+
+### Check deployments in a subscription linked to a Log Analytics workspace
+If you don't see any failed deployments in the resource group or subscription containing your failed VM, and if your failed VM is connected to a Log Analytics workspace in a different subscription, then go to the subscription linked to your Log Analytics workspace and check for failed deployments.
+
+## Common deployment errors
+
+Error | Mitigation
+:-----|:-------------|
+Automanage account insufficient permissions error | This may happen if you have recently moved a subscription containing a new Automanage Account into a new tenant. Steps to resolve this are located [here](./repair-automanage-account.md).
+Workspace region not matching region mapping requirements | Automanage was unable to onboard your machine but the Log Analytics workspace that the machine is currently linked to is not mapped to a supported Automation region. Ensure that your existing Log Analytics workspace and Automation account are located in a [supported region mapping](https://docs.microsoft.com/azure/automation/how-to/region-mappings).
+"The assignment has failed; there is no additional information available" | Please open a case with Microsoft Azure support.
+
+## Next steps
+
+* [Learn more about Azure Automanage](./automanage-virtual-machines.md)
+
+> [!div class="nextstepaction"]
+> [Enable Automanage for virtual machines in the Azure portal](quick-create-virtual-machines-portal.md)
+
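Review bot: in the "Workspace region not matching region mapping requirements" row, the mitigation reads "Automanage was unable to onboard your machine but the Log Analytics workspace ... is not mapped to a supported Automation region". "but" should be "because", otherwise the sentence loses the cause it is trying to state. Smaller points in the same file: the delimiter row `:-----|:-------------|` has a trailing pipe that the header row lacks, the region-mappings link uses an absolute docs.microsoft.com URL while the other links in the file are relative, and in the subscription section the two consecutive filter instructions (**Automanage-DefaultResourceGroup**, then "the resource group name from the failure blade") should say whether they refer to the same value.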
automanage https://docs.microsoft.com/en-us/azure/automanage/faq https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/automanage/faq.md
@@ -23,7 +23,6 @@ If your Azure issue is not addressed in this article, visit the Azure forums on
The following are prerequisites for enabling Azure Automanage: - Windows Server VMs only-- VMs must be running - VMs must be in a supported region - User must have correct permissions - Non-scale set VMs only
automation https://docs.microsoft.com/en-us/azure/automation/how-to/region-mappings https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/automation/how-to/region-mappings.md
@@ -1,7 +1,7 @@
--- title: Supported regions for linked Log Analytics workspace description: This article describes the supported region mappings between an Automation account and a Log Analytics workspace as it relates to certain features of Azure Automation.
-ms.date: 12/15/2020
+ms.date: 01/21/2021
services: automation ms.topic: conceptual ms.custom: references_regions
@@ -27,13 +27,17 @@ The following table shows the supported mappings:
|**US**|| |EastUS<sup>1</sup>|EastUS2| |EastUS2<sup>2</sup>|EastUS|
+|WestUS|WestUS|
|WestUS2|WestUS2|
+|CentralUS|CentralUS|
|SouthCentralUS|SouthCentralUS| |WestCentralUS|WestCentralUS| |**Canada**|| |CanadaCentral|CanadaCentral| |**Asia Pacific**||
+|AustraliaEast|AustraliaEast|
|AustraliaSoutheast|AustraliaSoutheast|
+|EastAsia|EastAsia|
|SoutheastAsia|SoutheastAsia| |CentralIndia|CentralIndia| |ChinaEast2<sup>3</sup>|ChinaEast2|
automation https://docs.microsoft.com/en-us/azure/automation/policy-reference https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/automation/policy-reference.md
@@ -1,7 +1,7 @@
--- title: Built-in policy definitions for Azure Automation description: Lists Azure Policy built-in policy definitions for Azure Automation. These built-in policy definitions provide common approaches to managing your Azure resources.
-ms.date: 01/08/2021
+ms.date: 01/21/2021
ms.topic: reference ms.custom: subject-policy-reference ---
automation https://docs.microsoft.com/en-us/azure/automation/security-baseline https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/automation/security-baseline.md
@@ -554,7 +554,7 @@ Follow Azure Security Center recommendations for encryption at rest and encrypti
* [Understand encryption in transit with Azure](../security/fundamentals/encryption-overview.md#encryption-of-data-in-transit)
-* [Azure Automation TLS 1.2 enforcement](/azure/active-directory/hybrid/reference-connect-tls-enforcement)
+* [Azure Automation TLS 1.2 enforcement](../active-directory/hybrid/reference-connect-tls-enforcement.md)
**Azure Security Center monitoring**: Yes
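Review bot: the link labelled "Azure Automation TLS 1.2 enforcement" resolves to `../active-directory/hybrid/reference-connect-tls-enforcement.md`, which by its path sits under Azure AD hybrid documentation rather than Automation. Converting the URL to a relative path keeps that mismatch. Either point the bullet at TLS guidance for Automation itself or relabel the link so it matches its target.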
@@ -936,7 +936,7 @@ When using the Hybrid Runbook Worker feature, there are several options for main
For most scenarios, the Microsoft base VM templates combined with the Azure Automation State Configuration can assist in meeting and maintaining the security requirements.
-* [Information on how to download the VM template](../virtual-machines/windows/download-template.md)
+* [Information on how to download the VM template](/previous-versions/azure/virtual-machines/windows/download-template)
* [Information on creating ARM templates](../virtual-machines/windows/ps-template.md)
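Review bot: the VM template link now targets `/previous-versions/azure/virtual-machines/windows/download-template`, that is, archived content, from a security baseline that readers treat as current guidance. Consider replacing the bullet with a maintained article or removing it, rather than pointing a secure-configuration recommendation at retired documentation.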
availability-zones https://docs.microsoft.com/en-us/azure/availability-zones/az-region https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/availability-zones/az-region.md
@@ -32,7 +32,7 @@ Azure services supporting Availability Zones fall into three categories: **zonal
- **Non-regional services** ΓÇô Services that do not have dependency on a specific Azure region, making them resilient to zone-wide outages as well as region-wide outages.
-To achieve comprehensive business continuity on Azure, build your application architecture using the combination of Availability Zones with Azure region pairs. You can synchronously replicate your applications and data using Availability Zones within an Azure region for high-availability and asynchronously replicate across Azure regions for disaster recovery protection. To learn more, read [building solutions for high availability using Availability Zones](https://docs.microsoft.com/azure/architecture/high-availability/building-solutions-for-high-availability).
+To achieve comprehensive business continuity on Azure, build your application architecture using the combination of Availability Zones with Azure region pairs. You can synchronously replicate your applications and data using Availability Zones within an Azure region for high-availability and asynchronously replicate across Azure regions for disaster recovery protection. To learn more, read [building solutions for high availability using Availability Zones](/azure/architecture/high-availability/building-solutions-for-high-availability).
### Azure Services supporting Availability Zones
@@ -200,8 +200,8 @@ There is no additional cost for virtual machines deployed in an Availability Zon
- [Create a virtual machine](../virtual-machines/windows/create-portal-availability-zone.md) - [Add a Managed Disk using PowerShell](../virtual-machines/windows/attach-disk-ps.md#add-an-empty-data-disk-to-a-virtual-machine) - [Create a zone redundant virtual machine scale set](../virtual-machine-scale-sets/virtual-machine-scale-sets-use-availability-zones.md)-- [Load balance VMs across zones using a Standard Load Balancer with a zone-redundant frontend](https://docs.microsoft.com/azure/load-balancer/quickstart-load-balancer-standard-public-cli?tabs=option-1-create-load-balancer-standard)-- [Load balance VMs within a zone using a Standard Load Balancer with a zonal frontend](https://docs.microsoft.com/azure/load-balancer/quickstart-load-balancer-standard-public-cli?tabs=option-1-create-load-balancer-standard)
+- [Load balance VMs across zones using a Standard Load Balancer with a zone-redundant frontend](../load-balancer/quickstart-load-balancer-standard-public-cli.md?tabs=option-1-create-load-balancer-standard)
+- [Load balance VMs within a zone using a Standard Load Balancer with a zonal frontend](../load-balancer/quickstart-load-balancer-standard-public-cli.md?tabs=option-1-create-load-balancer-standard)
- [Zone-redundant storage](../storage/common/storage-redundancy.md) - [SQL Database general purpose tier](../azure-sql/database/high-availability-sla.md#general-purpose-service-tier-zone-redundant-availability-preview) - [Event Hubs geo-disaster recovery](../event-hubs/event-hubs-geo-dr.md#availability-zones)
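Review bot: the two added load balancer bullets ("across zones ... zone-redundant frontend" and "within a zone ... zonal frontend") both point to `../load-balancer/quickstart-load-balancer-standard-public-cli.md?tabs=option-1-create-load-balancer-standard`, the same target with the same tab. The path conversion preserves that duplication. If the quickstart has a separate tab or section for the zonal frontend, link the second bullet to it; otherwise merge the two bullets into one.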
@@ -209,11 +209,11 @@ There is no additional cost for virtual machines deployed in an Availability Zon
- [Create a zone-redundant virtual network gateway](../vpn-gateway/create-zone-redundant-vnet-gateway.md) - [Add zone redundant region for Azure Cosmos DB](../cosmos-db/high-availability.md#availability-zone-support) - [Getting Started Azure Cache for Redis Availability Zones](https://gist.github.com/JonCole/92c669ea482bbb7996f6428fb6c3eb97#file-redisazgettingstarted-md)-- [Create an Azure Active Directory Domain Services instance](https://docs.microsoft.com/azure/active-directory-domain-services/tutorial-create-instance)
+- [Create an Azure Active Directory Domain Services instance](../active-directory-domain-services/tutorial-create-instance.md)
- [Create an Azure Kubernetes Service (AKS) cluster that uses Availability Zones](../aks/availability-zones.md) ## Next steps > [!div class="nextstepaction"]
-> [Regions and Availability Zones in Azure](az-overview.md)
+> [Regions and Availability Zones in Azure](az-overview.md)
\ No newline at end of file
azure-app-configuration https://docs.microsoft.com/en-us/azure/azure-app-configuration/howto-best-practices https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/azure-app-configuration/howto-best-practices.md
@@ -88,7 +88,7 @@ App Configuration is regional service. For applications with different configura
## Client Applications in App Configuration
-Excessive requests to App Configuration can result in throttling or overage charges. Applications take advantage of the caching and intelligent refreshing currently available to optimize the number of requests they send. This process can be mirrored in high volume client applications by avoiding direct connections to the configuration store. Instead, client applications connect to a custom service, and this service communicates with the configuration store. This proxy solution can ensure the client applications do not approach the throttling limit on the configuration store. For more information on throttling, see [the FAQ](https://docs.microsoft.com/azure/azure-app-configuration/faq#are-there-any-limits-on-the-number-of-requests-made-to-app-configuration).
+Excessive requests to App Configuration can result in throttling or overage charges. Applications take advantage of the caching and intelligent refreshing currently available to optimize the number of requests they send. This process can be mirrored in high volume client applications by avoiding direct connections to the configuration store. Instead, client applications connect to a custom service, and this service communicates with the configuration store. This proxy solution can ensure the client applications do not approach the throttling limit on the configuration store. For more information on throttling, see [the FAQ](./faq.md#are-there-any-limits-on-the-number-of-requests-made-to-app-configuration).
## Next steps
azure-app-configuration https://docs.microsoft.com/en-us/azure/azure-app-configuration/policy-reference https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/azure-app-configuration/policy-reference.md
@@ -1,7 +1,7 @@
--- title: Built-in policy definitions for Azure App Configuration description: Lists Azure Policy built-in policy definitions for Azure App Configuration. These built-in policy definitions provide common approaches to managing your Azure resources.
-ms.date: 01/08/2021
+ms.date: 01/21/2021
ms.topic: reference author: AlexandraKemperMS ms.author: alkemper
azure-app-configuration https://docs.microsoft.com/en-us/azure/azure-app-configuration/pull-key-value-devops-pipeline https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/azure-app-configuration/pull-key-value-devops-pipeline.md
@@ -42,7 +42,7 @@ Now that your service connection is created, find the name of the service princi
Assign the proper App Configuration role to the service connection being used within the task so that the task can access the App Configuration store.
-1. Navigate to your target App Configuration store. For a walkthrough of setting up an App Configuration store, see [Create an App Configuration store](/azure/azure-app-configuration/quickstart-dotnet-core-app#create-an-app-configuration-store) in one of the Azure App Configuration quickstarts.
+1. Navigate to your target App Configuration store. For a walkthrough of setting up an App Configuration store, see [Create an App Configuration store](./quickstart-dotnet-core-app.md#create-an-app-configuration-store) in one of the Azure App Configuration quickstarts.
1. On the left, select **Access control (IAM)**. 1. At the top, select **+ Add** and pick **Add role assignment**. 1. Under **Role**, select **App Configuration Data Reader**. This role allows the task to read from the App Configuration store.
@@ -110,4 +110,4 @@ If an unexpected error occurs, debug logs can be enabled by setting the pipeline
**How do I compose my configuration from multiple keys and labels?**
-There are times when configuration may need to be composed from multiple labels, for example, default and dev. Multiple App Configuration tasks may be used in one pipeline to implement this scenario. The key-values fetched by a task in a later step will supersede any values from previous steps. In the aforementioned example, a task can be used to select key-values with the default label while a second task can select key-values with the dev label. The keys with the dev label will override the same keys with the default label.
+There are times when configuration may need to be composed from multiple labels, for example, default and dev. Multiple App Configuration tasks may be used in one pipeline to implement this scenario. The key-values fetched by a task in a later step will supersede any values from previous steps. In the aforementioned example, a task can be used to select key-values with the default label while a second task can select key-values with the dev label. The keys with the dev label will override the same keys with the default label.
\ No newline at end of file
azure-app-configuration https://docs.microsoft.com/en-us/azure/azure-app-configuration/quickstart-azure-functions-csharp https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/azure-app-configuration/quickstart-azure-functions-csharp.md
@@ -40,7 +40,7 @@ In this quickstart, you incorporate the Azure App Configuration service into an
[!INCLUDE [Create a project using the Azure Functions template](../../includes/functions-vstools-create.md)] ## Connect to an App Configuration store
-This project will use [dependency injection in .NET Azure Functions](/azure/azure-functions/functions-dotnet-dependency-injection) and add Azure App Configuration as an extra configuration source.
+This project will use [dependency injection in .NET Azure Functions](../azure-functions/functions-dotnet-dependency-injection.md) and add Azure App Configuration as an extra configuration source.
1. Right-click your project, and select **Manage NuGet Packages**. On the **Browse** tab, search for and add following NuGet packages to your project. - [Microsoft.Extensions.Configuration.AzureAppConfiguration](https://www.nuget.org/packages/Microsoft.Extensions.Configuration.AzureAppConfiguration/) version 4.1.0 or later
azure-app-configuration https://docs.microsoft.com/en-us/azure/azure-app-configuration/quickstart-feature-flag-azure-functions-csharp https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/azure-app-configuration/quickstart-feature-flag-azure-functions-csharp.md
@@ -43,7 +43,7 @@ The .NET Feature Management libraries extend the framework with feature flag sup
## Connect to an App Configuration store
-This project will use [dependency injection in .NET Azure Functions](/azure/azure-functions/functions-dotnet-dependency-injection). It adds Azure App Configuration as an extra configuration source where your feature flags are stored.
+This project will use [dependency injection in .NET Azure Functions](../azure-functions/functions-dotnet-dependency-injection.md). It adds Azure App Configuration as an extra configuration source where your feature flags are stored.
1. Right-click your project, and select **Manage NuGet Packages**. On the **Browse** tab, search for and add following NuGet packages to your project. - [Microsoft.Extensions.Configuration.AzureAppConfiguration](https://www.nuget.org/packages/Microsoft.Extensions.Configuration.AzureAppConfiguration/) version 4.1.0 or later
azure-app-configuration https://docs.microsoft.com/en-us/azure/azure-app-configuration/security-baseline https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/azure-app-configuration/security-baseline.md
@@ -326,7 +326,7 @@ Note: Managed identities are suggested where possible for authenticating to App
- [Create an access review of Azure resource roles in Privileged Identity Management(PIM)](../active-directory/privileged-identity-management/pim-resource-roles-start-access-review.md) -- [How to use Azure AD identity and access reviews](/azure/active-directory/governance/access-reviews-overview)
+- [How to use Azure AD identity and access reviews](../active-directory/governance/access-reviews-overview.md)
- [Authorize access to Azure App Configuration using Azure AD](concept-enable-rbac.md)
@@ -364,7 +364,7 @@ You should ensure that the credentials (such as password, certificate, or smart
- [Understand privileged access workstations](https://4sysops.com/archives/understand-the-microsoft-privileged-access-workstation-paw-security-model/) -- [Deploy a privileged access workstation](../active-directory/devices/howto-azure-managed-workstation.md)
+- [Deploy a privileged access workstation](/security/compass/privileged-access-deployment)
**Azure Security Center monitoring**: Not applicable
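Review bot: the neighbouring "Understand privileged access workstations" bullet still links to a third-party site (4sysops.com), while the deployment bullet now goes to `/security/compass/privileged-access-deployment`. Since this hunk already updates the PAW references, point the "understand" bullet at Microsoft-maintained content as well so the baseline does not depend on an external page that can change or disappear.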
@@ -476,7 +476,7 @@ Azure provides data at rest encryption by default. For highly sensitive data, yo
## Asset Management
-*For more information, see the [Azure Security Benchmark: Asset Management](/azure/security/benchmarks/security-controls-v2-asset-management).*
+*For more information, see the [Azure Security Benchmark: Asset Management](../security/benchmarks/security-controls-v2-asset-management.md).*
### AM-1: Ensure security team has visibility into risks for assets
@@ -552,7 +552,7 @@ Remove Azure resources when they are no longer needed. Ensure administrators reg
## Logging and Threat Detection
-*For more information, see the [Azure Security Benchmark: Logging and Threat Detection](/azure/security/benchmarks/security-controls-v2-logging-threat-detection).*
+*For more information, see the [Azure Security Benchmark: Logging and Threat Detection](../security/benchmarks/security-controls-v2-logging-threat-detection.md).*
### LT-2: Enable threat detection for Azure identity and access management
@@ -746,7 +746,7 @@ Use workflow automation features in Azure Security Center and Azure Sentinel to
## Posture and Vulnerability Management
-*For more information, see the [Azure Security Benchmark: Posture and Vulnerability Management](/azure/security/benchmarks/security-controls-v2-posture-vulnerability-management).*
+*For more information, see the [Azure Security Benchmark: Posture and Vulnerability Management](../security/benchmarks/security-controls-v2-posture-vulnerability-management.md).*
### PV-1: Establish secure configurations for Azure services
@@ -846,9 +846,9 @@ For more information, see the following references:
- [Cloud Adoption Framework - Azure data security and encryption best practices](../security/fundamentals/data-encryption-best-practices.md?bc=%2fazure%2fcloud-adoption-framework%2f_bread%2ftoc.json&toc=%2fazure%2fcloud-adoption-framework%2ftoc.json) -- [Azure Security Benchmark - Asset management](/azure/security/benchmarks/security-controls-v2-asset-management)
+- [Azure Security Benchmark - Asset management](../security/benchmarks/security-controls-v2-asset-management.md)
-- [Azure Security Benchmark - Data Protection](/azure/security/benchmarks/security-controls-v2-data-protection)
+- [Azure Security Benchmark - Data Protection](../security/benchmarks/security-controls-v2-data-protection.md)
**Azure Security Center monitoring**: Not applicable
@@ -876,7 +876,7 @@ Ensure that the segmentation strategy is implemented consistently across control
**Guidance**: Continuously measure and mitigate risks to your individual assets and the environment they are hosted in. Prioritize high value assets and highly-exposed attack surfaces, such as published applications, network ingress and egress points, user and administrator endpoints, etc. -- [Azure Security Benchmark - Posture and vulnerability management](/azure/security/benchmarks/security-controls-v2-posture-vulnerability-management)
+- [Azure Security Benchmark - Posture and vulnerability management](../security/benchmarks/security-controls-v2-posture-vulnerability-management.md)
**Azure Security Center monitoring**: Not applicable
@@ -917,7 +917,7 @@ This strategy should include documented guidance, policy, and standards for the
For more information, see the following references: - [Azure Security Best Practice 11 - Architecture. Single unified security strategy](/azure/cloud-adoption-framework/security/security-top-10#11-architecture-establish-a-single-unified-security-strategy) -- [Azure Security Benchmark - Network Security](/azure/security/benchmarks/security-controls-v2-network-security)
+- [Azure Security Benchmark - Network Security](../security/benchmarks/security-controls-v2-network-security.md)
- [Azure network security overview](../security/fundamentals/network-overview.md)
@@ -945,9 +945,9 @@ This strategy should include documented guidance, policy, and standards for the
For more information, see the following references: -- [Azure Security Benchmark - Identity management](/azure/security/benchmarks/security-controls-v2-identity-management)
+- [Azure Security Benchmark - Identity management](../security/benchmarks/security-controls-v2-identity-management.md)
-- [Azure Security Benchmark - Privileged access](/azure/security/benchmarks/security-controls-v2-privileged-access)
+- [Azure Security Benchmark - Privileged access](../security/benchmarks/security-controls-v2-privileged-access.md)
- [Azure Security Best Practice 11 - Architecture. Single unified security strategy](/azure/cloud-adoption-framework/security/security-top-10#11-architecture-establish-a-single-unified-security-strategy)
@@ -979,9 +979,9 @@ This strategy should include documented guidance, policy, and standards for the
For more information, see the following references: -- [Azure Security Benchmark - Logging and threat detection](/azure/security/benchmarks/security-controls-v2-logging-threat-detection)
+- [Azure Security Benchmark - Logging and threat detection](../security/benchmarks/security-controls-v2-logging-threat-detection.md)
-- [Azure Security Benchmark - Incident response](/azure/security/benchmarks/security-controls-v2-incident-response)
+- [Azure Security Benchmark - Incident response](../security/benchmarks/security-controls-v2-incident-response.md)
- [Azure Security Best Practice 4 - Process. Update Incident Response Processes for Cloud](/azure/cloud-adoption-framework/security/security-top-10#4-process-update-incident-response-ir-processes-for-cloud)
azure-app-configuration https://docs.microsoft.com/en-us/azure/azure-app-configuration/use-feature-flags-dotnet-core https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/azure-app-configuration/use-feature-flags-dotnet-core.md
@@ -103,7 +103,7 @@ The easiest way to connect your ASP.NET Core application to App Configuration is
.UseStartup<Startup>(); ```
-2. Open *Startup.cs* and update the `Configure` method to add the built-in middleware called `UseAzureAppConfiguration`. This middleware allows the feature flag values to be refreshed at a recurring interval while the ASP.NET Core web app continues to receive requests.
+2. Open *Startup.cs* and update the `Configure` and `ConfigureServices` method to add the built-in middleware called `UseAzureAppConfiguration`. This middleware allows the feature flag values to be refreshed at a recurring interval while the ASP.NET Core web app continues to receive requests.
```csharp public void Configure(IApplicationBuilder app, IWebHostEnvironment env)
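Review bot: The rewritten step 2 says to update the `Configure` and `ConfigureServices` method to add the middleware called `UseAzureAppConfiguration`, but the `ConfigureServices` code added in the next hunk calls `services.AddAzureAppConfiguration()` instead, so the sentence attributes the wrong call to that method. Suggest "methods" (plural) and pairing each method with its own call, for example: update `ConfigureServices` to call `AddAzureAppConfiguration`, and update `Configure` to add the `UseAzureAppConfiguration` middleware.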
@@ -113,6 +113,13 @@ The easiest way to connect your ASP.NET Core application to App Configuration is
} ```
+ ```csharp
+ public void ConfigureServices(IServiceCollection services)
+ {
+ services.AddAzureAppConfiguration();
+ }
+ ```
+
Feature flag values are expected to change over time. By default, the feature flag values are cached for a period of 30 seconds, so a refresh operation triggered when the middleware receives a request would not update the value until the cached value expires. The following code shows how to change the cache expiration time or polling interval to 5 minutes in the `options.UseFeatureFlags()` call. ```csharp
@@ -301,4 +308,4 @@ In this tutorial, you learned how to implement feature flags in your ASP.NET Cor
* [ASP.NET Core feature flag sample code](./quickstart-feature-flag-aspnet-core.md) * [Microsoft.FeatureManagement documentation](/dotnet/api/microsoft.featuremanagement)
-* [Manage feature flags](./manage-feature-flags.md)
\ No newline at end of file
+* [Manage feature flags](./manage-feature-flags.md)
azure-arc https://docs.microsoft.com/en-us/azure/azure-arc/data/create-data-controller-azure-data-studio https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/azure-arc/data/create-data-controller-azure-data-studio.md
@@ -34,29 +34,29 @@ Follow these steps to create an Azure Arc data controller using the Deployment w
5. Use the default kubeconfig file or select another one. Click **Next**. 6. Choose a Kubernetes cluster context. Click **Next**. 7. Choose a deployment configuration profile depending on your target Kubernetes cluster. **Click Next**.
-8. Choose the desired subscription and resource group.
-9. Select an Azure location.
+8. If you are using Azure Red Hat OpenShift or Red Hat OpenShift container platform, apply security context constraints. Follow the instructions at [Apply a security context constraint for Azure Arc enabled data services on OpenShift](how-to-apply-security-context-constraint.md).
+
+ >[!IMPORTANT]
+ >On Azure Red Hat OpenShift or Red Hat OpenShift container platform, you must apply the security context constraint before you create the data controller.
+
+1. Choose the desired subscription and resource group.
+1. Select an Azure location.
- > [!NOTE]
- > The Azure location selected here is the location in Azure where the *metadata* about the data controller and the database instances that it manages will be stored. The data controller and database instances will be actually crewted in your Kubernetes cluster wherever that may be.
+ The Azure location selected here is the location in Azure where the *metadata* about the data controller and the database instances that it manages will be stored. The data controller and database instances will be actually crewted in your Kubernetes cluster wherever that may be.
10. Select the appropriate Connectivity Mode. Learn more on [Connectivity modes](https://docs.microsoft.com/azure/azure-arc/data/connectivity). **Click Next**.
- > [!NOTE]
- > If you select direct connectivity mode Service Principal credentials are required as described in [Create service principal](upload-metrics-and-logs-to-azure-monitor.md#create-service-principal).
-11. Enter a name for the data controller and for the namespace that the data controller will be created in.
+ If you select direct connectivity mode Service Principal credentials are required as described in [Create service principal](upload-metrics-and-logs-to-azure-monitor.md#create-service-principal).
-> [!NOTE]
-> If the namespace already exists it will be used if the namespace does not already contain other Kubernetes objects - pods, etc. If the namespace does not exist, an attempt to create the namespace will be made. Creating a namespace in a Kubernetes cluster requires Kubernetes cluster administrator privileges. If you don't have Kubernetes cluster administrator privileges, ask your Kubernetes cluster administrator to perform the first few steps in the [Create a data controller using Kubernetes-native tools](./create-data-controller-using-kubernetes-native-tools.md) article which are required to be performed by a Kubernetes administrator before you complete this wizard.
+11. Enter a name for the data controller and for the namespace that the data controller will be created in.
-> [!NOTE]
-> Note: the data controller and namespace name will be used to create a custom resource in the Kubernetes cluster so they must conform to [Kubernetes naming conventions](https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names).
+ The data controller and namespace name will be used to create a custom resource in the Kubernetes cluster so they must conform to [Kubernetes naming conventions](https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names).
+
+ If the namespace already exists it will be used if the namespace does not already contain other Kubernetes objects - pods, etc. If the namespace does not exist, an attempt to create the namespace will be made. Creating a namespace in a Kubernetes cluster requires Kubernetes cluster administrator privileges. If you don't have Kubernetes cluster administrator privileges, ask your Kubernetes cluster administrator to perform the first few steps in the [Create a data controller using Kubernetes-native tools](./create-data-controller-using-kubernetes-native-tools.md) article which are required to be performed by a Kubernetes administrator before you complete this wizard.
-12. Select the storage class where the data controller will be deployed.
-13. Enter a username and password and confirm the password for the data controller administrator user account. **Click Next**.
-> [!NOTE]
-> The password must be at least 8 characters long.
+12. Select the storage class where the data controller will be deployed.
+13. Enter a username and password and confirm the password for the data controller administrator user account. Click **Next**.
14. Review the deployment configuration. 15. Click the **Deploy** to deploy the desired configuration or the **Script to Notebook** to review the deployment instructions or make any changes necessary such as storage class names or service types. Click **Run All** at the top of the notebook.
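Review bot: Step numbering in this list is now mixed: the new OpenShift step is numbered 8, the next two steps are renumbered `1.`, and the steps after them keep their explicit 10 to 15, so the source no longer reflects the one-step shift that the insertion causes. Use `1.` throughout or renumber explicitly. Three further points on the added lines: the relocated Azure location text keeps the typo "crewted"; the note "The password must be at least 8 characters long" is removed from step 13 with no replacement, so if the requirement still applies it should stay; and "If you select direct connectivity mode Service Principal credentials are required" needs a comma after "mode".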
@@ -87,4 +87,4 @@ kubectl describe po/<pod name> --namespace arc
## Troubleshooting creation problems
-If you encounter any troubles with creation, please see the [troubleshooting guide](troubleshoot-guide.md).
+If you encounter any troubles with creation, please see the [troubleshooting guide](troubleshoot-guide.md).
\ No newline at end of file
azure-arc https://docs.microsoft.com/en-us/azure/azure-arc/data/create-data-controller-resource-in-azure-portal https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/azure-arc/data/create-data-controller-resource-in-azure-portal.md
@@ -35,7 +35,7 @@ Follow the steps below to create an Azure Arc data controller using the Azure po
6. Click on the **Data controller details** button. 7. Choose a subscription, resource group and Azure location just like you would for any other resource that you would create in the Azure portal. In this case the Azure location that you select will be where the metadata about the resource will be stored. The resource itself will be created on whatever infrastructure you choose. It doesn't need to be on Azure infrastructure. 8. Enter a name for your data controller.
-9. Select the connectivity mode for the data controller. Learn more about [Connectivity modes and requirements](https://docs.microsoft.com/azure/azure-arc/data/connectivity).
+9. Select the connectivity mode for the data controller. Learn more about [Connectivity modes and requirements](./connectivity.md).
> [!NOTE] > If you select **direct** connectivity mode, ensure the Service Principal credentials are set via environment variables as described in [Create service principal](upload-metrics-and-logs-to-azure-monitor.md#create-service-principal).
@@ -72,4 +72,4 @@ kubectl describe po/<pod name> --namespace arc
## Troubleshooting creation problems
-If you encounter any troubles with creation, please see the [troubleshooting guide](troubleshoot-guide.md).
+If you encounter any troubles with creation, please see the [troubleshooting guide](troubleshoot-guide.md).
\ No newline at end of file
azure-arc https://docs.microsoft.com/en-us/azure/azure-arc/data/create-data-controller-using-azdata https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/azure-arc/data/create-data-controller-using-azdata.md
@@ -54,7 +54,7 @@ kubectl config current-context
### Connectivity modes
-As described in [Connectivity modes and requirements](https://docs.microsoft.com/azure/azure-arc/data/connectivity), Azure Arc data controller can be deployed either with either `direct` or `indirect` connectivity mode. With `direct` connectivity mode, usage data is automatically and continuously sent to Azure. In this articles, the examples specify `direct` connectivity mode as follows:
+As described in [Connectivity modes and requirements](./connectivity.md), Azure Arc data controller can be deployed either with either `direct` or `indirect` connectivity mode. With `direct` connectivity mode, usage data is automatically and continuously sent to Azure. In this articles, the examples specify `direct` connectivity mode as follows:
```console --connectivity-mode direct
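Review bot: The changed line still reads "can be deployed either with either `direct` or `indirect` connectivity mode" and "In this articles"; since the line is already being touched for the link fix, correct both (a single "with either", and "In this article").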
@@ -261,35 +261,11 @@ Once you have run the command, continue on to [Monitoring the creation status](#
### Create on Azure Red Hat OpenShift (ARO)
-#### Apply the SCC
+Azure Red Hat OpenShift requires a security context constraint.
-Before you create the data controller on Azure Red Hat OpenShift, you will need to apply specific security context constraints (SCC). For the preview release, these relax the security constraints. Future releases will provide updated SCC.
-
-1. Download the custom security context constraint (SCC). Use one of the following:
- - [GitHub](https://github.com/microsoft/azure_arc/tree/main/arc_data_services/deploy/yaml/arc-data-scc.yaml)
- - ([Raw](https://raw.githubusercontent.com/microsoft/azure_arc/main/arc_data_services/deploy/yaml/arc-data-scc.yaml))
- - `curl`
- The following command downloads arc-data-scc.yaml:
-
- ```console
- curl https://raw.githubusercontent.com/microsoft/azure_arc/main/arc_data_services/deploy/yaml/arc-data-scc.yaml -o arc-data-scc.yaml
- ```
-
-1. Create SCC.
-
- ```console
- oc create -f arc-data-scc.yaml
- ```
-
-1. Apply the SCC to the service account.
-
- > [!NOTE]
- > Use the same namespace here and in the `azdata arc dc create` command below. Example is `arc`.
-
- ```console
- oc adm policy add-scc-to-user arc-data-scc --serviceaccount default --namespace arc
- ```
+#### Apply the security context
+[!INCLUDE [apply-security-context-constraint](includes/apply-security-context-constraint.md)]
#### Create custom deployment profile
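Review bot: The heading added here is "Apply the security context", while the matching Red Hat OCP section later in this file uses "Apply the security context constraint"; use the full term in both so the headings and their anchors match. The `[!INCLUDE]` line also follows the heading with no blank line between them, and the removed sentence "Future releases will provide updated SCC." is not carried into the include, so confirm that dropping it is intended.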
@@ -320,34 +296,11 @@ Once you have run the command, continue on to [Monitoring the creation status](#
> [!NOTE] > If you are using Red Hat OpenShift Container Platform on Azure, it is recommended to use the latest available version.
-#### Apply the SCC
+Before you create the data controller on Red Hat OCP, you will need to apply specific security context constraints.
-Before you create the data controller on Red Hat OCP, you will need to apply specific security context constraints (SCC). For the preview release, these relax the security constraints. Future releases will provide updated SCC.
+#### Apply the security context constraint
-1. Download the custom security context constraint (SCC). Use one of the following:
- - [GitHub](https://github.com/microsoft/azure_arc/tree/main/arc_data_services/deploy/yaml/arc-data-scc.yaml)
- - ([Raw](https://raw.githubusercontent.com/microsoft/azure_arc/main/arc_data_services/deploy/yaml/arc-data-scc.yaml))
- - `curl`
- The following command downloads arc-data-scc.yaml:
-
- ```console
- curl https://raw.githubusercontent.com/microsoft/azure_arc/main/arc_data_services/deploy/yaml/arc-data-scc.yaml -o arc-data-scc.yaml
- ```
-
-1. Create SCC.
-
- ```console
- oc create -f arc-data-scc.yaml
- ```
-
-1. Apply the SCC to the service account.
-
- > [!NOTE]
- > Use the same namespace here and in the `azdata arc dc create` command below. Example is `arc`.
-
- ```console
- oc adm policy add-scc-to-user arc-data-scc --serviceaccount default --namespace arc
- ```
+[!INCLUDE [apply-security-context-constraint](includes/apply-security-context-constraint.md)]
#### Determine storage class
@@ -529,4 +482,4 @@ kubectl describe po/<pod name> --namespace arc
## Troubleshooting creation problems
-If you encounter any troubles with creation, see the [troubleshooting guide](troubleshoot-guide.md).
+If you encounter any troubles with creation, see the [troubleshooting guide](troubleshoot-guide.md).
\ No newline at end of file
azure-arc https://docs.microsoft.com/en-us/azure/azure-arc/data/how-to-apply-security-context-constraint https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/azure-arc/data/how-to-apply-security-context-constraint.md new file mode 100644
@@ -0,0 +1,31 @@
+---
+title: How to apply security context constraint
+description: Apply a security context constraint for Azure Red Hat OpenShift or Red Hat OpenShift Container Platform
+services: azure-arc
+ms.service: azure-arc
+ms.subservice: azure-arc-data
+author: dnethi
+ms.author: dinethi
+ms.reviewer: mikeray
+ms.date: 01/15/2021
+ms.topic: how-to
+---
+
+# Apply a security context constraint for Azure Arc enabled data services on OpenShift
+
+This article describes how to apply a security context constraint for Azure Arc enabled data services.
+
+## Applicability
+
+It applies to deployments on Azure Red Hat OpenShift or Red Hat OpenShift Container platform.
+
+## Apply security context constraint
+
+[!INCLUDE [apply-security-context-constraint](includes/apply-security-context-constraint.md)]
+
+## Next steps
+
+- [Create the Azure Arc data controller](create-data-controller.md)
+- [Create data controller in Azure Data Studio](create-data-controller-azure-data-studio.md)
+- [Create Azure Arc data controller using the [!INCLUDE [azure-data-cli-azdata](../../../includes/azure-data-cli-azdata.md)]](create-data-controller-using-azdata.md)
+
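Review bot: In "Next steps", the last entry nests an `[!INCLUDE ...]` inside the link text of another link; check in the build preview that it renders as a single link with the intended label. Two smaller points: "Red Hat OpenShift Container platform" in the Applicability section is capitalized differently from the front-matter description ("Red Hat OpenShift Container Platform"), and the front matter has `author: dnethi` next to `ms.author: dinethi`, so confirm both aliases are correct.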
azure-arc https://docs.microsoft.com/en-us/azure/azure-arc/data/includes/apply-security-context-constraint https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/azure-arc/data/includes/apply-security-context-constraint.md new file mode 100644
@@ -0,0 +1,35 @@
+---
+author: MikeRayMSFT
+ms.service: azure-arc
+ms.subservice: azure-arc-data
+ms.topic: include
+ms.date: 01/15/2021
+ms.author: mikeray
+---
+
+This section explains how to apply a security context constraint (SCC). For the preview release, these relax the security constraints.
+
+1. Download the custom security context constraint (SCC). Use one of the following:
+ - [GitHub](https://github.com/microsoft/azure_arc/tree/main/arc_data_services/deploy/yaml/arc-data-scc.yaml)
+ - ([Raw](https://raw.githubusercontent.com/microsoft/azure_arc/main/arc_data_services/deploy/yaml/arc-data-scc.yaml))
+ - `curl`
+ The following command downloads arc-data-scc.yaml:
+
+ ```console
+ curl https://raw.githubusercontent.com/microsoft/azure_arc/main/arc_data_services/deploy/yaml/arc-data-scc.yaml -o arc-data-scc.yaml
+ ```
+
+1. Create SCC.
+
+ ```console
+ oc create -f arc-data-scc.yaml
+ ```
+
+1. Apply the SCC to the service account.
+
+ > [!NOTE]
+ > Use the same namespace here and in the `azdata arc dc create` command below. Example is `arc`.
+
+ ```console
+ oc adm policy add-scc-to-user arc-data-scc --serviceaccount default --namespace arc
+ ```
\ No newline at end of file
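Review bot: Step 1 downloads `arc-data-scc.yaml` from the `main` branch and step 2 applies it with `oc create -f`, so the constraint that gets applied can change without this article changing, and the intro states that it relaxes the security constraints. Suggest linking to a tagged release or a specific commit and adding a step to review the file's contents before creating it. Also, the note in step 3 refers to the `azdata arc dc create` command "below", which does not hold when this include is pulled into the standalone how-to article or reached from the Azure Data Studio steps; reword it so it is correct in every including article. The file also ends without a trailing newline.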
azure-arc https://docs.microsoft.com/en-us/azure/azure-arc/kubernetes/policy-reference https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/azure-arc/kubernetes/policy-reference.md
@@ -1,7 +1,7 @@
--- title: Built-in policy definitions for Azure Arc enabled Kubernetes description: Lists Azure Policy built-in policy definitions for Azure Arc enabled Kubernetes. These built-in policy definitions provide common approaches to managing your Azure resources.
-ms.date: 01/08/2021
+ms.date: 01/21/2021
ms.service: azure-arc #ms.subservice: azure-arc-kubernetes coming soon author: mlearned
azure-arc https://docs.microsoft.com/en-us/azure/azure-arc/kubernetes/use-gitops-connected-cluster https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/azure-arc/kubernetes/use-gitops-connected-cluster.md
@@ -134,7 +134,7 @@ Command group 'k8sconfiguration' is in preview. It may be changed/removed in a f
> [!NOTE] > HTTPS Helm release private auth is supported only with Helm operator chart version >= 1.2.0. Version 1.2.0 is used by default. > HTTPS Helm release private auth is not supported currently for Azure Kubernetes Services managed clusters.
-> If you need Flux to access the Git repo through your proxy, then you will need to update the Azure Arc agents with the proxy settings. [More information](https://docs.microsoft.com/azure/azure-arc/kubernetes/connect-cluster#connect-using-an-outbound-proxy-server)
+> If you need Flux to access the Git repo through your proxy, then you will need to update the Azure Arc agents with the proxy settings. [More information](./connect-cluster.md#connect-using-an-outbound-proxy-server)
#### Additional Parameters
@@ -360,4 +360,4 @@ Command group 'k8sconfiguration' is in preview. It may be changed/removed in a f
## Next steps - [Use Helm with source control configuration](./use-gitops-with-helm.md)-- [Use Azure Policy to govern cluster configuration](./use-azure-policy.md)
+- [Use Azure Policy to govern cluster configuration](./use-azure-policy.md)
\ No newline at end of file
azure-arc https://docs.microsoft.com/en-us/azure/azure-arc/servers/manage-vm-extensions-portal https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/azure-arc/servers/manage-vm-extensions-portal.md
@@ -1,7 +1,7 @@
--- title: Enable VM extension from Azure portal description: This article describes how to deploy virtual machine extensions to Azure Arc enabled servers running in hybrid cloud environments from the Azure portal.
-ms.date: 11/06/2020
+ms.date: 01/22/2020
ms.topic: conceptual ---
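Review bot: `ms.date` changes from 11/06/2020 to 01/22/2020, which moves the date backwards; the year looks like a typo for 2021.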
@@ -35,6 +35,18 @@ VM extensions can be applied your Arc for server managed machine through the Azu
>[!NOTE] >While multiple extensions can be batched together and processed, they are installed serially. Once the first extension installation is complete, installation of the next extension is attempted.
+## List extensions installed
+
+You can get a list of the VM extensions on your Arc enabled server from the Azure portal. Perform the following steps to see them.
+
+1. From your browser, go to the [Azure portal](https://portal.azure.com).
+
+2. In the portal, browse to **Servers - Azure Arc** and select your hybrid machine from the list.
+
+3. Choose **Extensions**, and the list of installed extensions is returned.
+
+ ![List VM extension deployed to selected machine](./media/manage-vm-extensions/list-vm-extensions.png)
+ ## Uninstall extension You can remove one or more extensions from an Arc enabled server from the Azure portal. Perform the following steps to remove an extension.
azure-arc https://docs.microsoft.com/en-us/azure/azure-arc/servers/policy-reference https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/azure-arc/servers/policy-reference.md
@@ -1,7 +1,7 @@
--- title: Built-in policy definitions for Azure Arc enabled servers description: Lists Azure Policy built-in policy definitions for Azure Arc enabled servers (preview). These built-in policy definitions provide common approaches to managing your Azure resources.
-ms.date: 01/08/2021
+ms.date: 01/21/2021
ms.topic: reference ms.custom: subject-policy-reference ---
azure-australia https://docs.microsoft.com/en-us/azure/azure-australia/gateway-secure-remote-administration https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/azure-australia/gateway-secure-remote-administration.md
@@ -123,7 +123,7 @@ The privileged workstation is a hardened machine that can be used to perform adm
|Resources|Link| |---|---|
-|Privileged Access Workstations Architecture Overview|[https://4sysops.com/archives/understand-the-microsoft-privileged-access-workstation-paw-security-model/](/windows-server/identity/securing-privileged-access/privileged-access-workstations)|
+|Privileged Access Workstations Architecture Overview|[https://4sysops.com/archives/understand-the-microsoft-privileged-access-workstation-paw-security-model/](/security/compass/privileged-access-deployment)|
|Securing Privileged Access Reference Material|[https://docs.microsoft.com/windows-server/identity/securing-privileged-access/securing-privileged-access-reference-material](/windows-server/identity/securing-privileged-access/securing-privileged-access-reference-material)| ### Mobile device
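Review bot: In the changed table row, the visible link text is still the 4sysops.com URL while the target is now `/security/compass/privileged-access-deployment`, so the address a reader sees is not where the link goes. Replace the visible text with the title or URL of the new target, and check that the row label "Privileged Access Workstations Architecture Overview" still describes it, since the new path indicates deployment guidance.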
azure-cache-for-redis https://docs.microsoft.com/en-us/azure/azure-cache-for-redis/policy-reference https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/azure-cache-for-redis/policy-reference.md
@@ -1,7 +1,7 @@
--- title: Built-in policy definitions for Azure Cache for Redis description: Lists Azure Policy built-in policy definitions for Azure Cache for Redis. These built-in policy definitions provide common approaches to managing your Azure resources.
-ms.date: 01/08/2021
+ms.date: 01/21/2021
ms.topic: reference author: yegu-ms ms.author: yegu
azure-functions https://docs.microsoft.com/en-us/azure/azure-functions/functions-app-settings https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/azure-functions/functions-app-settings.md
@@ -224,12 +224,14 @@ The value for this key is supplied in the format `<DESTINATION>:<VERBOSITY>`, wh
## WEBSITE\_CONTENTAZUREFILECONNECTIONSTRING
-For Consumption & Premium plans only. Connection string for storage account where the function app code and configuration are stored. See [Create a function app](functions-infrastructure-as-code.md#create-a-function-app).
+Connection string for storage account where the function app code and configuration are stored in event-driven scaling plans running on Windows. For more information, see [Create a function app](functions-infrastructure-as-code.md#windows).
|Key|Sample value| |---|------------| |WEBSITE_CONTENTAZUREFILECONNECTIONSTRING|DefaultEndpointsProtocol=https;AccountName=[name];AccountKey=[key]|
+Only used when deploying to a Consumption or Premium plans running on Windows. Not supported for Linux. Changing or removing this setting may cause your function app to not start. To learn more, see [this troubleshooting article](functions-recover-storage-account.md#storage-account-application-settings-were-deleted).
+ ## WEBSITE\_CONTENTOVERVNET For Premium plans only. A value of `1` enables your function app to scale when you have your storage account restricted to a virtual network. You should enable this setting when restricting your storage account to a virtual network. To learn more, see [Restrict your storage account to a virtual network](functions-networking-options.md#restrict-your-storage-account-to-a-virtual-network-preview).
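Review bot: The applicability of this setting is now stated twice in different terms: "event-driven scaling plans running on Windows" in the opening sentence and "a Consumption or Premium plans running on Windows" in the paragraph added after the table. State it once, before the table, using one term, and keep the warning that changing or removing the setting may prevent the function app from starting next to it. The added paragraph also needs "a Consumption or Premium plan" (singular).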
@@ -240,12 +242,16 @@ For Premium plans only. A value of `1` enables your function app to scale when y
## WEBSITE\_CONTENTSHARE
-For Consumption & Premium plans only. The file path to the function app code and configuration. Used with WEBSITE_CONTENTAZUREFILECONNECTIONSTRING. Default is a unique string that begins with the function app name. See [Create a function app](functions-infrastructure-as-code.md#create-a-function-app).
+The file path to the function app code and configuration in an event-driven scaling plan on Windows. Used with WEBSITE_CONTENTAZUREFILECONNECTIONSTRING. Default is a unique string that begins with the function app name. See [Create a function app](functions-infrastructure-as-code.md#windows).
|Key|Sample value| |---|------------| |WEBSITE_CONTENTSHARE|functionapp091999e2|
+Only used by function apps on a Consumption or Premium plans running on Windows. Not supported for Linux. Changing or removing this setting may cause your function app to not start. To learn more, see [this troubleshooting article](functions-recover-storage-account.md#storage-account-application-settings-were-deleted).
+
+When using a Azure Resource Manager to create a function app during deployment, don't include WEBSITE_CONTENTSHARE in the template. This application setting is generated during deployment. To learn more, see [Automate resource deployment for your function app](functions-infrastructure-as-code.md#windows).
+ ## WEBSITE\_MAX\_DYNAMIC\_APPLICATION\_SCALE\_OUT The maximum number of instances that the function app can scale out to. Default is no limit.
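Review bot: The two added paragraphs can read as contradictory: the first warns that changing or removing the setting may cause the function app to not start, and the second says not to include `WEBSITE_CONTENTSHARE` in the template. Say explicitly that the omission applies when the app is first created, because the setting is generated during that deployment. Wording fixes in the same lines: "a Consumption or Premium plans" should be "plan", and "When using a Azure Resource Manager to create a function app" should read "an Azure Resource Manager template".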
azure-functions https://docs.microsoft.com/en-us/azure/azure-functions/functions-bindings-http-webhook-trigger https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/azure-functions/functions-bindings-http-webhook-trigger.md
@@ -745,6 +745,10 @@ The following configuration shows how the `{id}` parameter is passed to the bind
} ```
+When you use route parameters, an `invoke_URL_template` is automatically created for your function. Your clients can use the URL template to understand the parameters they need to pass in the URL when calling your function using its URL. Navigate to one of your HTTP-triggered functions in the [Azure portal](https://portal.azure.com) and select **Get function URL**.
+
+You can programmatically access the `invoke_URL_template` by using the Azure Resource Manager APIs for [List Functions](https://docs.microsoft.com/rest/api/appservice/webapps/listfunctions) or [Get Function](https://docs.microsoft.com/rest/api/appservice/webapps/getfunction).
+ ## Working with client identities If your function app is using [App Service Authentication / Authorization](../app-service/overview-authentication-authorization.md), you can view information about authenticated clients from your code. This information is available as [request headers injected by the platform](../app-service/app-service-authentication-how-to.md#access-user-claims).
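Review bot: The two API links added here use absolute `https://docs.microsoft.com/rest/api/...` URLs, while the key-management links added in the next hunk of this file use site-relative `/rest/api/...` paths; use the relative form in both places. The first added paragraph also ends with "select **Get function URL**" without saying what the reader should expect to see there; add a clause tying that step back to the `invoke_URL_template`.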
@@ -842,11 +846,17 @@ The authenticated user is available via [HTTP Headers](../app-service/app-servic
## Obtaining keys
-Keys are stored as part of your function app in Azure and are encrypted at rest. To view your keys, create new ones, or roll keys to new values, navigate to one of your HTTP-triggered functions in the [Azure portal](https://portal.azure.com) and select **Manage**.
+Keys are stored as part of your function app in Azure and are encrypted at rest. To view your keys, create new ones, or roll keys to new values, navigate to one of your HTTP-triggered functions in the [Azure portal](https://portal.azure.com) and select **Function Keys**.
+
+You can also manage host keys. Navigate to the function app in the [Azure portal](https://portal.azure.com) and select **App keys**.
+
+You can obtain function and host keys programmatically by using the Azure Resource Manager APIs. There are APIs to [List Function Keys](/rest/api/appservice/webapps/listfunctionkeys) and [List Host Keys](/rest/api/appservice/webapps/listhostkeys), and when using deployment slots the equivalent APIs are [List Function Keys Slot](/rest/api/appservice/webapps/listfunctionkeysslot) and [List Host Keys Slot](/rest/api/appservice/webapps/listhostkeysslot).
+
+You can also create new function and host keys programmatically by using the [Create Or Update Function Secret](/rest/api/appservice/webapps/createorupdatefunctionsecret), [Create Or Update Function Secret Slot](/rest/api/appservice/webapps/createorupdatefunctionsecretslot), [Create Or Update Host Secret](/rest/api/appservice/webapps/createorupdatehostsecret) and [Create Or Update Host Secret Slot](/rest/api/appservice/webapps/createorupdatehostsecretslot) APIs.
-![Manage function keys in the portal.](./media/functions-bindings-http-webhook/manage-function-keys.png)
+Function and host keys can be deleted programmatically by using the [Delete Function Secret](/rest/api/appservice/webapps/deletefunctionsecret), [Delete Function Secret Slot](/rest/api/appservice/webapps/deletefunctionsecretslot), [Delete Host Secret](/rest/api/appservice/webapps/deletehostsecret), and [Delete Host Secret Slot](/rest/api/appservice/webapps/deletehostsecretslot) APIs.
-You may obtain function keys programmatically by using [Key management APIs](https://github.com/Azure/azure-functions-host/wiki/Key-management-API).
+You can also use the [legacy key management APIs to obtain function keys](https://github.com/Azure/azure-functions-host/wiki/Key-management-API), but using the Azure Resource Manager APIs is recommended instead.
## API key authorization
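Review bot: The added paragraphs under "Obtaining keys" list the Resource Manager operations that read, create and delete function and host keys, but none of them says what authorization a caller needs on the function app to invoke them. Because the list operations return secret values, a sentence here on the required permission and on limiting who holds it would help readers who automate key retrieval or rotation. Two smaller points: the portal labels are capitalized inconsistently (**Function Keys** versus **App keys**), so check both against the portal. The screenshot is also removed without a replacement, even though the portal step it illustrated was only renamed.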
azure-functions https://docs.microsoft.com/en-us/azure/azure-functions/functions-infrastructure-as-code https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/azure-functions/functions-infrastructure-as-code.md
@@ -208,9 +208,11 @@ If you do explicitly define your Consumption plan, you will need to set the `ser
### Create a function app
+The settings required by a function app running in Consumption plan defer between Windows and Linux.
+ #### Windows
-On Windows, a Consumption plan requires two additional settings in the site configuration: `WEBSITE_CONTENTAZUREFILECONNECTIONSTRING` and `WEBSITE_CONTENTSHARE`. These properties configure the storage account and file path where the function app code and configuration are stored.
+On Windows, a Consumption plan requires an additional setting in the site configuration: [`WEBSITE_CONTENTAZUREFILECONNECTIONSTRING`](functions-app-settings.md#website_contentazurefileconnectionstring). This property configures the storage account where the function app code and configuration are stored.
```json {
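Review bot: Typo in the added intro sentence under "Create a function app": "defer between Windows and Linux" should be "differ between Windows and Linux", and "running in Consumption plan" needs an article ("in a Consumption plan"). In the rewritten Windows paragraph, the first sentence calls `WEBSITE_CONTENTAZUREFILECONNECTIONSTRING` a "setting" and the next calls it a "property". Use "setting" in both, since the link target is the app settings reference.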
@@ -233,10 +235,6 @@ On Windows, a Consumption plan requires two additional settings in the site conf
"name": "WEBSITE_CONTENTAZUREFILECONNECTIONSTRING", "value": "[concat('DefaultEndpointsProtocol=https;AccountName=', variables('storageAccountName'), ';AccountKey=', listKeys(variables('storageAccountid'),'2019-06-01').keys[0].value)]" },
- {
- "name": "WEBSITE_CONTENTSHARE",
- "value": "[toLower(variables('functionAppName'))]"
- },
{ "name": "FUNCTIONS_WORKER_RUNTIME", "value": "node"
@@ -255,9 +253,12 @@ On Windows, a Consumption plan requires two additional settings in the site conf
} ```
+> [!IMPORTANT]
+> Don't set the [`WEBSITE_CONTENTSHARE`](functions-app-settings.md#website_contentshare) setting as it's generated for you when the site is first created.
+ #### Linux
-On Linux, the function app must have its `kind` set to `functionapp,linux`, and it must have the `reserved` property set to `true`:
+On Linux, the function app must have its `kind` set to `functionapp,linux`, and it must have the `reserved` property set to `true`.
```json {
@@ -295,8 +296,9 @@ On Linux, the function app must have its `kind` set to `functionapp,linux`, and
} ```
-<a name="premium"></a>
+The [`WEBSITE_CONTENTAZUREFILECONNECTIONSTRING`](functions-app-settings.md#website_contentazurefileconnectionstring) and [`WEBSITE_CONTENTSHARE`](functions-app-settings.md#website_contentshare) settings aren't supported on Linux.
+<a name="premium"></a>
## Deploy on Premium plan The Premium plan offers the same scaling as the Consumption plan but includes dedicated resources and additional capabilities. To learn more, see [Azure Functions Premium Plan](./functions-premium-plan.md).
@@ -328,7 +330,7 @@ A Premium plan is a special type of "serverfarm" resource. You can specify it by
### Create a function app
-A function app on a Premium plan must have the `serverFarmId` property set to the resource ID of the plan created earlier. In addition, a Premium plan requires two additional settings in the site configuration: `WEBSITE_CONTENTAZUREFILECONNECTIONSTRING` and `WEBSITE_CONTENTSHARE`. These properties configure the storage account and file path where the function app code and configuration are stored.
+A function app on a Premium plan must have the `serverFarmId` property set to the resource ID of the plan created earlier. In addition, a Premium plan requires an additional setting in the site configuration: [`WEBSITE_CONTENTAZUREFILECONNECTIONSTRING`](functions-app-settings.md#website_contentazurefileconnectionstring). This property configures the storage account where the function app code and configuration are stored.
```json {
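Review bot: The rewritten Premium paragraph now reads "In addition, a Premium plan requires an additional setting in the site configuration", which repeats itself. Suggest "A Premium plan also requires the `WEBSITE_CONTENTAZUREFILECONNECTIONSTRING` setting in the site configuration." The same "setting" versus "property" mix as in the Consumption section appears here ("This property configures the storage account") and should be aligned.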
@@ -353,10 +355,6 @@ A function app on a Premium plan must have the `serverFarmId` property set to th
"name": "WEBSITE_CONTENTAZUREFILECONNECTIONSTRING", "value": "[concat('DefaultEndpointsProtocol=https;AccountName=', variables('storageAccountName'), ';AccountKey=', listKeys(variables('storageAccountid'),'2019-06-01').keys[0].value)]" },
- {
- "name": "WEBSITE_CONTENTSHARE",
- "value": "[toLower(variables('functionAppName'))]"
- },
{ "name": "FUNCTIONS_WORKER_RUNTIME", "value": "node"
@@ -374,6 +372,8 @@ A function app on a Premium plan must have the `serverFarmId` property set to th
} } ```
+> [!IMPORTANT]
+> Don't set the [`WEBSITE_CONTENTSHARE`](functions-app-settings.md#website_contentshare) setting as it's generated for you when the site is first created.
<a name="app-service-plan"></a>
@@ -693,4 +693,4 @@ Learn more about how to develop and configure Azure Functions.
<!-- LINKS --> [Function app on Consumption plan]: https://github.com/Azure/azure-quickstart-templates/blob/master/101-function-app-create-dynamic/azuredeploy.json
-[Function app on Azure App Service plan]: https://github.com/Azure/azure-quickstart-templates/blob/master/101-function-app-create-dedicated/azuredeploy.json
\ No newline at end of file
+[Function app on Azure App Service plan]: https://github.com/Azure/azure-quickstart-templates/blob/master/101-function-app-create-dedicated/azuredeploy.json
azure-functions https://docs.microsoft.com/en-us/azure/azure-functions/functions-reference-python https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/azure-functions/functions-reference-python.md
@@ -364,7 +364,7 @@ Azure Functions supports the following Python versions:
| Functions version | Python<sup>*</sup> versions | | ----- | ----- |
-| 3.x | 3.8<br/>3.7<br/>3.6 |
+| 3.x | 3.9 (Preview) <br/> 3.8<br/>3.7<br/>3.6 |
| 2.x | 3.7<br/>3.6 | <sup>*</sup>Official CPython distributions
@@ -586,6 +586,7 @@ To view the full details of the list of these libraries, please visit the links
* [Python 3.6 Standard Library](https://docs.python.org/3.6/library/) * [Python 3.7 Standard Library](https://docs.python.org/3.7/library/) * [Python 3.8 Standard Library](https://docs.python.org/3.8/library/)
+* [Python 3.9 Standard Library](https://docs.python.org/3.9/library/)
### Azure Functions Python worker dependencies
@@ -613,7 +614,7 @@ For a list of preinstalled system libraries in Python worker Docker images, plea
| Functions runtime | Debian version | Python versions | |------------|------------|------------| | Version 2.x | Stretch | [Python 3.6](https://github.com/Azure/azure-functions-docker/blob/master/host/2.0/stretch/amd64/python/python36/python36.Dockerfile)<br/>[Python 3.7](https://github.com/Azure/azure-functions-docker/blob/master/host/2.0/stretch/amd64/python/python37/python37.Dockerfile) |
-| Version 3.x | Buster | [Python 3.6](https://github.com/Azure/azure-functions-docker/blob/master/host/3.0/buster/amd64/python/python36/python36.Dockerfile)<br/>[Python 3.7](https://github.com/Azure/azure-functions-docker/blob/master/host/3.0/buster/amd64/python/python37/python37.Dockerfile)<br />[Python 3.8](https://github.com/Azure/azure-functions-docker/blob/master/host/3.0/buster/amd64/python/python38/python38.Dockerfile) |
+| Version 3.x | Buster | [Python 3.6](https://github.com/Azure/azure-functions-docker/blob/master/host/3.0/buster/amd64/python/python36/python36.Dockerfile)<br/>[Python 3.7](https://github.com/Azure/azure-functions-docker/blob/master/host/3.0/buster/amd64/python/python37/python37.Dockerfile)<br />[Python 3.8](https://github.com/Azure/azure-functions-docker/blob/master/host/3.0/buster/amd64/python/python38/python38.Dockerfile)<br/> [Python 3.9](https://github.com/Azure/azure-functions-docker/blob/master/host/3.0/buster/amd64/python/python39/python39.Dockerfile)|
## Cross-origin resource sharing
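Review bot: The Python 3.9 Dockerfile link added to the "Version 3.x" row carries no preview marker, while the supported-versions table earlier in this file lists the same version as "3.9 (Preview)". The standard library link added in the previous hunk has the same gap. Label 3.9 as preview consistently, so that readers who land on this table do not take it as generally available. The new cell also has inconsistent spacing (`<br/> [Python 3.9]` and no space before the closing `|`) compared with the other entries in the row.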
azure-functions https://docs.microsoft.com/en-us/azure/azure-functions/ip-addresses https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/azure-functions/ip-addresses.md
@@ -23,8 +23,7 @@ Each function app has a single inbound IP address. To find that IP address:
1. Sign in to the [Azure portal](https://portal.azure.com). 2. Navigate to the function app.
-3. Select **Platform features**.
-4. Select **Properties**, and the inbound IP address appears under **Virtual IP address**.
+3. Under **Settings**, select **Properties**. The inbound IP address appears under **Virtual IP address**.
## <a name="find-outbound-ip-addresses"></a>Function app outbound IP addresses
azure-government https://docs.microsoft.com/en-us/azure/azure-government/compare-azure-government-global-azure https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/azure-government/compare-azure-government-global-azure.md
@@ -115,7 +115,7 @@ Commonly used services in bot applications that are not currently available in A
- Application Insights - Speech Service
-For more information, see [How do I create a bot that uses US Government data center](/azure/bot-service/bot-service-resources-faq-ecosystem?view=azure-bot-service-4.0#how-do-i-create-a-bot-that-uses-the-us-government-data-center).
+For more information, see [How do I create a bot that uses US Government data center](/azure/bot-service/bot-service-resources-faq-ecosystem?view=azure-bot-service-4.0&preserve-view=true#how-do-i-create-a-bot-that-uses-the-us-government-data-center).
### [Azure Machine Learning](../machine-learning/overview-what-is-azure-ml.md) For feature variations and limitations, see [Azure Machine Learning sovereign cloud parity](../machine-learning/reference-machine-learning-cloud-parity.md).
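Review bot: While this link is being edited for `preserve-view=true`, note that the link text "How do I create a bot that uses US Government data center" drops the article that the target anchor has (`#how-do-i-create-a-bot-that-uses-the-us-government-data-center`). Suggest changing the text to "How do I create a bot that uses the US Government data center" so that it matches the heading it points to.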
@@ -494,7 +494,7 @@ The endpoint suffix to use in these overloads is *core.usgovcloudapi.net*.
When you're deploying the StorSi