Updates from: 05/26/2021 03:16:11
Service Microsoft Docs article Related commit history on GitHub Change details
active-directory-b2c Add Password Reset Policy https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/active-directory-b2c/add-password-reset-policy.md
Previously updated : 05/11/2021 Last updated : 05/24/2021
zone_pivot_groups: b2c-policy-type
The [sign-up and sign-in journey](add-sign-up-and-sign-in-policy.md) allows users to reset their own password using the **Forgot your password?** link. The password reset flow involves the following steps:
-1. From the sign-up and sign-in page, the user clicks the **Forgot your password?** link. Azure AD B2C initiates the password reset flow.
-2. The user provides and verifies their email address with a Timed One Time Passcode.
+1. From the sign-up and sign-in page, the user clicks the **Forgot your password?** link. Azure AD B2C initiates the password reset flow.
+2. The user provides their email address and selects **Send verification code**. Azure AD B2C will then send the user a verification code.
+
+* The user needs to open the mail box and copy the verification code. The user then enters the verification code in Azure AD B2C password reset page, and selects **Verify code**.
+
+> [!NOTE]
+> After the email is verified, the user can still select **Change e-mail**, type the other email, and repeat the email verification from the beginning.
3. The user can then enter a new password. ![Password reset flow](./media/add-password-reset-policy/password-reset-flow.png)
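Review bot: the added bullet `* The user needs to open the mail box and copy the verification code...` sits between numbered steps 2 and 3, so the rendered list becomes `1.`, `2.`, a bullet, a note, then `3.`; make it step 3 and renumber `3. The user can then enter a new password.` to 4. The new wording also drops the detail from the removed line that the code is a timed one-time passcode; keep it, since the expiry is what bounds how long an intercepted code stays usable, and the `[!NOTE]` about `Change e-mail` should say that changing the address discards the previous verification and the new address must complete verification before the password can be set.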
active-directory-b2c Billing https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/active-directory-b2c/billing.md
Previously updated : 02/01/2021 Last updated : 05/24/2021
To take advantage of MAU billing, your Azure AD B2C tenant must be linked to an
MAU billing went into effect for Azure AD B2C tenants on **November 1, 2019**. Any Azure AD B2C tenants that you created and linked to a subscription on or after that date have been billed on a per-MAU basis. If you have an Azure AD B2C tenant that hasn't been linked to a subscription, you'll need to do so now. If you have an existing Azure AD B2C tenant that was linked to a subscription before November 1, 2019, we recommend you upgrade to the monthly active users (MAU) billing model, or you can stay on the per-authentication billing model. Your Azure AD B2C tenant must also be linked to the appropriate Azure pricing tier based on the features you want to use. Premium features require Azure AD B2C [Premium P1 or P2 pricing](https://azure.microsoft.com/pricing/details/active-directory-b2c/). You might need to upgrade your pricing tier as you use new features. For example, Conditional Access, you’ll need to select the Azure AD B2C Premium P2 pricing tier for your tenant.-
+> [!NOTE]
+> Your first 50,000 MAUs per month are free for both Premium P1 and Premium P2 features. To determine the total number of MAUs, we combine MAUs from all your tenants (both Azure AD and Azure AD B2C) that are linked to the same subscription.
## Link an Azure AD B2C tenant to a subscription Usage charges for Azure Active Directory B2C (Azure AD B2C) are billed to an Azure subscription. You need to explicitly link an Azure AD B2C tenant to an Azure subscription by creating an Azure AD B2C *resource* within the target Azure subscription. Several Azure AD B2C resources can be created in a single Azure subscription, along with other Azure resources like virtual machines, Storage accounts, and Logic Apps. You can see all of the resources within a subscription by going to the Azure Active Directory (Azure AD) tenant that the subscription is associated with.
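Review bot: the unchanged sentence `For example, Conditional Access, you'll need to select the Azure AD B2C Premium P2 pricing tier for your tenant.` in the paragraph above is missing its verb phrase; while this paragraph is being edited, change it to `For example, to use Conditional Access, you'll need to select...`. The new `[!NOTE]` would also be clearer if it said the 50,000 free MAUs are one pooled allowance across every Azure AD and Azure AD B2C tenant linked to the subscription rather than 50,000 per tenant, which is what `we combine MAUs from all your tenants` means but readers skimming for the number will miss.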
active-directory-b2c Custom Policy Developer Notes https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/active-directory-b2c/custom-policy-developer-notes.md
Previously updated : 05/04/2021 Last updated : 05/18/2021
Azure Active Directory B2C [user flows and custom policies](user-flow-overview.m
| [Self-Service password reset](add-password-reset-policy.md) | GA| GA| | | [Force password reset](force-password-reset.md) | Preview | NA | | | [Phone sign-up and sign-in](phone-authentication-user-flows.md) | GA | GA | |
+| [Conditional Access and Identity Protection](conditional-access-user-flow.md) | GA | GA | Not available for SAML applications |
## OAuth 2.0 application authorization flows
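Review bot: the new `Conditional Access and Identity Protection` row marks the feature GA for both user flows and custom policies but says nothing about licensing; the Billing article in this same update states that Conditional Access requires the `Azure AD B2C Premium P2` pricing tier, so add that to the notes column next to `Not available for SAML applications` so readers do not take GA to mean enabled on every tenant.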
active-directory-b2c Tutorial Create User Flows https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/active-directory-b2c/tutorial-create-user-flows.md
As mentioned in [Prerequisites](#prerequisites), Facebook is *not* required for
1. Under **Custom policies**, select **B2C_1A_signup_signin**. 1. Select **Run now** and select Facebook to sign in with Facebook and test the custom policy. + ::: zone-end+ ## Next steps In this article, you learned how to:
Next, learn how to use Azure AD B2C to sign in and sign up users in an applicati
> [!div class="nextstepaction"] > [Tutorial: Enable authentication in a web application using Azure AD B2C >](tutorial-web-app-dotnet.md)+
+You can also learn more in the [Azure AD B2C Architecture Deep Dive Series](https://www.youtube.com/playlist?list=PLOPotgzC07IKXXCTZcrpuLWbVe3y51kfm).
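Review bot: the added `::: zone-end` in `1. Select **Run now** and select Facebook ... + ::: zone-end+` closes a zone pivot whose opening `::: zone pivot=...` marker is not in this hunk; confirm the opening marker exists above the custom-policy steps, because an unmatched `zone-end` breaks rendering for the whole pivot group, not just this tutorial.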
active-directory-domain-services Powershell Create Instance https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/active-directory-domain-services/powershell-create-instance.md
Previously updated : 03/10/2021 Last updated : 05/19/2021
$replicaSetParams = @{
Location = $AzureLocation SubnetId = "/subscriptions/$AzureSubscriptionId/resourceGroups/$ResourceGroupName/providers/Microsoft.Network/virtualNetworks/$VnetName/subnets/DomainServices" }
-$replicaSet = New-AzADDomainServiceReplicaSetObject @replicaSetParams
+$replicaSet = New-AzADDomainServiceReplicaSet @replicaSetParams
$domainServiceParams = @{ Name = $ManagedDomainName
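Review bot: the rename `New-AzADDomainServiceReplicaSetObject` -> `New-AzADDomainServiceReplicaSet` changes the cmdlet the reader types, so the change should state which `Az.ADDomainServices` module version exposes the new name and pin it in the sample with `#Requires -Modules`; the autorest-generated Az modules normally keep the `Object` suffix on cmdlets that only build a parameter object (this one returns `$replicaSet` for the later `New-AzADDomainService` call and creates nothing), so verify with `Get-Command -Module Az.ADDomainServices` before merging.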
$replicaSetParams = @{
Location = $AzureLocation SubnetId = "/subscriptions/$AzureSubscriptionId/resourceGroups/$ResourceGroupName/providers/Microsoft.Network/virtualNetworks/$VnetName/subnets/DomainServices" }
-$replicaSet = New-AzADDomainServiceReplicaSetObject @replicaSetParams
+$replicaSet = New-AzADDomainServiceReplicaSet @replicaSetParams
$domainServiceParams = @{ Name = $ManagedDomainName
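Review bot: this hunk is the same rename as the one above, applied to a second copy of the snippet; if the two copies are the samples for two zone pivots they must stay identical, so a follow-up that reverts one and not the other would leave the page contradicting itself. Both copies also hard-code the segment `subnets/DomainServices` inside `SubnetId`; say in the prose that `DomainServices` is the name of the subnet the reader is expected to have created for the managed domain, since nothing in the snippet checks that it exists.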
active-directory Application Proxy Configure Custom Domain https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/active-directory/app-proxy/application-proxy-configure-custom-domain.md
When you select a custom domain for an external URL, an information bar shows th
To configure an on-premises app to use a custom domain, you need a verified Azure Active Directory custom domain, a PFX certificate for the custom domain, and an on-premises app to configure.
+> [!IMPORTANT]
+> You are responsible for maintaining DNS records that redirect your custom domains to the *msappproxy.net* domain. If you choose to later delete your application or tenant, make sure to also delete associated DNS records for Application Proxy to prevent misuse of dangling DNS records.
+ ### Create and verify a custom domain To create and verify a custom domain:
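Review bot: the new `[!IMPORTANT]` says the DNS records `redirect your custom domains to the *msappproxy.net* domain`; DNS does not redirect, it resolves, and what the reader creates for Application Proxy is a CNAME from the custom host to the tenant's `msappproxy.net` host, so say CNAME. Name the misuse too: a CNAME left pointing at an `msappproxy.net` name after the application is gone is a dangling record that lets whoever next obtains that name serve content under the customer's custom host (subdomain takeover), and the safe order is to remove the CNAME before or at the moment the application is deleted, not only `if you choose to later delete your application or tenant`.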
When a certificate expires, you get a warning telling you to upload another cert
## Next steps * [Enable single sign-on](application-proxy-configure-single-sign-on-with-kcd.md) to your published apps with Azure AD authentication.
-* [Conditional Access](../conditional-access/concept-conditional-access-cloud-apps.md) for your published cloud apps.
+* [Conditional Access](../conditional-access/concept-conditional-access-cloud-apps.md) for your published cloud apps.
active-directory Howto Authentication Passwordless Security Key https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/active-directory/authentication/howto-authentication-passwordless-security-key.md
If you'd like to share feedback or encounter issues with this feature, share via
Administrator provisioning and de-provisioning of security keys is not available.
-### Cached logon on Hybrid Azure AD joined devices
-
-Cached logon with FIDO2 keys fails on hybrid Azure AD joined devices on Windows 10, version 20H2. As a result, users will not be able to login when line of sight to the on-premises domain controller is unavailable. This is currently under investigation.
### UPN changes
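Review bot: deleting the `### Cached logon on Hybrid Azure AD joined devices` known issue implies it is resolved, but nothing in the change says so; add a line under the remaining limitations, or at least in the commit message, stating the Windows 10 build or update that fixed cached FIDO2 logon on hybrid-joined devices, otherwise an admin still on 20H2 without that update hits the failure with no documentation to point at.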
active-directory Tutorial Enable Sspr Writeback https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/active-directory/authentication/tutorial-enable-sspr-writeback.md
Previously updated : 07/13/2020 Last updated : 05/19/2021
To set up the appropriate permissions for password writeback to occur, complete
When you update permissions, it might take up to an hour or more for these permissions to replicate to all the objects in your directory.
-Password policies in the on-premises AD DS environment may prevent password resets from being correctly processed. For password writeback to work most efficiently, the group policy for *Minimum password age* must be set to 0. This setting can be found under **Computer Configuration > Policies > Windows Settings > Security Settings > Account Policies** within `gpedit.msc`.
+Password policies in the on-premises AD DS environment may prevent password resets from being correctly processed. For password writeback to work most efficiently, the group policy for *Minimum password age* must be set to 0. This setting can be found under **Computer Configuration > Policies > Windows Settings > Security Settings > Account Policies** within `gpmc.msc`.
If you update the group policy, wait for the updated policy to replicate, or use the `gpupdate /force` command.
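Review bot: `gpmc.msc` is the right tool for the path shown, because `Computer Configuration > Policies > Windows Settings > ...` is the Group Policy Management Editor layout and the local `gpedit.msc` has no `Policies` node, so the fix is correct. The paragraph would serve admins better if it stated the trade-off of `Minimum password age` = 0: the minimum age is what stops a user from cycling through the password-history list in one sitting to get back to an old password, so say that the setting is relaxed only so writeback can apply a reset immediately, and that password history alone then no longer prevents reuse.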
active-directory Concept Conditional Access Cloud Apps https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/active-directory/conditional-access/concept-conditional-access-cloud-apps.md
Previously updated : 05/13/2021 Last updated : 05/20/2021
User actions are tasks that can be performed by a user. Currently, Conditional A
Authentication context can be used to further secure data and actions in applications. These applications can be your own custom applications, custom line of business (LOB) applications, applications like SharePoint, or applications protected by Microsoft Cloud App Security (MCAS).
-For example, an organization may keep different files in SharePoint like the lunch menu or their secret BBQ sauce recipe. Everyone may have access to the lunch menu, but users who have access to the secret BBQ sauce recipe may need to access from a managed device and agree to specific terms of use.
+For example, an organization may keep files in SharePoint sites like the lunch menu or their secret BBQ sauce recipe. Everyone may have access to the lunch menu site, but users who have access to the secret BBQ sauce recipe site may need to access from a managed device and agree to specific terms of use.
### Configure authentication contexts
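Review bot: the rewrite from `files in SharePoint` to `SharePoint sites` is right, since the authentication context is attached to the site, but `users who have access to the secret BBQ sauce recipe site may need to access from a managed device` still leaves unexplained how the site acquires the context; say that it is applied through the site's sensitivity label, which is what the linked `Using authentication context with Microsoft Information Protection and SharePoint` page in this same batch describes.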
active-directory Accounts Overview https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/active-directory/develop/accounts-overview.md
String issuer = account.getClaims().get("iss"); // The tenant specific authority
``` > [!TIP]
-> To see a list of claims available from the account object, refer to [claims in an id_token](./id-tokens.md#claims-in-an-id_token)
+> To see a list of claims available from the account object, refer to [claims in an id_token](./id-tokens.md#claims-in-an-id-token)
> [!TIP] > To include additional claims in your id_token, refer to the optional claims documentation in [How to: Provide optional claims to your Azure AD app](./active-directory-optional-claims.md)
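Review bot: the anchor change to `#claims-in-an-id-token` is only valid together with the heading rename in `id-tokens.md` in this same update (`## Claims in an id_token` -> `## Claims in an ID token`); if the two files merge separately the link is dead in between, and any other page that links `id-tokens.md#claims-in-an-id_token` needs the same edit, so search the repo for the old anchor in the same PR.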
active-directory Apple Sso Plugin https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/active-directory/develop/apple-sso-plugin.md
The profile settings that enable the SSO plug-in are automatically applied to th
### Manual configuration for other MDM services
-If you don't use Intune for MDM, use the following parameters to configure the Microsoft Enterprise SSO plug-in for Apple devices.
+If you don't use Intune for MDM, you can configure an Extensible Single Sign On profile payload for Apple devices. Use the following parameters to configure the Microsoft Enterprise SSO plug-in and its configuration options.
iOS settings:
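Review bot: Apple's MDM payload is named `Extensible Single Sign-On` (hyphenated), while the new sentence writes `Extensible Single Sign On profile payload`; match Apple's spelling so admins searching their MDM vendor's payload list find it.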
The end user sees the familiar experience and doesn't have to sign in again in e
## Next steps
-Learn about [Shared device mode for iOS devices](msal-ios-shared-devices.md).
+Learn about [Shared device mode for iOS devices](msal-ios-shared-devices.md).
active-directory Claims Challenge https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/active-directory/develop/claims-challenge.md
GET https://login.microsoftonline.com/14c2f153-90a7-4689-9db7-9543bf084dad/oauth
&response_mode=form_post &login_hint=kalyan%ccontoso.onmicrosoft.com &domain_hint=organizations
-claims=%7B%22access_token%22%3A%7B%22acrs%22%3A%7B%22essential%22%3Atrue%2C%22value%22%3A%22urn%3Amicrosoft%3Areq1%22%7D%7D%7D
+claims=%7B%22access_token%22%3A%7B%22acrs%22%3A%7B%22essential%22%3Atrue%2C%22value%22%3A%22c1%22%7D%7D%7D
``` The claims challenge should be passed as a part of all calls to Azure AD's [/authorize](v2-oauth2-auth-code-flow.md#request-an-authorization-code) endpoint until a token is successfully retrieved, after which it is no longer needed.
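Review bot: the context line `&login_hint=kalyan%ccontoso.onmicrosoft.com` is not a valid encoding of `kalyan@contoso.onmicrosoft.com` (`@` is `%40`; `%cc` decodes to a stray byte), so the sample request sends a broken hint; fix it while this request is being edited. The new `acrs` value `c1` is lowercase, whereas the developer guide updated in this same batch writes the IDs as `C1-C25`; pick one casing and use it on both pages so the value a developer copies from one page matches what the other page tells them to compare against.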
active-directory Developer Guide Conditional Access Authentication Context https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/active-directory/develop/developer-guide-conditional-access-authentication-context.md
Use the Azure AD Conditional access engineΓÇÖs new auth context feature to trigg
## Problem statement
-IT administrators and regulators often struggle between balancing prompting their users with extra factors of authentication too frequently and achieving adequate security and policy adherence for applications and services where applications contain sensitive data or operations. Users being prompted too often and worse too many times make up for degraded user experiences while not doing so can potentially degrade the security posture.
+The IT administrators and regulators often struggle between balancing prompting their users with additional factors of authentication too frequently and achieving adequate security and policy adherence for applications and services where parts of them contain sensitive data and operations. It can be a choice between a strong policy that impacts users' productivity when they access most data and actions or a policy that is not strong enough for sensitive resources.
So, what if apps were able to mix both, where they can function with a relatively lesser security and less frequent prompts for most users and operations and yet conditionally stepping up the security requirement when the users accessed more sensitive parts? ## Common scenarios
-For example, users can browse and work on a certain web application with standard authentication, but access to a certain portion of the app containing highly sensitive documents should be possible only for users who have performed more methods of authentication, like MFA (2FA) and also satisfy other policies like accessing the document from within a known IP range.
+For example, while users may sign in to SharePoint using multi-factor authentication, accessing site collection in SharePoint containing sensitive documents can require a compliant device and only be accessible from trusted IP ranges.
## Steps
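Review bot: the rewritten example `accessing site collection in SharePoint containing sensitive documents` drops the article (`a site collection`) and, more importantly, replaces the generic web-app scenario with SharePoint in a guide addressed to developers of their own APIs; keep a custom-app example next to the SharePoint one, because the `## Steps` that follow assume the reader owns the API that raises the challenge. The new `## Problem statement` is still one run-on sentence up to `sensitive data and operations.`; split it.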
The following are the prerequisites and the steps if you want to use Conditional
### Prerequisites
-First, your app should be integrated with the Microsoft Identity Platform using the use OpenID Connect/ OAuth 2.0 protocols for authentication and authorization. We recommend you use [Microsoft identity platform authentication libraries](reference-v2-libraries.md) to integrate and secure your application with Azure Active Directory. [Microsoft identity platform documentation](index.yml) is a good place to start learning how to integrate your apps with the Microsoft Identity Platform. Conditional Access auth context feature support is built on top of protocol extensions provided by the industry standard OpenID Connect. Developers use a Conditional Access auth context reference value with the claims request parameter to give apps a way to trigger and satisfy policy.
+**First**, your app should be integrated with the Microsoft Identity Platform using the use [OpenID Connect](v2-protocols-oidc.md)/ [OAuth 2.0](v2-oauth2-auth-code-flow.md) protocols for authentication and authorization. We recommend you use [Microsoft identity platform authentication libraries](reference-v2-libraries.md) to integrate and secure your application with Azure Active Directory. [Microsoft identity platform documentation](index.yml) is a good place to start learning how to integrate your apps with the Microsoft Identity Platform. Conditional Access Auth Context feature support is built on top of protocol extensions provided by the industry standard[OpenID Connect](v2-protocols-oidc.md) protocol. Developers use a [Conditional Access Auth Context reference](/graph/api/resources/authenticationcontextclassreference) **value** with the [Claims Request](claims-challenge.md) parameter to give apps a way to trigger and satisfy policy.
-Second, [Conditional Access](../conditional-access/overview.md) requires Azure AD Premium P1 licensing. More information about licensing can be found on the [Azure AD pricing page](https://azure.microsoft.com/pricing/details/active-directory/).
+**Second**, [Conditional Access](../conditional-access/overview.md) requires Azure AD Premium P1 licensing. More information about licensing can be found on the [Azure AD pricing page](https://azure.microsoft.com/pricing/details/active-directory/).
-Third, today it is only available to applications that sign-in users. Applications that authenticate as themselves are not supported. Use the [Authentication flows and application scenarios guide](authentication-flows-app-scenarios.md) to learn about the supported authentication app types and flows in the Microsoft Identity Platform.
+**Third**, today it is only available to applications that sign-in users. Applications that authenticate as themselves are not supported. Use the [Authentication flows and application scenarios guide](authentication-flows-app-scenarios.md) to learn about the supported authentication app types and flows in the Microsoft Identity Platform.
### Integration steps Once your application is integrated using the supported authentication protocols and registered in an Azure AD tenant that has the Conditional Access feature available for use, you can kick start the process to integrating this feature in your applications that sign-in users.
-First, declare and make the authentication contexts available in your tenant. For more information, see [Configure authentication contexts](../conditional-access/concept-conditional-access-cloud-apps.md#configure-authentication-contexts)
+**First**, declare and make the authentication contexts available in your tenant. For more information, see [Configure authentication contexts](../conditional-access/concept-conditional-access-cloud-apps.md#configure-authentication-contexts)
-Values C1-C25 are available for use as auth context IDs in a tenant. Examples of auth context may be:
+Values **C1-C25** are available for use as **Auth Context IDs** in a tenant. Examples of auth context may be:
-- C1 - Require strong authentication-- C2 ΓÇô Require compliant devices-- C3 ΓÇô Require trusted locations
+- **C1** - Require strong authentication
+- **C2** ΓÇô Require compliant devices
+- **C3** ΓÇô Require trusted locations
-Create or modify your Conditional Access policies to use the Conditional Access auth contexts. Examples policies could be:
+Create or modify your Conditional Access policies to use the Conditional Access Auth Contexts. Examples policies could be:
-- All users signing-into this web application should have successfully completed 2FA for auth context ID C1.-- All users signing into this web application should have successfully completed 2FA and also access the web app from a certain IP address range for auth context ID C3.
+- All users signing-into this web application should have successfully completed 2FA for auth context ID **C1**.
+- All users signing into this web application should have successfully completed 2FA and also access the web app from a certain IP address range for auth context ID **C3**.
> [!NOTE]
-> The Conditional Access auth context values are declared and maintained separately from applications. It is not advisable for applications to take hard dependency on auth context ids. The Conditional Access policies will are usually crafted by IT administrators as they have a better understanding of the resources available to apply policies on. For example, for an Azure AD tenant, IT admins would have the knowledge of how many of the tenantΓÇÖs users are equipped to use 2FA for MFA and thus can ensure that Conditional Access policies that require 2FA are scoped to these equipped users.
+> The Conditional Access auth context values are declared and maintained separately from applications. It is not advisable for applications to take hard dependency on auth context ids. The Conditional Access policies are usually crafted by IT administrators as they have a better understanding of the resources available to apply policies on. For example, for an Azure AD tenant, IT admins would have the knowledge of how many of the tenantΓÇÖs users are equipped to use 2FA for MFA and thus can ensure that Conditional Access policies that require 2FA are scoped to these equipped users.
> Similarly, if the application is used in multiple tenants, the auth context ids in use could be different and, in some cases, not available at all.
-Second: The developers of an application planning to use Conditional Access auth context are advised to first provide the application admins or IT admins a means to map potential sensitive actions to auth context IDs. The steps roughly being:
+**Second**: The developers of an application planning to use Conditional Access auth context are advised to first provide the application admins or IT admins a means to map potential sensitive actions to auth context IDs. The steps roughly being:
1. Identity actions in the code that can be made available to map against auth context Ids. 1. Build a screen in the admin portal of the app (or an equivalent functionality) that IT admins can use to map sensitive actions against an available auth context ID.
-1. See the code sample, [Use the Conditional Access auth context to perform step-up authentication](https://github.com/Azure-Samples/ms-identity-ca-auth-context/blob/main/README.md) for an example on how it is done.
+1. See the code sample, [Use the Conditional Access Auth Context to perform step-up authentication](https://github.com/Azure-Samples/ms-identity-ca-auth-context/blob/main/README.md) for an example on how it is done.
These steps are the changes that you need to carry in your code base. The steps broadly comprise of -- Query MS Graph to list all the available auth contexts [conditionalaccess resource type](/graph/api/resources/conditionalaccessroot?view=graph-rest-beta&preserve-view=true).-- Allow IT admins to select sensitive/ high-privileged operations and assign them against the available auth contexts. -- Save this mapping information in your database, per tenant, unless your application is going to ever be used in a single tenant.
+- Query MS Graph to [list all the available Auth Contexts](/graph/api/conditionalaccessroot-list-authenticationcontextclassreferences).
+- Allow IT admins to select sensitive/ high-privileged operations and assign them against the available Auth Contexts using CA policies.
+- Save this mapping information in your database/local store.
:::image type="content" source="media/developer-guide-conditional-access-authentication-context/configure-conditional-access-authentication-context.png" alt-text="Setup flow for creating an authentication context":::
-Third: Your application, and for this example, weΓÇÖd assume itΓÇÖs a web API, then needs to evaluate calls against the saved mapping and accordingly raise claim challenges for its client apps. To prepare for this action, the following steps are to be taken:
+**Third**: Your application, and for this example, weΓÇÖd assume itΓÇÖs a web API, then needs to evaluate calls against the saved mapping and accordingly raise claim challenges for its client apps. To prepare for this action, the following steps are to be taken:
-1. Request the Authentication Context Class Reference (acrs) as an optional claim in its [Access token](access-tokens.md) by requesting it in the [Web APIs app manifest](reference-app-manifest.md).
+1. In a sensitive and protected by auth context operation, evaluate the values in the **acrs** claim against the Auth Context ID mappings saved earlier and raise a [Claims Challenge](claims-challenge.md) as provided in the code snippet below.
- ```json
- "optionalClaims":
- {
- "accessToken": [
- {
- "additionalProperties": [],
- "essential": false,
- "name": "acrs",
- "source": null
- }
- ],
- "idToken": [],
- "saml2Token": []
- }
- ```
-
-1. In a sensitive and protected by auth context operation, evaluate the values in the acrs claim against the auth context ID mapping saved earlier and raise a claims challenge as provided in the code snippet below.
1. The following diagram shows the interaction between the user, client app, and the web API. :::image type="content" source="media/developer-guide-conditional-access-authentication-context/authentication-context-application-flow.png" alt-text="Diagram showing the interaction of user, web app, API, and Azure AD":::
- The code snippet that follows is from the code sample, [Use the Conditional Access auth context to perform step-up authentication](https://github.com/Azure-Samples/ms-identity-ca-auth-context/blob/main/README.md). The first method, EnsureUserHasElevatedScope() in the API checks if the action being called,
+ The code snippet that follows is from the code sample, [Use the Conditional Access auth context to perform step-up authentication](https://github.com/Azure-Samples/ms-identity-ca-auth-context/blob/main/README.md). The first method, `CheckForRequiredAuthContext()` in the API
- - Requires step-up authentication. It does so by checking its database for a saved mapping for this method
- - If this action indeed requires an elevated auth context, it checks the acrs claim for an existing, matching auth context ID.
- - If a matching auth context ID is not found, it raises a [claims challenge](claims-challenge.md#claims-challenge-header-format).
+ - Checks if the application's action being called requires step-up authentication. It does so by checking its database for a saved mapping for this method
+ - If this action indeed requires an elevated auth context, it checks the **acrs** claim for an existing, matching Auth Context ID.
+ - If a matching Auth Context ID is not found, it raises a [claims challenge](claims-challenge.md#claims-challenge-header-format).
```
- public void EnsureUserHasElevatedScope(string method)
+ public void CheckForRequiredAuthContext(string method)
{ string authType = _commonDBContext.AuthContext.FirstOrDefault(x => x.Operation == method && x.TenantId == _configuration["AzureAD:TenantId"])?.AuthContextId;
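Review bot: in the `CheckForRequiredAuthContext` snippet the mapping lookup filters on `x.TenantId == _configuration["AzureAD:TenantId"]`, the API's own configured tenant, while the `[!NOTE]` above says auth context IDs differ per tenant and the guide targets multi-tenant apps; the lookup should key on the caller's tenant from the validated token's `tid` claim, otherwise every tenant's calls are checked against the home tenant's mapping or miss it entirely. This hunk also changes `Save this mapping information in your database, per tenant, unless your application is going to ever be used in a single tenant` to `Save this mapping information in your database/local store`, dropping the per-tenant key the code needs. Second, the removed step that added `acrs` to `optionalClaims.accessToken` in the app manifest is not replaced by any statement of how the `acrs` claim reaches the access token; say explicitly whether Azure AD emits it once the client sends the `claims` request parameter or whether the manifest entry is still required, since the step `evaluate the values in the **acrs** claim` depends on it. Third, `assign them against the available Auth Contexts using CA policies` conflates two mappings: the app maps its operations to auth context IDs, and the IT admin maps auth context IDs to requirements in Conditional Access policies, as the bullets `**C1** - Require strong authentication` and the example policies show; the previous wording without `using CA policies` was correct. Minor: the fence before `public void CheckForRequiredAuthContext` has no language tag (use ```csharp), and `using the use [OpenID Connect]`, `industry standard[OpenID Connect]` and the unchanged `Identity actions in the code` (should be `Identify`) need fixing.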
Third: Your application, and for this example, weΓÇÖd assume itΓÇÖs a web API, t
## Caveats and recommendations
-Do not hardcode auth context values in your app. Apps should read and apply auth context using MS Graph calls [Link to auth context APIs]. This practice is critical in [multi-tenant applications](howto-convert-app-to-be-multi-tenant.md). The auth context values will vary between Azure AD tenants and are not available in Azure AD free edition. For more information on how an app should query, set, and use auth context in their code, see the code sample, [Use the Conditional Access auth context to perform step-up authentication](https://github.com/Azure-Samples/ms-identity-ca-auth-context/blob/main/README.md).
+Do not hard-code Auth Context values in your app. Apps should read and apply auth context [using MS Graph calls](/graph/api/resources/authenticationcontextclassreference). This practice is critical for [multi-tenant applications](howto-convert-app-to-be-multi-tenant.md). The Auth Context values will vary between Azure AD tenants will not available in Azure AD free edition. For more information on how an app should query, set, and use auth context in their code, see the code sample, [Use the Conditional Access auth context to perform step-up authentication](https://github.com/Azure-Samples/ms-identity-ca-auth-context/blob/main/README.md) as how an app should query, set and use auth context in their code.
Do not use auth context where the app itself is going to be a target of Conditional Access policies. The feature works best when parts of the application require the user to meet a higher bar of authentication. ## Next steps
+- [Granular Conditional Access for sensitive data and actions (Blog)](https://techcommunity.microsoft.com/t5/azure-active-directory-identity/granular-conditional-access-for-sensitive-data-and-actions/ba-p/1751775)
- [Zero trust with the Microsoft Identity platform](/security/zero-trust/identity-developer)
+- [Building Zero Trust ready apps with the Microsoft identity platform](/security/zero-trust/identity-developer)
- [Use the Conditional Access auth context to perform step-up authentication for high-privilege operations in a Web API](https://github.com/Azure-Samples/ms-identity-ca-auth-context/blob/main/README.md) - [Conditional Access authentication context](../conditional-access/concept-conditional-access-cloud-apps.md#authentication-context-preview)
+- [authenticationContextClassReference resource type - MS Graph](/graph/api/conditionalaccessroot-list-authenticationcontextclassreferences)
- [Claims challenge, claims request, and client capabilities in the Microsoft Identity Platform](claims-challenge.md) - [Using authentication context with Microsoft Information Protection and SharePoint](/microsoft-365/compliance/sensitivity-labels-teams-groups-sites#more-information-about-the-dependencies-for-the-authentication-context-option) - [Authentication flows and application scenarios](authentication-flows-app-scenarios.md)
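Review bot: `The Auth Context values will vary between Azure AD tenants will not available in Azure AD free edition` is missing `and` and `be`, and the same paragraph now ends with a duplicated tail `... as how an app should query, set and use auth context in their code.`; rewrite it as one sentence. In `Next steps`, the added `Building Zero Trust ready apps with the Microsoft identity platform` points at the same path as the entry above it (`/security/zero-trust/identity-developer`), so one of the two is redundant, and the added entry titled `authenticationContextClassReference resource type - MS Graph` links to the list operation `conditionalaccessroot-list-authenticationcontextclassreferences` while the caveats paragraph links the resource type at `/graph/api/resources/authenticationcontextclassreference`; swap the targets so each title matches its link.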
active-directory Howto Add Branding In Azure Ad Apps https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/active-directory/develop/howto-add-branding-in-azure-ad-apps.md
Title: App branding guidelines | Azure
+ Title: Sign in with Microsoft branding guidelines | Azure AD
description: Learn about application branding guidelines for Microsoft identity platform.
-# Branding guidelines for applications
+# Sign in with Microsoft: Branding guidelines for applications
When developing applications with the Microsoft identity platform, you'll need to direct your customers when they want to use their work or school account (managed in Azure AD), or their personal account for sign-up and sign-in to your application.
active-directory Id Tokens https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/active-directory/develop/id-tokens.md
# Microsoft identity platform ID tokens
-`id_tokens` are sent to the client application as part of an [OpenID Connect](v2-protocols-oidc.md) (OIDC) flow. They can be sent alongside or instead of an access token, and are used by the client to authenticate the user.
+The ID token is the core extension that [OpenID Connect](v2-protocols-oidc.md) makes to OAuth 2.0. ID tokens are issued by the authorization server and contain claims that carry information about the user. They can be sent alongside or instead of an access token. Information in ID Tokens allows the client to verify that a user is who they claim to be. ID tokens are intended to be understood by third-party applications. ID tokens should not be used for authorization purposes. [Access tokens](access-tokens.md) are used for authorization. The claims provided by ID tokens can be used for UX inside your application, as [keys in a database](#using-claims-to-reliably-identify-a-user-subject-and-object-id), and providing access to the client application.
-## Using the id_token
+## Prerequisites
-ID Tokens should be used to validate that a user is who they claim to be and get additional useful information about them - it shouldn't be used for authorization in place of an [access token](access-tokens.md). The claims it provides can be used for UX inside your application, as [keys in a database](#using-claims-to-reliably-identify-a-user-subject-and-object-id), and providing access to the client application.
+The following article will be beneficial before going through this article:
-## Claims in an id_token
+* [OAuth 2.0 and OpenID Connect protocols](active-directory-v2-protocols.md) on the Microsoft identity platform
-`id_tokens` are [JWTs](https://tools.ietf.org/html/rfc7519) (JSON Web Tokens), meaning they consist of a header, payload, and signature portion. You can use the header and signature to verify the authenticity of the token, while the payload contains the information about the user requested by your client. Except where noted, all JWT claims listed here appear in both v1.0 and v2.0 tokens.
-### v1.0
+## Claims in an ID token
+
+ID tokens are [JSON web tokens (JWT)](https://jwt.io/introduction/). These ID tokens consist of a header, payload, and signature. The header and signature are used to verify the authenticity of the token, while the payload contains the information about the user requested by your client. The v1.0 and v2.0 ID tokens have differences in the information they carry. The version is based on the endpoint from where it was requested. While existing applications likely use the Azure AD endpoint (v1.0), new applications should use the "Microsoft identity platform" endpoint(v2.0).
+
+* v1.0: Azure AD endpoint: `https://login.microsoftonline.com/common/oauth2/authorize`
+* v2.0: Microsoft identity Platform endpoint: `https://login.microsoftonline.com/common/oauth2/v2.0/authorize`
+
+### Sample v1.0 ID token
``` eyJ0eXAiOiJKV1QiLCJhbGciOiJSUzI1NiIsIng1dCI6IjdfWnVmMXR2a3dMeFlhSFMzcTZsVWpVWUlHdyIsImtpZCI6IjdfWnVmMXR2a3dMeFlhSFMzcTZsVWpVWUlHdyJ9.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.UJQrCA6qn2bXq57qzGX_-D3HcPHqBMOKDPx4su1yKRLNErVD8xkxJLNLVRdASHqEcpyDctbdHccu6DPpkq5f0ibcaQFhejQNcABidJCTz0Bb2AbdUCTqAzdt9pdgQvMBnVH1xk3SCM6d4BbT4BkLLj10ZLasX7vRknaSjE_C5DI7Fg4WrZPwOhII1dB0HEZ_qpNaYXEiy-o94UJ94zCr07GgrqMsfYQqFR7kn-mn68AjvLcgwSfZvyR_yIK75S_K37vC3QryQ7cNoafDe9upql_6pB2ybMVlgWPs_DmbJ8g0om-sPlwyn74Cc1tW3ze-Xptw_2uVdPgWyqfuWAfq6Q
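Review bot: the new intro paragraph says ID tokens "should not be used for authorization purposes" and, two sentences later, that their claims can be used for "providing access to the client application"; readers will take the second statement as contradicting the first. Suggest ending the paragraph with "as keys in a database, and for deciding what to show the signed-in user inside the client", which is what the rest of the article supports. Also, the "Claims in an ID token" paragraph swapped the normative JWT reference (RFC 7519, `https://tools.ietf.org/html/rfc7519`) for the jwt.io tutorial page; keep the RFC link, since anyone validating tokens by hand needs the specification, and "The header and signature are used to verify the authenticity" is more precisely "the signature is verified using the key identified by the header".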
eyJ0eXAiOiJKV1QiLCJhbGciOiJSUzI1NiIsIng1dCI6IjdfWnVmMXR2a3dMeFlhSFMzcTZsVWpVWUlH
View this v1.0 sample token in [jwt.ms](https://jwt.ms/#id_token=eyJ0eXAiOiJKV1QiLCJhbGciOiJSUzI1NiIsIng1dCI6IjdfWnVmMXR2a3dMeFlhSFMzcTZsVWpVWUlHdyIsImtpZCI6IjdfWnVmMXR2a3dMeFlhSFMzcTZsVWpVWUlHdyJ9.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.UJQrCA6qn2bXq57qzGX_-D3HcPHqBMOKDPx4su1yKRLNErVD8xkxJLNLVRdASHqEcpyDctbdHccu6DPpkq5f0ibcaQFhejQNcABidJCTz0Bb2AbdUCTqAzdt9pdgQvMBnVH1xk3SCM6d4BbT4BkLLj10ZLasX7vRknaSjE_C5DI7Fg4WrZPwOhII1dB0HEZ_qpNaYXEiy-o94UJ94zCr07GgrqMsfYQqFR7kn-mn68AjvLcgwSfZvyR_yIK75S_K37vC3QryQ7cNoafDe9upql_6pB2ybMVlgWPs_DmbJ8g0om-sPlwyn74Cc1tW3ze-Xptw_2uVdPgWyqfuWAfq6Q).
-### v2.0
+### Sample v2.0 ID token
``` eyJ0eXAiOiJKV1QiLCJhbGciOiJSUzI1NiIsImtpZCI6IjFMVE16YWtpaGlSbGFfOHoyQkVKVlhlV01xbyJ9.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.1AFWW-Ck5nROwSlltm7GzZvDwUkqvhSQpm55TQsmVo9Y59cLhRXpvB8n-55HCr9Z6G_31_UbeUkoz612I2j_Sm9FFShSDDjoaLQr54CreGIJvjtmS3EkK9a7SJBbcpL1MpUtlfygow39tFjY7EVNW9plWUvRrTgVk7lYLprvfzw-CIqw3gHC-T7IK_m_xkr08INERBtaecwhTeN4chPC4W3jdmw_lIxzC48YoQ0dB1L9-ImX98Egypfrlbm0IBL5spFzL6JDZIRRJOu8vecJvj1mq-IUhGt0MacxX8jdxYLP-KUu2d9MbNKpCKJuZ7p8gwTL5B7NlUdh_dmSviPWrw
eyJ0eXAiOiJKV1QiLCJhbGciOiJSUzI1NiIsImtpZCI6IjFMVE16YWtpaGlSbGFfOHoyQkVKVlhlV01x
View this v2.0 sample token in [jwt.ms](https://jwt.ms/#id_token=eyJ0eXAiOiJKV1QiLCJhbGciOiJSUzI1NiIsImtpZCI6IjFMVE16YWtpaGlSbGFfOHoyQkVKVlhlV01xbyJ9.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.1AFWW-Ck5nROwSlltm7GzZvDwUkqvhSQpm55TQsmVo9Y59cLhRXpvB8n-55HCr9Z6G_31_UbeUkoz612I2j_Sm9FFShSDDjoaLQr54CreGIJvjtmS3EkK9a7SJBbcpL1MpUtlfygow39tFjY7EVNW9plWUvRrTgVk7lYLprvfzw-CIqw3gHC-T7IK_m_xkr08INERBtaecwhTeN4chPC4W3jdmw_lIxzC48YoQ0dB1L9-ImX98Egypfrlbm0IBL5spFzL6JDZIRRJOu8vecJvj1mq-IUhGt0MacxX8jdxYLP-KUu2d9MbNKpCKJuZ7p8gwTL5B7NlUdh_dmSviPWrw).
+All JWT claims listed below appear in both v1.0 and v2.0 tokens unless stated otherwise.
+ ### Header claims
+The table below shows header claims present in ID tokens.
+ |Claim | Format | Description | |--|--|-| |`typ` | String - always "JWT" | Indicates that the token is a JWT token.|
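Review bot: the new header-claims table lists only `typ`, but the sample tokens above carry more. The v1.0 header decodes to `{"typ":"JWT","alg":"RS256","x5t":"7_Zuf1tvkwLxYaHS3q6lUjUYIGw","kid":"7_Zuf1tvkwLxYaHS3q6lUjUYIGw"}` and the v2.0 header to `{"typ":"JWT","alg":"RS256","kid":"1LTMzakihiRla_8z2BEJVXeWMqo"}`. `alg` and `kid` are exactly what a validator uses to select the signing key from the discovery document's `jwks_uri`, so they belong in the table, with `x5t` marked as v1.0-only. The leading space in `+ ### Header claims` will also stop the heading from rendering as a heading.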
View this v2.0 sample token in [jwt.ms](https://jwt.ms/#id_token=eyJ0eXAiOiJKV1Q
### Payload claims
-This list shows the JWT claims that are in most id_tokens by default (except where noted). However, your app can use [optional claims](active-directory-optional-claims.md) to request additional JWT claims in the id_token. These can range from the `groups` claim to information about the user's name.
+The table below shows the claims that are in most ID tokens by default (except where noted). However, your app can use [optional claims](active-directory-optional-claims.md) to request more claims in the ID token. Optional claims can range from the `groups` claim to information about the user's name.
|Claim | Format | Description | |--|--|-|
-|`aud` | String, an App ID URI | Identifies the intended recipient of the token. In `id_tokens`, the audience is your app's Application ID, assigned to your app in the Azure portal. Your app should validate this value, and reject the token if the value does not match. |
-|`iss` | String, an STS URI | Identifies the security token service (STS) that constructs and returns the token, and the Azure AD tenant in which the user was authenticated. If the token was issued by the v2.0 endpoint, the URI will end in `/v2.0`. The GUID that indicates that the user is a consumer user from a Microsoft account is `9188040d-6c67-4c5b-b112-36a304b66dad`. Your app should use the GUID portion of the claim to restrict the set of tenants that can sign in to the app, if applicable. |
+|`aud` | String, an App ID GUID | Identifies the intended recipient of the token. In `id_tokens`, the audience is your app's Application ID, assigned to your app in the Azure portal. This value should be validated. The token should be rejected if it fails to match your app's Application ID. |
+|`iss` | String, an issuer URI | Identifies the issuer, or "authorization server" that constructs and returns the token. It also identifies the Azure AD tenant for which the user was authenticated. If the token was issued by the v2.0 endpoint, the URI will end in `/v2.0`. The GUID that indicates that the user is a consumer user from a Microsoft account is `9188040d-6c67-4c5b-b112-36a304b66dad`. Your app should use the GUID portion of the claim to restrict the set of tenants that can sign in to the app, if applicable. |
|`iat` | int, a UNIX timestamp | "Issued At" indicates when the authentication for this token occurred. | |`idp`|String, usually an STS URI | Records the identity provider that authenticated the subject of the token. This value is identical to the value of the Issuer claim unless the user account not in the same tenant as the issuer - guests, for instance. If the claim isn't present, it means that the value of `iss` can be used instead. For personal accounts being used in an organizational context (for instance, a personal account invited to an Azure AD tenant), the `idp` claim may be 'live.com' or an STS URI containing the Microsoft account tenant `9188040d-6c67-4c5b-b112-36a304b66dad`. | |`nbf` | int, a UNIX timestamp | The "nbf" (not before) claim identifies the time before which the JWT MUST NOT be accepted for processing.|
-|`exp` | int, a UNIX timestamp | The "exp" (expiration time) claim identifies the expiration time on or after which the JWT MUST NOT be accepted for processing. It's important to note that a resource may reject the token before this time as well - if, for example, a change in authentication is required or a token revocation has been detected. |
-| `c_hash`| String |The code hash is included in ID tokens only when the ID token is issued with an OAuth 2.0 authorization code. It can be used to validate the authenticity of an authorization code. For details about performing this validation, see the [OpenID Connect specification](https://openid.net/specs/openid-connect-core-1_0.html). |
-|`at_hash`| String |The access token hash is included in ID tokens only when the ID token is issued from the `/authorize` endpoint with an OAuth 2.0 access token. It can be used to validate the authenticity of an access token. For details about performing this validation, see the [OpenID Connect specification](https://openid.net/specs/openid-connect-core-1_0.html#HybridIDToken). This is not returned on ID tokens from the `/token` endpoint. |
+|`exp` | int, a UNIX timestamp | The "exp" (expiration time) claim identifies the expiration time on or after which the JWT MUST NOT be accepted for processing. It's important to note that in certain circumstances, a resource may reject the token before this time. Fo example, if a change in authentication is required or a token revocation has been detected. |
+| `c_hash`| String |The code hash is included in ID tokens only when the ID token is issued with an OAuth 2.0 authorization code. It can be used to validate the authenticity of an authorization code. To understand how to do this validation, see the [OpenID Connect specification](https://openid.net/specs/openid-connect-core-1_0.html#HybridIDToken). |
+|`at_hash`| String |The access token hash is included in ID tokens only when the ID token is issued from the `/authorize` endpoint with an OAuth 2.0 access token. It can be used to validate the authenticity of an access token. To understand how to do this validation, see the [OpenID Connect specification](https://openid.net/specs/openid-connect-core-1_0.html#HybridIDToken). This is not returned on ID tokens from the `/token` endpoint. |
|`aio` | Opaque String | An internal claim used by Azure AD to record data for token reuse. Should be ignored.|
-|`preferred_username` | String | The primary username that represents the user. It could be an email address, phone number, or a generic username without a specified format. Its value is mutable and might change over time. Since it is mutable, this value must not be used to make authorization decisions. The `profile` scope is required to receive this claim.|
+|`preferred_username` | String | The primary username that represents the user. It could be an email address, phone number, or a generic username without a specified format. Its value is mutable and might change over time. Since this value can be changed, it must not be used to make authorization decisions. The `profile` scope is required to receive this claim.|
|`email` | String | The `email` claim is present by default for guest accounts that have an email address. Your app can request the email claim for managed users (those from the same tenant as the resource) using the `email` [optional claim](active-directory-optional-claims.md). On the v2.0 endpoint, your app can also request the `email` OpenID Connect scope - you don't need to request both the optional claim and the scope to get the claim. The email claim only supports addressable mail from the user's profile information. |
-|`name` | String | The `name` claim provides a human-readable value that identifies the subject of the token. The value isn't guaranteed to be unique, it is mutable, and it's designed to be used only for display purposes. The `profile` scope is required to receive this claim. |
+|`name` | String | The `name` claim provides a human-readable value that identifies the subject of the token. The value isn't guaranteed to be unique, it can be changed, and it's designed to be used only for display purposes. The `profile` scope is required to receive this claim. |
|`nonce`| String | The nonce matches the parameter included in the original /authorize request to the IDP. If it does not match, your application should reject the token. | |`oid` | String, a GUID | The immutable identifier for an object in the Microsoft identity system, in this case, a user account. This ID uniquely identifies the user across applications - two different applications signing in the same user will receive the same value in the `oid` claim. The Microsoft Graph will return this ID as the `id` property for a given user account. Because the `oid` allows multiple apps to correlate users, the `profile` scope is required to receive this claim. Note that if a single user exists in multiple tenants, the user will contain a different object ID in each tenant - they're considered different accounts, even though the user logs into each account with the same credentials. The `oid` claim is a GUID and cannot be reused. | |`roles`| Array of strings | The set of roles that were assigned to the user who is logging in. | |`rh` | Opaque String |An internal claim used by Azure to revalidate tokens. Should be ignored. | |`sub` | String | The principal about which the token asserts information, such as the user of an app. This value is immutable and cannot be reassigned or reused. The subject is a pairwise identifier - it is unique to a particular application ID. If a single user signs into two different apps using two different client IDs, those apps will receive two different values for the subject claim. This may or may not be wanted depending on your architecture and privacy requirements. | |`tid` | String, a GUID | A GUID that represents the Azure AD tenant that the user is from. For work and school accounts, the GUID is the immutable tenant ID of the organization that the user belongs to. For personal accounts, the value is `9188040d-6c67-4c5b-b112-36a304b66dad`. The `profile` scope is required to receive this claim. |
-|`unique_name` | String | Provides a human readable value that identifies the subject of the token. This value is unique at any given point in time, but as emails and other identifiers can be reused, this value can reappear on other accounts, and should therefore be used only for display purposes. Only issued in v1.0 `id_tokens`. |
+|`unique_name` | String | Provides a human readable value that identifies the subject of the token. This value is unique at any given point in time, but as emails and other identifiers can be reused, this value can reappear on other accounts. As such, the value should be used only for display purposes. Only issued in v1.0 `id_tokens`. |
|`uti` | Opaque String | An internal claim used by Azure to revalidate tokens. Should be ignored. | |`ver` | String, either 1.0 or 2.0 | Indicates the version of the id_token. | |`hasgroups`|Boolean|If present, always true, denoting the user is in at least one group. Used in place of the groups claim for JWTs in implicit grant flows if the full groups claim would extend the URI fragment beyond the URL length limits (currently 6 or more groups). Indicates that the client should use the Microsoft Graph API to determine the user's groups (`https://graph.microsoft.com/v1.0/users/{userID}/getMemberObjects`).|
-|`groups:src1`|JSON object | For token requests that are not length limited (see `hasgroups` above) but still too large for the token, a link to the full groups list for the user will be included. For JWTs as a distributed claim, for SAML as a new claim in place of the `groups` claim. <br><br>**Example JWT Value**: <br> `"groups":"src1"` <br> `"_claim_sources`: `"src1" : { "endpoint" : "https://graph.microsoft.com/v1.0/users/{userID}/getMemberObjects" }`<br><br> For more info, see [Groups overage claim](#groups-overage-claim).|
-
-> [!NOTE]
-> The v1.0 and v2.0 id_token have differences in the amount of information they will carry as seen from the examples above. The version is based on the endpoint from where it was requested. While existing applications likely use the Azure AD endpoint, new applications should use the "Microsoft identity platform".
->
-> - v1.0: Azure AD endpoints: `https://login.microsoftonline.com/common/oauth2/authorize`
-> - v2.0: Microsoft identity Platform endpoints: `https://login.microsoftonline.com/common/oauth2/v2.0/authorize`
+|`groups:src1`|JSON object | For token requests that are not limited in length (see `hasgroups` above) but still too large for the token, a link to the full groups list for the user will be included. For JWTs as a distributed claim, for SAML as a new claim in place of the `groups` claim. <br><br>**Example JWT Value**: <br> `"groups":"src1"` <br> `"_claim_sources`: `"src1" : { "endpoint" : "https://graph.microsoft.com/v1.0/users/{userID}/getMemberObjects" }`<br><br> For more info, see [Groups overage claim](#groups-overage-claim).|
### Using claims to reliably identify a user (Subject and Object ID)
-When identifying a user (say, looking them up in a database, or deciding what permissions they have), it's critical to use information that will remain constant and unique across time. Legacy applications sometimes use fields like the email address, a phone number, or the UPN. All of these can change over time, and can also be reused over time - when an employee changes their name, or an employee is given an email address that matches that of a previous, no longer present employee). Thus, it is **critical** that your application not use human-readable data to identify a user - human readable generally means someone will read it, and want to change it. Instead, use the claims provided by the OIDC standard, or the extension claims provided by Microsoft - the `sub` and `oid` claims.
+When identifying a user (say, looking them up in a database, or deciding what permissions they have), it's critical to use information that will remain constant and unique across time. Legacy applications sometimes use fields like the email address, a phone number, or the UPN. All of these can change over time, and can also be reused over time . For example, when an employee changes their name, or an employee is given an email address that matches that of a previous, no longer present employee. Therefore, it is **critical** that your application not use human-readable data to identify a user - human readable generally means someone will read it, and want to change it. Instead, use the claims provided by the OIDC standard, or the extension claims provided by Microsoft - the `sub` and `oid` claims.
-To correctly store information per-user, use `sub` or `oid` alone (which as GUIDs are unique), with `tid` used for routing or sharding if needed. If you need to share data across services, `oid`+`tid` is best as all apps get the same `oid` and `tid` claims for a given user. The `sub` claim in the Microsoft identity platform is "pair-wise" - it is unique based on a combination of the token recipient, tenant, and user. Thus, two apps that request ID tokens for a given user will receive different `sub` claims, but the same `oid` claims for that user.
+To correctly store information per-user, use `sub` or `oid` alone (which as GUIDs are unique), with `tid` used for routing or sharding if needed. If you need to share data across services, `oid`+`tid` is best as all apps get the same `oid` and `tid` claims for a given user. The `sub` claim in the Microsoft identity platform is "pair-wise" - it is unique based on a combination of the token recipient, tenant, and user. Therefore, two apps that request ID tokens for a given user will receive different `sub` claims, but the same `oid` claims for that user.
>[!NOTE] > Do not use the `idp` claim to store information about a user in an attempt to correlate users across tenants. It will not function, as the `oid` and `sub` claims for a user change across tenants, by design, to ensure that applications cannot track users across tenants.
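Review bot: "use `sub` or `oid` alone (which as GUIDs are unique)" is wrong for `sub`; the claims table in this same hunk describes `sub` as a plain string that is pairwise per application, and only `oid` as a GUID. Suggest "use `oid` (a GUID) or `sub` (an opaque, pairwise string); both are immutable and unique". In the table itself, the `exp` row has the typo "Fo example", the `aud` row still says "In `id_tokens`" while the article was otherwise moved to "ID tokens", and in the "Using claims" paragraph "can also be reused over time . For example, when ..." has a stray space before the period followed by a sentence fragment; join them: "... can also be reused over time, for example when an employee changes their name, or ...".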
To ensure that the token size doesn't exceed HTTP header size limits, Azure AD l
## ID token lifetime
-By default, an ID token is valid for 1 hour - after 1 hour, the client must acquire a new ID token.
+By default, an ID token is valid for one hour - after one hour, the client must acquire a new ID token.
-You can adjust the lifetime of an ID token to control how often the client application expires the application session, and how often it requires the user to re-authenticate (either silently or interactively). For more information, read [Configurable token lifetimes](active-directory-configurable-token-lifetimes.md).
+You can adjust the lifetime of an ID token to control how often the client application expires the application session, and how often it requires the user to re-authenticate either silently or interactively. For more information, read [Configurable token lifetimes](active-directory-configurable-token-lifetimes.md).
-## Validating an id_token
+## Validating an ID token
-Validating an `id_token` is similar to the first step of [validating an access token](access-tokens.md#validating-tokens) - your client can validate that the correct issuer has sent back the token and that it hasn't been tampered with. Because `id_tokens` are always a JWT token, many libraries exist to validate these tokens - we recommend you use one of these rather than doing it yourself. Note that only confidential clients (those with a secret) should validate ID tokens. Public applications (code running entirely on a device or network you don't control - for instance, a user's browser or their home network) don't benefit from validating the ID token, as a malicious user can intercept and edit the keys used for validation of the token.
+Validating an ID token is similar to the first step of [validating an access token](access-tokens.md#validating-tokens). Your client can check whether the token has been tampered with. It can also validate the issuer to ensure that the correct issuer has sent back the token. Because ID tokens are always a JWT token, many libraries exist to validate these tokens - we recommend you use one of these rather than doing it yourself. Note that only confidential clients (those with a secret) should validate ID tokens. Public applications (code running entirely on a device or network you don't control such as a user's browser or their home network) don't benefit from validating the ID token. This is because a malicious user can intercept and edit the keys used for validation of the token.
-To manually validate the token, see the steps details in [validating an access token](access-tokens.md#validating-tokens). After validating the signature on the token, the following JWT claims should be validated in the id_token (these may also be done by your token validation library):
+To manually validate the token, see the steps details in [validating an access token](access-tokens.md#validating-tokens). The following JWT claims should be validated in the ID token After validating the signature on the token. These claims may also be validated by your token validation library:
* Timestamps: the `iat`, `nbf`, and `exp` timestamps should all fall before or after the current time, as appropriate. * Audience: the `aud` claim should match the app ID for your application.
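Review bot: "The following JWT claims should be validated in the ID token After validating the signature on the token." reads as two clauses glued together; suggest "After validating the signature, validate the following claims in the ID token (your token validation library may do this for you):". The bullet list that follows should also include the `nonce` check, which the `nonce` row in the claims table already says must cause rejection on mismatch, and the `iss`/`tid` tenant check the `iss` row describes; otherwise the validation section is weaker than the claims reference above it. Minor: "always a JWT token" is redundant, "always JWTs" is enough.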
To manually validate the token, see the steps details in [validating an access t
## Next steps * Learn about [access tokens](access-tokens.md)
-* Customize the JWT claims in your id_token using [optional claims](active-directory-optional-claims.md).
+* Customize the JWT claims in your ID token using [optional claims](active-directory-optional-claims.md).
active-directory Migrate Python Adal Msal https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/active-directory/develop/migrate-python-adal-msal.md
This article highlights changes you need to make to migrate an app that uses the Azure Active Directory Authentication Library (ADAL) to use the Microsoft Authentication Library (MSAL).
+You can learn more about MSAL and get started with an [overview of the Microsoft Authentication Library](msal-overview.md).
+ ## Difference highlights ADAL works with the Azure Active Directory (Azure AD) v1.0 endpoint. The Microsoft Authentication Library (MSAL) works with the Microsoft identity platform--formerly known as the Azure Active Directory v2.0 endpoint. The Microsoft identity platform differs from Azure AD v1.0 in that it:
active-directory Tutorial V2 Angular https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/active-directory/develop/tutorial-v2-angular.md
npm install -g @angular/cli@8 # Install the Angular CLI
ng new my-application --routing=true --style=css # Generate a new Angular app cd my-application # Change to the app directory npm install @angular/material@8 @angular/cdk@8 # Install the Angular Material component library (optional, for UI)
-npm install msal @azure/msal-angular # Install MSAL and MSAL Angular in your application
+npm install msal @azure/msal-angular@1 # Install MSAL and MSAL Angular in your application
ng generate component page-name # To add a new page (such as a home or profile page) ```
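Review bot: pinning `@azure/msal-angular@1` is the right fix, since an unpinned install now resolves to the v2 line, which is built on `@azure/msal-browser` rather than on the `msal` package installed in the same command, and the tutorial's imports would fail. For the same reason pin `msal@1` on the same line and state in the text which major versions the tutorial targets, so the step stays reproducible.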
active-directory V2 Oauth2 Auth Code Flow https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/active-directory/develop/v2-oauth2-auth-code-flow.md
client_id=6731de76-14a6-49ae-97bc-6eba6914391e
``` > [!TIP]
-> Click the link below to execute this request! After signing in, your browser should be redirected to `https://localhost/myapp/` with a `code` in the address bar.
+> Click the link below to execute this request! After signing in, your browser should be redirected to `http://localhost/myapp/` with a `code` in the address bar.
> <a href="https://login.microsoftonline.com/common/oauth2/v2.0/authorize?client_id=6731de76-14a6-49ae-97bc-6eba6914391e&response_type=code&redirect_uri=http%3A%2F%2Flocalhost%2Fmyapp%2F&response_mode=query&scope=openid%20offline_access%20https%3A%2F%2Fgraph.microsoft.com%2Fmail.read&state=12345" target="_blank">https://login.microsoftonline.com/common/oauth2/v2.0/authorize...</a> | Parameter | Required/optional | Description |
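Review bot: the `https://` to `http://localhost/myapp/` correction in the tip matches the `redirect_uri=http%3A%2F%2Flocalhost%2Fmyapp%2F` encoded in the link below it, so the two now agree. Worth one sentence noting that plain `http` is acceptable here only because the redirect targets the loopback host for a sample; redirect URIs registered for anything other than localhost must use `https`.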
client_id=6731de76-14a6-49ae-97bc-6eba6914391e
| `tenant` | required | The `{tenant}` value in the path of the request can be used to control who can sign into the application. The allowed values are `common`, `organizations`, `consumers`, and tenant identifiers. For more detail, see [protocol basics](active-directory-v2-protocols.md#endpoints). | | `client_id` | required | The **Application (client) ID** that the [Azure portal ΓÇô App registrations](https://go.microsoft.com/fwlink/?linkid=2083908) experience assigned to your app. | | `grant_type` | required | Must be `refresh_token` for this leg of the authorization code flow. |
-| `scope` | required | A space-separated list of scopes. The scopes requested in this leg must be equivalent to or a subset of the scopes requested in the original authorization_code request leg. If the scopes specified in this request span multiple resource server, then the Microsoft identity platform will return a token for the resource specified in the first scope. For a more detailed explanation of scopes, refer to [permissions, consent, and scopes](v2-permissions-and-consent.md). |
+| `scope` | optional | A space-separated list of scopes. The scopes requested in this leg must be equivalent to or a subset of the scopes requested in the original authorization_code request leg. If the scopes specified in this request span multiple resource server, then the Microsoft identity platform will return a token for the resource specified in the first scope. For a more detailed explanation of scopes, refer to [permissions, consent, and scopes](v2-permissions-and-consent.md). |
| `refresh_token` | required | The refresh_token that you acquired in the second leg of the flow. | | `client_secret` | required for web apps | The application secret that you created in the app registration portal for your app. It should not be used in a native app, because client_secrets can't be reliably stored on devices. It's required for web apps and web APIs, which have the ability to store the client_secret securely on the server side. This secret needs to be URL-Encoded. For more information, see the [URI Generic Syntax specification](https://tools.ietf.org/html/rfc3986#page-12). |
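Review bot: marking `scope` optional in the refresh_token leg matches RFC 6749 section 6, where the parameter is OPTIONAL and, when omitted, is treated as equal to the scope originally granted; the row should say what the Microsoft identity platform returns when it is omitted, because the following sentence ("the scopes requested in this leg must be equivalent to or a subset of ...") only covers the case where it is present. In the same rows, "span multiple resource server" should be "resource servers", and the `client_id` row still contains the mojibake `ΓÇô` where an en dash was intended.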
active-directory V2 Protocols Oidc https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/active-directory/develop/v2-protocols-oidc.md
Just receiving an id_token isn't always sufficient to authenticate the user; you
Not all apps benefit from verifying the ID token - native apps and single page apps, for instance, rarely benefit from validating the ID token. Someone with physical access to the device (or browser) can bypass the validation in many ways - from editing the web traffic to the device to provide fake tokens and keys to simply debugging the application to skip the validation logic. On the other hand, web apps and APIs using an ID token to authorization must validate the ID token carefully since they are gating access to data.
-Once you've validated the signature of the id_token, there are a few claims you'll be required to verify. See the [`id_token` reference](id-tokens.md) for more information, including [Validating Tokens](id-tokens.md#validating-an-id_token) and [Important Information About Signing Key Rollover](active-directory-signing-key-rollover.md). We recommend making use of a library for parsing and validating tokens - there is at least one available for most languages and platforms.
+Once you've validated the signature of the id_token, there are a few claims you'll be required to verify. See the [`id_token` reference](id-tokens.md) for more information, including [Validating Tokens](id-tokens.md#validating-an-id-token) and [Important Information About Signing Key Rollover](active-directory-signing-key-rollover.md). We recommend making use of a library for parsing and validating tokens - there is at least one available for most languages and platforms.
You may also wish to validate additional claims depending on your scenario. Some common validations include:
error=access_denied&error_description=the+user+canceled+the+authentication
For a description of possible error codes and recommended client responses, see [Error codes for authorization endpoint errors](#error-codes-for-authorization-endpoint-errors).
-When you have an authorization code and an ID token, you can sign the user in and get access tokens on their behalf. To sign the user in, you must validate the ID token [exactly as described](id-tokens.md#validating-an-id_token). To get access tokens, follow the steps described in [OAuth code flow documentation](v2-oauth2-auth-code-flow.md#redeem-a-code-for-an-access-token).
+When you have an authorization code and an ID token, you can sign the user in and get access tokens on their behalf. To sign the user in, you must validate the ID token [exactly as described](id-tokens.md#validating-an-id-token). To get access tokens, follow the steps described in [OAuth code flow documentation](v2-oauth2-auth-code-flow.md#redeem-a-code-for-an-access-token).
### Calling the UserInfo endpoint
active-directory Delegate Invitations https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/active-directory/external-identities/delegate-invitations.md
Previously updated : 03/02/2021 Last updated : 05/19/2021
By default, all users, including guests, can invite guest users.
![Guest invite settings](./media/delegate-invitations/guest-invite-settings.png)
- - **Admins and users in the guest inviter role can invite**: To allow admins and users in the "Guest Inviter" role to invite guests, set this policy to **Yes**.
-
- - **Members can invite**: To allow non-admin members of your directory to invite guests, set this policy to **Yes**.
-
- - **Guests can invite**: To allow guests to invite other guests, set this policy to **Yes**.
-
- > [!NOTE]
- > If **Members can invite** is set to **No** and **Admins and users in the guest inviter role can invite** is set to **Yes**, users in the **Guest Inviter** role will still be able to invite guests.
-
-6. Under **Email one-time passcode for guests**, choose the appropriate settings (for more information, see [Email one-time passcode authentication](one-time-passcode.md)):
-
- - **Automatically enable email one-time passcode for guests in October 2021**. (Default) If the email one-time passcode feature is not already enabled for your tenant, it will be automatically turned on in October 2021. No further action is necessary if you want the feature enabled at that time. If you've already enabled or disabled the feature, this option will be unavailable.
-
- - **Enable email one-time passcode for guests effective now**. Turns on the email one-time passcode feature for your tenant.
-
- - **Disable email one-time passcode for guests**. Turns off the email one-time passcode feature for your tenant, and prevents the feature from turning on in October 2021.
-
- > [!NOTE]
- > Instead of the options above, you'll see the following toggle if you've enabled or disabled this feature or if you've previously opted in to the preview:
- >
- >![Enable Email one-time passcode opted in](media/delegate-invitations/enable-email-otp-opted-in.png)
-
-7. Under **Enable guest self-service sign up via user flows**, select **Yes** if you want to be able to create user flows that let users sign up for apps. For more information about this setting, see [Add a self-service sign-up user flow to an app](self-service-sign-up-user-flow.md).
+
+ - **Anyone in the organization can invite guest users including guests and non-admins (most inclusive)**: To allow guests to invite other guests, select this radio button.
+ - **Member users and users assigned to specific admin roles can invite guest users including guests with member permissions**: To allow non-admin members and administrators assigned particular roles to invite guests, select this radio button.
+ - **Only users assigned to specific admin roles can invite guest users**: To only allow specific administrators to invite guests, select this radio button.
+ - **No one in the organization can invite guest users including admins (most restrictive)**: To restrict everyone within the organization from inviting guests, select this radio button.
+6. Under **Enable guest self-service sign up via user flows**, select **Yes** if you want to be able to create user flows that let users sign up for apps. For more information about this setting, see [Add a self-service sign-up user flow to an app](self-service-sign-up-user-flow.md).
![Self-service sign up via user flows setting](./media/delegate-invitations/self-service-sign-up-setting.png)
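Review bot: the descriptive sentence for the first radio button does not match its label: the label reads "Anyone in the organization can invite guest users including guests and non-admins (most inclusive)", but the explanation only says "To allow guests to invite other guests"; reword it to cover the full scope, for example "To allow any member or guest, including non-admins, to invite guests", so readers understand this is the least restrictive setting. The hunk also deletes the entire "Email one-time passcode for guests" step (the three options and the note about the October 2021 automatic enablement) without leaving any pointer to where that setting is now documented; if it has moved, keep a link to one-time-passcode.md in this procedure. Finally, the old step 7 is renumbered to 6, so check that nothing else in the article refers to these steps by number.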
active-directory External Identities Pricing https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/active-directory/external-identities/external-identities-pricing.md
Previously updated : 05/05/2021 Last updated : 05/24/2021
An Azure AD tenant must be linked to an Azure subscription for proper billing an
7. In the Link a subscription pane, select a **Subscription** and a **Resource group**. Then select **Apply**. > [!NOTE]
- > If there are no subscriptions listed, you can [associate a subscription to your tenant](../fundamentals/active-directory-how-subscriptions-associated-directory.md). Or, you can add a new subscription by selecting the link **if you don't already have a subscription you may create one here**.
+ >
+ > * Your first 50,000 MAUs per month are free for both Premium P1 and Premium P2 features. To determine the total number of MAUs, we combine MAUs from all your tenants (both Azure AD and Azure AD B2C) that are linked to the same subscription.
+ >* If there are no subscriptions listed, you can [associate a subscription to your tenant](../fundamentals/active-directory-how-subscriptions-associated-directory.md). Or, you can add a new subscription by selecting the link **if you don't already have a subscription you may create one here**.
![Select a subscription and resource group](media/external-identities-pricing/link-subscription-resource.png)
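Review bot: inconsistent blockquote list syntax in the new note: the first bullet is written `> * Your first 50,000 MAUs…` with a space after `>`, while the second is `>* If there are no subscriptions…` with none; use `> *` for both so the renderer keeps them as one list inside the note. The free-tier sentence is also a billing fact that now sits inside a step about choosing a subscription and resource group; it would be easier to find above the numbered procedure, next to the sentence explaining why the tenant must be linked to a subscription.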
active-directory Active Directory Whatis https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/active-directory/fundamentals/active-directory-whatis.md
To better understand Azure AD and its documentation, we recommend reviewing the
|Identity| A thing that can get authenticated. An identity can be a user with a username and password. Identities also include applications or other servers that might require authentication through secret keys or certificates.| |Account| An identity that has data associated with it. You cannot have an account without an identity.| |Azure AD account| An identity created through Azure AD or another Microsoft cloud service, such as Microsoft 365. Identities are stored in Azure AD and accessible to your organization's cloud service subscriptions. This account is also sometimes called a Work or school account.|
-|Account Administrator|This classic subscription administrator role is conceptually the billing owner of a subscription. This role has access to the [Azure Account Center](https://account.azure.com/Subscriptions) and enables you to manage all subscriptions in an account. For more information, see [Classic subscription administrator roles, Azure roles, and Azure AD administrator roles](../../role-based-access-control/rbac-and-directory-admin-roles.md).|
+|Account Administrator|This classic subscription administrator role is conceptually the billing owner of a subscription. This role enables you to manage all subscriptions in an account. For more information, see [Classic subscription administrator roles, Azure roles, and Azure AD administrator roles](../../role-based-access-control/rbac-and-directory-admin-roles.md).|
|Service Administrator|This classic subscription administrator role enables you to manage all Azure resources, including access. This role has the equivalent access of a user who is assigned the Owner role at the subscription scope. For more information, see [Classic subscription administrator roles, Azure roles, and Azure AD administrator roles](../../role-based-access-control/rbac-and-directory-admin-roles.md).| |Owner|This role helps you manage all Azure resources, including access. This role is built on a newer authorization system called Azure role-based access control (Azure RBAC) that provides fine-grained access management to Azure resources. For more information, see [Classic subscription administrator roles, Azure roles, and Azure AD administrator roles](../../role-based-access-control/rbac-and-directory-admin-roles.md).| |Azure AD Global administrator|This administrator role is automatically assigned to whomever created the Azure AD tenant. Global administrators can do all of the administrative functions for Azure AD and any services that federate to Azure AD, such as Exchange Online, SharePoint Online, and Skype for Business Online. You can have multiple Global administrators, but only Global administrators can assign administrator roles (including assigning other Global administrators) to users. For more information about the various administrator roles, see [Administrator role permissions in Azure Active Directory](../roles/permissions-reference.md).|
active-directory Entitlement Management Logs And Reporting https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/active-directory/governance/entitlement-management-logs-and-reporting.md
na
ms.devlang: na Previously updated : 12/23/2020 Last updated : 5/19/2021
Use the following procedure to view events:
Each row includes the time, access package Id, the name of the operation, the object Id, UPN, and the display name of the user who started the operation. Additional details are included in JSON.
+1. If you would like to see if there have been changes to application role assignments for an application that were not due to access package assignments, such as by a global administrator directly assigning a user to an application roles, then you can select the workbook named *Application role assignment activity*.
+ ## Create custom Azure Monitor queries using the Azure portal You can create your own queries on Azure AD audit events, including entitlement management events.
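Review bot: grammar in the new step: "directly assigning a user to an application roles" should read "to an application role". The heading on the following line is run together with its paragraph ("## Create custom Azure Monitor queries using the Azure portal You can create your own queries…"); put the heading on its own line with a blank line after it, otherwise it will not render as a heading and the paragraph will be swallowed into it.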
active-directory Entitlement Management Request Approve https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/active-directory/governance/entitlement-management-request-approve.md
After you open an access request pending approval, you can see details that will
1. Click **Submit** to submit your decision.
- If a policy is configured with multiple approvers, only one approver needs to make a decision about the pending approval. After an approver has submitted their decision to the access request, the request is completed and is no longer available for the other approvers to approve or deny the request. The other approvers can see the request decision and the decision maker in their My Access portal. At this time, only single-stage approval is supported.
+ If a policy is configured with multiple approvers in a stage, only one approver needs to make a decision about the pending approval. After an approver has submitted their decision to the access request, the request is completed and is no longer available for the other approvers to approve or deny the request. The other approvers can see the request decision and the decision maker in their My Access portal.
- If none of the configured approvers are able to approve or deny the access request, the request expires after the configured request duration. The user gets notified that their access request has expired and that they need to resubmit the access request.
+ If none of the configured approvers in a stage are able to approve or deny the access request, the request expires after the configured request duration. The user gets notified that their access request has expired and that they need to resubmit the access request.
## Next steps
active-directory How To Connect Health Agent Install https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/active-directory/hybrid/how-to-connect-health-agent-install.md
If the Azure AD Connect Health for Sync agent registration fails after you succe
Manually register the Azure AD Connect Health agent for Sync by using the following PowerShell command. The Azure AD Connect Health services will start after the agent has been successfully registered.
-`Register-AzureADConnectHealthSyncAgent -AttributeFiltering $false -StagingMode $false`
+`Register-AzureADConnectHealthSyncAgent -AttributeFiltering $true -StagingMode $false`
The command takes following parameters:
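Review bot: flipping `-AttributeFiltering` from `$false` to `$true` changes what the recommended registration command does, but nothing in the visible text explains the switch. Since "The command takes following parameters:" introduces the parameter descriptions, make sure the `AttributeFiltering` entry states what `$true` enables and why it is now the recommended value; otherwise administrators who already registered with the old `$false` form cannot tell whether they need to re-register.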
active-directory Reference Connect Health Version History https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/active-directory/hybrid/reference-connect-health-version-history.md
The Azure Active Directory team regularly updates Azure AD Connect Health with n
Azure AD Connect Health for Sync is integrated with Azure AD Connect installation. Read more about [Azure AD Connect release history](./reference-connect-version-history.md) For feature feedback, vote at [Connect Health User Voice channel](https://feedback.azure.com/forums/169401-azure-active-directory/filters/new?category_id=165591)
+## May 2021
+**Agent Update**
+- Azure AD Connect Health agent for AD FS (version 3.1.99.0)
+ - Fix for low unique user count value in AD FS application activity report
+ - Fix for sign-ins with empty or default GUID CorrelationId
+ ## March 2021 **Agent Update**
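Review bot: the March 2021 line merges the heading and the bold label ("## March 2021 **Agent Update**"); split it onto two lines, as the new May 2021 entry above does, so the heading renders and the agent list stays under "Agent Update". It would also help to state which earlier agent version the two AD FS fixes (unique user count, empty or default GUID CorrelationId) apply to, so readers can tell whether their installed agent is affected.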
active-directory Reference Connect Version History https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/active-directory/hybrid/reference-connect-version-history.md
This hotfix build fixes an issue in build 1.5.20.0 if you have cloned the **In f
### New features and improvements - We updated Password Hash Sync for Azure AD Domain Services to properly account for padding in Kerberos hashes. This will provide a performance improvement during password synchronization from Azure AD to Azure AD Domain Services. - We added support for reliable sessions between the authentication agent and service bus.-- This release enforces TLS 1.2 for communication between authentication agent and cloud services. - We added a DNS cache for websocket connections between authentication agent and cloud services. - We added the ability to target specific agent from cloud to test for agent connectivity.
We fixed a bug in the sync errors compression utility that was not handling surr
## Next steps
-Learn more about [Integrating your on-premises identities with Azure Active Directory](whatis-hybrid-identity.md).
+Learn more about [Integrating your on-premises identities with Azure Active Directory](whatis-hybrid-identity.md).
active-directory Concept Identity Protection Risks https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/active-directory/identity-protection/concept-identity-protection-risks.md
These risks can be calculated in real-time or calculated offline using Microsoft
| New country | Offline | This detection is discovered by [Microsoft Cloud App Security (MCAS)](/cloud-app-security/anomaly-detection-policy#activity-from-infrequent-country). This detection considers past activity locations to determine new and infrequent locations. The anomaly detection engine stores information about previous locations used by users in the organization. | | Activity from anonymous IP address | Offline | This detection is discovered by [Microsoft Cloud App Security (MCAS)](/cloud-app-security/anomaly-detection-policy#activity-from-anonymous-ip-addresses). This detection identifies that users were active from an IP address that has been identified as an anonymous proxy IP address. | | Suspicious inbox forwarding | Offline | This detection is discovered by [Microsoft Cloud App Security (MCAS)](/cloud-app-security/anomaly-detection-policy#suspicious-inbox-forwarding). This detection looks for suspicious email forwarding rules, for example, if a user created an inbox rule that forwards a copy of all emails to an external address. |
-| Azure AD threat intelligence | This risk detection type indicates sign-in activity that is unusual for the given user or is consistent with known attack patterns based on Microsoft's internal and external threat intelligence sources. |
+| Azure AD threat intelligence | Offline | This risk detection type indicates sign-in activity that is unusual for the given user or is consistent with known attack patterns based on Microsoft's internal and external threat intelligence sources. |
### Other risk detections
Credentials are processed immediately after they have been found, normally in mu
## Next steps - [Policies available to mitigate risks](concept-identity-protection-policies.md)-- [Security overview](concept-identity-protection-security-overview.md)
+- [Security overview](concept-identity-protection-security-overview.md)
active-directory Managed Identity Best Practice Recommendations https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/active-directory/managed-identities-azure-resources/managed-identity-best-practice-recommendations.md
+
+ Title: Best practice recommendations for managed system identities
+description: Recommendations on when to use user-assigned versus system-assigned managed identities
+
+documentationcenter:
++
+editor:
++
+ms.devlang:
+
+
+ Last updated : 05/21/2021+++
+# Managed identity best practice recommendations
++
+## When to use system-assigned or user-assigned managed identities
+
+User-assigned managed identities are more efficient in a broader range of scenarios than system-assigned managed identities. See the table below for some scenarios and the recommendations for user-assigned or system-assigned.
+
+User-assigned identities can be used by multiple resources, and their life cycles are decoupled from the resourcesΓÇÖ life cycles with which theyΓÇÖre associated. [Read which resources support managed identities](https://aka.ms/managedidentitystatus).
+
+This life cycle allows you to separate your resource creation and identity administration responsibilities. User-assigned identities and their role assignments can be configured in advance of the resources that require them. Users who create the resources only require the access to assign a user-assigned identity, without the need to create new identities or role assignments.
+
+As system-assigned identities are created and deleted along with the resource, role assignments can't be created in advance. This sequence can cause failures while deploying infrastructure if the user creating the resource doesn't also have access to create role assignments.
+
+If your infrastructure requires that multiple resources require access to the same resources, a single user-assigned identity can be assigned to them. Administration overhead will be reduced, as there are fewer distinct identities and role assignments to manage.
+
+If you require that each resource has its own identity, or have resources that require a unique set of permissions and want the identity to be deleted as the resource is deleted, then you should use a system-assigned identity.
++
+| Scenario| Recommendation|Notes|
+||||
+| Rapid creation of resources (for example, ephemeral computing) with managed identities | User-assigned identity | If you attempt to create multiple managed identities in a short space of time ΓÇô for example, deploying multiple virtual machines each with their own system-assigned identity - you may exceed the rate limit for Azure Active Directory object creations, and the request will fail with a HTTP 429 error. <br/><br/>If resources are being created or deleted rapidly, you may also exceed the limit on the number of resources in Azure Active Directory if using system-assigned identities. While a deleted system-assigned identity is no longer accessible by any resource, it will count towards your limit until fully purged after 30 days.<br/><br/>Deploying the resources associated with a single user-assigned identity will require the creation of only one Service Principal in Azure Active Directory, avoiding the rate limit. Using a single identity that is created in advance will also reduce the risk of replication delays that could occur if multiple resources are created each with their own identity.<br/><br/>Read more about the [Azure subscription service limits](../../azure-resource-manager/management/azure-subscription-service-limits.md#managed-identity-limits). |
+| Replicated resources/applications | User-assigned identity | Resources that carry out the same task ΓÇô for example, duplicated web servers or identical functionality running in an app service and in an application on a virtual machine ΓÇô typically require the same permissions. <br/><br/>By using the same user-assigned identity, fewer role assignments are required which reduces the management overhead. The resources don't have to be of the same type.
+|Compliance| User-assigned identity | If your organization requires that all identity creation must go through an approval process, using a single user-assigned identity across multiple resources will require fewer approvals than system-assigned Identities, which are created as new resources are created. |
+Access required before a resource is deployed |User-assigned identity| Some resources may require access to certain Azure resources as part of their deployment.<br/><br/>In this case, a system-assigned identity may not be created in time so a pre-existing user-assigned identity should be used.|
+Audit Logging|System-assigned identity|If you need to log which specific resource carried out an action, rather than which identity, use a system-assigned identity.|
+Permissions Lifecycle Management|System-assigned identity|If you require that the permissions for a resource be removed along with the resource, use a system-assigned identity.
+
+**Using user-assigned identities to reduce administration**
+
+The diagrams demonstrate the difference between system-assigned and user-assigned identities, when used to allow several virtual machines to access two storage accounts.
+
+The diagram shows four virtual machines with system-assigned identities. Each virtual machine has the same role assignments that grants them access to two storage accounts.
++
+When a user-assigned identity is associated with the four virtual machines, only two role assignments are required, compared to eight with system-assigned identities. If the virtual machines' identity requires more role assignments, they'll be granted to all the resources associated with this identity.
++
+Security groups can also be used to reduce the number of role assignments that are required. This diagram shows four virtual machines with system-assigned identities, which have been added to a security group, with the role assignments added to the group instead of the system-assigned identities. While the result is similar, this configuration doesn't offer the same Resource Manager template capabilities as user-assigned identities.
++
+**Multiple Managed Identities**
+
+Resources that support managed identities can have both a system-assigned identity and one or more user-assigned identities.
+
+This model provides the flexibility to both use a shared user-assigned identity and apply granular permissions when needed.
+
+In the example below, ΓÇ£Virtual Machine 3ΓÇ¥ and ΓÇ£Virtual Machine 4ΓÇ¥ can access both storage accounts and key vaults, depending on which user-assigned identity they use while authenticating.
++
+In the example below, ΓÇ£Virtual Machine 4ΓÇ¥ has both a user-assigned identity, giving it access to both storage accounts and key vaults, depending on which identity is used while authenticating. The role assignments for the system-assigned identity are specific to that virtual machine.
++
+**Limits**
+
+View the limits for [managed identities](../../azure-resource-manager/management/azure-subscription-service-limits.md#azure-role-based-access-control-limits)
+and for [custom roles and role assignments](../../azure-resource-manager/management/azure-subscription-service-limits.md#azure-role-based-access-control-limits).
+
+**Maintenance**
+
+System-assigned identities are automatically deleted when the resource is deleted, while the lifecycle of a user-assigned identity is independent of any resources with which it's associated.
+
+You'll need to manually delete a user-assigned identity when it's no longer required, even if no resources are associated with it.
+
+Role assignments aren't automatically deleted when either system-assigned or user-assigned managed identities are deleted. These role assignments should be manually deleted so the limit of role assignments per subscription isn't exceeded.
+
+Role assignments that are associated with deleted managed identities
+will be displayed with ΓÇ£Identity not foundΓÇ¥ when viewed in the portal. [Read more](../../role-based-access-control/troubleshooting.md#role-assignments-with-identity-not-found).
+
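Review bot: the new article carries mojibake throughout: `ΓÇÖ` where an apostrophe belongs ("resourcesΓÇÖ", "theyΓÇÖre"), `ΓÇô` for the dashes in the scenario table, and `ΓÇ£`/`ΓÇ¥` around "Virtual Machine 3", "Virtual Machine 4" and "Identity not found"; the file appears to have been saved in the wrong encoding and should be re-saved as UTF-8 before merge. The scenario table is also malformed: the "Replicated resources/applications" row has no closing `|`, and the last three rows ("Access required before a resource is deployed", "Audit Logging", "Permissions Lifecycle Management") have no leading `|`, so the table may not render. Wording: "a HTTP 429 error" should be "an HTTP 429 error", and the sentence "Virtual Machine 4 has both a user-assigned identity" is missing its second item; the next sentence refers to the system-assigned identity, so it should read "both a system-assigned and a user-assigned identity". In the Limits section the "managed identities" link points at `#azure-role-based-access-control-limits`, the same anchor as the custom-roles link, while the table row above uses `#managed-identity-limits`, which looks like the intended target. Finally, the metadata title says "managed system identities" while the H1 is "Managed identity best practice recommendations", and no image references appear in the hunk even though the text says "The diagrams demonstrate…"; confirm the diagram files and their markdown made it into the commit.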
active-directory Howto Use Azure Monitor Workbooks https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/active-directory/reports-monitoring/howto-use-azure-monitor-workbooks.md
Previously updated : 10/30/2019 Last updated : 5/19/2021
Do you want to:
- Do you need to understand the impact of Conditional Access policies in your tenant? -- Would you like the ability to review: sign-in log queries, the workbook
-reports how many users were granted or denied access, as well as how many users bypassed
+- Would you like the ability to review: sign-in log queries, with a workbook
+that reports how many users were granted or denied access, as well as how many users bypassed
Conditional Access policies when accessing resources? -- Interested in developing a deeper understanding of: the workbook details per
-condition so that the impact of a policy can be contextualized per condition,
+- Interested in developing a deeper understanding of conditional access, with a workbook details per
+condition so that the impact of a policy can be contextualized per condition,
including device platform, device state, client app, sign-in risk, location, and application? -- Gain deeper insights into sign-in log queries, the workbook
-reports how many users were granted or denied access, as well as how many users bypassed
-Conditional Access policies when accessing resources.
+- Archive and report on more than one year of historical application role and [access package assignment activity](../governance/entitlement-management-logs-and-reporting.md)?
-- To help you to address these questions, Azure Active Directory provides workbooks for monitoring. [Azure Monitor workbooks](../../azure-monitor/visualize/workbooks-overview.md) combine text, analytics queries, metrics, and parameters into rich interactive reports.
+To help you to address these questions, Azure Active Directory provides workbooks for monitoring. [Azure Monitor workbooks](../../azure-monitor/visualize/workbooks-overview.md) combine text, analytics queries, metrics, and parameters into rich interactive reports.
To help you troubleshoot sign-ins, Azure Monitor gives you a breakdown by the fo
## Next steps
-[Create interactive reports by using Monitor workbooks](../../azure-monitor/visualize/workbooks-overview.md).
+* [Create interactive reports by using Monitor workbooks](../../azure-monitor/visualize/workbooks-overview.md).
+* [Create custom Azure Monitor queries using Azure PowerShell](../governance/entitlement-management-logs-and-reporting.md).
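Review bot: grammar in the rewritten bullet: "with a workbook details per condition" should be "with a workbook that gives details per condition". The new Next steps link text says "Create custom Azure Monitor queries using Azure PowerShell" but points at the entitlement-management-logs-and-reporting page, whose new heading in this same changeset is "Create custom Azure Monitor queries using the Azure portal"; either correct the link text or point the link at the specific section anchor. Minor: "Conditional Access" is capitalized elsewhere in this file, but the new bullet writes "conditional access".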
active-directory Airtable Tutorial https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/active-directory/saas-apps/airtable-tutorial.md
Previously updated : 12/16/2019 Last updated : 05/21/2021
In this tutorial, you'll learn how to integrate Airtable with Azure Active Direc
* Enable your users to be automatically signed-in to Airtable with their Azure AD accounts. * Manage your accounts in one central location - the Azure portal.
-To learn more about SaaS app integration with Azure AD, see [What is application access and single sign-on with Azure Active Directory](../manage-apps/what-is-single-sign-on.md).
- ## Prerequisites To get started, you need the following items:
To get started, you need the following items:
In this tutorial, you configure and test Azure AD SSO in a test environment.
-* Airtable supports **SP and IDP** initiated SSO
-* Airtable supports **Just In Time** user provisioning
-* Once you configure Airtable you can enforce session control, which protects exfiltration and infiltration of your organization's sensitive data in real time. Session control extends from Conditional Access. [Learn how to enforce session control with Microsoft Cloud App Security](/cloud-app-security/proxy-deployment-any-app).
+* Airtable supports **SP and IDP** initiated SSO.
+* Airtable supports **Just In Time** user provisioning.
> [!NOTE] > Identifier of this application is a fixed string value so only one instance can be configured in one tenant.
-## Adding Airtable from the gallery
+## Add Airtable from the gallery
To configure the integration of Airtable into Azure AD, you need to add Airtable from the gallery to your list of managed SaaS apps.
-1. Sign in to the [Azure portal](https://portal.azure.com) using either a work or school account, or a personal Microsoft account.
+1. Sign in to the Azure portal using either a work or school account, or a personal Microsoft account.
1. On the left navigation pane, select the **Azure Active Directory** service. 1. Navigate to **Enterprise Applications** and then select **All Applications**. 1. To add new application, select **New application**. 1. In the **Add from the gallery** section, type **Airtable** in the search box. 1. Select **Airtable** from results panel and then add the app. Wait a few seconds while the app is added to your tenant.
-## Configure and test Azure AD single sign-on for Airtable
+## Configure and test Azure AD SSO for Airtable
Configure and test Azure AD SSO with Airtable using a test user called **B.Simon**. For SSO to work, you need to establish a link relationship between an Azure AD user and the related user in Airtable.
-To configure and test Azure AD SSO with Airtable, complete the following building blocks:
+To configure and test Azure AD SSO with Airtable, perform the following steps:
1. **[Configure Azure AD SSO](#configure-azure-ad-sso)** - to enable your users to use this feature.
- * **[Create an Azure AD test user](#create-an-azure-ad-test-user)** - to test Azure AD single sign-on with B.Simon.
- * **[Assign the Azure AD test user](#assign-the-azure-ad-test-user)** - to enable B.Simon to use Azure AD single sign-on.
+ 1. **[Create an Azure AD test user](#create-an-azure-ad-test-user)** - to test Azure AD single sign-on with B.Simon.
+ 1. **[Assign the Azure AD test user](#assign-the-azure-ad-test-user)** - to enable B.Simon to use Azure AD single sign-on.
1. **[Configure Airtable SSO](#configure-airtable-sso)** - to configure the single sign-on settings on application side.
- * **[Create Airtable test user](#create-airtable-test-user)** - to have a counterpart of B.Simon in Airtable that is linked to the Azure AD representation of user.
+ 1. **[Create Airtable test user](#create-airtable-test-user)** - to have a counterpart of B.Simon in Airtable that is linked to the Azure AD representation of user.
1. **[Test SSO](#test-sso)** - to verify whether the configuration works. ## Configure Azure AD SSO Follow these steps to enable Azure AD SSO in the Azure portal.
-1. In the [Azure portal](https://portal.azure.com/), on the **Airtable** application integration page, find the **Manage** section and select **single sign-on**.
+1. In the Azure portal, on the **Airtable** application integration page, find the **Manage** section and select **single sign-on**.
1. On the **Select a single sign-on method** page, select **SAML**.
-1. On the **Set-up single sign-on with SAML** page, click the edit/pen icon for **Basic SAML Configuration** to edit the settings.
+1. On the **Set up single sign-on with SAML** page, click the pencil icon for **Basic SAML Configuration** to edit the settings.
![Edit Basic SAML Configuration](common/edit-urls.png) 1. On the **Basic SAML Configuration** section, the user does not have to perform any step as the app is already pre-integrated with Azure.
- ![Airtable Domain and URLs single sign-on information](common/preintegrated.png)
- 1. Click **Set additional URLs** and perform the following step if you wish to configure the application in **SP** initiated mode:
- In the **Sign-on URL** text box, type a URL:
+ In the **Sign-on URL** text box, type the URL:
`https://airtable.com/sso/login` 1. Click **Save**.
In this section, you'll enable B.Simon to use Azure single sign-on by granting a
1. In the Azure portal, select **Enterprise Applications**, and then select **All applications**. 1. In the applications list, select **Airtable**. 1. In the app's overview page, find the **Manage** section and select **Users and groups**.-
- ![The "Users and groups" link](common/users-groups-blade.png)
- 1. Select **Add user**, then select **Users and groups** in the **Add Assignment** dialog.-
- ![The Add User link](common/add-assign-user.png)
- 1. In the **Users and groups** dialog, select **B.Simon** from the Users list, then click the **Select** button at the bottom of the screen. 1. If you're expecting any role value in the SAML assertion, in the **Select Role** dialog, select the appropriate role for the user from the list and then click the **Select** button at the bottom of the screen. 1. In the **Add Assignment** dialog, click the **Assign** button.
In this section, a user called B.Simon is created in Airtable. Airtable supports
## Test SSO
-In this section, you test your Azure AD single sign-on configuration using the Access Panel.
+In this section, you test your Azure AD single sign-on configuration with following options.
+
+#### SP initiated:
+
+* Click on **Test this application** in Azure portal. This will redirect to Airtable Sign on URL where you can initiate the login flow.
+
+* Go to Airtable Sign-on URL directly and initiate the login flow from there.
-When you click the Airtable tile in the Access Panel, you should be automatically signed in to the Airtable for which you set up SSO. For more information about the Access Panel, see [Introduction to the Access Panel](../user-help/my-apps-portal-end-user-access.md).
+#### IDP initiated:
-## Additional resources
+* Click on **Test this application** in Azure portal and you should be automatically signed in to the Airtable for which you set up the SSO.
-- [ List of Tutorials on How to Integrate SaaS Apps with Azure Active Directory ](./tutorial-list.md)
+You can also use Microsoft My Apps to test the application in any mode. When you click the Airtable tile in the My Apps, if configured in SP mode you would be redirected to the application sign-on page for initiating the login flow and if configured in IDP mode, you should be automatically signed in to the Airtable for which you set up the SSO. For more information about the My Apps, see [Introduction to the My Apps](../user-help/my-apps-portal-end-user-access.md).
-- [What is application access and single sign-on with Azure Active Directory? ](../manage-apps/what-is-single-sign-on.md)
+## Next steps
-- [What is conditional access in Azure Active Directory?](../conditional-access/overview.md)-- [What is session control in Microsoft Cloud App Security?](/cloud-app-security/proxy-intro-aad)-- [Try Airtable with Azure AD](https://aad.portal.azure.com/)
+Once you configure Airtable you can enforce session control, which protects exfiltration and infiltration of your organizationΓÇÖs sensitive data in real time. Session control extends from Conditional Access. [Learn how to enforce session control with Microsoft Cloud App Security](/cloud-app-security/proxy-deployment-aad).
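Review bot: the new Next steps paragraph (`+Once you configure Airtable ...`) contains a mis-encoded apostrophe in "organizationΓÇÖs" and says session control "protects exfiltration and infiltration", which states the opposite of the intended protection; use "protects against exfiltration and infiltration of your organization's sensitive data". In the same hunk the new `+#### SP initiated:` and `+#### IDP initiated:` subheadings jump from the H2 `## Test SSO` straight to H4 (use `###`), and "with following options" and "Introduction to the My Apps" read better as "with the following options" and "Introduction to My Apps".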
active-directory Brightidea Tutorial https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/active-directory/saas-apps/brightidea-tutorial.md
Previously updated : 01/23/2019 Last updated : 05/19/2021 # Tutorial: Azure Active Directory integration with Brightidea
-In this tutorial, you learn how to integrate Brightidea with Azure Active Directory (Azure AD).
-Integrating Brightidea with Azure AD provides you with the following benefits:
+In this tutorial, you'll learn how to integrate Brightidea with Azure Active Directory (Azure AD). When you integrate Brightidea with Azure AD, you can:
-* You can control in Azure AD who has access to Brightidea.
-* You can enable your users to be automatically signed-in to Brightidea (Single Sign-On) with their Azure AD accounts.
-* You can manage your accounts in one central location - the Azure portal.
-
-If you want to know more details about SaaS app integration with Azure AD, see [What is application access and single sign-on with Azure Active Directory](../manage-apps/what-is-single-sign-on.md).
-If you don't have an Azure subscription, [create a free account](https://azure.microsoft.com/free/) before you begin.
+* Control in Azure AD who has access to Brightidea.
+* Enable your users to be automatically signed-in to Brightidea with their Azure AD accounts.
+* Manage your accounts in one central location - the Azure portal.
## Prerequisites
-To configure Azure AD integration with Brightidea, you need the following items:
+To get started, you need the following items:
-* An Azure AD subscription. If you don't have an Azure AD environment, you can get one-month trial [here](https://azure.microsoft.com/pricing/free-trial/)
-* Brightidea single sign-on enabled subscription
+* An Azure AD subscription. If you don't have a subscription, you can get a [free account](https://azure.microsoft.com/free/).
+* Brightidea single sign-on (SSO) enabled subscription.
## Scenario description In this tutorial, you configure and test Azure AD single sign-on in a test environment.
+* Brightidea supports **SP and IDP** initiated SSO.
+* Brightidea supports **Just In Time** user provisioning.
-* Brightidea supports **SP and IDP** initiated SSO
-* Brightidea supports **Just In Time** user provisioning
-
+> [!NOTE]
+> Identifier of this application is a fixed string value so only one instance can be configured in one tenant.
-## Adding Brightidea from the gallery
+## Add Brightidea from the gallery
To configure the integration of Brightidea into Azure AD, you need to add Brightidea from the gallery to your list of managed SaaS apps.
-**To add Brightidea from the gallery, perform the following steps:**
-
-1. In the **[Azure portal](https://portal.azure.com)**, on the left navigation panel, click **Azure Active Directory** icon.
-
- ![The Azure Active Directory button](common/select-azuread.png)
-
-2. Navigate to **Enterprise Applications** and then select the **All Applications** option.
-
- ![The Enterprise applications blade](common/enterprise-applications.png)
-
-3. To add new application, click **New application** button on the top of dialog.
-
- ![The New application button](common/add-new-app.png)
-
-4. In the search box, type **Brightidea**, select **Brightidea** from result panel then click **Add** button to add the application.
-
- ![Brightidea in the results list](common/search-new-app.png)
-
-## Configure and test Azure AD single sign-on
-
-In this section, you configure and test Azure AD single sign-on with Brightidea based on a test user called **Britta Simon**.
-For single sign-on to work, a link relationship between an Azure AD user and the related user in Brightidea needs to be established.
-
-To configure and test Azure AD single sign-on with Brightidea, you need to complete the following building blocks:
+1. Sign in to the Azure portal using either a work or school account, or a personal Microsoft account.
+1. On the left navigation pane, select the **Azure Active Directory** service.
+1. Navigate to **Enterprise Applications** and then select **All Applications**.
+1. To add new application, select **New application**.
+1. In the **Add from the gallery** section, type **Brightidea** in the search box.
+1. Select **Brightidea** from results panel and then add the app. Wait a few seconds while the app is added to your tenant.
-1. **[Configure Azure AD Single Sign-On](#configure-azure-ad-single-sign-on)** - to enable your users to use this feature.
-2. **[Configure Brightidea Single Sign-On](#configure-brightidea-single-sign-on)** - to configure the Single Sign-On settings on application side.
-3. **[Create an Azure AD test user](#create-an-azure-ad-test-user)** - to test Azure AD single sign-on with Britta Simon.
-4. **[Assign the Azure AD test user](#assign-the-azure-ad-test-user)** - to enable Britta Simon to use Azure AD single sign-on.
-5. **[Create Brightidea test user](#create-brightidea-test-user)** - to have a counterpart of Britta Simon in Brightidea that is linked to the Azure AD representation of user.
-6. **[Test single sign-on](#test-single-sign-on)** - to verify whether the configuration works.
+## Configure and test Azure AD SSO for Brightidea
-### Configure Azure AD single sign-on
+Configure and test Azure AD SSO with Brightidea using a test user called **B.Simon**. For SSO to work, you need to establish a link relationship between an Azure AD user and the related user in Brightidea.
-In this section, you enable Azure AD single sign-on in the Azure portal.
+To configure and test Azure AD SSO with Brightidea, perform the following steps:
-To configure Azure AD single sign-on with Brightidea, perform the following steps:
+1. **[Configure Azure AD SSO](#configure-azure-ad-sso)** - to enable your users to use this feature.
+ 1. **[Create an Azure AD test user](#create-an-azure-ad-test-user)** - to test Azure AD single sign-on with B.Simon.
+ 1. **[Assign the Azure AD test user](#assign-the-azure-ad-test-user)** - to enable B.Simon to use Azure AD single sign-on.
+1. **[Configure Brightidea SSO](#configure-brightidea-sso)** - to configure the single sign-on settings on application side.
+ 1. **[Create Brightidea test user](#create-brightidea-test-user)** - to have a counterpart of B.Simon in Brightidea that is linked to the Azure AD representation of user.
+1. **[Test SSO](#test-sso)** - to verify whether the configuration works.
-1. In the [Azure portal](https://portal.azure.com/), on the **Brightidea** application integration page, select **Single sign-on**.
+## Configure Azure AD SSO
- ![Configure single sign-on link](common/select-sso.png)
+Follow these steps to enable Azure AD SSO in the Azure portal.
-2. On the **Select a Single sign-on method** dialog, select **SAML/WS-Fed** mode to enable single sign-on.
+1. In the Azure portal, on the **Brightidea** application integration page, find the **Manage** section and select **single sign-on**.
+1. On the **Select a single sign-on method** page, select **SAML**.
+1. On the **Set up single sign-on with SAML** page, click the pencil icon for **Basic SAML Configuration** to edit the settings.
- ![Single sign-on select mode](common/select-saml-option.png)
+ ![Edit Basic SAML Configuration](common/edit-urls.png)
-3. On the **Set up Single Sign-On with SAML** page, click **Edit** icon to open **Basic SAML Configuration** dialog.
-
- ![Edit Basic SAML Configuration](common/edit-urls.png)
-
-4. On the **Basic SAML Configuration** section, if you have **Service Provider metadata file** and wish to configure in **IDP** intiated mode perform the following steps:
+4. On the **Basic SAML Configuration** section, if you have **Service Provider metadata file** and wish to configure in **IDP** initiated mode perform the following steps:
a. Click **Upload metadata file**.
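Review bot: the Configure Azure AD SSO step list mixes numbering styles within this hunk: the rewritten steps `+1. In the Azure portal, on the **Brightidea** application integration page ...` through `+1. On the **Set up single sign-on with SAML** page ...` use the auto-numbered `1.` form adopted elsewhere in this change, while the retained `+4. On the **Basic SAML Configuration** section ...` keeps an explicit `4.` (with `5.` and `6.` following in the next hunks). Renumber the remaining steps as `1.` for consistency. Also, `+> Identifier of this application is a fixed string value so only one instance can be configured in one tenant.` should read "The identifier of this application is a fixed string value, so only one instance can be configured in one tenant", and `+1. Select **Brightidea** from results panel` is missing "the". The "intiated" to "initiated" typo fix is correct.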
To configure Azure AD single sign-on with Brightidea, perform the following step
c. After the metadata file is successfully uploaded, the **Identifier** and **Reply URL** values get auto populated in Brightidea section textbox:
- ![Screenshot shows the Basic SAML Configuration, where you can enter Identifier, Reply U R L, and select Save.](common/idp-intiated.png)
- > [!Note]
- > If the **Identifier** and **Reply URL** values do not get auto polulated, then fill in the values manually according to your requirement.
+ > If the **Identifier** and **Reply URL** values do not get auto populated, then fill in the values manually according to your requirement.
5. Click **Set additional URLs** and perform the following step if you wish to configure the application in **SP** initiated mode:
- ![Screenshot shows Set additional U R Ls where you can enter a Sign on U R L.](common/metadata-upload-additional-signon.png)
- In the **Sign-on URL** text box, type a URL using the following pattern: `https://<SUBDOMAIN>.brightidea.com`
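Review bot: the `- > [!Note]` line is removed but its body is kept as `+ > If the **Identifier** and **Reply URL** values do not get auto populated, ...`, so the text renders as a plain blockquote rather than a Note callout; restore a `> [!NOTE]` line above it (this change uses the uppercase `[!NOTE]` form elsewhere). The typo fix from "polulated" to "populated" is correct.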
To configure Azure AD single sign-on with Brightidea, perform the following step
6. On the **Set up Brightidea** section, copy the appropriate URL(s) as per your requirement.
- ![Copy configuration URLs](common/copy-configuration-urls.png)
+ ![Copy configuration URLs](common/copy-configuration-urls.png)
+
+### Create an Azure AD test user
+
+In this section, you'll create a test user in the Azure portal called B.Simon.
+
+1. From the left pane in the Azure portal, select **Azure Active Directory**, select **Users**, and then select **All users**.
+1. Select **New user** at the top of the screen.
+1. In the **User** properties, follow these steps:
+ 1. In the **Name** field, enter `B.Simon`.
+ 1. In the **User name** field, enter the username@companydomain.extension. For example, `B.Simon@contoso.com`.
+ 1. Select the **Show password** check box, and then write down the value that's displayed in the **Password** box.
+ 1. Click **Create**.
- a. Login URL
+### Assign the Azure AD test user
- b. Azure Ad Identifier
+In this section, you'll enable B.Simon to use Azure single sign-on by granting access to Brightidea.
- c. Logout URL
+1. In the Azure portal, select **Enterprise Applications**, and then select **All applications**.
+1. In the applications list, select **Brightidea**.
+1. In the app's overview page, find the **Manage** section and select **Users and groups**.
+1. Select **Add user**, then select **Users and groups** in the **Add Assignment** dialog.
+1. In the **Users and groups** dialog, select **B.Simon** from the Users list, then click the **Select** button at the bottom of the screen.
+1. If you are expecting a role to be assigned to the users, you can select it from the **Select a role** dropdown. If no role has been set up for this app, you see "Default Access" role selected.
+1. In the **Add Assignment** dialog, click the **Assign** button.
-### Configure Brightidea Single Sign-On
+## Configure Brightidea SSO
1. In a different web browser window, sign in to Brightidea using the administrator credentials. 2. To get to the SSO feature in your Brightidea system, navigate to **Enterprise Setup** -> **Authentication Tab**. There you will see two sub tabs: Auth Selection & SAML Profiles.
- ![Screenshot shows the Brightidea site with the Authentication tab selected.](./media/brightidea-tutorial/configure1.png)
+ ![Screenshot shows the Brightidea site with the Authentication tab selected.](./media/brightidea-tutorial/authentication.png)
3. Select **Auth Selection**. By default, it only shows two standard methods: Brightidea Login & Registration. When an SSO method added, it will show up in the list.
- ![Screenshot shows the Brightidea Authentication tab with Auth Selection selected.](./media/brightidea-tutorial/configure2.png)
+ ![Screenshot shows the Brightidea Authentication tab with Auth Selection selected.](./media/brightidea-tutorial/selection.png)
4. Select **SAML Profiles** and perform the following steps:
- ![Screenshot shows the Brightidea Authentication tab with SAML Profiles selected, which provides options to Download Metadata and Add New.](./media/brightidea-tutorial/configure3.png)
+ ![Screenshot shows the Brightidea Authentication tab with SAML Profiles selected, which provides options to Download Metadata and Add New.](./media/brightidea-tutorial/profile.png)
a. Click on the **Download Metadata** and upload at the **Basic SAML Configuration** section in the Azure portal. b. Click on the **Add New** button under the **Identity Provider Setting** and perform the following steps:
- ![Screenshot shows the Brightidea Identity Provider Setting where you enter information.](./media/brightidea-tutorial/configure4.png)
+ ![Screenshot shows the Brightidea Identity Provider Setting where you enter information.](./media/brightidea-tutorial/metadata.png)
* Enter the **SAML Profile Name** like e.g `Azure Ad SSO`
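Review bot: the screenshot paths at `+ ![Screenshot shows the Brightidea site with the Authentication tab selected.](./media/brightidea-tutorial/authentication.png)` and the three following `+` image lines rename configure1.png through configure4.png to authentication.png, selection.png, profile.png and metadata.png; confirm the renamed files are added under ./media/brightidea-tutorial/ in this change, otherwise all four images break. Separately, this hunk deletes the `- a. Login URL`, `- b. Azure Ad Identifier`, `- c. Logout URL` list without replacing it, so the retained step "copy the appropriate URL(s) as per your requirement" no longer says which values to copy; consider keeping the list (with "Azure AD Identifier" corrected).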
To configure Azure AD single sign-on with Brightidea, perform the following step
* In the **Screen Name** textbox, enter the value as `givenName`.
- * Click **Save Changes**.
-
-### Create an Azure AD test user
-
-The objective of this section is to create a test user in the Azure portal called Britta Simon.
+ * Click **Save Changes**.
-1. In the Azure portal, in the left pane, select **Azure Active Directory**, select **Users**, and then select **All users**.
-
- ![The "Users and groups" and "All users" links](common/users.png)
-
-2. Select **New user** at the top of the screen.
-
- ![New user Button](common/new-user.png)
-
-3. In the User properties, perform the following steps.
-
- ![The User dialog box](common/user-properties.png)
-
- a. In the **Name** field, enter **BrittaSimon**.
-
- b. In the **User name** field, type **brittasimon\@yourcompanydomain.extension**
- For example, BrittaSimon@contoso.com
-
- c. Select **Show password** check box, and then write down the value that's displayed in the Password box.
-
- d. Click **Create**.
-
-### Assign the Azure AD test user
-
-In this section, you enable Britta Simon to use Azure single sign-on by granting access to Brightidea.
-
-1. In the Azure portal, select **Enterprise Applications**, select **All applications**, then select **Brightidea**.
-
- ![Enterprise applications blade](common/enterprise-applications.png)
-
-2. In the applications list, select **Brightidea**.
-
- ![The Brightidea link in the Applications list](common/all-applications.png)
-
-3. In the menu on the left, select **Users and groups**.
-
- ![The "Users and groups" link](common/users-groups-blade.png)
-
-4. Click the **Add user** button, then select **Users and groups** in the **Add Assignment** dialog.
-
- ![The Add Assignment pane](common/add-assign-user.png)
-
-5. In the **Users and groups** dialog, select **Britta Simon** in the Users list, then click the **Select** button at the bottom of the screen.
+### Create Brightidea test user
-6. If you are expecting any role value in the SAML assertion then in the **Select Role** dialog select the appropriate role for the user from the list, then click the **Select** button at the bottom of the screen.
+In this section, a user called Britta Simon is created in Brightidea. Brightidea supports just-in-time user provisioning, which is enabled by default. There is no action item for you in this section. If a user doesn't already exist in Brightidea, a new one is created after authentication.
-7. In the **Add Assignment** dialog, click the **Assign** button.
+## Test SSO
-### Create Brightidea test user
+In this section, you test your Azure AD single sign-on configuration with following options.
-In this section, a user called Britta Simon is created in Brightidea. Brightidea supports just-in-time user provisioning, which is enabled by default. There is no action item for you in this section. If a user doesn't already exist in Brightidea, a new one is created after authentication.
+#### SP initiated:
-### Test single sign-on
+* Click on **Test this application** in Azure portal. This will redirect to Brightidea Sign on URL where you can initiate the login flow.
-In this section, you test your Azure AD single sign-on configuration using the Access Panel.
+* Go to Brightidea Sign-on URL directly and initiate the login flow from there.
-When you click the Brightidea tile in the Access Panel, you should be automatically signed in to the Brightidea for which you set up SSO. For more information about the Access Panel, see [Introduction to the Access Panel](../user-help/my-apps-portal-end-user-access.md).
+#### IDP initiated:
-## Additional Resources
+* Click on **Test this application** in Azure portal and you should be automatically signed in to the Brightidea for which you set up the SSO.
-- [List of Tutorials on How to Integrate SaaS Apps with Azure Active Directory](./tutorial-list.md)
+You can also use Microsoft My Apps to test the application in any mode. When you click the Brightidea tile in the My Apps, if configured in SP mode you would be redirected to the application sign on page for initiating the login flow and if configured in IDP mode, you should be automatically signed in to the Brightidea for which you set up the SSO. For more information about the My Apps, see [Introduction to the My Apps](../user-help/my-apps-portal-end-user-access.md).
-- [What is application access and single sign-on with Azure Active Directory?](../manage-apps/what-is-single-sign-on.md)
+## Next steps
-- [What is Conditional Access in Azure Active Directory?](../conditional-access/overview.md)
+Once you configure Brightidea you can enforce session control, which protects exfiltration and infiltration of your organizationΓÇÖs sensitive data in real time. Session control extends from Conditional Access. [Learn how to enforce session control with Microsoft Cloud App Security](/cloud-app-security/proxy-deployment-aad).
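Review bot: `+In this section, a user called Britta Simon is created in Brightidea.` names the test user Britta Simon while the rest of the rewritten tutorial (Configure and test, Create an Azure AD test user, Assign the Azure AD test user) uses **B.Simon**; use B.Simon here too so the Brightidea counterpart matches the Azure AD user. The Next steps line `+Once you configure Brightidea ...` has a mis-encoded apostrophe in "organizationΓÇÖs" and should say "protects against exfiltration and infiltration", and the `+#### SP initiated:` / `+#### IDP initiated:` headings skip from the H2 `## Test SSO` to H4 (use `###`).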
active-directory Cch Tagetik Tutorial https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/active-directory/saas-apps/cch-tagetik-tutorial.md
Previously updated : 05/15/2020 Last updated : 05/24/2021
In this tutorial, you'll learn how to integrate CCH Tagetik with Azure Active Di
* Enable your users to be automatically signed-in to CCH Tagetik with their Azure AD accounts. * Manage your accounts in one central location - the Azure portal.
-To learn more about SaaS app integration with Azure AD, see [What is application access and single sign-on with Azure Active Directory](../manage-apps/what-is-single-sign-on.md).
- ## Prerequisites To get started, you need the following items:
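Review bot: the last `-` line of this hunk reads `- ## Prerequisites To get started, you need the following items:`, so the `## Prerequisites` heading appears to be deleted together with the blank line that followed the removed "To learn more about SaaS app integration" sentence; confirm the heading survives in the file, since the prerequisites list that follows needs it.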
To get started, you need the following items:
In this tutorial, you configure and test Azure AD SSO in a test environment.
-* CCH Tagetik supports **SP and IDP** initiated SSO
-* CCH Tagetik supports **Just In Time** user provisioning
-* Once you configure CCH Tagetik you can enforce session control, which protect exfiltration and infiltration of your organizationΓÇÖs sensitive data in real-time. Session control extend from Conditional Access. [Learn how to enforce session control with Microsoft Cloud App Security](/cloud-app-security/proxy-deployment-any-app).
+* CCH Tagetik supports **SP and IDP** initiated SSO.
+* CCH Tagetik supports **Just In Time** user provisioning.
-## Adding CCH Tagetik from the gallery
+## Add CCH Tagetik from the gallery
To configure the integration of CCH Tagetik into Azure AD, you need to add CCH Tagetik from the gallery to your list of managed SaaS apps.
-1. Sign in to the [Azure portal](https://portal.azure.com) using either a work or school account, or a personal Microsoft account.
+1. Sign in to the Azure portal using either a work or school account, or a personal Microsoft account.
1. On the left navigation pane, select the **Azure Active Directory** service. 1. Navigate to **Enterprise Applications** and then select **All Applications**. 1. To add new application, select **New application**. 1. In the **Add from the gallery** section, type **CCH Tagetik** in the search box. 1. Select **CCH Tagetik** from results panel and then add the app. Wait a few seconds while the app is added to your tenant.
-## Configure and test Azure AD single sign-on for CCH Tagetik
+## Configure and test Azure AD SSO for CCH Tagetik
Configure and test Azure AD SSO with CCH Tagetik using a test user called **B.Simon**. For SSO to work, you need to establish a link relationship between an Azure AD user and the related user in CCH Tagetik.
-To configure and test Azure AD SSO with CCH Tagetik, complete the following building blocks:
+To configure and test Azure AD SSO with CCH Tagetik, perform the following steps:
1. **[Configure Azure AD SSO](#configure-azure-ad-sso)** - to enable your users to use this feature. 1. **[Create an Azure AD test user](#create-an-azure-ad-test-user)** - to test Azure AD single sign-on with B.Simon.
To configure and test Azure AD SSO with CCH Tagetik, complete the following buil
Follow these steps to enable Azure AD SSO in the Azure portal.
-1. In the [Azure portal](https://portal.azure.com/), on the **CCH Tagetik** application integration page, find the **Manage** section and select **single sign-on**.
+1. In the Azure portal, on the **CCH Tagetik** application integration page, find the **Manage** section and select **single sign-on**.
1. On the **Select a single sign-on method** page, select **SAML**.
-1. On the **Set up single sign-on with SAML** page, click the edit/pen icon for **Basic SAML Configuration** to edit the settings.
+1. On the **Set up single sign-on with SAML** page, click the pencil icon for **Basic SAML Configuration** to edit the settings.
![Edit Basic SAML Configuration](common/edit-urls.png)
-1. On the **Basic SAML Configuration** section, if you wish to configure the application in **IDP** initiated mode, enter the values for the following fields:
+1. On the **Basic SAML Configuration** section, if you wish to configure the application in **IDP** initiated mode,perform the following steps:
a. In the **Identifier** text box, type a URL using the following pattern: `https://<CUSTOMER_NAME>.saastagetik.com/prod/5/`
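Review bot: `+1. On the **Basic SAML Configuration** section, if you wish to configure the application in **IDP** initiated mode,perform the following steps:` is missing the space after the comma ("mode, perform"). The replaced wording "enter the values for the following fields" was also more precise than "perform the following steps" for a step that only fills in the Identifier and Reply URL text boxes; either is acceptable, but fix the spacing.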
In this section, you'll enable B.Simon to use Azure single sign-on by granting a
1. In the Azure portal, select **Enterprise Applications**, and then select **All applications**. 1. In the applications list, select **CCH Tagetik**. 1. In the app's overview page, find the **Manage** section and select **Users and groups**.-
- ![The "Users and groups" link](common/users-groups-blade.png)
- 1. Select **Add user**, then select **Users and groups** in the **Add Assignment** dialog.-
- ![The Add User link](common/add-assign-user.png)
- 1. In the **Users and groups** dialog, select **B.Simon** from the Users list, then click the **Select** button at the bottom of the screen.
-1. If you're expecting any role value in the SAML assertion, in the **Select Role** dialog, select the appropriate role for the user from the list and then click the **Select** button at the bottom of the screen.
+1. If you are expecting a role to be assigned to the users, you can select it from the **Select a role** dropdown. If no role has been set up for this app, you see "Default Access" role selected.
1. In the **Add Assignment** dialog, click the **Assign** button. ## Configure CCH Tagetik SSO
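Review bot: the `- 1. Select **Add user**, then select **Users and groups** in the **Add Assignment** dialog.-` and `- 1. In the **Users and groups** dialog, select **B.Simon** ...` lines are deleted with no `+` replacement, so the Assign procedure jumps from "select **Users and groups**" directly to the role step and the Assign button without ever adding or selecting B.Simon. If only the screenshots were meant to go, re-add the Add user and select B.Simon steps ahead of the new `+1. If you are expecting a role to be assigned to the users ...` line.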
In this section, a user called Britta Simon is created in CCH Tagetik. CCH Taget
## Test SSO
-In this section, you test your Azure AD single sign-on configuration using the Access Panel.
+In this section, you test your Azure AD single sign-on configuration with following options.
-When you click the CCH Tagetik tile in the Access Panel, you should be automatically signed in to the CCH Tagetik for which you set up SSO. For more information about the Access Panel, see [Introduction to the Access Panel](../user-help/my-apps-portal-end-user-access.md).
+#### SP initiated:
-## Additional resources
+* Click on **Test this application** in Azure portal. This will redirect to CCH Tagetik Sign on URL where you can initiate the login flow.
-- [ List of Tutorials on How to Integrate SaaS Apps with Azure Active Directory ](./tutorial-list.md)
+* Go to CCH Tagetik Sign-on URL directly and initiate the login flow from there.
-- [What is application access and single sign-on with Azure Active Directory? ](../manage-apps/what-is-single-sign-on.md)
+#### IDP initiated:
-- [What is conditional access in Azure Active Directory?](../conditional-access/overview.md)
+* Click on **Test this application** in Azure portal and you should be automatically signed in to the CCH Tagetik for which you set up the SSO.
-- [Try CCH Tagetik with Azure AD](https://aad.portal.azure.com/)
+You can also use Microsoft My Apps to test the application in any mode. When you click the CCH Tagetik tile in the My Apps, if configured in SP mode you would be redirected to the application sign on page for initiating the login flow and if configured in IDP mode, you should be automatically signed in to the CCH Tagetik for which you set up the SSO. For more information about the My Apps, see [Introduction to the My Apps](../user-help/my-apps-portal-end-user-access.md).
-- [What is session control in Microsoft Cloud App Security?](/cloud-app-security/proxy-intro-aad)
+## Next steps
-- [How to protect CCH Tagetik with advanced visibility and controls](/cloud-app-security/proxy-intro-aad)
+Once you configure CCH Tagetik you can enforce session control, which protects exfiltration and infiltration of your organizationΓÇÖs sensitive data in real time. Session control extends from Conditional Access. [Learn how to enforce session control with Microsoft Cloud App Security](/cloud-app-security/proxy-deployment-aad).
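Review bot: the new Next steps paragraph (`+Once you configure CCH Tagetik ...`) carries a mis-encoded apostrophe in "organizationΓÇÖs" and says session control "protects exfiltration and infiltration", which inverts the meaning; use "protects against exfiltration and infiltration of your organization's sensitive data". Note also that the Scenario description bullet removed earlier in this file linked to /cloud-app-security/proxy-deployment-any-app while this paragraph links to /cloud-app-security/proxy-deployment-aad; confirm the intended target. The `+#### SP initiated:` / `+#### IDP initiated:` headings skip from the H2 `## Test SSO` to H4 (use `###`), and "with following options" should be "with the following options".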
active-directory Cerby Tutorial https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/active-directory/saas-apps/cerby-tutorial.md
Previously updated : 04/13/2021 Last updated : 05/18/2021
Follow these steps to enable Azure AD SSO in the Azure portal.
> [!NOTE] > These values are not real. Update these values with the actual Identifier, Reply URL and Sign on URL. Contact [Cerby Client support team](mailto:help@cerby.com) to get these values. You can also refer to the patterns shown in the **Basic SAML Configuration** section in the Azure portal.
-1. On the **Set up single sign-on with SAML** page, in the **SAML Signing Certificate** section, find **Certificate (Base64)** and select **Download** to download the certificate and save it on your computer.
+1. Your Cerby application expects the SAML assertions in a specific format, which requires you to add custom attribute mappings to your SAML token attributes configuration. The following screenshot shows an example for this. The default value of **Name** is **user.userprincipalname** but Cerby expects this to be mapped with the user's givenname. For that you can use **user.givenname** attribute from the list or use the appropriate attribute value based on your organization configuration.
- ![The Certificate download link](common/certificatebase64.png)
+ ![image](common/default-attributes.png)
-1. On the **Set up Cerby** section, copy the appropriate URL(s) based on your requirement.
+1. On the **Set up single sign-on with SAML** page, In the **SAML Signing Certificate** section, click copy button to copy **App Federation Metadata Url** and save it on your computer.
+
+ ![The Certificate download link](common/copy-metadataurl.png)
- ![Copy configuration URLs](common/copy-configuration-urls.png)
### Create an Azure AD test user In this section, you'll create a test user in the Azure portal called B.Simon.
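Review bot: the new attribute-mapping step (`+1. Your Cerby application expects the SAML assertions in a specific format ...`) tells the reader to remap the **Name** claim from **user.userprincipalname** to **user.givenname** but does not say how Cerby identifies the user; a given name is not unique within a directory, so if Cerby keys accounts on this claim, two users with the same first name would collide. State which claim Cerby uses as the user identifier (or that Name is display-only) before recommending the mapping. Also, `+ ![image](common/default-attributes.png)` needs descriptive alt text (for example "Screenshot of the default attribute mappings"), the alt text in `+ ![The Certificate download link](common/copy-metadataurl.png)` is stale now that the step copies the App Federation Metadata Url rather than downloading a certificate, and "page, In the **SAML Signing Certificate** section" should use a lower-case "in".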
In this section, you'll enable B.Simon to use Azure single sign-on by granting a
## Configure Cerby SSO
-To configure single sign-on on **Cerby** side, you need to send the downloaded **Certificate (Base64)** and appropriate copied URLs from Azure portal to [Cerby support team](mailto:help@cerby.com). They set this setting to have the SAML SSO connection set properly on both sides.
+To configure single sign-on on Cerby side, you need to send the **App Federation Metadata Url** to [Cerby support team](mailto:help@cerby.com). They set this setting to have the SAML SSO connection set properly on both sides.
### Create Cerby test user
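Review bot: `+To configure single sign-on on Cerby side, you need to send the **App Federation Metadata Url** ...` drops the article that the replaced line had ("on the Cerby side"), and the retained sentence "They set this setting to have the SAML SSO connection set properly on both sides" would read better as "Cerby support configures the connection so that SAML SSO works on both sides". The switch from the downloaded Base64 certificate to the metadata URL is consistent with the change to the Azure portal steps in the previous hunk.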
active-directory Certify Tutorial https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/active-directory/saas-apps/certify-tutorial.md
Previously updated : 02/12/2019 Last updated : 05/20/2021 # Tutorial: Azure Active Directory integration with Certify
-In this tutorial, you learn how to integrate Certify with Azure Active Directory (Azure AD).
-Integrating Certify with Azure AD provides you with the following benefits:
+In this tutorial, you'll learn how to integrate Certify with Azure Active Directory (Azure AD). When you integrate Certify with Azure AD, you can:
-* You can control in Azure AD who has access to Certify.
-* You can enable your users to be automatically signed-in to Certify (Single Sign-On) with their Azure AD accounts.
-* You can manage your accounts in one central location - the Azure portal.
-
-If you want to know more details about SaaS app integration with Azure AD, see [What is application access and single sign-on with Azure Active Directory](../manage-apps/what-is-single-sign-on.md).
-If you don't have an Azure subscription, [create a free account](https://azure.microsoft.com/free/) before you begin.
+* Control in Azure AD who has access to Certify.
+* Enable your users to be automatically signed-in to Certify with their Azure AD accounts.
+* Manage your accounts in one central location - the Azure portal.
## Prerequisites
-To configure Azure AD integration with Certify, you need the following items:
+To get started, you need the following items:
-* An Azure AD subscription. If you don't have an Azure AD environment, you can get one-month trial [here](https://azure.microsoft.com/pricing/free-trial/)
-* Certify single sign-on enabled subscription
+* An Azure AD subscription. If you don't have a subscription, you can get a [free account](https://azure.microsoft.com/free/).
+* Certify single sign-on (SSO) enabled subscription.
## Scenario description In this tutorial, you configure and test Azure AD single sign-on in a test environment.
-* Certify supports **IDP** initiated SSO
-* Certify supports **Just In Time** user provisioning
-
-## Adding Certify from the gallery
-
-To configure the integration of Certify into Azure AD, you need to add Certify from the gallery to your list of managed SaaS apps.
-
-**To add Certify from the gallery, perform the following steps:**
-
-1. In the **[Azure portal](https://portal.azure.com)**, on the left navigation panel, click **Azure Active Directory** icon.
-
- ![The Azure Active Directory button](common/select-azuread.png)
-
-2. Navigate to **Enterprise Applications** and then select the **All Applications** option.
-
- ![The Enterprise applications blade](common/enterprise-applications.png)
-
-3. To add new application, click **New application** button on the top of dialog.
-
- ![The New application button](common/add-new-app.png)
+* Certify supports **IDP** initiated SSO.
+* Certify supports **Just In Time** user provisioning.
-4. In the search box, type **Certify**, select **Certify** from result panel then click **Add** button to add the application.
-
- ![Certify in the results list](common/search-new-app.png)
-
-## Configure and test Azure AD single sign-on
-
-In this section, you configure and test Azure AD single sign-on with Certify based on a test user called **Britta Simon**.
-For single sign-on to work, a link relationship between an Azure AD user and the related user in Certify needs to be established.
+> [!NOTE]
+> Identifier of this application is a fixed string value so only one instance can be configured in one tenant.
-To configure and test Azure AD single sign-on with Certify, you need to complete the following building blocks:
+## Add Certify from the gallery
-1. **[Configure Azure AD Single Sign-On](#configure-azure-ad-single-sign-on)** - to enable your users to use this feature.
-2. **[Configure Certify Single Sign-On](#configure-certify-single-sign-on)** - to configure the Single Sign-On settings on application side.
-3. **[Create an Azure AD test user](#create-an-azure-ad-test-user)** - to test Azure AD single sign-on with Britta Simon.
-4. **[Assign the Azure AD test user](#assign-the-azure-ad-test-user)** - to enable Britta Simon to use Azure AD single sign-on.
-5. **[Create Certify test user](#create-certify-test-user)** - to have a counterpart of Britta Simon in Certify that is linked to the Azure AD representation of user.
-6. **[Test single sign-on](#test-single-sign-on)** - to verify whether the configuration works.
+To configure the integration of Certify into Azure AD, you need to add Certify from the gallery to your list of managed SaaS apps.
-### Configure Azure AD single sign-on
+1. Sign in to the Azure portal using either a work or school account, or a personal Microsoft account.
+1. On the left navigation pane, select the **Azure Active Directory** service.
+1. Navigate to **Enterprise Applications** and then select **All Applications**.
+1. To add new application, select **New application**.
+1. In the **Add from the gallery** section, type **Certify** in the search box.
+1. Select **Certify** from results panel and then add the app. Wait a few seconds while the app is added to your tenant.
-In this section, you enable Azure AD single sign-on in the Azure portal.
+## Configure and test Azure AD SSO for Certify
-To configure Azure AD single sign-on with Certify, perform the following steps:
+Configure and test Azure AD SSO with Certify using a test user called **B.Simon**. For SSO to work, you need to establish a link relationship between an Azure AD user and the related user in Certify.
-1. In the [Azure portal](https://portal.azure.com/), on the **Certify** application integration page, select **Single sign-on**.
+To configure and test Azure AD SSO with Certify, perform the following steps:
- ![Configure single sign-on link](common/select-sso.png)
+1. **[Configure Azure AD SSO](#configure-azure-ad-sso)** - to enable your users to use this feature.
+ 1. **[Create an Azure AD test user](#create-an-azure-ad-test-user)** - to test Azure AD single sign-on with B.Simon.
+ 1. **[Assign the Azure AD test user](#assign-the-azure-ad-test-user)** - to enable B.Simon to use Azure AD single sign-on.
+1. **[Configure Certify SSO](#configure-certify-sso)** - to configure the single sign-on settings on application side.
+ 1. **[Create Certify test user](#create-certify-test-user)** - to have a counterpart of B.Simon in Certify that is linked to the Azure AD representation of user.
+1. **[Test SSO](#test-sso)** - to verify whether the configuration works.
-2. On the **Select a Single sign-on method** dialog, select **SAML/WS-Fed** mode to enable single sign-on.
+## Configure Azure AD SSO
- ![Single sign-on select mode](common/select-saml-option.png)
+Follow these steps to enable Azure AD SSO in the Azure portal.
-3. On the **Set up Single Sign-On with SAML** page, click **Edit** icon to open **Basic SAML Configuration** dialog.
+1. In the Azure portal, on the **Certify** application integration page, find the **Manage** section and select **single sign-on**.
+1. On the **Select a single sign-on method** page, select **SAML**.
+1. On the **Set up single sign-on with SAML** page, click the pencil icon for **Basic SAML Configuration** to edit the settings.
- ![Edit Basic SAML Configuration](common/edit-urls.png)
+ ![Edit Basic SAML Configuration](common/edit-urls.png)
4. On the **Basic SAML Configuration** section, perform the following steps:
- ![Certify Domain and URLs single sign-on information](common/idp-identifier.png)
- In the **Identifier** text box, type the URL: `https://www.certify.com`
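Review bot: The step "On the **Basic SAML Configuration** section, perform the following steps:" is left with nothing under it in this hunk: the two removed lines drop both the screenshot and the instruction to type `https://www.certify.com` into the **Identifier** text box, and no replacement line is added, even though the new note ("Identifier of this application is a fixed string value") tells the reader the identifier is fixed. Keep a line such as "In the **Identifier** text box, type the URL: `https://www.certify.com`" (or the current value) under that step, otherwise the Basic SAML Configuration cannot be completed from the tutorial. Two smaller points: the note reads better as "The identifier of this application is a fixed string value, so only one instance can be configured in one tenant", and "To add new application" should be "To add a new application".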
To configure Azure AD single sign-on with Certify, perform the following steps:
![Copy configuration URLs](common/copy-configuration-urls.png)
- a. Login URL
-
- b. Azure Ad Identifier
-
- c. Logout URL
-
-### Configure Certify Single Sign-On
-
-To configure single sign-on on **Certify** side, you need to send the downloaded **Certificate (Raw)** and appropriate copied URLs from Azure portal to [Certify support team](mailto:support@certify.com). They set this setting to have the SAML SSO connection set properly on both sides.
- ### Create an Azure AD test user
-The objective of this section is to create a test user in the Azure portal called Britta Simon.
-
-1. In the Azure portal, in the left pane, select **Azure Active Directory**, select **Users**, and then select **All users**.
-
- ![The "Users and groups" and "All users" links](common/users.png)
-
-2. Select **New user** at the top of the screen.
-
- ![New user Button](common/new-user.png)
-
-3. In the User properties, perform the following steps.
-
- ![The User dialog box](common/user-properties.png)
-
- a. In the **Name** field enter **BrittaSimon**.
-
- b. In the **User name** field type **brittasimon\@yourcompanydomain.extension**
- For example, BrittaSimon@contoso.com
-
- c. Select **Show password** check box, and then write down the value that's displayed in the Password box.
+In this section, you'll create a test user in the Azure portal called B.Simon.
- d. Click **Create**.
+1. From the left pane in the Azure portal, select **Azure Active Directory**, select **Users**, and then select **All users**.
+1. Select **New user** at the top of the screen.
+1. In the **User** properties, follow these steps:
+ 1. In the **Name** field, enter `B.Simon`.
+ 1. In the **User name** field, enter the username@companydomain.extension. For example, `B.Simon@contoso.com`.
+ 1. Select the **Show password** check box, and then write down the value that's displayed in the **Password** box.
+ 1. Click **Create**.
### Assign the Azure AD test user
-In this section, you enable Britta Simon to use Azure single sign-on by granting access to Certify.
+In this section, you'll enable B.Simon to use Azure single sign-on by granting access to Certify.
-1. In the Azure portal, select **Enterprise Applications**, select **All applications**, then select **Certify**.
+1. In the Azure portal, select **Enterprise Applications**, and then select **All applications**.
+1. In the applications list, select **Certify**.
+1. In the app's overview page, find the **Manage** section and select **Users and groups**.
+1. Select **Add user**, then select **Users and groups** in the **Add Assignment** dialog.
+1. In the **Users and groups** dialog, select **B.Simon** from the Users list, then click the **Select** button at the bottom of the screen.
+1. If you are expecting a role to be assigned to the users, you can select it from the **Select a role** dropdown. If no role has been set up for this app, you see "Default Access" role selected.
+1. In the **Add Assignment** dialog, click the **Assign** button.
- ![Enterprise applications blade](common/enterprise-applications.png)
+## Configure Certify SSO
-2. In the applications list, select **Certify**.
-
- ![The Certify link in the Applications list](common/all-applications.png)
-
-3. In the menu on the left, select **Users and groups**.
-
- ![The "Users and groups" link](common/users-groups-blade.png)
-
-4. Click the **Add user** button, then select **Users and groups** in the **Add Assignment** dialog.
-
- ![The Add Assignment pane](common/add-assign-user.png)
-
-5. In the **Users and groups** dialog select **Britta Simon** in the Users list, then click the **Select** button at the bottom of the screen.
-
-6. If you are expecting any role value in the SAML assertion then in the **Select Role** dialog select the appropriate role for the user from the list, then click the **Select** button at the bottom of the screen.
-
-7. In the **Add Assignment** dialog click the **Assign** button.
+To configure single sign-on on **Certify** side, you need to send the downloaded **Certificate (Raw)** and appropriate copied URLs from Azure portal to [Certify support team](mailto:support@certify.com). They set this setting to have the SAML SSO connection set properly on both sides.
### Create Certify test user
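Review bot: After the "Copy configuration URLs" screenshot, the hunk deletes the list of values to copy (Login URL, Azure AD Identifier, Logout URL) without replacing it, and the relocated Configure Certify SSO paragraph only says "appropriate copied URLs", so the reader no longer learns which values to hand to Certify support together with the **Certificate (Raw)**. Name the three values either under the copy step or in the Configure Certify SSO paragraph. While touching that paragraph, "They set this setting to have the SAML SSO connection set properly on both sides" should read something like "Certify support configures the SAML SSO connection on their side so that it works end to end".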
In this section, a user called Britta Simon is created in Certify. Certify suppo
> [!NOTE] > If you need to create an user manually, you need to contact the [Certify support team](mailto:support@certify.com).
-### Test single sign-on
-
-In this section, you test your Azure AD single sign-on configuration using the Access Panel.
+## Test SSO
-When you click the Certify tile in the Access Panel, you should be automatically signed in to the Certify for which you set up SSO. For more information about the Access Panel, see [Introduction to the Access Panel](../user-help/my-apps-portal-end-user-access.md).
+In this section, you test your Azure AD single sign-on configuration with following options.
-## Additional resources
+* Click on Test this application in Azure portal and you should be automatically signed in to the Certify for which you set up the SSO.
-- [List of Tutorials on How to Integrate SaaS Apps with Azure Active Directory](./tutorial-list.md)
+* You can use Microsoft My Apps. When you click the Certify tile in the My Apps, you should be automatically signed in to the Certify for which you set up the SSO. For more information about the My Apps, see [Introduction to the My Apps](../user-help/my-apps-portal-end-user-access.md).
-- [What is application access and single sign-on with Azure Active Directory?](../manage-apps/what-is-single-sign-on.md)
+## Next steps
-- [What is Conditional Access in Azure Active Directory?](../conditional-access/overview.md)
+Once you configure Certify you can enforce session control, which protects exfiltration and infiltration of your organizationΓÇÖs sensitive data in real time. Session control extends from Conditional Access. [Learn how to enforce session control with Microsoft Cloud App Security](/cloud-app-security/proxy-deployment-aad).
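Review bot: The added Next steps sentence carries an encoding artifact: "organizationΓÇÖs" should be "organization's" (a UTF-8 curly apostrophe rendered through a CP437 code page). In the Test SSO bullets, "Click on Test this application" should format the UI label as **Test this application**, "signed in to the Certify for which you set up the SSO" reads better as "signed in to the Certify instance for which you set up SSO" (same wording in the My Apps bullet), and "with following options" needs "the". In the context note just above, "create an user" should be "create a user".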
active-directory Check Point Remote Access Vpn Tutorial https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/active-directory/saas-apps/check-point-remote-access-vpn-tutorial.md
Title: 'Tutorial: Azure Active Directory single sign-on (SSO) integration with Check Point Remote Access VPN | Microsoft Docs'
-description: Learn how to configure single sign-on between Azure Active Directory and Check Point Remote Access VPN.
+ Title: 'Tutorial: Azure Active Directory single sign-on (SSO) integration with Check Point Remote Secure Access VPN | Microsoft Docs'
+description: Learn how to configure single sign-on between Azure Active Directory and Check Point Remote Secure Access VPN.
-# Tutorial: Azure Active Directory single sign-on (SSO) integration with Check Point Remote Access VPN
+# Tutorial: Azure Active Directory single sign-on (SSO) integration with Check Point Remote Secure Access VPN
-In this tutorial, you'll learn how to integrate Check Point Remote Access VPN with Azure Active Directory (Azure AD). When you integrate Check Point Remote Access VPN with Azure AD, you can:
+In this tutorial, you'll learn how to integrate Check Point Remote Secure Access VPN with Azure Active Directory (Azure AD). When you integrate Check Point Remote Secure Access VPN with Azure AD, you can:
-* Control in Azure AD who has access to Check Point Remote Access VPN.
-* Enable your users to be automatically signed-in to Check Point Remote Access VPN with their Azure AD accounts.
+* Control in Azure AD who has access to Check Point Remote Secure Access VPN.
+* Enable your users to be automatically signed-in to Check Point Remote Secure Access VPN with their Azure AD accounts.
* Manage your accounts in one central location - the Azure portal. ## Prerequisites
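Review bot: The added front-matter line " Title: 'Tutorial: Azure Active Directory single sign-on (SSO) integration with Check Point Remote Secure Access VPN | Microsoft Docs'" starts with a leading space and a capitalised key; front-matter keys have to be `title:` flush with column 1 or the page metadata does not parse, so check the committed line. The product rename from "Check Point Remote Access VPN" to "Check Point Remote Secure Access VPN" is applied consistently across the title, description, H1 and the two benefit bullets in this hunk.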
In this tutorial, you'll learn how to integrate Check Point Remote Access VPN wi
To get started, you need the following items: * An Azure AD subscription. If you don't have a subscription, you can get a [free account](https://azure.microsoft.com/free/).
-* Check Point Remote Access VPN single sign-on (SSO) enabled subscription.
+* Check Point Remote Secure Access VPN single sign-on (SSO) enabled subscription.
## Scenario description In this tutorial, you configure and test Azure AD SSO in a test environment.
-* Check Point Remote Access VPN supports **SP** initiated SSO.
+* Check Point Remote Secure Access VPN supports **SP** initiated SSO.
-## Adding Check Point Remote Access VPN from the gallery
+## Adding Check Point Remote Secure Access VPN from the gallery
-To configure the integration of Check Point Remote Access VPN into Azure AD, you need to add Check Point Remote Access VPN from the gallery to your list of managed SaaS apps.
+To configure the integration of Check Point Remote Secure Access VPN into Azure AD, you need to add Check Point Remote Secure Access VPN from the gallery to your list of managed SaaS apps.
1. Sign in to the Azure portal using either a work or school account, or a personal Microsoft account. 1. On the left navigation pane, select the **Azure Active Directory** service. 1. Navigate to **Enterprise Applications** and then select **All Applications**. 1. To add new application, select **New application**.
-1. In the **Add from the gallery** section, type **Check Point Remote Access VPN** in the search box.
-1. Select **Check Point Remote Access VPN** from results panel and then add the app. Wait a few seconds while the app is added to your tenant.
+1. In the **Add from the gallery** section, type **Check Point Remote Secure Access VPN** in the search box.
+1. Select **Check Point Remote Secure Access VPN** from results panel and then add the app. Wait a few seconds while the app is added to your tenant.
-## Configure and test Azure AD SSO for Check Point Remote Access VPN
+## Configure and test Azure AD SSO for Check Point Remote Secure Access VPN
-Configure and test Azure AD SSO with Check Point Remote Access VPN using a test user called **B.Simon**. For SSO to work, you need to establish a link relationship between an Azure AD user and the related user in Check Point Remote Access VPN.
+Configure and test Azure AD SSO with Check Point Remote Secure Access VPN using a test user called **B.Simon**. For SSO to work, you need to establish a link relationship between an Azure AD user and the related user in Check Point Remote Secure Access VPN.
-To configure and test Azure AD SSO with Check Point Remote Access VPN, perform the following steps:
+To configure and test Azure AD SSO with Check Point Remote Secure Access VPN, perform the following steps:
1. **[Configure Azure AD SSO](#configure-azure-ad-sso)** - to enable your users to use this feature. 1. **[Create an Azure AD test user](#create-an-azure-ad-test-user)** - to test Azure AD single sign-on with B.Simon. 1. **[Assign the Azure AD test user](#assign-the-azure-ad-test-user)** - to enable B.Simon to use Azure AD single sign-on.
-1. **[Configure Check Point Remote Access VPN SSO](#configure-check-point-remote-access-vpn-sso)** - to enable your users to use this feature.
+1. **[Configure Check Point Remote Secure Access VPN SSO](#configure-check-point-remote-secure-access-vpn-sso)** - to enable your users to use this feature.
- 1. **[Create Check Point Remote Access VPN test user](#create-check-point-remote-access-vpn-test-user)** - to have a counterpart of B.Simon in Check Point Remote Access VPN that is linked to the Azure AD representation of user.
+ 1. **[Create Check Point Remote Secure Access VPN test user](#create-check-point-remote-secure-access-vpn-test-user)** - to have a counterpart of B.Simon in Check Point Remote Secure Access VPN that is linked to the Azure AD representation of user.
1. **[Test SSO](#test-sso)** - to verify whether the configuration works. ## Configure Azure AD SSO Follow these steps to enable Azure AD SSO in the Azure portal.
-1. In the Azure portal, on the **Check Point Remote Access VPN** application integration page, find the **Manage** section and select **single sign-on**.
+1. In the Azure portal, on the **Check Point Remote Secure Access VPN** application integration page, find the **Manage** section and select **single sign-on**.
1. On the **Select a single sign-on method** page, select **SAML**. 1. On the **Set up single sign-on with SAML** page, click the pencil icon for **Basic SAML Configuration** to edit the settings.
Follow these steps to enable Azure AD SSO in the Azure portal.
`https://<GATEWAY_IP>/saml-vpn/` > [!NOTE]
- > These values are not real. Update these values with the actual Identifier, Reply URL and Sign on URL. Contact [Check Point Remote Access VPN Client support team](mailto:support@checkpoint.com) to get these values. You can also refer to the patterns shown in the **Basic SAML Configuration** section in the Azure portal.
+ > These values are not real. Update these values with the actual Identifier, Reply URL and Sign on URL. Contact [Check Point Remote Secure Access VPN Client support team](mailto:support@checkpoint.com) to get these values. You can also refer to the patterns shown in the **Basic SAML Configuration** section in the Azure portal.
1. On the **Set up single sign-on with SAML** page, in the **SAML Signing Certificate** section, find **Federation Metadata XML** and select **Download** to download the certificate and save it on your computer. ![The Certificate download link](common/metadataxml.png)
-1. On the **Set up Check Point Remote Access VPN** section, copy the appropriate URL(s) based on your requirement.
+1. On the **Set up Check Point Remote Secure Access VPN** section, copy the appropriate URL(s) based on your requirement.
![Copy configuration URLs](common/copy-configuration-urls.png)
In this section, you'll create a test user in the Azure portal called B.Simon.
### Assign the Azure AD test user
-In this section, you'll enable B.Simon to use Azure single sign-on by granting access to Check Point Remote Access VPN.
+In this section, you'll enable B.Simon to use Azure single sign-on by granting access to Check Point Remote Secure Access VPN.
1. In the Azure portal, select **Enterprise Applications**, and then select **All applications**.
-1. In the applications list, select **Check Point Remote Access VPN**.
+1. In the applications list, select **Check Point Remote Secure Access VPN**.
1. In the app's overview page, find the **Manage** section and select **Users and groups**. 1. Select **Add user**, then select **Users and groups** in the **Add Assignment** dialog. 1. In the **Users and groups** dialog, select **B.Simon** from the Users list, then click the **Select** button at the bottom of the screen. 1. If you are expecting a role to be assigned to the users, you can select it from the **Select a role** dropdown. If no role has been set up for this app, you see "Default Access" role selected. 1. In the **Add Assignment** dialog, click the **Assign** button.
-## Configure Check Point Remote Access VPN SSO
+## Configure Check Point Remote Secure Access VPN SSO
### Configure an External User Profile object
Open the Windows Command Prompt as an Administrator and run these commands:
`sudo launchctl start com.checkpoint.epc.service`
-### Create Check Point Remote Access VPN test user
+### Create Check Point Remote Secure Access VPN test user
-In this section, you create a user called Britta Simon in Check Point Remote Access VPN. Work with [Check Point Remote Access VPN support team](mailto:support@checkpoint.com) to add the users in the Check Point Remote Access VPN platform. Users must be created and activated before you use single sign-on.
+In this section, you create a user called Britta Simon in Check Point Remote Secure Access VPN. Work with [Check Point Remote Secure Access VPN support team](mailto:support@checkpoint.com) to add the users in the Check Point Remote Secure Access VPN platform. Users must be created and activated before you use single sign-on.
## Test SSO
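Review bot: In the rewritten "Create Check Point Remote Secure Access VPN test user" paragraph the test user is still called "Britta Simon", while every other step in this tutorial uses **B.Simon** (the Assign step selects B.Simon from the Users list). Since the line is being edited for the rename anyway, change it to B.Simon so the account created on the Check Point side matches the Azure AD account that is assigned to the app.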
In this section, you create a user called Britta Simon in Check Point Remote Acc
## Next steps
-Once you configure Check Point Remote Access VPN you can enforce session control, which protects exfiltration and infiltration of your organizationΓÇÖs sensitive data in real time. Session control extends from Conditional Access. [Learn how to enforce session control with Microsoft Cloud App Security](https://docs.microsoft.com/cloud-app-security/proxy-deployment-any-app).
+Once you configure Check Point Remote Secure Access VPN you can enforce session control, which protects exfiltration and infiltration of your organizationΓÇÖs sensitive data in real time. Session control extends from Conditional Access. [Learn how to enforce session control with Microsoft Cloud App Security](/cloud-app-security/proxy-deployment-any-app).
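Review bot: "organizationΓÇÖs" in the rewritten Next steps sentence is a mojibake apostrophe inherited from the removed line; since the line is being edited for the rename and the link path, fix it to "organization's" rather than carry it forward. The change from the absolute docs.microsoft.com URL to the root-relative /cloud-app-security/proxy-deployment-any-app path is fine.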
active-directory Clearreview Tutorial https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/active-directory/saas-apps/clearreview-tutorial.md
Previously updated : 04/16/2019 Last updated : 05/19/2021 # Tutorial: Azure Active Directory integration with Clear Review
-In this tutorial, you learn how to integrate Clear Review with Azure Active Directory (Azure AD).
-Integrating Clear Review with Azure AD provides you with the following benefits:
+In this tutorial, you'll learn how to integrate Clear Review with Azure Active Directory (Azure AD). When you integrate Clear Review with Azure AD, you can:
-* You can control in Azure AD who has access to Clear Review.
-* You can enable your users to be automatically signed-in to Clear Review (Single Sign-On) with their Azure AD accounts.
-* You can manage your accounts in one central location - the Azure portal.
-
-If you want to know more details about SaaS app integration with Azure AD, see [What is application access and single sign-on with Azure Active Directory](../manage-apps/what-is-single-sign-on.md).
-If you don't have an Azure subscription, [create a free account](https://azure.microsoft.com/free/) before you begin.
+* Control in Azure AD who has access to Clear Review.
+* Enable your users to be automatically signed-in to Clear Review with their Azure AD accounts.
+* Manage your accounts in one central location - the Azure portal.
## Prerequisites To configure Azure AD integration with Clear Review, you need the following items:
-* An Azure AD subscription. If you don't have an Azure AD environment, you can get a [free account](https://azure.microsoft.com/free/)
-* Clear Review single sign-on enabled subscription
+* An Azure AD subscription. If you don't have an Azure AD environment, you can get a [free account](https://azure.microsoft.com/free/).
+* Clear Review single sign-on enabled subscription.
> [!NOTE] > This integration is also available to use from Azure AD US Government Cloud environment. You can find this application in the Azure AD US Government Cloud Application Gallery and configure it in the same way as you do from public cloud.
To configure Azure AD integration with Clear Review, you need the following item
In this tutorial, you configure and test Azure AD single sign-on in a test environment.
-* Clear Review supports **SP and IDP** initiated SSO
+* Clear Review supports **SP and IDP** initiated SSO.
-## Adding Clear Review from the gallery
+## Add Clear Review from the gallery
To configure the integration of Clear Review into Azure AD, you need to add Clear Review from the gallery to your list of managed SaaS apps.
-**To add Clear Review from the gallery, perform the following steps:**
-
-1. In the **[Azure portal](https://portal.azure.com)**, on the left navigation panel, click **Azure Active Directory** icon.
-
- ![The Azure Active Directory button](common/select-azuread.png)
-
-2. Navigate to **Enterprise Applications** and then select the **All Applications** option.
-
- ![The Enterprise applications blade](common/enterprise-applications.png)
-
-3. To add new application, click **New application** button on the top of dialog.
-
- ![The New application button](common/add-new-app.png)
-
-4. In the search box, type **Clear Review**, select **Clear Review** from result panel then click **Add** button to add the application.
-
- ![Clear Review in the results list](common/search-new-app.png)
-
-## Configure and test Azure AD single sign-on
-
-In this section, you configure and test Azure AD single sign-on with Clear Review based on a test user called **Britta Simon**.
-For single sign-on to work, a link relationship between an Azure AD user and the related user in Clear Review needs to be established.
-
-To configure and test Azure AD single sign-on with Clear Review, you need to complete the following building blocks:
-
-1. **[Configure Azure AD Single Sign-On](#configure-azure-ad-single-sign-on)** - to enable your users to use this feature.
-2. **[Configure Clear Review Single Sign-On](#configure-clear-review-single-sign-on)** - to configure the Single Sign-On settings on application side.
-3. **[Create an Azure AD test user](#create-an-azure-ad-test-user)** - to test Azure AD single sign-on with Britta Simon.
-4. **[Assign the Azure AD test user](#assign-the-azure-ad-test-user)** - to enable Britta Simon to use Azure AD single sign-on.
-5. **[Create Clear Review test user](#create-clear-review-test-user)** - to have a counterpart of Britta Simon in Clear Review that is linked to the Azure AD representation of user.
-6. **[Test single sign-on](#test-single-sign-on)** - to verify whether the configuration works.
+1. Sign in to the Azure portal using either a work or school account, or a personal Microsoft account.
+1. On the left navigation pane, select the **Azure Active Directory** service.
+1. Navigate to **Enterprise Applications** and then select **All Applications**.
+1. To add new application, select **New application**.
+1. In the **Add from the gallery** section, type **Clear Review** in the search box.
+1. Select **Clear Review** from results panel and then add the app. Wait a few seconds while the app is added to your tenant.
-### Configure Azure AD single sign-on
+## Configure and test Azure AD SSO for Clear Review
-In this section, you enable Azure AD single sign-on in the Azure portal.
+Configure and test Azure AD SSO with Clear Review using a test user called **B.Simon**. For SSO to work, you need to establish a link relationship between an Azure AD user and the related user in Clear Review.
-To configure Azure AD single sign-on with Clear Review, perform the following steps:
+To configure and test Azure AD SSO with Clear Review, perform the following steps:
-1. In the [Azure portal](https://portal.azure.com/), on the **Clear Review** application integration page, select **Single sign-on**.
+1. **[Configure Azure AD SSO](#configure-azure-ad-sso)** - to enable your users to use this feature.
+ 1. **[Create an Azure AD test user](#create-an-azure-ad-test-user)** - to test Azure AD single sign-on with B.Simon.
+ 1. **[Assign the Azure AD test user](#assign-the-azure-ad-test-user)** - to enable B.Simon to use Azure AD single sign-on.
+1. **[Configure Clear Review SSO](#configure-clear-review-sso)** - to configure the single sign-on settings on application side.
+ 1. **[Create Clear Review test user](#create-clear-review-test-user)** - to have a counterpart of B.Simon in Clear Review that is linked to the Azure AD representation of user.
+1. **[Test SSO](#test-sso)** - to verify whether the configuration works.
- ![Configure single sign-on link](common/select-sso.png)
+## Configure Azure AD SSO
-2. On the **Select a Single sign-on method** dialog, select **SAML/WS-Fed** mode to enable single sign-on.
+Follow these steps to enable Azure AD SSO in the Azure portal.
- ![Single sign-on select mode](common/select-saml-option.png)
+1. In the Azure portal, on the **Clear Review** application integration page, find the **Manage** section and select **single sign-on**.
+1. On the **Select a single sign-on method** page, select **SAML**.
+1. On the **Set up single sign-on with SAML** page, click the pencil icon for **Basic SAML Configuration** to edit the settings.
-3. On the **Set up Single Sign-On with SAML** page, click **Edit** icon to open **Basic SAML Configuration** dialog.
-
- ![Edit Basic SAML Configuration](common/edit-urls.png)
+ ![Edit Basic SAML Configuration](common/edit-urls.png)
4. On the **Basic SAML Configuration** section, if you wish to configure the application in **IDP** initiated mode, perform the following steps:
- ![Screenshot shows the Basic SAML Configuration, where you can enter Identifier, Reply U R L, and select Save.](common/idp-intiated.png)
- a. In the **Identifier** text box, type a URL using the following pattern:
- `https://<customer name>.clearreview.com/sso/metadata/`
+ `https://<CUSTOMER_NAME>.clearreview.com/sso/metadata/`
b. In the **Reply URL** text box, type a URL using the following pattern:
- `https://<customer name>.clearreview.com/sso/acs/`
+ `https://<CUSTOMER_NAME>.clearreview.com/sso/acs/`
5. Click **Set additional URLs** and perform the following step if you wish to configure the application in **SP** initiated mode:
- ![Screenshot shows Set additional U R Ls where you can enter a Sign on U R L.](common/metadata-upload-additional-signon.png)
- In the **Sign-on URL** text box, type a URL using the following pattern:
- `https://<customer name>.clearreview.com`
+ `https://<CUSTOMER_NAME>.clearreview.com`
> [!NOTE] > These values are not real. Update these values with the actual Identifier, Reply URL and Sign-on URL. Contact [Clear Review Client support team](https://clearreview.com/contact/) to get these values. You can also refer to the patterns shown in the **Basic SAML Configuration** section in the Azure portal.
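Review bot: Minor grammar in the new gallery steps: "To add new application" should be "To add a new application" and "from results panel" should be "from the results panel". The placeholder change from `<customer name>` to `<CUSTOMER_NAME>` is applied to all three URL patterns (Identifier, Reply URL and Sign-on URL), which keeps them consistent with the patterns the note refers to in the **Basic SAML Configuration** section.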
To configure Azure AD single sign-on with Clear Review, perform the following st
a. Click **Edit icon** on the right of **Name identifier value**.
- ![Screenshot shows User Attributes & Claims with the Edit icon selected.](./media/clearreview-tutorial/attribute02.png)
+ ![Screenshot shows User Attributes & Claims with the Edit icon selected.](./media/clearreview-tutorial/attribute-2.png)
- ![Screenshot shows the Manage user claims dialog box where you can enter the values described.](./media/clearreview-tutorial/attribute01.png)
+ ![Screenshot shows the Manage user claims dialog box where you can enter the values described.](./media/clearreview-tutorial/attribute-1.png)
b. From the **Source attribute** list, select the **user.mail** attribute value for that row.
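Review bot: the numbering of the renamed screenshots runs backwards relative to their display order: `attribute-2.png` (the Edit icon) is listed before `attribute-1.png` (the Manage user claims dialog), just as `attribute02`/`attribute01` were. Since the files are being renamed anyway, number them in display order (`attribute-1.png` for the Edit icon screenshot, `attribute-2.png` for the dialog) so later edits are not confused by the reversed sequence.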
To configure Azure AD single sign-on with Clear Review, perform the following st
![Copy configuration URLs](common/copy-configuration-urls.png)
- a. Login URL
+### Create an Azure AD test user
+
+In this section, you'll create a test user in the Azure portal called B.Simon.
+
+1. From the left pane in the Azure portal, select **Azure Active Directory**, select **Users**, and then select **All users**.
+1. Select **New user** at the top of the screen.
+1. In the **User** properties, follow these steps:
+ 1. In the **Name** field, enter `B.Simon`.
+ 1. In the **User name** field, enter the username@companydomain.extension. For example, `B.Simon@contoso.com`.
+ 1. Select the **Show password** check box, and then write down the value that's displayed in the **Password** box.
+ 1. Click **Create**.
- b. Azure AD Identifier
+### Assign the Azure AD test user
+
+In this section, you'll enable B.Simon to use Azure single sign-on by granting access to Clear Review.
- c. Logout URL
+1. In the Azure portal, select **Enterprise Applications**, and then select **All applications**.
+1. In the applications list, select **Clear Review**.
+1. In the app's overview page, find the **Manage** section and select **Users and groups**.
+1. Select **Add user**, then select **Users and groups** in the **Add Assignment** dialog.
+1. In the **Users and groups** dialog, select **B.Simon** from the Users list, then click the **Select** button at the bottom of the screen.
+1. If you are expecting a role to be assigned to the users, you can select it from the **Select a role** dropdown. If no role has been set up for this app, you see "Default Access" role selected.
+1. In the **Add Assignment** dialog, click the **Assign** button.
-### Configure Clear Review Single Sign-On
+## Configure Clear Review SSO
1. To configure single sign-on on **Clear Review** side, open the **Clear Review** portal with admin credentials. 2. Select **Admin** from the left navigation.
- ![Screenshot shows the Clear Review portal with Admin selected.](./media/clearreview-tutorial/tutorial_clearreview_app_admin1.png)
+ ![Screenshot shows the Clear Review portal with Admin selected.](./media/clearreview-tutorial/admin.png)
3. In the **Integrations** section at the bottom of the page click the **Change** button to the right of **Single Sign-On Settings**.
- ![Screenshot shows the Single Sign-On Change button.](./media/clearreview-tutorial/tutorial_clearreview_app_admin2.png)
+ ![Screenshot shows the Single Sign-On Change button.](./media/clearreview-tutorial/integrations.png)
-4. Perform following steps on **Single Sign-On Settings** page
+4. Perform following steps on **Single Sign-On Settings** page.
- ![Screenshot shows the Single Sign-On Settings page where you can enter the information in this step.](./media/clearreview-tutorial/tutorial_clearreview_app_admin3.png)
+ ![Screenshot shows the Single Sign-On Settings page where you can enter the information in this step.](./media/clearreview-tutorial/settings.png)
a. In the **Issuer URL** textbox, paste the value of **Azure AD Identifier** which you have copied from Azure portal.
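Review bot: removing the `a. Login URL`, `b. Azure AD Identifier` and `c. Logout URL` list leaves the **Copy configuration URLs** screenshot with no text naming which values to copy, while the Clear Review step `a. In the **Issuer URL** textbox, paste the value of **Azure AD Identifier** which you have copied from Azure portal.` still depends on the reader having copied it. Keep a sentence in the Azure AD section telling the reader to copy the Azure AD Identifier (and whichever other URLs Clear Review asks for), or reintroduce the list where the screenshot sits.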
To configure Azure AD single sign-on with Clear Review, perform the following st
e. Click **Save**.
-### Create an Azure AD test user
-
-The objective of this section is to create a test user in the Azure portal called Britta Simon.
-
-1. In the Azure portal, in the left pane, select **Azure Active Directory**, select **Users**, and then select **All users**.
-
- ![The "Users and groups" and "All users" links](common/users.png)
-
-2. Select **New user** at the top of the screen.
-
- ![New user Button](common/new-user.png)
-
-3. In the User properties, perform the following steps.
-
- ![The User dialog box](common/user-properties.png)
-
- a. In the **Name** field enter **BrittaSimon**.
-
- b. In the **User name** field type **brittasimon\@yourcompanydomain.extension**
- For example, BrittaSimon@contoso.com
-
- c. Select **Show password** check box, and then write down the value that's displayed in the Password box.
-
- d. Click **Create**.
-
-### Assign the Azure AD test user
-
-In this section, you enable Britta Simon to use Azure single sign-on by granting access to Clear Review.
-
-1. In the Azure portal, select **Enterprise Applications**, select **All applications**, then select **Clear Review**.
-
- ![Enterprise applications blade](common/enterprise-applications.png)
-
-2. In the applications list, select **Clear Review**.
-
- ![The Clear Review link in the Applications list](common/all-applications.png)
-
-3. In the menu on the left, select **Users and groups**.
-
- ![The "Users and groups" link](common/users-groups-blade.png)
-
-4. Click the **Add user** button, then select **Users and groups** in the **Add Assignment** dialog.
-
- ![The Add Assignment pane](common/add-assign-user.png)
-
-5. In the **Users and groups** dialog select **Britta Simon** in the Users list, then click the **Select** button at the bottom of the screen.
+### Create Clear Review test user
-6. If you are expecting any role value in the SAML assertion then in the **Select Role** dialog select the appropriate role for the user from the list, then click the **Select** button at the bottom of the screen.
+In this section, you create a user called Britta Simon in Clear Review. Please work with [Clear Review support team](https://clearreview.com/contact/) to add the users in the Clear Review platform.
-7. In the **Add Assignment** dialog click the **Assign** button.
+## Test SSO
-### Create Clear Review test user
+In this section, you test your Azure AD single sign-on configuration with following options.
-In this section, you create a user called Britta Simon in Clear Review. Please work with [Clear Review support team](https://clearreview.com/contact/) to add the users in the Clear Review platform.
+#### SP initiated:
-### Test single sign-on
+* Click on **Test this application** in Azure portal. This will redirect to Clear Review Sign on URL where you can initiate the login flow.
-In this section, you test your Azure AD single sign-on configuration using the Access Panel.
+* Go to Clear Review Sign-on URL directly and initiate the login flow from there.
-When you click the Clear Review tile in the Access Panel, you should be automatically signed in to the Clear Review for which you set up SSO. For more information about the Access Panel, see [Introduction to the Access Panel](../user-help/my-apps-portal-end-user-access.md).
+#### IDP initiated:
-## Additional Resources
+* Click on **Test this application** in Azure portal and you should be automatically signed in to the Clear Review for which you set up the SSO.
-- [List of Tutorials on How to Integrate SaaS Apps with Azure Active Directory](./tutorial-list.md)
+You can also use Microsoft My Apps to test the application in any mode. When you click the Clear Review tile in the My Apps, if configured in SP mode you would be redirected to the application sign on page for initiating the login flow and if configured in IDP mode, you should be automatically signed in to the Clear Review for which you set up the SSO. For more information about the My Apps, see [Introduction to the My Apps](../user-help/my-apps-portal-end-user-access.md).
-- [What is application access and single sign-on with Azure Active Directory?](../manage-apps/what-is-single-sign-on.md)
+## Next steps
-- [What is Conditional Access in Azure Active Directory?](../conditional-access/overview.md)
+Once you configure Clear Review you can enforce session control, which protects exfiltration and infiltration of your organizationΓÇÖs sensitive data in real time. Session control extends from Conditional Access. [Learn how to enforce session control with Microsoft Cloud App Security](/cloud-app-security/proxy-deployment-aad).
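Review bot: the Clear Review test user line still reads `In this section, you create a user called Britta Simon in Clear Review.` while the Azure AD test user added earlier in this change (the Create an Azure AD test user section) is `B.Simon` with `B.Simon@contoso.com`; SSO requires the Clear Review counterpart to match the Azure AD user, so rename it to B.Simon here. Two smaller points in the same hunk: the new `#### SP initiated:` and `#### IDP initiated:` headings jump from `##` straight to `####` (use `###`), and the apostrophe in `organizationΓÇÖs` under Next steps shows as mis-encoded characters, so check that the source file uses a plain apostrophe.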
active-directory Coda Tutorial https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/active-directory/saas-apps/coda-tutorial.md
Previously updated : 01/23/2020 Last updated : 05/20/2021
In this tutorial, you'll learn how to integrate Coda with Azure Active Directory
* Enable your users to be automatically signed-in to Coda with their Azure AD accounts. * Manage your accounts in one central location - the Azure portal.
-To learn more about SaaS app integration with Azure AD, see [What is application access and single sign-on with Azure Active Directory](../manage-apps/what-is-single-sign-on.md).
- ## Prerequisites To get started, you need the following items:
To get started, you need the following items:
In this tutorial, you configure and test Azure AD SSO in a test environment.
-* Coda supports **IDP** initiated SSO
-
-* Coda supports **Just In Time** user provisioning
+* Coda supports **IDP** initiated SSO.
-* Once you configure Coda, you can enforce session controls which protect exfiltration and infiltration of your organizationΓÇÖs sensitive data in real-time. Session controls extend from Conditional Access. [Learn how to enforce session control with Microsoft Cloud App Security](/cloud-app-security/proxy-deployment-any-app).
+* Coda supports **Just In Time** user provisioning.
-## Adding Coda from the gallery
+## Add Coda from the gallery
To configure the integration of Coda into Azure AD, you need to add Coda from the gallery to your list of managed SaaS apps.
-1. Sign in to the [Azure portal](https://portal.azure.com) using either a work or school account, or a personal Microsoft account.
+1. Sign in to the Azure portal using either a work or school account, or a personal Microsoft account.
1. On the left navigation pane, select the **Azure Active Directory** service. 1. Navigate to **Enterprise Applications** and then select **All Applications**. 1. To add new application, select **New application**. 1. In the **Add from the gallery** section, type **Coda** in the search box. 1. Select **Coda** from results panel and then add the app. Wait a few seconds while the app is added to your tenant. -
-## Configure and test Azure AD single sign-on for Coda
+## Configure and test Azure AD SSO for Coda
Configure and test Azure AD SSO with Coda using a test user called **B.Simon**. For SSO to work, you need to establish a link relationship between an Azure AD user and the related user in Coda.
-To configure and test Azure AD SSO with Coda, complete the following building blocks:
+To configure and test Azure AD SSO with Coda, perform the following steps:
1. **[Begin configuration of Coda SSO](#begin-configuration-of-coda-sso)** - to begin configuration of SSO in Coda. 1. **[Configure Azure AD SSO](#configure-azure-ad-sso)** - to enable your users to use this feature.
- * **[Create an Azure AD test user](#create-an-azure-ad-test-user)** - to test Azure AD single sign-on with B.Simon.
- * **[Assign the Azure AD test user](#assign-the-azure-ad-test-user)** - to enable B.Simon to use Azure AD single sign-on.
+ 1. **[Create an Azure AD test user](#create-an-azure-ad-test-user)** - to test Azure AD single sign-on with B.Simon.
+ 1. **[Assign the Azure AD test user](#assign-the-azure-ad-test-user)** - to enable B.Simon to use Azure AD single sign-on.
1. **[Configure Coda SSO](#configure-coda-sso)** - to complete configuration of single sign-on settings in Coda.
- * **[Create Coda test user](#create-coda-test-user)** - to have a counterpart of B.Simon in Coda that is linked to the Azure AD representation of user.
+ 1. **[Create Coda test user](#create-coda-test-user)** - to have a counterpart of B.Simon in Coda that is linked to the Azure AD representation of user.
1. **[Test SSO](#test-sso)** - to verify whether the configuration works. ## Begin configuration of Coda SSO
Follow these steps in Coda to begin.
1. In Coda, open your **Organization settings** panel.
- ![Open Organization Settings](media/coda-tutorial/org-settings.png)
+ ![Open Organization Settings](media/coda-tutorial/settings.png)
1. Ensure that your organization has GDrive Integration turned off. If it is currently enabled, contact the [Coda support team](mailto:support@coda.io) to help you migrate off GDrive.
Follow these steps in Coda to begin.
1. Under **Authenticate with SSO (SAML)**, select the **Configure SAML** option.
- ![Saml Settings](media/coda-tutorial/saml-settings-link.png)
+ ![Saml Settings](media/coda-tutorial/settings-link.png)
1. Note the values for **Entity ID** and **SAML Response URL**, which you'll need in subsequent steps.
Follow these steps in Coda to begin.
Follow these steps to enable Azure AD SSO in the Azure portal.
-1. In the [Azure portal](https://portal.azure.com/), on the **Coda** application integration page, find the **Manage** section and select **single sign-on**.
+1. In the Azure portal, on the **Coda** application integration page, find the **Manage** section and select **single sign-on**.
1. On the **Select a single sign-on method** page, select **SAML**.
-1. On the **Set up single sign-on with SAML** page, click the edit/pen icon for **Basic SAML Configuration** to edit the settings.
+1. On the **Set up single sign-on with SAML** page, click the pencil icon for **Basic SAML Configuration** to edit the settings.
![Edit Basic SAML Configuration](common/edit-urls.png)
-1. On the **Set up single sign-on with SAML** page, enter the values for the following fields:
+1. On the **Set up single sign-on with SAML** page, perform the following steps:
a. In the **Identifier** text box, enter the "Entity ID" from above. It should follow the pattern: `https://coda.io/samlId/<CUSTOMID>`
In this section, you'll enable B.Simon to use Azure single sign-on by granting a
1. In the Azure portal, select **Enterprise Applications**, and then select **All applications**. 1. In the applications list, select **Coda**. 1. In the app's overview page, find the **Manage** section and select **Users and groups**.-
- ![The "Users and groups" link](common/users-groups-blade.png)
- 1. Select **Add user**, then select **Users and groups** in the **Add Assignment** dialog.-
- ![The Add User link](common/add-assign-user.png)
- 1. In the **Users and groups** dialog, select **B.Simon** from the Users list, then click the **Select** button at the bottom of the screen. 1. If you're expecting any role value in the SAML assertion, in the **Select Role** dialog, select the appropriate role for the user from the list and then click the **Select** button at the bottom of the screen. 1. In the **Add Assignment** dialog, click the **Assign** button.
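Review bot: the removed lines here take out not only the two screenshots but the steps themselves (`1. Select **Add user**, then select **Users and groups** in the **Add Assignment** dialog.` and the line covering the **Users and groups** dialog, the **Select Role** dialog and the **Assign** button), and no `+` lines replace them, so the Assign the Azure AD test user section now stops after **Users and groups** without the assignment ever being made. If only the images were meant to go, restore the numbered steps without the image lines, as the Clear Review tutorial in this same batch does.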
In this section, a user called Britta Simon is created in Coda. Coda supports ju
## Test SSO
-In this section, you test your Azure AD single sign-on configuration using the Access Panel.
-
-When you click the Coda tile in the Access Panel, you should be automatically signed in to the Coda for which you set up SSO. For more information about the Access Panel, see [Introduction to the Access Panel](../user-help/my-apps-portal-end-user-access.md).
-
-## Additional resources
--- [ List of Tutorials on How to Integrate SaaS Apps with Azure Active Directory ](./tutorial-list.md)--- [What is application access and single sign-on with Azure Active Directory? ](../manage-apps/what-is-single-sign-on.md)
+In this section, you test your Azure AD single sign-on configuration with following options.
-- [What is conditional access in Azure Active Directory?](../conditional-access/overview.md)
+* Click on Test this application in Azure portal and you should be automatically signed in to the Coda for which you set up the SSO.
-- [Try Coda with Azure AD](https://aad.portal.azure.com/)
+* You can use Microsoft My Apps. When you click the Coda tile in the My Apps, you should be automatically signed in to the Coda for which you set up the SSO. For more information about the My Apps, see [Introduction to the My Apps](../user-help/my-apps-portal-end-user-access.md).
-- [What is session control in Microsoft Cloud App Security?](/cloud-app-security/proxy-intro-aad)
+## Next steps
-- [How to protect Coda with advanced visibility and controls](/cloud-app-security/proxy-intro-aad)
+Once you configure Coda you can enforce session control, which protects exfiltration and infiltration of your organizationΓÇÖs sensitive data in real time. Session control extends from Conditional Access. [Learn how to enforce session control with Microsoft Cloud App Security](/cloud-app-security/proxy-deployment-aad).
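Review bot: **Test this application** is not bolded in `* Click on Test this application in Azure portal and you should be automatically signed in to the Coda for which you set up the SSO.`, unlike the same UI label in the Clear Review Test SSO section of this batch; bold it for consistency with the other UI labels on the page. Also, the apostrophe in `organizationΓÇÖs` under Next steps renders as mis-encoded characters, so check that the source file uses a plain apostrophe.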
active-directory Confluencemicrosoft Tutorial https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/active-directory/saas-apps/confluencemicrosoft-tutorial.md
Previously updated : 12/25/2020 Last updated : 05/07/2021
As of now, following versions of Confluence are supported:
- Confluence: 5.0 to 5.10 - Confluence: 6.0.1 to 6.15.9-- Confluence: 7.0.1 to 7.12.0
+- Confluence: 7.0.1 to 7.10.0
> [!NOTE] > Please note that our Confluence Plugin also works on Ubuntu Version 16.04
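Review bot: the supported range in the version list drops from `Confluence: 7.0.1 to 7.12.0` to `Confluence: 7.0.1 to 7.10.0`, which narrows support rather than extending it; confirm this is intentional (for example, the plugin was not validated on 7.11 and 7.12) and not a typo, since administrators on 7.11 or 7.12 will read it as unsupported. If the reduction is deliberate, a short sentence saying why would help.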
As of now, following versions of Confluence are supported:
In this tutorial, you configure and test Azure AD SSO in a test environment.
-* Confluence SAML SSO by Microsoft supports **SP** initiated SSO
+* Confluence SAML SSO by Microsoft supports **SP** initiated SSO.
## Adding Confluence SAML SSO by Microsoft from the gallery
Follow these steps to enable Azure AD SSO in the Azure portal.
1. On the **Basic SAML Configuration** section, enter the values for the following fields:
- a. In the **Sign-on URL** text box, type a URL using the following pattern:
- `https://<domain:port>/plugins/servlet/saml/auth`
+ a. In the **Identifier** box, type a URL using the following pattern:
+ `https://<DOMAIN:PORT>/`
- b. In the **Identifier** box, type a URL using the following pattern:
- `https://<domain:port>/`
-
- c. In the **Reply URL** text box, type a URL using the following pattern:
- `https://<domain:port>/plugins/servlet/saml/auth`
+ b. In the **Reply URL** text box, type a URL using the following pattern:
+ `https://<DOMAIN:PORT>/plugins/servlet/saml/auth`
+
+ c. In the **Sign-on URL** text box, type a URL using the following pattern:
+ `https://<DOMAIN:PORT>/plugins/servlet/saml/auth`
> [!NOTE] > These values are not real. Update these values with the actual Identifier, Reply URL, and Sign-On URL. Port is optional in case itΓÇÖs a named URL. These values are received during the configuration of Confluence plugin, which is explained later in the tutorial.
In this section, you'll enable B.Simon to use Azure single sign-on by granting a
1. Hover on cog and click the **Add-ons**.
- ![Screenshot that shows the "Cog" icon selected, and "Add-ons" highlighted in the drop-down menu.](./media/confluencemicrosoft-tutorial/addon1.png)
+ ![Screenshot that shows the "Cog" icon selected, and "Add-ons" highlighted in the drop-down menu.](./media/confluencemicrosoft-tutorial/add-on-1.png)
1. Download the plugin from [Microsoft Download Center](https://www.microsoft.com/download/details.aspx?id=56503). Manually upload the plugin provided by Microsoft using **Upload add-on** menu. The download of plugin is covered under [Microsoft Service Agreement](https://www.microsoft.com/servicesagreement/).
- ![Screenshot that shows the "Manage add-ons" page with the "Upload add-on" action selected.](./media/confluencemicrosoft-tutorial/addon12.png)
+ ![Screenshot that shows the "Manage add-ons" page with the "Upload add-on" action selected.](./media/confluencemicrosoft-tutorial/add-on-12.png)
1. For running the Confluence reverse proxy scenario or load balancer scenario perform the following steps:
In this section, you'll enable B.Simon to use Azure single sign-on by granting a
`scheme="https" proxyName="<subdomain.domain.com>" proxyPort="<proxy_port>" secure="true"`
- ![Screenshot that shows the "server.xml" file with the attribute added to the "connector" port.](./media/confluencemicrosoft-tutorial/reverseproxy1.png)
+ ![Screenshot that shows the "server.xml" file with the attribute added to the "connector" port.](./media/confluencemicrosoft-tutorial/reverse-proxy-1.png)
b. Change **Base URL** in **System Settings** according to proxy/load balancer.
- ![Screenshot that shows the "Administration - Settings" page with "Base URL" highlighted.](./media/confluencemicrosoft-tutorial/reverseproxy2.png)
+ ![Screenshot that shows the "Administration - Settings" page with "Base URL" highlighted.](./media/confluencemicrosoft-tutorial/reverse-proxy-2.png)
1. Once the plugin is installed, it appears in **User Installed** add-ons section of **Manage Add-on** section. Click **Configure** to configure the new plugin.
- ![Screenshot that shows the "User Installed" section with the "Configure" button highlighted.](./media/confluencemicrosoft-tutorial/addon15.png)
+ ![Screenshot that shows the "User Installed" section with the "Configure" button highlighted.](./media/confluencemicrosoft-tutorial/add-on-15.png)
1. Perform following steps on configuration page:
- ![Screenshot that shows the single sign-on configuration page.](./media/confluencemicrosoft-tutorial/addon54.png)
+ ![Screenshot that shows the single sign-on configuration page.](./media/confluencemicrosoft-tutorial/add-on-53.png)
> [!TIP] > Ensure that there is only one certificate mapped against the app so that there is no error in resolving the metadata. If there are multiple certificates, admin gets an error upon resolving the metadata.
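Review bot: the configuration-page screenshot is renamed from `addon54.png` to `add-on-53.png`, changing the number as well as the format, while every other rename in this change keeps its number (`addon1` to `add-on-1`, `addon12` to `add-on-12`, `addon15` to `add-on-15`); confirm `add-on-53.png` is the intended file and not a typo. Separately, placeholder style is now inconsistent within the article: the Basic SAML Configuration patterns earlier in this change use `<DOMAIN:PORT>`, while the server.xml attribute line here keeps `<subdomain.domain.com>` and `<proxy_port>` in lowercase.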
In this section, you'll enable B.Simon to use Azure single sign-on by granting a
> [!Note] > To enable the default login form for admin login on the login page when the force azure login is enabled, add the query parameter in the browser URL.
- > `https://<domain:port>/login.action?force_azure_login=false`
+ > `https://<DOMAIN:PORT>/login.action?force_azure_login=false`
1. Click **Save** button to save the settings.
To enable Azure AD users to sign in to Confluence on-premises server, they must
1. Hover on cog and click the **User management**.
- ![Add Employee](./media/confluencemicrosoft-tutorial/user1.png)
+ ![Add Employee](./media/confluencemicrosoft-tutorial/user-1.png)
1. Under Users section, click **Add users** tab. On the **Add a User** dialog page, perform the following steps:
- ![Screenshot that shows the "Confluence administration" with the "Add Users" tab selected and "Add a User" information entered.](./media/confluencemicrosoft-tutorial/user2.png)
+ ![Screenshot that shows the "Confluence administration" with the "Add Users" tab selected and "Add a User" information entered.](./media/confluencemicrosoft-tutorial/user-2.png)
a. In the **Username** textbox, type the email of user like B.Simon.
active-directory Dome9arc Tutorial https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/active-directory/saas-apps/dome9arc-tutorial.md
Title: "Tutorial: Azure Active Directory single sign-on (SSO) integration with Check Point CloudGuard Dome9 Arc | Microsoft Docs"
-description: Learn how to configure single sign-on between Azure Active Directory and Check Point CloudGuard Dome9 Arc.
+ Title: "Tutorial: Azure Active Directory single sign-on (SSO) integration with Check Point CloudGuard Posture Management | Microsoft Docs"
+description: Learn how to configure single sign-on between Azure Active Directory and Check Point CloudGuard Posture Management.
Previously updated : 05/14/2021 Last updated : 05/13/2021
-# Tutorial: Azure Active Directory single sign-on (SSO) integration with Check Point CloudGuard Dome9 Arc
+# Tutorial: Azure Active Directory single sign-on (SSO) integration with Check Point CloudGuard Posture Management
-In this tutorial, you'll learn how to integrate Check Point CloudGuard Dome9 Arc with Azure Active Directory (Azure AD). When you integrate Check Point CloudGuard Dome9 Arc with Azure AD, you can:
+In this tutorial, you'll learn how to integrate Check Point CloudGuard Posture Management with Azure Active Directory (Azure AD). When you integrate Check Point CloudGuard Posture Management with Azure AD, you can:
-* Control in Azure AD who has access to Check Point CloudGuard Dome9 Arc.
-* Enable your users to be automatically signed-in to Check Point CloudGuard Dome9 Arc with their Azure AD accounts.
-* Manage your accounts in one central location - the Azure portal.
+- Control in Azure AD who has access to Check Point CloudGuard Posture Management.
+- Enable your users to be automatically signed-in to Check Point CloudGuard Posture Management with their Azure AD accounts.
+- Manage your accounts in one central location - the Azure portal.
## Prerequisites To get started, you need the following items: * An Azure AD subscription. If you don't have a subscription, you can get a [free account](https://azure.microsoft.com/free/).
-* Check Point CloudGuard Dome9 Arc single sign-on (SSO) enabled subscription.
+* Check Point CloudGuard Posture Management single sign-on (SSO) enabled subscription.
## Scenario description In this tutorial, you configure and test Azure AD SSO in a test environment.
-* Check Point CloudGuard Dome9 Arc supports **SP and IDP** initiated SSO.
+* Check Point CloudGuard Posture Management supports **SP and IDP** initiated SSO.
> [!NOTE] > Identifier of this application is a fixed string value so only one instance can be configured in one tenant.
-## Add Check Point CloudGuard Dome9 Arc from the gallery
+## Adding Check Point CloudGuard Posture Management from the gallery
-To configure the integration of Check Point CloudGuard Dome9 Arc into Azure AD, you need to add Check Point CloudGuard Dome9 Arc from the gallery to your list of managed SaaS apps.
+To configure the integration of Check Point CloudGuard Posture Management into Azure AD, you need to add Check Point CloudGuard Posture Management from the gallery to your list of managed SaaS apps.
1. Sign in to the Azure portal using either a work or school account, or a personal Microsoft account. 1. On the left navigation pane, select the **Azure Active Directory** service. 1. Navigate to **Enterprise Applications** and then select **All Applications**. 1. To add new application, select **New application**.
-1. In the **Add from the gallery** section, type **Check Point CloudGuard Dome9 Arc** in the search box.
-1. Select **Check Point CloudGuard Dome9 Arc** from results panel and then add the app. Wait a few seconds while the app is added to your tenant.
+1. In the **Add from the gallery** section, type **Check Point CloudGuard Posture Management** in the search box.
+1. Select **Check Point CloudGuard Posture Management** from results panel and then add the app. Wait a few seconds while the app is added to your tenant.
-## Configure and test Azure AD SSO for Check Point CloudGuard Dome9 Arc
+## Configure and test Azure AD SSO for Check Point CloudGuard Posture Management
-Configure and test Azure AD SSO with Check Point CloudGuard Dome9 Arc using a test user called **B.Simon**. For SSO to work, you need to establish a link relationship between an Azure AD user and the related user in Check Point CloudGuard Dome9 Arc.
+Configure and test Azure AD SSO with Check Point CloudGuard Posture Management using a test user called **B.Simon**. For SSO to work, you need to establish a link relationship between an Azure AD user and the related user in Check Point CloudGuard Posture Management.
-To configure and test Azure AD SSO with Check Point CloudGuard Dome9 Arc, perform the following steps:
+To configure and test Azure AD SSO with Check Point CloudGuard Posture Management, perform the following steps:
1. **[Configure Azure AD SSO](#configure-azure-ad-sso)** - to enable your users to use this feature. 1. **[Create an Azure AD test user](#create-an-azure-ad-test-user)** - to test Azure AD single sign-on with B.Simon. 1. **[Assign the Azure AD test user](#assign-the-azure-ad-test-user)** - to enable B.Simon to use Azure AD single sign-on.
-1. **[Configure Check Point CloudGuard Dome9 Arc SSO](#configure-check-point-cloudguard-dome9-arc-sso)** - to configure the single sign-on settings on application side.
- 1. **[Create Check Point CloudGuard Dome9 Arc test user](#create-check-point-cloudguard-dome9-arc-test-user)** - to have a counterpart of B.Simon in Check Point CloudGuard Dome9 Arc that is linked to the Azure AD representation of user.
+1. **[Configure Check Point CloudGuard Posture Management SSO](#configure-check-point-cloudguard-posture-management-sso)** - to configure the single sign-on settings on application side.
+ 1. **[Create Check Point CloudGuard Posture Management test user](#create-check-point-cloudguard-posture-management-test-user)** - to have a counterpart of B.Simon in Check Point CloudGuard Posture Management that is linked to the Azure AD representation of user.
1. **[Test SSO](#test-sso)** - to verify whether the configuration works. ## Configure Azure AD SSO Follow these steps to enable Azure AD SSO in the Azure portal.
-1. In the Azure portal, on the **Check Point CloudGuard Dome9 Arc** application integration page, find the **Manage** section and select **single sign-on**.
+1. In the Azure portal, on the **Check Point CloudGuard Posture Management** application integration page, find the **Manage** section and select **single sign-on**.
1. On the **Select a single sign-on method** page, select **SAML**. 1. On the **Set up single sign-on with SAML** page, click the pencil icon for **Basic SAML Configuration** to edit the settings.
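Review bot: the rewritten intro bullets switch the list marker from `*` to `-` (`- Control in Azure AD who has access to Check Point CloudGuard Posture Management.`) while the Prerequisites and Scenario description bullets just below keep `*`; use one marker throughout. The heading `## Add Check Point CloudGuard Dome9 Arc from the gallery` is also renamed to `## Adding Check Point CloudGuard Posture Management from the gallery`, the opposite direction from the Coda tutorial in this same batch, which changes `## Adding Coda from the gallery` to `## Add Coda from the gallery`; keep the `Add ...` form here too.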
Follow these steps to enable Azure AD SSO in the Azure portal.
1. On the **Basic SAML Configuration** section, if you wish to configure the application in **IDP** initiated mode, perform the following step: In the **Reply URL** text box, type a URL using the following pattern:
- `https://secure.dome9.com/sso/saml/<yourcompanyname>`
+ `https://secure.dome9.com/sso/saml/<YOURCOMPANYNAME>`
1. Click **Set additional URLs** and perform the following step if you wish to configure the application in **SP** initiated mode: In the **Sign-on URL** text box, type a URL using the following pattern:
- `https://secure.dome9.com/sso/saml/<yourcompanyname>`
+ `https://secure.dome9.com/sso/saml/<YOURCOMPANYNAME>`
> [!NOTE]
- > These values are not real. Update these values with the actual Reply URL and Sign-on URL. You will get the `<company name>` value from the **Configure Check Point CloudGuard Dome9 Arc SSO** section, which is explained later in the tutorial. You can also refer to the patterns shown in the **Basic SAML Configuration** section in the Azure portal.
+ > These values are not real. Update these values with the actual Reply URL and Sign-on URL. You will get the `<company name>` value from the **Configure Check Point CloudGuard Posture Management SSO** section, which is explained later in the tutorial. You can also refer to the patterns shown in the **Basic SAML Configuration** section in the Azure portal.
-1. Check Point CloudGuard Dome9 Arc application expects the SAML assertions in a specific format, which requires you to add custom attribute mappings to your SAML token attributes configuration. The following screenshot shows the list of default attributes.
+1. Check Point CloudGuard Posture Management application expects the SAML assertions in a specific format, which requires you to add custom attribute mappings to your SAML token attributes configuration. The following screenshot shows the list of default attributes.
![image](common/edit-attribute.png)
-1. In addition to above, Check Point CloudGuard Dome9 Arc application expects few more attributes to be passed back in SAML response which are shown below. These attributes are also pre populated but you can review them as per your requirement.
+1. In addition to above, Check Point CloudGuard Posture Management application expects few more attributes to be passed back in SAML response which are shown below. These attributes are also pre populated but you can review them as per your requirement.
| Name | Source Attribute | | -- | |
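Review bot: the note still tells the reader they will get the `<company name>` value from the Configure Check Point CloudGuard Posture Management SSO section, but the Reply URL and Sign-on URL patterns just above it were changed to `https://secure.dome9.com/sso/saml/<YOURCOMPANYNAME>`; update the note to `<YOURCOMPANYNAME>` so the placeholder it refers to matches the pattern.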
Follow these steps to enable Azure AD SSO in the Azure portal.
![The Certificate download link](common/certificatebase64.png)
-1. On the **Set up Check Point CloudGuard Dome9 Arc** section, copy the appropriate URL(s) based on your requirement.
+1. On the **Set up Check Point CloudGuard Posture Management** section, copy the appropriate URL(s) based on your requirement.
![Copy configuration URLs](common/copy-configuration-urls.png)
In this section, you'll create a test user in the Azure portal called B.Simon.
### Assign the Azure AD test user
-In this section, you'll enable B.Simon to use Azure single sign-on by granting access to Check Point CloudGuard Dome9 Arc.
+In this section, you'll enable B.Simon to use Azure single sign-on by granting access to Check Point CloudGuard Posture Management.
1. In the Azure portal, select **Enterprise Applications**, and then select **All applications**.
-1. In the applications list, select **Check Point CloudGuard Dome9 Arc**.
+1. In the applications list, select **Check Point CloudGuard Posture Management**.
1. In the app's overview page, find the **Manage** section and select **Users and groups**. 1. Select **Add user**, then select **Users and groups** in the **Add Assignment** dialog. 1. In the **Users and groups** dialog, select **B.Simon** from the Users list, then click the **Select** button at the bottom of the screen. 1. If you have setup the roles as explained in the above, you can select it from the **Select a role** dropdown. 1. In the **Add Assignment** dialog, click the **Assign** button.
-## Configure Check Point CloudGuard Dome9 Arc SSO
+## Configure Check Point CloudGuard Posture Management SSO
-1. To automate the configuration within Check Point CloudGuard Dome9 Arc, you need to install **My Apps Secure Sign-in browser extension** by clicking **Install the extension**.
+1. To automate the configuration within Check Point CloudGuard Posture Management, you need to install **My Apps Secure Sign-in browser extension** by clicking **Install the extension**.
![My apps extension](common/install-myappssecure-extension.png)
-2. After adding extension to the browser, click on **Setup Check Point CloudGuard Dome9 Arc** will direct you to the Check Point CloudGuard Dome9 Arc application. From there, provide the admin credentials to sign into Check Point CloudGuard Dome9 Arc. The browser extension will automatically configure the application for you and automate steps 3-6.
+2. After adding extension to the browser, click on **Setup Check Point CloudGuard Posture Management** will direct you to the Check Point CloudGuard Posture Management application. From there, provide the admin credentials to sign into Check Point CloudGuard Posture Management. The browser extension will automatically configure the application for you and automate steps 3-6.
![Setup configuration](common/setup-sso.png)
-3. If you want to setup Check Point CloudGuard Dome9 Arc manually, open a new web browser window and sign into your Check Point CloudGuard Dome9 Arc company site as an administrator and perform the following steps:
+3. If you want to setup Check Point CloudGuard Posture Management manually, open a new web browser window and sign into your Check Point CloudGuard Posture Management company site as an administrator and perform the following steps:
4. Click on the **Profile Settings** on the right top corner and then click **Account Settings**.
- ![Screenshot that shows the "Profile Settings" menu with "Account Settings" selected.](./media/dome9arc-tutorial/account.png)
+ ![Screenshot that shows the "Profile Settings" menu with "Account Settings" selected.](./media/dome9arc-tutorial/account-settings.png)
5. Navigate to **SSO** and then click **ENABLE**.
- ![Screenshot that shows the "S S O" tab and "Enable" selected.](./media/dome9arc-tutorial/settings.png)
+ ![Screenshot that shows the "S S O" tab and "Enable" selected.](./media/dome9arc-tutorial/enable.png)
6. In the SSO Configuration section, perform the following steps:
- ![Check Point CloudGuard Dome9 Arc Configuration](./media/dome9arc-tutorial/configuration.png)
+ ![Check Point CloudGuard Posture Management Configuration](./media/dome9arc-tutorial/configuration.png)
a. Enter company name in the **Account ID** textbox. This value is to be used in the **Reply** and **Sign on** URL mentioned in **Basic SAML Configuration** section of Azure portal.
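Review bot: "click on **Setup Check Point CloudGuard Posture Management** will direct you to the ... application" is ungrammatical in the updated line; rewrite as "clicking **Setup Check Point CloudGuard Posture Management** directs you to the ... application" (the same sentence pattern is used in the sibling tutorials). In step a, say explicitly that the **Account ID** value entered here is the one substituted into the Reply URL and Sign-on URL configured earlier, so the reader understands the two must agree.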
In this section, you'll enable B.Simon to use Azure single sign-on by granting a
e. Click **Save**.
-### Create Check Point CloudGuard Dome9 Arc test user
+### Create Check Point CloudGuard Posture Management test user
-To enable Azure AD users to sign in to Check Point CloudGuard Dome9 Arc, they must be provisioned into application. Check Point CloudGuard Dome9 Arc supports just-in-time provisioning but for that to work properly, user have to select particular **Role** and assign the same to the user.
+To enable Azure AD users to sign in to Check Point CloudGuard Posture Management, they must be provisioned into application. Check Point CloudGuard Posture Management supports just-in-time provisioning but for that to work properly, user have to select particular **Role** and assign the same to the user.
> [!Note]
-> For **Role** creation and other details contact [Check Point CloudGuard Dome9 Arc Client support team](mailto:Dome9@checkpoint.com).
+> For **Role** creation and other details contact [Check Point CloudGuard Posture Management Client support team](mailto:Dome9@checkpoint.com).
**To provision a user account manually, perform the following steps:**
-1. Sign in to your Check Point CloudGuard Dome9 Arc company site as an administrator.
+1. Sign in to your Check Point CloudGuard Posture Management company site as an administrator.
2. Click on the **Users & Roles** and then click **Users**.
- ![Screenshot that shows "Users & Roles" with the "Users" action selected.](./media/dome9arc-tutorial/user.png)
+ ![Screenshot that shows "Users & Roles" with the "Users" action selected.](./media/dome9arc-tutorial/users.png)
3. Click **ADD USER**.
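Review bot: the support link text was renamed to "Check Point CloudGuard Posture Management Client support team" but the address is still `mailto:Dome9@checkpoint.com`; confirm with the vendor that this mailbox is still the right contact after the product rename, or leave a short note that the address is unchanged. The updated line also keeps the pre-existing grammar problem "user have to select particular **Role** and assign the same to the user"; suggest "an administrator has to select a **Role** and assign it to the user". Since the role chosen here determines the privileges a just-in-time provisioned user receives, a sentence recommending the least-privileged role for test users would be useful.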
In this section, you test your Azure AD single sign-on configuration with follow
#### SP initiated:
-* Click on **Test this application** in Azure portal. This will redirect to Check Point CloudGuard Dome9 Arc Sign on URL where you can initiate the login flow.
+* Click on **Test this application** in Azure portal. This will redirect to Check Point CloudGuard Posture Management Sign on URL where you can initiate the login flow.
-* Go to Check Point CloudGuard Dome9 Arc Sign-on URL directly and initiate the login flow from there.
+* Go to Check Point CloudGuard Posture Management Sign-on URL directly and initiate the login flow from there.
#### IDP initiated:
-* Click on **Test this application** in Azure portal and you should be automatically signed in to the Check Point CloudGuard Dome9 Arc for which you set up the SSO.
+* Click on **Test this application** in Azure portal and you should be automatically signed in to the Check Point CloudGuard Posture Management for which you set up the SSO
-You can also use Microsoft My Apps to test the application in any mode. When you click the Check Point CloudGuard Dome9 Arc tile in the My Apps, if configured in SP mode you would be redirected to the application sign on page for initiating the login flow and if configured in IDP mode, you should be automatically signed in to the Check Point CloudGuard Dome9 Arc for which you set up the SSO. For more information about the My Apps, see [Introduction to the My Apps](../user-help/my-apps-portal-end-user-access.md).
+You can also use Microsoft My Apps to test the application in any mode. When you click the Check Point CloudGuard Posture Management tile in the My Apps, if configured in SP mode you would be redirected to the application sign on page for initiating the login flow and if configured in IDP mode, you should be automatically signed in to the Check Point CloudGuard Posture Management for which you set up the SSO. For more information about the My Apps, see [Introduction to the My Apps](../user-help/my-apps-portal-end-user-access.md).
## Next steps
-Once you configure Check Point CloudGuard Dome9 Arc you can enforce session control, which protects exfiltration and infiltration of your organizationΓÇÖs sensitive data in real time. Session control extends from Conditional Access. [Learn how to enforce session control with Microsoft Cloud App Security](/cloud-app-security/proxy-deployment-aad).
+Once you configure Check Point CloudGuard Posture Management you can enforce session control, which protects exfiltration and infiltration of your organizationΓÇÖs sensitive data in real time. Session control extends from Conditional Access. [Learn how to enforce session control with Microsoft Cloud App Security](/cloud-app-security/proxy-deployment-any-app).
+
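Review bot: the IDP-initiated bullet loses its trailing period in the updated line ("for which you set up the SSO"); restore it. The Next steps link is changed here from `/cloud-app-security/proxy-deployment-aad` to `/cloud-app-security/proxy-deployment-any-app`, while the EBSCO and Evernote tutorials touched in this same commit point at `proxy-deployment-aad`; pick one target for all the gallery tutorials, or state why this application needs the any-app deployment page.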
active-directory Ebsco Tutorial https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/active-directory/saas-apps/ebsco-tutorial.md
Previously updated : 10/11/2019 Last updated : 05/17/2021
In this tutorial, you'll learn how to integrate EBSCO with Azure Active Director
* Enable your users to be automatically signed-in to EBSCO with their Azure AD accounts. * Manage your accounts in one central location - the Azure portal.
-To learn more about SaaS app integration with Azure AD, see [What is application access and single sign-on with Azure Active Directory](../manage-apps/what-is-single-sign-on.md).
- ## Prerequisites To get started, you need the following items:
To get started, you need the following items:
In this tutorial, you configure and test Azure AD SSO in a test environment.
-* EBSCO supports **SP and IDP** initiated SSO
-* EBSCO supports **Just In Time** user provisioning
+* EBSCO supports **SP and IDP** initiated SSO.
+* EBSCO supports **Just In Time** user provisioning.
> [!NOTE] > Identifier of this application is a fixed string value so only one instance can be configured in one tenant.
-## Adding EBSCO from the gallery
+## Add EBSCO from the gallery
To configure the integration of EBSCO into Azure AD, you need to add EBSCO from the gallery to your list of managed SaaS apps.
-1. Sign in to the [Azure portal](https://portal.azure.com) using either a work or school account, or a personal Microsoft account.
+1. Sign in to the Azure portal using either a work or school account, or a personal Microsoft account.
1. On the left navigation pane, select the **Azure Active Directory** service. 1. Navigate to **Enterprise Applications** and then select **All Applications**. 1. To add new application, select **New application**. 1. In the **Add from the gallery** section, type **EBSCO** in the search box. 1. Select **EBSCO** from results panel and then add the app. Wait a few seconds while the app is added to your tenant.
-## Configure and test Azure AD single sign-on for EBSCO
+## Configure and test Azure AD SSO for EBSCO
Configure and test Azure AD SSO with EBSCO using a test user called **B.Simon**. For SSO to work, you need to establish a link relationship between an Azure AD user and the related user in EBSCO.
-To configure and test Azure AD SSO with EBSCO, complete the following building blocks:
+To configure and test Azure AD SSO with EBSCO, perform the following steps:
1. **[Configure Azure AD SSO](#configure-azure-ad-sso)** - to enable your users to use this feature.
- * **[Create an Azure AD test user](#create-an-azure-ad-test-user)** - to test Azure AD single sign-on with B.Simon.
- * **[Assign the Azure AD test user](#assign-the-azure-ad-test-user)** - to enable B.Simon to use Azure AD single sign-on.
+ 1. **[Create an Azure AD test user](#create-an-azure-ad-test-user)** - to test Azure AD single sign-on with B.Simon.
+ 1. **[Assign the Azure AD test user](#assign-the-azure-ad-test-user)** - to enable B.Simon to use Azure AD single sign-on.
1. **[Configure EBSCO SSO](#configure-ebsco-sso)** - to configure the single sign-on settings on application side.
- * **[Create EBSCO test user](#create-ebsco-test-user)** - to have a counterpart of B.Simon in EBSCO that is linked to the Azure AD representation of user.
+ 1. **[Create EBSCO test user](#create-ebsco-test-user)** - to have a counterpart of B.Simon in EBSCO that is linked to the Azure AD representation of user.
1. **[Test SSO](#test-sso)** - to verify whether the configuration works. ## Configure Azure AD SSO Follow these steps to enable Azure AD SSO in the Azure portal.
-1. In the [Azure portal](https://portal.azure.com/), on the **EBSCO** application integration page, find the **Manage** section and select **single sign-on**.
+1. In the Azure portal, on the **EBSCO** application integration page, find the **Manage** section and select **single sign-on**.
1. On the **Select a single sign-on method** page, select **SAML**.
-1. On the **Set up single sign-on with SAML** page, click the edit/pen icon for **Basic SAML Configuration** to edit the settings.
+1. On the **Set up single sign-on with SAML** page, click the pencil icon for **Basic SAML Configuration** to edit the settings.
![Edit Basic SAML Configuration](common/edit-urls.png)
-1. On the **Basic SAML Configuration** section, if you wish to configure the application in **IDP** initiated mode, enter the values for the following fields:
+1. On the **Basic SAML Configuration** section, if you wish to configure the application in **IDP** initiated mode, then perform the following step:
- In the **Identifier** text box, type a URL:
+ In the **Identifier** text box, type the URL:
`pingsso.ebscohost.com` 1. Click **Set additional URLs** and perform the following step if you wish to configure the application in **SP** initiated mode:
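Review bot: "In the **Identifier** text box, type the URL: `pingsso.ebscohost.com`" is misleading because the value shown is a bare hostname, not a URL. The Identifier is the SAML entity ID and is sent as the audience of the assertion, so the reader must enter it exactly as the service provider expects; say "type the value" (or "type the entity ID") and, if the real entity ID is a URI, show the full URI rather than the hostname. The same wording change ("type a URL" to "type the URL") is made in the Evernote and FactSet tutorials in this commit, where the values are genuine URLs, so this tutorial is the odd one out.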
In this section, you'll enable B.Simon to use Azure single sign-on by granting a
1. In the Azure portal, select **Enterprise Applications**, and then select **All applications**. 1. In the applications list, select **EBSCO**. 1. In the app's overview page, find the **Manage** section and select **Users and groups**.-
- ![The "Users and groups" link](common/users-groups-blade.png)
- 1. Select **Add user**, then select **Users and groups** in the **Add Assignment** dialog.-
- ![The Add User link](common/add-assign-user.png)
- 1. In the **Users and groups** dialog, select **B.Simon** from the Users list, then click the **Select** button at the bottom of the screen.
-1. If you're expecting any role value in the SAML assertion, in the **Select Role** dialog, select the appropriate role for the user from the list and then click the **Select** button at the bottom of the screen.
+1. If you are expecting a role to be assigned to the users, you can select it from the **Select a role** dropdown. If no role has been set up for this app, you see "Default Access" role selected.
1. In the **Add Assignment** dialog, click the **Assign** button. ## Configure EBSCO SSO
In the case of EBSCO, user provisioning is automatic.
Azure AD passes the required data to EBSCO application. EBSCOΓÇÖs user provisioning can be automatic OR require a one-time form. It depends on whether the client has a lot of pre-existing EBSCOhost accounts with personal settings saved. The same can be discussed with the [EBSCO support team](mailto:support@ebsco.com) during the implementation. Either way, the client doesnΓÇÖt have to create any EBSCOhost accounts prior to testing. > [!Note]
- > You can automate EBSCOhost user provisioning/personalization. Contact [EBSCO support team](mailto:support@ebsco.com) about Just-In-Time user provisioning.
+ > You can automate EBSCO host user provisioning/personalization. Contact [EBSCO support team](mailto:support@ebsco.com) about Just-In-Time user provisioning.
## Test SSO
-In this section, you test your Azure AD single sign-on configuration using the Access Panel.
+In this section, you test your Azure AD single sign-on configuration using My Apps.
-1. When you click the EBSCO tile in the Access Panel, you should get automatically signed-on to your EBSCO application.
-For more information about the Access Panel, see [Introduction to the Access Panel](../user-help/my-apps-portal-end-user-access.md).
+1. When you click the EBSCO tile in My Apps, you should get automatically signed-on to your EBSCO application.
+For more information about My Apps, see [Introduction to My Apps](../user-help/my-apps-portal-end-user-access.md).
1. Once you login to the application, click on the **sign in** button in the top right corner.
- ![The EBSCO sign-in in the Applications list](./media/ebsco-tutorial/tutorial_ebsco_signin.png)
+ ![The EBSCO sign-in in the Applications list](./media/ebsco-tutorial/application.png)
1. You will receive a one-time prompt to pair the institutional/SAML login with an **Link your existing MyEBSCOhost account to your institution account now** OR **Create a new MyEBSCOhost account and link it to your institution account**. The account is used for personalization on the EBSCOhost application. Select the option **Create a new account** and you will see that the form for personalization is pre-completed with the values from the saml response as shown in the screenshot below. Click **ΓÇÿContinueΓÇÖ** to save this selection.
- ![The EBSCO user in the Applications list](./media/ebsco-tutorial/tutorial_ebsco_user.png)
+ ![The EBSCO user in the Applications list](./media/ebsco-tutorial/user.png)
1. After completing the above setup, clear cookies/cache and login again. You wonΓÇÖt have to manually sign in again and the personalization settings are remembered.
-## Additional resources
--- [ List of Tutorials on How to Integrate SaaS Apps with Azure Active Directory ](./tutorial-list.md)--- [What is application access and single sign-on with Azure Active Directory? ](../manage-apps/what-is-single-sign-on.md)--- [What is conditional access in Azure Active Directory?](../conditional-access/overview.md)
+## Next steps
-- [Try EBSCO with Azure AD](https://aad.portal.azure.com/)
+Once you configure EBSCO you can enforce session control, which protects exfiltration and infiltration of your organizationΓÇÖs sensitive data in real time. Session control extends from Conditional Access. [Learn how to enforce session control with Microsoft Cloud App Security](/cloud-app-security/proxy-deployment-aad).
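Review bot: the change from "EBSCOhost" to "EBSCO host" in the note looks like a regression: EBSCOhost is the product name, and the surrounding unchanged lines ("pre-existing EBSCOhost accounts", "MyEBSCOhost account", "the EBSCOhost application") still use the single-word form. Revert to "EBSCOhost user provisioning/personalization". The Next steps link here uses `proxy-deployment-aad`, whereas the Check Point tutorial in this same commit was changed to `proxy-deployment-any-app`; align the two.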
active-directory Evernote Tutorial https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/active-directory/saas-apps/evernote-tutorial.md
Previously updated : 09/17/2019 Last updated : 05/18/2021
In this tutorial, you'll learn how to integrate Evernote with Azure Active Direc
* Enable your users to be automatically signed-in to Evernote with their Azure AD accounts. * Manage your accounts in one central location - the Azure portal.
-To learn more about SaaS app integration with Azure AD, see [What is application access and single sign-on with Azure Active Directory](../manage-apps/what-is-single-sign-on.md).
- ## Prerequisites To get started, you need the following items:
To get started, you need the following items:
In this tutorial, you configure and test Azure AD SSO in a test environment.
-* Evernote supports **SP and IDP** initiated SSO
+* Evernote supports **SP and IDP** initiated SSO.
> [!NOTE] > Identifier of this application is a fixed string value so only one instance can be configured in one tenant.
-## Adding Evernote from the gallery
+## Add Evernote from the gallery
To configure the integration of Evernote into Azure AD, you need to add Evernote from the gallery to your list of managed SaaS apps.
-1. Sign in to the [Azure portal](https://portal.azure.com) using either a work or school account, or a personal Microsoft account.
+1. Sign in to the Azure portal using either a work or school account, or a personal Microsoft account.
1. On the left navigation pane, select the **Azure Active Directory** service. 1. Navigate to **Enterprise Applications** and then select **All Applications**. 1. To add new application, select **New application**. 1. In the **Add from the gallery** section, type **Evernote** in the search box. 1. Select **Evernote** from results panel and then add the app. Wait a few seconds while the app is added to your tenant.
-## Configure and test Azure AD single sign-on for Evernote
+## Configure and test Azure AD SSO for Evernote
Configure and test Azure AD SSO with Evernote using a test user called **B.Simon**. For SSO to work, you need to establish a link relationship between an Azure AD user and the related user in Evernote.
-To configure and test Azure AD SSO with Evernote, complete the following building blocks:
+To configure and test Azure AD SSO with Evernote, perform the following steps:
1. **[Configure Azure AD SSO](#configure-azure-ad-sso)** - to enable your users to use this feature. 1. **[Create an Azure AD test user](#create-an-azure-ad-test-user)** - to test Azure AD single sign-on with B.Simon.
To configure and test Azure AD SSO with Evernote, complete the following buildin
Follow these steps to enable Azure AD SSO in the Azure portal.
-1. In the [Azure portal](https://portal.azure.com/), on the **Evernote** application integration page, find the **Manage** section and select **single sign-on**.
+1. In the Azure portal, on the **Evernote** application integration page, find the **Manage** section and select **single sign-on**.
1. On the **Select a single sign-on method** page, select **SAML**.
-1. On the **Set up single sign-on with SAML** page, click the edit/pen icon for **Basic SAML Configuration** to edit the settings.
+1. On the **Set up single sign-on with SAML** page, click the pencil icon for **Basic SAML Configuration** to edit the settings.
![Edit Basic SAML Configuration](common/edit-urls.png)
-1. On the **Basic SAML Configuration** section, if you wish to configure the application in **IDP** initiated mode, enter the values for the following fields:
+1. On the **Basic SAML Configuration** section, if you wish to configure the application in **IDP** initiated mode,perform the following steps:
- In the **Identifier** text box, type a URL:
+ In the **Identifier** text box, type the URL:
`https://www.evernote.com/saml2` 1. Click **Set additional URLs** and perform the following step if you wish to configure the application in **SP** initiated mode:
- In the **Sign-on URL** text box, type a URL:
+ In the **Sign-on URL** text box, type the URL:
`https://www.evernote.com/Login.action` 1. On the **Set up single sign-on with SAML** page, in the **SAML Signing Certificate** section, find **Certificate (Base64)** and select **Download** to download the certificate and save it on your computer.
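Review bot: missing space after the comma in the updated line "in **IDP** initiated mode,perform the following steps:"; also, only one field (the **Identifier**) follows, so "perform the following step:" matches the wording used in the EBSCO tutorial in this commit.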
Follow these steps to enable Azure AD SSO in the Azure portal.
![Screenshot that shows the "S A M L Signing Certificate" dialog with the "Edit" button selected.](common/edit-certificate.png)
- ![image](./media/evernote-tutorial/samlassertion.png)
+ ![image](./media/evernote-tutorial/assertion.png)
a. Select the **Sign SAML response and assertion** option for **Signing Option**.
In this section, you'll enable B.Simon to use Azure single sign-on by granting a
1. In the Azure portal, select **Enterprise Applications**, and then select **All applications**. 1. In the applications list, select **Evernote**. 1. In the app's overview page, find the **Manage** section and select **Users and groups**.-
- ![The "Users and groups" link](common/users-groups-blade.png)
- 1. Select **Add user**, then select **Users and groups** in the **Add Assignment** dialog.-
- ![The Add User link](common/add-assign-user.png)
- 1. In the **Users and groups** dialog, select **B.Simon** from the Users list, then click the **Select** button at the bottom of the screen.
-1. If you're expecting any role value in the SAML assertion, in the **Select Role** dialog, select the appropriate role for the user from the list and then click the **Select** button at the bottom of the screen.
+1. If you are expecting a role to be assigned to the users, you can select it from the **Select a role** dropdown. If no role has been set up for this app, you see "Default Access" role selected.
1. In the **Add Assignment** dialog, click the **Assign** button. ## Configure Evernote SSO
In this section, you'll enable B.Simon to use Azure single sign-on by granting a
4. Go to **'Admin Console'**
- ![Admin-Console](./media/evernote-tutorial/tutorial_evernote_adminconsole.png)
+ ![Admin-Console](./media/evernote-tutorial/admin.png)
5. From the **'Admin Console'**, go to **ΓÇÿSecurityΓÇÖ** and select **ΓÇÿSingle Sign-OnΓÇÖ**
- ![SSO-Setting](./media/evernote-tutorial/tutorial_evernote_sso.png)
+ ![SSO-Setting](./media/evernote-tutorial/security.png)
6. Configure the following values:
- ![Certificate-Setting](./media/evernote-tutorial/tutorial_evernote_certx.png)
+ ![Certificate-Setting](./media/evernote-tutorial/certificate.png)
a. **Enable SSO:** SSO is enabled by default (Click **Disable Single Sign-on** to remove the SSO requirement)
In the case of Evernote, provisioning is a manual task.
2. Click the **'Admin Console'**.
- ![Admin-Console](./media/evernote-tutorial/tutorial_evernote_adminconsole.png)
+ ![Admin-Console](./media/evernote-tutorial/admin.png)
3. From the **'Admin Console'**, go to **ΓÇÿAdd usersΓÇÖ**.
- ![Screenshot that shows the "Users" menu with "Add Users" selected.](./media/evernote-tutorial/create_aaduser_0001.png)
+ ![Screenshot that shows the "Users" menu with "Add Users" selected.](./media/evernote-tutorial/create-user.png)
4. **Add team members** in the **Email** textbox, type the email address of user account and click **Invite.**
- ![Add-testUser](./media/evernote-tutorial/create_aaduser_0002.png)
+ ![Add-testUser](./media/evernote-tutorial/add-user.png)
5. After invitation is sent, the Azure Active Directory account holder will receive an email to accept the invitation. ## Test SSO
-In this section, you test your Azure AD single sign-on configuration using the Access Panel.
+In this section, you test your Azure AD single sign-on configuration with following options.
+
+#### SP initiated:
+
+* Click on **Test this application** in Azure portal. This will redirect to Evernote Sign on URL where you can initiate the login flow.
-When you click the Evernote tile in the Access Panel, you should be automatically signed in to the Evernote for which you set up SSO. For more information about the Access Panel, see [Introduction to the Access Panel](../user-help/my-apps-portal-end-user-access.md).
+* Go to Evernote Sign-on URL directly and initiate the login flow from there.
-## Additional resources
+#### IDP initiated:
-- [ List of Tutorials on How to Integrate SaaS Apps with Azure Active Directory ](./tutorial-list.md)
+* Click on **Test this application** in Azure portal and you should be automatically signed in to the Evernote for which you set up the SSO.
-- [What is application access and single sign-on with Azure Active Directory? ](../manage-apps/what-is-single-sign-on.md)
+You can also use Microsoft My Apps to test the application in any mode. When you click the Evernote tile in the My Apps, if configured in SP mode you would be redirected to the application sign on page for initiating the login flow and if configured in IDP mode, you should be automatically signed in to the Evernote for which you set up the SSO. For more information about the My Apps, see [Introduction to the My Apps](../user-help/my-apps-portal-end-user-access.md).
-- [What is conditional access in Azure Active Directory?](../conditional-access/overview.md)
+## Next steps
-- [Try Evernote with Azure AD](https://aad.portal.azure.com/)
+Once you configure Evernote you can enforce session control, which protects exfiltration and infiltration of your organizationΓÇÖs sensitive data in real time. Session control extends from Conditional Access. [Learn how to enforce session control with Microsoft Cloud App Security](/cloud-app-security/proxy-deployment-aad).
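Review bot: "you test your Azure AD single sign-on configuration with following options" needs the article: "with the following options". The new SP-initiated and IDP-initiated bullets are consistent with the earlier statement that Evernote supports both modes and with the Sign-on URL configured above, so no other change is needed here.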
active-directory Factset Tutorial https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/active-directory/saas-apps/factset-tutorial.md
Previously updated : 04/06/2020 Last updated : 05/17/2021
In this tutorial, you'll learn how to integrate FactSet with Azure Active Direct
* Enable your users to be automatically signed-in to FactSet with their Azure AD accounts. * Manage your accounts in one central location - the Azure portal.
-To learn more about SaaS app integration with Azure AD, see [What is application access and single sign-on with Azure Active Directory](../manage-apps/what-is-single-sign-on.md).
- ## Prerequisites To get started, you need the following items:
To get started, you need the following items:
In this tutorial, you configure and test Azure AD SSO in a test environment.
-* FactSet supports **IDP** initiated SSO
-* Once you configure FactSet you can enforce session control, which protect exfiltration and infiltration of your organizationΓÇÖs sensitive data in real-time. Session control extend from Conditional Access. [Learn how to enforce session control with Microsoft Cloud App Security](/cloud-app-security/proxy-deployment-any-app).
+* FactSet supports **IDP** initiated SSO.
+
+> [!NOTE]
+> Identifier of this application is a fixed string value so only one instance can be configured in one tenant.
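Review bot: the removed session-control bullet is not re-added anywhere in the visible part of this diff; in the EBSCO and Evernote tutorials updated in the same commit it was moved to a "Next steps" section, so confirm that FactSet gets the same section. The added note about the fixed Identifier is consistent with the single Identifier value `https://login.factset.com` configured later in the tutorial.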
-## Adding FactSet from the gallery
+## Add FactSet from the gallery
To configure the integration of FactSet into Azure AD, you need to add FactSet from the gallery to your list of managed SaaS apps.
-1. Sign in to the [Azure portal](https://portal.azure.com) using either a work or school account, or a personal Microsoft account.
+1. Sign in to the Azure portal using either a work or school account, or a personal Microsoft account.
1. On the left navigation pane, select the **Azure Active Directory** service. 1. Navigate to **Enterprise Applications** and then select **All Applications**. 1. To add new application, select **New application**. 1. In the **Add from the gallery** section, type **FactSet** in the search box. 1. Select **FactSet** from results panel and then add the app. Wait a few seconds while the app is added to your tenant.
-## Configure and test Azure AD single sign-on for FactSet
+## Configure and test Azure AD SSO for FactSet
Configure and test Azure AD SSO with FactSet using a test user called **B.Simon**. For SSO to work, you need to establish a link relationship between an Azure AD user and the related user in FactSet.
-To configure and test Azure AD SSO with FactSet, complete the following building blocks:
+To configure and test Azure AD SSO with FactSet, perform the following steps:
1. **[Configure Azure AD SSO](#configure-azure-ad-sso)** - to enable your users to use this feature. 1. **[Create an Azure AD test user](#create-an-azure-ad-test-user)** - to test Azure AD single sign-on with B.Simon.
To configure and test Azure AD SSO with FactSet, complete the following building
Follow these steps to enable Azure AD SSO in the Azure portal.
-1. In the [Azure portal](https://portal.azure.com/), on the **FactSet** application integration page, find the **Manage** section and select **single sign-on**.
+1. In the Azure portal, on the **FactSet** application integration page, find the **Manage** section and select **single sign-on**.
1. On the **Select a single sign-on method** page, select **SAML**.
-1. On the **Set up single sign-on with SAML** page, click the edit/pen icon for **Basic SAML Configuration** to edit the settings.
+1. On the **Set up single sign-on with SAML** page, click the pencil icon for **Basic SAML Configuration** to edit the settings.
![Edit Basic SAML Configuration](common/edit-urls.png)
-1. On the **Set up single sign-on with SAML** page, enter the values for the following fields:
+1. On the **Set up single sign-on with SAML** page, perform the following steps:
- a. In the **Identifier** text box, type a URL:
+ a. In the **Identifier** text box, type the URL:
`https://login.factset.com`
- b. In the **Reply URL** text box, type a URL:
+ b. In the **Reply URL** text box, type the URL:
`https://login.factset.com/services/saml2/` 1. On the **Set up single sign-on with SAML** page, in the **SAML Signing Certificate** section, find **Federation Metadata XML** and select **Download** to download the metadata file and save it on your computer.
In this section, you'll enable B.Simon to use Azure single sign-on by granting a
1. In the Azure portal, select **Enterprise Applications**, and then select **All applications**. 1. In the applications list, select **FactSet**. 1. In the app's overview page, find the **Manage** section and select **Users and groups**.-
- ![The "Users and groups" link](common/users-groups-blade.png)
- 1. Select **Add user**, then select **Users and groups** in the **Add Assignment** dialog.-
- ![The Add User link](common/add-assign-user.png)
- 1. In the **Users and groups** dialog, select **B.Simon** from the Users list, then click the **Select** button at the bottom of the screen.
-1. If you're expecting any role value in the SAML assertion, in the **Select Role** dialog, select the appropriate role for the user from the list and then click the **Select** button at the bottom of the screen.
+1. If you are expecting a role to be assigned to the users, you can select it from the **Select a role** dropdown. If no role has been set up for this app, you see "Default Access" role selected.
1. In the **Add Assignment** dialog, click the **Assign** button. ## Configure FactSet SSO
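Review bot: the replacement sentence loses the one security-relevant fact the old sentence carried, that the role picked here is what is emitted as the role value in the SAML assertion and therefore what the application authorizes on; keep that link, e.g. "the role you select is sent to FactSet in the SAML assertion". Minor grammar in the same line: 'you see "Default Access" role selected' should read 'you see the **Default Access** role selected'. The identical sentence is added to the Frontline Education and Harness tutorials in this change, so fix it in all three.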
In this section, you create a user called Britta Simon in FactSet. Work with you
## Test SSO
-In this section, you test your Azure AD single sign-on configuration using the Access Panel.
-
-When you click the FactSet tile in the Access Panel, you should be automatically signed in to the FactSet for which you set up SSO. For more information about the Access Panel, see [Introduction to the Access Panel](../user-help/my-apps-portal-end-user-access.md).
-
-## Additional resources
--- [ List of Tutorials on How to Integrate SaaS Apps with Azure Active Directory ](./tutorial-list.md)--- [What is application access and single sign-on with Azure Active Directory? ](../manage-apps/what-is-single-sign-on.md)
+In this section, you test your Azure AD single sign-on configuration with following options.
-- [What is conditional access in Azure Active Directory?](../conditional-access/overview.md)
+* Click on Test this application in Azure portal and you should be automatically signed in to the FactSet for which you set up the SSO.
-- [Try FactSet with Azure AD](https://aad.portal.azure.com/)
+* You can use Microsoft My Apps. When you click the FactSet tile in the My Apps, you should be automatically signed in to the FactSet for which you set up the SSO. For more information about the My Apps, see [Introduction to the My Apps](../user-help/my-apps-portal-end-user-access.md).
-- [What is session control in Microsoft Cloud App Security?](/cloud-app-security/proxy-intro-aad)
+## Next steps
-- [How to protect FactSet with advanced visibility and controls](/cloud-app-security/proxy-intro-aad)
+Once you configure FactSet you can enforce session control, which protects exfiltration and infiltration of your organizationΓÇÖs sensitive data in real time. Session control extends from Conditional Access. [Learn how to enforce session control with Microsoft Cloud App Security](/cloud-app-security/proxy-deployment-aad).
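Review bot: the added Next steps line contains the mojibake `organizationΓÇÖs` (a UTF-8 right single quotation mark decoded as code page 437/850); replace it with a plain ASCII apostrophe. The same artifact is in the Next steps line added to the foundU, Frontline Education and Harness tutorials in this change. Two smaller consistency points in the same hunk: "Test this application" is unbolded here but bold in the other tutorials, and the session-control link targets `/cloud-app-security/proxy-deployment-aad` while the foundU tutorial links `/cloud-app-security/proxy-deployment-any-app`; confirm which deployment page is intended for gallery apps and use it in both.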
active-directory Fax.Plus Tutorial https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/active-directory/saas-apps/fax.plus-tutorial.md
Previously updated : 03/03/2021 Last updated : 05/19/2021
In this section, you'll enable B.Simon to use Azure single sign-on by granting a
## Configure FAX.PLUS SSO
-1. Log in to your FAX.PLUS company site as an administrator.
+1. To automate the configuration within FAX.PLUS, you need to install **My Apps Secure Sign-in browser extension** by clicking **Install the extension**.
+
+ ![My apps extension](common/install-myappssecure-extension.png)
+
+2. After adding extension to the browser, click on **Set up FAX.PLUS** will direct you to the FAX.PLUS application. From there, provide the admin credentials to sign into FAX.PLUS. The browser extension will automatically configure the application for you and automate steps 3-5.
+
+ ![Setup configuration](common/setup-sso.png)
+
+3. If you want to setup FAX.PLUS manually, in a different web browser window, sign in to your FAX.PLUS company site as an administrator.
2. Go to the **Security** section in your Admin Profile and scroll down to **Advanced**.
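Review bot: the step numbering no longer works after this hunk: the new steps 1 to 3 are followed by the retained "2. Go to the **Security** section", and the new step 2 says the extension will "automate steps 3-5" while step 3 is the start of the manual path itself. Renumber the manual steps so they continue from 4, and re-point the "steps 3-5" reference at the renumbered manual steps. In step 2, "click on **Set up FAX.PLUS** will direct you" should read "clicking **Set up FAX.PLUS** directs you", and since that path has the admin sign in to FAX.PLUS through the browser extension, say plainly in step 3 that the manual route needs no extension so administrators who do not want to install one know they can skip straight to it.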
active-directory Foundu Tutorial https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/active-directory/saas-apps/foundu-tutorial.md
+
+ Title: 'Tutorial: Azure Active Directory single sign-on (SSO) integration with foundU | Microsoft Docs'
+description: Learn how to configure single sign-on between Azure Active Directory and foundU.
++++++++ Last updated : 05/20/2021++++
+# Tutorial: Azure Active Directory single sign-on (SSO) integration with foundU
+
+In this tutorial, you'll learn how to integrate foundU with Azure Active Directory (Azure AD). When you integrate foundU with Azure AD, you can:
+
+* Control in Azure AD who has access to foundU.
+* Enable your users to be automatically signed-in to foundU with their Azure AD accounts.
+* Manage your accounts in one central location - the Azure portal.
+
+## Prerequisites
+
+To get started, you need the following items:
+
+* An Azure AD subscription. If you don't have a subscription, you can get a [free account](https://azure.microsoft.com/free/).
+* foundU single sign-on (SSO) enabled subscription.
+
+## Scenario description
+
+In this tutorial, you configure and test Azure AD SSO in a test environment.
+
+* foundU supports **SP and IDP** initiated SSO.
+
+## Adding foundU from the gallery
+
+To configure the integration of foundU into Azure AD, you need to add foundU from the gallery to your list of managed SaaS apps.
+
+1. Sign in to the Azure portal using either a work or school account, or a personal Microsoft account.
+1. On the left navigation pane, select the **Azure Active Directory** service.
+1. Navigate to **Enterprise Applications** and then select **All Applications**.
+1. To add new application, select **New application**.
+1. In the **Add from the gallery** section, type **foundU** in the search box.
+1. Select **foundU** from results panel and then add the app. Wait a few seconds while the app is added to your tenant.
++
+## Configure and test Azure AD SSO for foundU
+
+Configure and test Azure AD SSO with foundU using a test user called **B.Simon**. For SSO to work, you need to establish a link relationship between an Azure AD user and the related user in foundU.
+
+To configure and test Azure AD SSO with foundU, perform the following steps:
+
+1. **[Configure Azure AD SSO](#configure-azure-ad-sso)** - to enable your users to use this feature.
+ 1. **[Create an Azure AD test user](#create-an-azure-ad-test-user)** - to test Azure AD single sign-on with B.Simon.
+ 1. **[Assign the Azure AD test user](#assign-the-azure-ad-test-user)** - to enable B.Simon to use Azure AD single sign-on.
+1. **[Configure foundU SSO](#configure-foundu-sso)** - to configure the single sign-on settings on application side.
+ 1. **[Create foundU test user](#create-foundu-test-user)** - to have a counterpart of B.Simon in foundU that is linked to the Azure AD representation of user.
+1. **[Test SSO](#test-sso)** - to verify whether the configuration works.
+
+## Configure Azure AD SSO
+
+Follow these steps to enable Azure AD SSO in the Azure portal.
+
+1. In the Azure portal, on the **foundU** application integration page, find the **Manage** section and select **single sign-on**.
+1. On the **Select a single sign-on method** page, select **SAML**.
+1. On the **Set up single sign-on with SAML** page, click the pencil icon for **Basic SAML Configuration** to edit the settings.
+
+ ![Edit Basic SAML Configuration](common/edit-urls.png)
+
+1. On the **Basic SAML Configuration** section, if you wish to configure the application in **IDP** initiated mode, enter the values for the following fields:
+
+ a. In the **Identifier** text box, type a URL using the following pattern:
+ `https://<CUSTOMER_NAME>.foundu.com.au/saml`
+
+ b. In the **Reply URL** text box, type a URL using the following pattern:
+ `https://<CUSTOMER_NAME>.foundu.com.au/saml/consume`
+
+1. Click **Set additional URLs** and perform the following step if you wish to configure the application in **SP** initiated mode:
+
+ In the **Sign-on URL** text box, type a URL using the following pattern:
+ `https://<CUSTOMER_NAME>.foundu.com.au/saml/login`
+
+ > [!NOTE]
+ > These values are not real. Update these values with the actual Identifier, Reply URL and Sign-on URL. Contact [foundU Client support team](mailto:help@foundu.com.au) to get these values. You can also refer to the patterns shown in the **Basic SAML Configuration** section in the Azure portal.
+
+1. On the **Set up single sign-on with SAML** page, in the **SAML Signing Certificate** section, find **Certificate (Base64)** and select **Download** to download the certificate and save it on your computer.
+
+ ![The Certificate download link](common/certificatebase64.png)
+
+1. On the **Set up foundU** section, copy the appropriate URL(s) based on your requirement.
+
+ ![Copy configuration URLs](common/copy-configuration-urls.png)
+
+### Create an Azure AD test user
+
+In this section, you'll create a test user in the Azure portal called B.Simon.
+
+1. From the left pane in the Azure portal, select **Azure Active Directory**, select **Users**, and then select **All users**.
+1. Select **New user** at the top of the screen.
+1. In the **User** properties, follow these steps:
+ 1. In the **Name** field, enter `B.Simon`.
+ 1. In the **User name** field, enter the username@companydomain.extension. For example, `B.Simon@contoso.com`.
+ 1. Select the **Show password** check box, and then write down the value that's displayed in the **Password** box.
+ 1. Click **Create**.
+
+### Assign the Azure AD test user
+
+In this section, you'll enable B.Simon to use Azure single sign-on by granting access to foundU.
+
+1. In the Azure portal, select **Enterprise Applications**, and then select **All applications**.
+1. In the applications list, select **foundU**.
+1. In the app's overview page, find the **Manage** section and select **Users and groups**.
+1. Select **Add user**, then select **Users and groups** in the **Add Assignment** dialog.
+1. In the **Users and groups** dialog, select **B.Simon** from the Users list, then click the **Select** button at the bottom of the screen.
+1. If you are expecting a role to be assigned to the users, you can select it from the **Select a role** dropdown. If no role has been set up for this app, you see "Default Access" role selected.
+1. In the **Add Assignment** dialog, click the **Assign** button.
+
+## Configure foundU SSO
+
+1. Log in to foundU website as an administrator.
+
+1. Click Menu icon and in the **Platform Settings** select **Single Sign-on**.
+
+ ![Screenshot for foundU single sign on](./media/foundu-tutorial/single-sign-on.png)
+
+1. Perform the following steps in the **Single Sign-on Settings** page.
+
+ ![Screenshot for foundU sso configuration](./media/foundu-tutorial/configuration.png)
+
+ a. Copy **Identifier(Entity ID)** value, paste this value into the **Identifier** text box in the **Basic SAML Configuration section** in the Azure portal.
+
+ b. Copy **Reply URL (Assertion Consumer Service URL)** value, paste this value into the **Reply URL** text box in the **Basic SAML Configuration section** in the Azure portal.
+
+ c. Copy **Logout URL** value, paste this value into the **Logout URL** text box in the **Basic SAML Configuration section** in the Azure portal.
+
+ d. In the **Entity ID** textbox, paste the **Identifier** value which you have copied from the Azure portal.
+
+ e. In the **Single Sign-on Service URL** textbox, paste the **Login URL** value which you have copied from the Azure portal.
+
+ f. In the **Single Logout Service URL** textbox, paste the **Logout URL** value which you have copied from the Azure portal.
+
+ g. Click **Choose File** to upload the downloaded **Certificate (Base64)** file from Azure portal.
+
+ h. Click **Save Settings**.
+
+### Create foundU test user
+
+In this section, you create a user called Britta Simon in foundU. Work with [foundU support team](mailto:help@foundu.com.au) to add the users in the foundU platform. Users must be created and activated before you use single sign-on.
+
+## Test SSO
+
+In this section, you test your Azure AD single sign-on configuration with following options.
+
+#### SP initiated:
+
+* Click on **Test this application** in Azure portal. This will redirect to foundU Sign on URL where you can initiate the login flow.
+
+* Go to foundU Sign-on URL directly and initiate the login flow from there.
+
+#### IDP initiated:
+
+* Click on **Test this application** in Azure portal and you should be automatically signed in to the foundU for which you set up the SSO
+
+You can also use Microsoft My Apps to test the application in any mode. When you click the foundU tile in the My Apps, if configured in SP mode you would be redirected to the application sign on page for initiating the login flow and if configured in IDP mode, you should be automatically signed in to the foundU for which you set up the SSO. For more information about the My Apps, see [Introduction to the My Apps](../user-help/my-apps-portal-end-user-access.md).
++
+## Next steps
+
+Once you configure foundU you can enforce session control, which protects exfiltration and infiltration of your organizationΓÇÖs sensitive data in real time. Session control extends from Conditional Access. [Learn how to enforce session control with Microsoft Cloud App Security](/cloud-app-security/proxy-deployment-any-app).
++
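Review bot: step 3c of "Configure foundU SSO" tells the reader to paste the foundU **Logout URL** into the **Logout URL** text box of **Basic SAML Configuration**, but the Azure portal steps earlier in the file (steps 4 and 5 of "Configure Azure AD SSO") only describe the Identifier, Reply URL and Sign-on URL fields, so the Logout URL is never set up on the Azure side in the order the tutorial is read; either add a Logout URL pattern (for example `https://<CUSTOMER_NAME>.foundu.com.au/saml/logout`, if that is what the foundU settings page shows) to the Basic SAML Configuration step, or drop 3c. The NOTE after step 5 also says to contact foundU support to get the Identifier, Reply URL and Sign-on URL, while steps 3a to 3c show them being copied from the foundU **Single Sign-on Settings** page; pick one source so the reader is not sent to support for values already on screen.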
active-directory Frontline Education Tutorial https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/active-directory/saas-apps/frontline-education-tutorial.md
Previously updated : 08/09/2019 Last updated : 05/20/2021
In this tutorial, you'll learn how to integrate Frontline Education with Azure A
* Enable your users to be automatically signed-in to Frontline Education with their Azure AD accounts. * Manage your accounts in one central location - the Azure portal.
-To learn more about SaaS app integration with Azure AD, see [What is application access and single sign-on with Azure Active Directory](../manage-apps/what-is-single-sign-on.md).
- ## Prerequisites To get started, you need the following items:
To get started, you need the following items:
In this tutorial, you configure and test Azure AD SSO in a test environment.
-* Frontline Education supports **SP** initiated SSO
+* Frontline Education supports **SP** initiated SSO.
+
+> [!NOTE]
+> Identifier of this application is a fixed string value so only one instance can be configured in one tenant.
-## Adding Frontline Education from the gallery
+## Add Frontline Education from the gallery
To configure the integration of Frontline Education into Azure AD, you need to add Frontline Education from the gallery to your list of managed SaaS apps.
-1. Sign in to the [Azure portal](https://portal.azure.com) using either a work or school account, or a personal Microsoft account.
+1. Sign in to the Azure portal using either a work or school account, or a personal Microsoft account.
1. On the left navigation pane, select the **Azure Active Directory** service. 1. Navigate to **Enterprise Applications** and then select **All Applications**. 1. To add new application, select **New application**. 1. In the **Add from the gallery** section, type **Frontline Education** in the search box. 1. Select **Frontline Education** from results panel and then add the app. Wait a few seconds while the app is added to your tenant. -
-## Configure and test Azure AD single sign-on for Frontline Education
+## Configure and test Azure AD SSO for Frontline Education
Configure and test Azure AD SSO with Frontline Education using a test user called **B.Simon**. For SSO to work, you need to establish a link relationship between an Azure AD user and the related user in Frontline Education.
-To configure and test Azure AD SSO with Frontline Education, complete the following building blocks:
+To configure and test Azure AD SSO with Frontline Education, perform the following steps:
1. **[Configure Azure AD SSO](#configure-azure-ad-sso)** - to enable your users to use this feature. 1. **[Create an Azure AD test user](#create-an-azure-ad-test-user)** - to test Azure AD single sign-on with B.Simon.
To configure and test Azure AD SSO with Frontline Education, complete the follow
Follow these steps to enable Azure AD SSO in the Azure portal.
-1. In the [Azure portal](https://portal.azure.com/), on the **Frontline Education** application integration page, find the **Manage** section and select **Single sign-on**.
-1. On the **Select a Single sign-on method** page, select **SAML**.
-1. On the **Set up Single Sign-On with SAML** page, click the edit/pen icon for **Basic SAML Configuration** to edit the settings.
+1. In the Azure portal, on the **Frontline Education** application integration page, find the **Manage** section and select **single sign-on**.
+1. On the **Select a single sign-on method** page, select **SAML**.
+1. On the **Set up single sign-on with SAML** page, click the pencil icon for **Basic SAML Configuration** to edit the settings.
![Edit Basic SAML Configuration](common/edit-urls.png)-
-1. On the **Basic SAML Configuration** section, enter the values for the following fields:
+
+1. On the **Basic SAML Configuration** section, perform the following step:
In the **Sign on URL** text box, type a URL using the following pattern: `https://login.frontlineeducation.com/sso/<CLIENTID>`
In this section, you'll enable B.Simon to use Azure single sign-on by granting a
1. In the Azure portal, select **Enterprise Applications**, and then select **All applications**. 1. In the applications list, select **Frontline Education**. 1. In the app's overview page, find the **Manage** section and select **Users and groups**.-
- ![The "Users and groups" link](common/users-groups-blade.png)
- 1. Select **Add user**, then select **Users and groups** in the **Add Assignment** dialog.-
- ![The Add User link](common/add-assign-user.png)
- 1. In the **Users and groups** dialog, select **B.Simon** from the Users list, then click the **Select** button at the bottom of the screen.
-1. If you're expecting any role value in the SAML assertion, in the **Select Role** dialog, select the appropriate role for the user from the list and then click the **Select** button at the bottom of the screen.
+1. If you are expecting a role to be assigned to the users, you can select it from the **Select a role** dropdown. If no role has been set up for this app, you see "Default Access" role selected.
1. In the **Add Assignment** dialog, click the **Assign** button. ## Configure Frontline Education SSO
In this section, you create a user called Britta Simon in Frontline Education. W
## Test SSO
-In this section, you test your Azure AD single sign-on configuration using the Access Panel.
+In this section, you test your Azure AD single sign-on configuration with following options.
-When you click the Frontline Education tile in the Access Panel, you should be automatically signed in to the Frontline Education for which you set up SSO. For more information about the Access Panel, see [Introduction to the Access Panel](../user-help/my-apps-portal-end-user-access.md).
+* Click on **Test this application** in Azure portal. This will redirect to Frontline Education Sign-on URL where you can initiate the login flow.
-## Additional resources
+* Go to Frontline Education Sign-on URL directly and initiate the login flow from there.
-- [ List of Tutorials on How to Integrate SaaS Apps with Azure Active Directory ](./tutorial-list.md)
+* You can use Microsoft My Apps. When you click the Frontline Education tile in the My Apps, this will redirect to Frontline Education Sign-on URL. For more information about the My Apps, see [Introduction to the My Apps](../user-help/my-apps-portal-end-user-access.md).
-- [What is application access and single sign-on with Azure Active Directory? ](../manage-apps/what-is-single-sign-on.md)
+## Next steps
-- [What is conditional access in Azure Active Directory?](../conditional-access/overview.md)
+Once you configure Frontline Education you can enforce session control, which protects exfiltration and infiltration of your organizationΓÇÖs sensitive data in real time. Session control extends from Conditional Access. [Learn how to enforce session control with Microsoft Cloud App Security](/cloud-app-security/proxy-deployment-aad).
active-directory Github Ae Provisioning Tutorial https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/active-directory/saas-apps/github-ae-provisioning-tutorial.md
This tutorial describes the steps you need to perform in both GitHub AE and Azur
> * Remove users in GitHub AE when they do not require access anymore > * Keep user attributes synchronized between Azure AD and GitHub AE > * Provision groups and group memberships in GitHub AE
-> * Single sign-on to [Github AE](./github-ae-tutorial.md) (recommended)
+> * Single sign-on to [GitHub AE](./github-ae-tutorial.md) (recommended)
## Prerequisites
Once you've configured provisioning, use the following resources to monitor your
## Next steps
-* [Learn how to review logs and get reports on provisioning activity](../app-provisioning/check-status-user-account-provisioning.md)
+* [Learn how to review logs and get reports on provisioning activity](../app-provisioning/check-status-user-account-provisioning.md)
active-directory Harness Tutorial https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/active-directory/saas-apps/harness-tutorial.md
Previously updated : 09/02/2019 Last updated : 05/18/2021
In this tutorial, you'll learn how to integrate Harness with Azure Active Direct
* Enable your users to be automatically signed-in to Harness with their Azure AD accounts. * Manage your accounts in one central location - the Azure portal.
-To learn more about SaaS app integration with Azure AD, see [What is application access and single sign-on with Azure Active Directory](../manage-apps/what-is-single-sign-on.md).
- ## Prerequisites To get started, you need the following items:
To get started, you need the following items:
In this tutorial, you configure and test Azure AD SSO in a test environment.
-* Harness supports **SP and IDP** initiated SSO
+* Harness supports **SP and IDP** initiated SSO.
+
+> [!NOTE]
+> Identifier of this application is a fixed string value so only one instance can be configured in one tenant.
-## Adding Harness from the gallery
+## Add Harness from the gallery
To configure the integration of Harness into Azure AD, you need to add Harness from the gallery to your list of managed SaaS apps.
-1. Sign in to the [Azure portal](https://portal.azure.com) using either a work or school account, or a personal Microsoft account.
+1. Sign in to the Azure portal using either a work or school account, or a personal Microsoft account.
1. On the left navigation pane, select the **Azure Active Directory** service. 1. Navigate to **Enterprise Applications** and then select **All Applications**. 1. To add new application, select **New application**. 1. In the **Add from the gallery** section, type **Harness** in the search box. 1. Select **Harness** from results panel and then add the app. Wait a few seconds while the app is added to your tenant.
-## Configure and test Azure AD single sign-on for Harness
+## Configure and test Azure AD SSO for Harness
Configure and test Azure AD SSO with Harness using a test user called **B.Simon**. For SSO to work, you need to establish a link relationship between an Azure AD user and the related user in Harness.
-To configure and test Azure AD SSO with Harness, complete the following building blocks:
+To configure and test Azure AD SSO with Harness, perform the following steps:
1. **[Configure Azure AD SSO](#configure-azure-ad-sso)** - to enable your users to use this feature. 1. **[Create an Azure AD test user](#create-an-azure-ad-test-user)** - to test Azure AD single sign-on with B.Simon.
To configure and test Azure AD SSO with Harness, complete the following building
Follow these steps to enable Azure AD SSO in the Azure portal.
-1. In the [Azure portal](https://portal.azure.com/), on the **Harness** application integration page, find the **Manage** section and select **single sign-on**.
+1. In the Azure portal, on the **Harness** application integration page, find the **Manage** section and select **single sign-on**.
1. On the **Select a single sign-on method** page, select **SAML**.
-1. On the **Set up single sign-on with SAML** page, click the edit/pen icon for **Basic SAML Configuration** to edit the settings.
+1. On the **Set up single sign-on with SAML** page, click the pencil icon for **Basic SAML Configuration** to edit the settings.
![Edit Basic SAML Configuration](common/edit-urls.png)
-1. On the **Basic SAML Configuration** section, if you wish to configure the application in **IDP** initiated mode, enter the values for the following fields:
+1. On the **Basic SAML Configuration** section, if you wish to configure the application in **IDP** initiated mode, perform the following step:
In the **Reply URL** text box, type a URL using the following pattern: `https://app.harness.io/gateway/api/users/saml-login?accountId=<harness_account_id>` 1. Click **Set additional URLs** and perform the following step if you wish to configure the application in **SP** initiated mode:
- In the **Sign-on URL** text box, type a URL:
+ In the **Sign-on URL** text box, type the URL:
`https://app.harness.io/` > [!NOTE]
In this section, you'll enable B.Simon to use Azure single sign-on by granting a
1. In the Azure portal, select **Enterprise Applications**, and then select **All applications**. 1. In the applications list, select **Harness**. 1. In the app's overview page, find the **Manage** section and select **Users and groups**.-
- ![The "Users and groups" link](common/users-groups-blade.png)
- 1. Select **Add user**, then select **Users and groups** in the **Add Assignment** dialog.-
- ![The Add User link](common/add-assign-user.png)
- 1. In the **Users and groups** dialog, select **B.Simon** from the Users list, then click the **Select** button at the bottom of the screen.
-1. If you're expecting any role value in the SAML assertion, in the **Select Role** dialog, select the appropriate role for the user from the list and then click the **Select** button at the bottom of the screen.
+1. If you are expecting a role to be assigned to the users, you can select it from the **Select a role** dropdown. If no role has been set up for this app, you see "Default Access" role selected.
1. In the **Add Assignment** dialog, click the **Assign** button. ## Configure Harness SSO
In this section, you'll enable B.Simon to use Azure single sign-on by granting a
4. On the top-right of the page, click on **Continuous Security** > **Access Management** > **Authentication Settings**.
- ![Screenshot that shows the "Continuous Security" menu with "Access Management" and "Authentication Settings" selected.](./media/harness-tutorial/configure01.png)
+ ![Screenshot that shows the "Continuous Security" menu with "Access Management" and "Authentication Settings" selected.](./media/harness-tutorial/authentication.png)
5. On the **SSO Providers** section, click on **+ Add SSO Providers** > **SAML**.
- ![Screenshot that shows the "S S O Providers" with "+ Add S S O Providers - S A M L" selected.](./media/harness-tutorial/configure03.png)
+ ![Screenshot that shows the "S S O Providers" with "+ Add S S O Providers - S A M L" selected.](./media/harness-tutorial/providers.png)
6. On the **SAML Provider** pop-up, perform the following steps:
- ![Screenshot that shows teh "S A M L Provider" pop-up with the "U R L" and "Display Name" fields highlighted, and the "Choose File" and "Submit" buttons selected.](./media/harness-tutorial/configure02.png)
+ ![Screenshot that shows teh "S A M L Provider" pop-up with the "U R L" and "Display Name" fields highlighted, and the "Choose File" and "Submit" buttons selected.](./media/harness-tutorial/file.png)
a. Copy the **In your SSO Provider, please enable SAML-based login, then enter the following URL** instance and paste it in Reply URL textbox in **Basic SAML Configuration** section on Azure portal.
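Review bot: the alt text on the renamed `file.png` screenshot still reads "Screenshot that shows teh "S A M L Provider" pop-up"; fix "teh" to "the" while the line is being touched (the letter-spaced "S A M L" / "S S O" is the deliberate screen-reader spelling and should stay). The screenshot renames themselves look fine, but since `configure01.png` through `configure06.png` are being dropped, confirm the old files are deleted from `./media/harness-tutorial/` in the same commit so the folder does not keep orphaned images.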
To enable Azure AD users to sign in to Harness, they must be provisioned into Ha
1. On the top-right of the page, click on **Continuous Security** > **Access Management** > **Users**.
- ![Screenshot that shows the "Continuous Security" menu with "Access Management" and "Users" selected.](./media/harness-tutorial/configure04.png)
+ ![Screenshot that shows the "Continuous Security" menu with "Access Management" and "Users" selected.](./media/harness-tutorial/users.png)
1. On the right side of page, click on **+ Add User**.
- ![Screenshot that shows the "Users" page with the "+ Add User" action selected.](./media/harness-tutorial/configure05.png)
+ ![Screenshot that shows the "Users" page with the "+ Add User" action selected.](./media/harness-tutorial/add-user.png)
1. On the **Add User** pop-up, perform the following steps:
- ![Harness configuration](./media/harness-tutorial/configure06.png)
+ ![Harness configuration](./media/harness-tutorial/configure.png)
a. In **Email Address(es)** text box, enter the email of user like `B.simon@contoso.com`.
To enable Azure AD users to sign in to Harness, they must be provisioned into Ha
## Test SSO
-In this section, you test your Azure AD single sign-on configuration using the Access Panel.
+In this section, you test your Azure AD single sign-on configuration with following options.
+
+#### SP initiated:
+
+* Click on **Test this application** in Azure portal. This will redirect to Harness Sign on URL where you can initiate the login flow.
-When you click the Harness tile in the Access Panel, you should be automatically signed in to the Harness for which you set up SSO. For more information about the Access Panel, see [Introduction to the Access Panel](../user-help/my-apps-portal-end-user-access.md).
+* Go to Harness Sign-on URL directly and initiate the login flow from there.
-## Additional resources
+#### IDP initiated:
-- [ List of Tutorials on How to Integrate SaaS Apps with Azure Active Directory ](./tutorial-list.md)
+* Click on **Test this application** in Azure portal and you should be automatically signed in to the Harness for which you set up the SSO.
-- [What is application access and single sign-on with Azure Active Directory? ](../manage-apps/what-is-single-sign-on.md)
+You can also use Microsoft My Apps to test the application in any mode. When you click the Harness tile in the My Apps, if configured in SP mode you would be redirected to the application sign on page for initiating the login flow and if configured in IDP mode, you should be automatically signed in to the Harness for which you set up the SSO. For more information about the My Apps, see [Introduction to the My Apps](../user-help/my-apps-portal-end-user-access.md).
-- [What is conditional access in Azure Active Directory?](../conditional-access/overview.md)
+## Next steps
-- [Try Harness with Azure AD](https://aad.portal.azure.com/)
+Once you configure Harness you can enforce session control, which protects exfiltration and infiltration of your organizationΓÇÖs sensitive data in real time. Session control extends from Conditional Access. [Learn how to enforce session control with Microsoft Cloud App Security](/cloud-app-security/proxy-deployment-aad).
active-directory Ibm Digital Business Automation On Cloud Tutorial https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/active-directory/saas-apps/ibm-digital-business-automation-on-cloud-tutorial.md
Previously updated : 06/08/2020 Last updated : 05/12/2021
In this tutorial, you'll learn how to integrate IBM Digital Business Automation
* Enable your users to be automatically signed-in to IBM Digital Business Automation on Cloud with their Azure AD accounts. * Manage your accounts in one central location - the Azure portal.
-To learn more about SaaS app integration with Azure AD, see [What is application access and single sign-on with Azure Active Directory](../manage-apps/what-is-single-sign-on.md).
- ## Prerequisites To get started, you need the following items:
To get started, you need the following items:
In this tutorial, you configure and test Azure AD SSO in a test environment.
-* IBM Digital Business Automation on Cloud supports **SP and IDP** initiated SSO
-* Once you configure IBM Digital Business Automation on Cloud you can enforce session control, which protect exfiltration and infiltration of your organizationΓÇÖs sensitive data in real-time. Session control extend from Conditional Access. [Learn how to enforce session control with Microsoft Cloud App Security](/cloud-app-security/proxy-deployment-any-app).
+* IBM Digital Business Automation on Cloud supports **SP and IDP** initiated SSO.
-## Adding IBM Digital Business Automation on Cloud from the gallery
+## Add IBM Digital Business Automation on Cloud from the gallery
To configure the integration of IBM Digital Business Automation on Cloud into Azure AD, you need to add IBM Digital Business Automation on Cloud from the gallery to your list of managed SaaS apps.
-1. Sign in to the [Azure portal](https://portal.azure.com) using either a work or school account, or a personal Microsoft account.
+1. Sign in to the Azure portal using either a work or school account, or a personal Microsoft account.
1. On the left navigation pane, select the **Azure Active Directory** service. 1. Navigate to **Enterprise Applications** and then select **All Applications**. 1. To add new application, select **New application**. 1. In the **Add from the gallery** section, type **IBM Digital Business Automation on Cloud** in the search box. 1. Select **IBM Digital Business Automation on Cloud** from results panel and then add the app. Wait a few seconds while the app is added to your tenant. -
-## Configure and test Azure AD single sign-on for IBM Digital Business Automation on Cloud
+## Configure and test Azure AD SSO for IBM Digital Business Automation on Cloud
Configure and test Azure AD SSO with IBM Digital Business Automation on Cloud using a test user called **B.Simon**. For SSO to work, you need to establish a link relationship between an Azure AD user and the related user in IBM Digital Business Automation on Cloud.
-To configure and test Azure AD SSO with IBM Digital Business Automation on Cloud, complete the following building blocks:
+To configure and test Azure AD SSO with IBM Digital Business Automation on Cloud, perform the following steps:
1. **[Configure Azure AD SSO](#configure-azure-ad-sso)** - to enable your users to use this feature. 1. **[Create an Azure AD test user](#create-an-azure-ad-test-user)** - to test Azure AD single sign-on with B.Simon.
To configure and test Azure AD SSO with IBM Digital Business Automation on Cloud
Follow these steps to enable Azure AD SSO in the Azure portal.
-1. In the [Azure portal](https://portal.azure.com/), on the **IBM Digital Business Automation on Cloud** application integration page, find the **Manage** section and select **single sign-on**.
+1. In the Azure portal, on the **IBM Digital Business Automation on Cloud** application integration page, find the **Manage** section and select **single sign-on**.
1. On the **Select a single sign-on method** page, select **SAML**.
-1. On the **Set up single sign-on with SAML** page, click the edit/pen icon for **Basic SAML Configuration** to edit the settings.
+1. On the **Set up single sign-on with SAML** page, click the pencil icon for **Basic SAML Configuration** to edit the settings.
![Edit Basic SAML Configuration](common/edit-urls.png)
Follow these steps to enable Azure AD SSO in the Azure portal.
> [!Note] > Customers can obtain the metadata file for their Cloud subscription from the [IBM Digital Business Automation on Cloud Client support team](mailto:supportbpmoncloud@us.ibm.com).
-1. If you don't have **Service Provider metadata file**, on the **Basic SAML Configuration** section, if you wish to configure the application in **IDP** initiated mode, enter the values for the following fields:
+1. If you don't have **Service Provider metadata file**, on the **Basic SAML Configuration** section, if you wish to configure the application in **IDP** initiated mode, perform the following steps:
a. In the **Identifier** text box, type a URL using the following pattern: `https://www.automationcloud.ibm.com/isam/sps/<TENANT>/saml20`
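Review bot: the rewritten step still reads "If you don't have **Service Provider metadata file**, on the **Basic SAML Configuration** section"; add the article and preposition: "If you don't have a **Service Provider metadata file**, in the **Basic SAML Configuration** section, ...". The Identifier pattern `https://www.automationcloud.ibm.com/isam/sps/<TENANT>/saml20` would also benefit from a sentence saying what `<TENANT>` stands for, since the Identifier is compared as a string against the entity ID the service provider presents and a wrong substitution breaks sign-in.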
Follow these steps to enable Azure AD SSO in the Azure portal.
1. On the **Set up IBM Digital Business Automation on Cloud** section, copy the appropriate URL(s) based on your requirement. ![Copy configuration URLs](common/copy-configuration-urls.png)+ ### Create an Azure AD test user In this section, you'll create a test user in the Azure portal called B.Simon.
In this section, you'll enable B.Simon to use Azure single sign-on by granting a
1. In the Azure portal, select **Enterprise Applications**, and then select **All applications**. 1. In the applications list, select **IBM Digital Business Automation on Cloud**. 1. In the app's overview page, find the **Manage** section and select **Users and groups**.-
- ![The "Users and groups" link](common/users-groups-blade.png)
- 1. Select **Add user**, then select **Users and groups** in the **Add Assignment** dialog.-
- ![The Add User link](common/add-assign-user.png)
- 1. In the **Users and groups** dialog, select **B.Simon** from the Users list, then click the **Select** button at the bottom of the screen.
-1. If you're expecting any role value in the SAML assertion, in the **Select Role** dialog, select the appropriate role for the user from the list and then click the **Select** button at the bottom of the screen.
+1. If you are expecting a role to be assigned to the users, you can select it from the **Select a role** dropdown. If no role has been set up for this app, you see "Default Access" role selected.
1. In the **Add Assignment** dialog, click the **Assign** button. ## Configure IBM Digital Business Automation on Cloud SSO
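Review bot: the new role step has two grammar slips: "If you are expecting a role to be assigned to the users" reads better as "If you expect a role to be assigned to the user", and 'you see "Default Access" role selected' needs the article: 'you see the "Default Access" role selected'.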
In this section, you create a user called Britta Simon in IBM Digital Business A
## Test SSO
-In this section, you test your Azure AD single sign-on configuration using the Access Panel.
+In this section, you test your Azure AD single sign-on configuration with following options.
-When you click the IBM Digital Business Automation on Cloud tile in the Access Panel, you should be automatically signed in to the IBM Digital Business Automation on Cloud for which you set up SSO. For more information about the Access Panel, see [Introduction to the Access Panel](../user-help/my-apps-portal-end-user-access.md).
+#### SP initiated:
-## Additional resources
+* Click on **Test this application** in Azure portal. This will redirect to IBM Digital Business Automation on Cloud Sign on URL where you can initiate the login flow.
-- [ List of Tutorials on How to Integrate SaaS Apps with Azure Active Directory ](./tutorial-list.md)
+* Go to IBM Digital Business Automation on Cloud Sign-on URL directly and initiate the login flow from there.
-- [What is application access and single sign-on with Azure Active Directory? ](../manage-apps/what-is-single-sign-on.md)
+#### IDP initiated:
-- [What is conditional access in Azure Active Directory?](../conditional-access/overview.md)
+* Click on **Test this application** in Azure portal and you should be automatically signed in to the IBM Digital Business Automation on Cloud for which you set up the SSO.
-- [Try IBM Digital Business Automation on Cloud with Azure AD](https://aad.portal.azure.com/)
+You can also use Microsoft My Apps to test the application in any mode. When you click the IBM Digital Business Automation on Cloud tile in the My Apps, if configured in SP mode you would be redirected to the application sign on page for initiating the login flow and if configured in IDP mode, you should be automatically signed in to the IBM Digital Business Automation on Cloud for which you set up the SSO. For more information about the My Apps, see [Introduction to the My Apps](../user-help/my-apps-portal-end-user-access.md).
-- [What is session control in Microsoft Cloud App Security?](/cloud-app-security/proxy-intro-aad)
+## Next steps
-- [How to protect IBM Digital Business Automation on Cloud with advanced visibility and controls](/cloud-app-security/proxy-intro-aad)
+Once you configure IBM Digital Business Automation on Cloud you can enforce session control, which protects exfiltration and infiltration of your organizationΓÇÖs sensitive data in real time. Session control extends from Conditional Access. [Learn how to enforce session control with Microsoft Cloud App Security](/cloud-app-security/proxy-deployment-aad).
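Review bot: the session-control link changes target in this rewrite, from `/cloud-app-security/proxy-deployment-any-app` on the removed Scenario description bullet to `/cloud-app-security/proxy-deployment-aad` in Next steps; those two pages describe different onboarding paths (featured Azure AD apps versus any web app), so confirm the new target is the intended one for this gallery app. Also, "with following options" in the Test SSO intro needs the article: "with the following options".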
active-directory Ibmopenpages Tutorial https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/active-directory/saas-apps/ibmopenpages-tutorial.md
Previously updated : 02/20/2019 Last updated : 05/12/2021 # Tutorial: Azure Active Directory integration with IBM OpenPages
-In this tutorial, you learn how to integrate IBM OpenPages with Azure Active Directory (Azure AD).
-Integrating IBM OpenPages with Azure AD provides you with the following benefits:
+In this tutorial, you'll learn how to integrate IBM OpenPages with Azure Active Directory (Azure AD). When you integrate IBM OpenPages with Azure AD, you can:
-* You can control in Azure AD who has access to IBM OpenPages.
-* You can enable your users to be automatically signed-in to IBM OpenPages (Single Sign-On) with their Azure AD accounts.
-* You can manage your accounts in one central location - the Azure portal.
-
-If you want to know more details about SaaS app integration with Azure AD, see [What is application access and single sign-on with Azure Active Directory](../manage-apps/what-is-single-sign-on.md).
-If you don't have an Azure subscription, [create a free account](https://azure.microsoft.com/free/) before you begin.
+* Control in Azure AD who has access to IBM OpenPages.
+* Enable your users to be automatically signed-in to IBM OpenPages with their Azure AD accounts.
+* Manage your accounts in one central location - the Azure portal.
## Prerequisites
-To configure Azure AD integration with IBM OpenPages, you need the following items:
+To get started, you need the following items:
-* An Azure AD subscription. If you don't have an Azure AD environment, you can get one-month trial [here](https://azure.microsoft.com/pricing/free-trial/)
-* IBM OpenPages single sign-on enabled subscription
+* An Azure AD subscription. If you don't have a subscription, you can get a [free account](https://azure.microsoft.com/free/).
+* IBM OpenPages single sign-on (SSO) enabled subscription.
## Scenario description In this tutorial, you configure and test Azure AD single sign-on in a test environment.
-* IBM OpenPages supports **IDP** initiated SSO
+* IBM OpenPages supports **IDP** initiated SSO.
-## Adding IBM OpenPages from the gallery
+## Add IBM OpenPages from the gallery
To configure the integration of IBM OpenPages into Azure AD, you need to add IBM OpenPages from the gallery to your list of managed SaaS apps.
-**To add IBM OpenPages from the gallery, perform the following steps:**
-
-1. In the **[Azure portal](https://portal.azure.com)**, on the left navigation panel, click **Azure Active Directory** icon.
-
- ![The Azure Active Directory button](common/select-azuread.png)
-
-2. Navigate to **Enterprise Applications** and then select the **All Applications** option.
-
- ![The Enterprise applications blade](common/enterprise-applications.png)
-
-3. To add new application, click **New application** button on the top of dialog.
-
- ![The New application button](common/add-new-app.png)
-
-4. In the search box, type **IBM OpenPages**, select **IBM OpenPages** from result panel then click **Add** button to add the application.
-
- ![IBM OpenPages in the results list](common/search-new-app.png)
-
-## Configure and test Azure AD single sign-on
+1. Sign in to the Azure portal using either a work or school account, or a personal Microsoft account.
+1. On the left navigation pane, select the **Azure Active Directory** service.
+1. Navigate to **Enterprise Applications** and then select **All Applications**.
+1. To add new application, select **New application**.
+1. In the **Add from the gallery** section, type **IBM OpenPages** in the search box.
+1. Select **IBM OpenPages** from results panel and then add the app. Wait a few seconds while the app is added to your tenant.
-In this section, you configure and test Azure AD single sign-on with IBM OpenPages based on a test user called **Britta Simon**.
-For single sign-on to work, a link relationship between an Azure AD user and the related user in IBM OpenPages needs to be established.
+## Configure and test Azure AD SSO for IBM OpenPages
-To configure and test Azure AD single sign-on with IBM OpenPages, you need to complete the following building blocks:
+Configure and test Azure AD SSO with IBM OpenPages using a test user called **B.Simon**. For SSO to work, you need to establish a link relationship between an Azure AD user and the related user in IBM OpenPages.
-1. **[Configure Azure AD Single Sign-On](#configure-azure-ad-single-sign-on)** - to enable your users to use this feature.
-2. **[Configure IBM OpenPages Single Sign-On](#configure-ibm-openpages-single-sign-on)** - to configure the Single Sign-On settings on application side.
-3. **[Create an Azure AD test user](#create-an-azure-ad-test-user)** - to test Azure AD single sign-on with Britta Simon.
-4. **[Assign the Azure AD test user](#assign-the-azure-ad-test-user)** - to enable Britta Simon to use Azure AD single sign-on.
-5. **[Create IBM OpenPages test user](#create-ibm-openpages-test-user)** - to have a counterpart of Britta Simon in IBM OpenPages that is linked to the Azure AD representation of user.
-6. **[Test single sign-on](#test-single-sign-on)** - to verify whether the configuration works.
+To configure and test Azure AD SSO with IBM OpenPages, perform the following steps:
-### Configure Azure AD single sign-on
+1. **[Configure Azure AD SSO](#configure-azure-ad-sso)** - to enable your users to use this feature.
+ 1. **[Create an Azure AD test user](#create-an-azure-ad-test-user)** - to test Azure AD single sign-on with B.Simon.
+ 1. **[Assign the Azure AD test user](#assign-the-azure-ad-test-user)** - to enable B.Simon to use Azure AD single sign-on.
+1. **[Configure IBM OpenPages SSO](#configure-ibm-openpages-sso)** - to configure the single sign-on settings on application side.
+ 1. **[Create IBM OpenPages test user](#create-ibm-openpages-test-user)** - to have a counterpart of B.Simon in IBM OpenPages that is linked to the Azure AD representation of user.
+1. **[Test SSO](#test-sso)** - to verify whether the configuration works.
-In this section, you enable Azure AD single sign-on in the Azure portal.
+## Configure Azure AD SSO
-To configure Azure AD single sign-on with IBM OpenPages, perform the following steps:
+Follow these steps to enable Azure AD SSO in the Azure portal.
-1. In the [Azure portal](https://portal.azure.com/), on the **IBM OpenPages** application integration page, select **Single sign-on**.
+1. In the Azure portal, on the **IBM OpenPages** application integration page, find the **Manage** section and select **single sign-on**.
+1. On the **Select a single sign-on method** page, select **SAML**.
+1. On the **Set up single sign-on with SAML** page, click the pencil icon for **Basic SAML Configuration** to edit the settings.
- ![Configure single sign-on link](common/select-sso.png)
-
-2. On the **Select a Single sign-on method** dialog, select **SAML/WS-Fed** mode to enable single sign-on.
-
- ![Single sign-on select mode](common/select-saml-option.png)
-
-3. On the **Set up Single Sign-On with SAML** page, click **Edit** icon to open **Basic SAML Configuration** dialog.
-
- ![Edit Basic SAML Configuration](common/edit-urls.png)
+ ![Edit Basic SAML Configuration](common/edit-urls.png)
4. On the **Set up Single Sign-On with SAML** page, perform the following steps:
- ![IBM OpenPages Domain and URLs single sign-on information](common/idp-intiated.png)
- a. In the **Identifier** text box, type a URL using the following pattern: `http://<subdomain>.ibm.com:<ID>/openpages`
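Review bot: the steps added as `1.` items are immediately followed by the unchanged line "4. On the **Set up Single Sign-On with SAML** page, perform the following steps:", so the rendered list either restarts or jumps in numbering, and that line keeps the old page-name casing while the new step uses "**Set up single sign-on with SAML**"; renumber the following step to `1.` and align the casing. If the Identifier pattern `http://<subdomain>.ibm.com:<ID>/openpages` from the removed line is retained in the rewritten step, make clear that it is an identifier that must match the OpenPages entity ID exactly, not an endpoint users browse to, so the `http://` scheme is not "corrected" to `https://` by readers.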
To configure Azure AD single sign-on with IBM OpenPages, perform the following s
![Copy configuration URLs](common/copy-configuration-urls.png)
- a. Login URL
-
- b. Azure Ad Identifier
-
- c. Logout URL
-
-### Configure IBM OpenPages Single Sign-On
-
-To configure single sign-on on **IBM OpenPages** side, you need to send the downloaded **Federation Metadata XML** and appropriate copied URLs from Azure portal to [IBM OpenPages support team](https://www.ibm.com/support/home/). They set this setting to have the SAML SSO connection set properly on both sides.
- ### Create an Azure AD test user
-The objective of this section is to create a test user in the Azure portal called Britta Simon.
-
-1. In the Azure portal, in the left pane, select **Azure Active Directory**, select **Users**, and then select **All users**.
-
- ![The "Users and groups" and "All users" links](common/users.png)
-
-2. Select **New user** at the top of the screen.
-
- ![New user Button](common/new-user.png)
+In this section, you'll create a test user in the Azure portal called B.Simon.
-3. In the User properties, perform the following steps.
-
- ![The User dialog box](common/user-properties.png)
-
- a. In the **Name** field enter **BrittaSimon**.
-
- b. In the **User name** field type **brittasimon\@yourcompanydomain.extension**
- For example, BrittaSimon@contoso.com
-
- c. Select **Show password** check box, and then write down the value that's displayed in the Password box.
-
- d. Click **Create**.
+1. From the left pane in the Azure portal, select **Azure Active Directory**, select **Users**, and then select **All users**.
+1. Select **New user** at the top of the screen.
+1. In the **User** properties, follow these steps:
+ 1. In the **Name** field, enter `B.Simon`.
+ 1. In the **User name** field, enter the username@companydomain.extension. For example, `B.Simon@contoso.com`.
+ 1. Select the **Show password** check box, and then write down the value that's displayed in the **Password** box.
+ 1. Click **Create**.
### Assign the Azure AD test user
-In this section, you enable Britta Simon to use Azure single sign-on by granting access to IBM OpenPages.
-
-1. In the Azure portal, select **Enterprise Applications**, select **All applications**, then select **IBM OpenPages**.
+In this section, you'll enable B.Simon to use Azure single sign-on by granting access to IBM OpenPages.
- ![Enterprise applications blade](common/enterprise-applications.png)
+1. In the Azure portal, select **Enterprise Applications**, and then select **All applications**.
+1. In the applications list, select **IBM OpenPages**.
+1. In the app's overview page, find the **Manage** section and select **Users and groups**.
+1. Select **Add user**, then select **Users and groups** in the **Add Assignment** dialog.
+1. In the **Users and groups** dialog, select **B.Simon** from the Users list, then click the **Select** button at the bottom of the screen.
+1. If you are expecting a role to be assigned to the users, you can select it from the **Select a role** dropdown. If no role has been set up for this app, you see "Default Access" role selected.
+1. In the **Add Assignment** dialog, click the **Assign** button.
-2. In the applications list, select **IBM OpenPages**.
+## Configure IBM OpenPages SSO
- ![The IBM OpenPages link in the Applications list](common/all-applications.png)
-
-3. In the menu on the left, select **Users and groups**.
-
- ![The "Users and groups" link](common/users-groups-blade.png)
-
-4. Click the **Add user** button, then select **Users and groups** in the **Add Assignment** dialog.
-
- ![The Add Assignment pane](common/add-assign-user.png)
-
-5. In the **Users and groups** dialog select **Britta Simon** in the Users list, then click the **Select** button at the bottom of the screen.
-
-6. If you are expecting any role value in the SAML assertion then in the **Select Role** dialog select the appropriate role for the user from the list, then click the **Select** button at the bottom of the screen.
-
-7. In the **Add Assignment** dialog click the **Assign** button.
+To configure single sign-on on **IBM OpenPages** side, you need to send the downloaded **Federation Metadata XML** and appropriate copied URLs from Azure portal to [IBM OpenPages support team](https://www.ibm.com/support/home/). They set this setting to have the SAML SSO connection set properly on both sides.
### Create IBM OpenPages test user In this section, you create a user called Britta Simon in IBM OpenPages. Work with [IBM OpenPages support team](https://www.ibm.com/support/home/) to add the users in the IBM OpenPages platform. Users must be created and activated before you use single sign-on.
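Review bot: the sentence carried into the new section, "To configure single sign-on on **IBM OpenPages** side ... They set this setting to have the SAML SSO connection set properly on both sides.", still reads awkwardly; suggest "on the **IBM OpenPages** side" and "They configure this setting so the SAML SSO connection is set up properly on both sides." The test-user name is also inconsistent after this rewrite: the new steps create and assign **B.Simon**, but the unchanged "Create IBM OpenPages test user" section still says "you create a user called Britta Simon", so the counterpart account the reader creates on the application side no longer matches the Azure AD user.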
-### Test single sign-on
-
-In this section, you test your Azure AD single sign-on configuration using the Access Panel.
+## Test SSO
-When you click the IBM OpenPages tile in the Access Panel, you should be automatically signed in to the IBM OpenPages for which you set up SSO. For more information about the Access Panel, see [Introduction to the Access Panel](../user-help/my-apps-portal-end-user-access.md).
+In this section, you test your Azure AD single sign-on configuration with following options.
-## Additional Resources
+* Click on Test this application in Azure portal and you should be automatically signed in to the IBM OpenPages for which you set up the SSO.
-- [List of Tutorials on How to Integrate SaaS Apps with Azure Active Directory](./tutorial-list.md)
+* You can use Microsoft My Apps. When you click the IBM OpenPages tile in the My Apps, you should be automatically signed in to the IBM OpenPages for which you set up the SSO. For more information about the My Apps, see [Introduction to the My Apps](../user-help/my-apps-portal-end-user-access.md).
-- [What is application access and single sign-on with Azure Active Directory?](../manage-apps/what-is-single-sign-on.md)
+## Next steps
-- [What is Conditional Access in Azure Active Directory?](../conditional-access/overview.md)
+Once you configure IBM OpenPages you can enforce session control, which protects exfiltration and infiltration of your organizationΓÇÖs sensitive data in real time. Session control extends from Conditional Access. [Learn how to enforce session control with Microsoft Cloud App Security](/cloud-app-security/proxy-deployment-aad).
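Review bot: "Click on Test this application in Azure portal" lacks the bold used for the same control elsewhere in this change ("**Test this application**"), and "with following options" needs the article ("with the following options"). The apostrophe in "organizationΓÇÖs" is again mis-encoded and should render as "organization's".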
active-directory Infinitecampus Tutorial https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/active-directory/saas-apps/infinitecampus-tutorial.md
Previously updated : 03/28/2019 Last updated : 05/17/2021 # Tutorial: Azure Active Directory integration with Infinite Campus
-In this tutorial, you learn how to integrate Infinite Campus with Azure Active Directory (Azure AD).
-Integrating Infinite Campus with Azure AD provides you with the following benefits:
+In this tutorial, you'll learn how to integrate Infinite Campus with Azure Active Directory (Azure AD). When you integrate Infinite Campus with Azure AD, you can:
-* You can control in Azure AD who has access to Infinite Campus.
-* You can enable your users to be automatically signed-in to Infinite Campus (Single Sign-On) with their Azure AD accounts.
-* You can manage your accounts in one central location - the Azure portal.
-
-If you want to know more details about SaaS app integration with Azure AD, see [What is application access and single sign-on with Azure Active Directory](../manage-apps/what-is-single-sign-on.md).
-If you don't have an Azure subscription, [create a free account](https://azure.microsoft.com/free/) before you begin.
+* Control in Azure AD who has access to Infinite Campus.
+* Enable your users to be automatically signed-in to Infinite Campus with their Azure AD accounts.
+* Manage your accounts in one central location - the Azure portal.
## Prerequisites To configure Azure AD integration with Infinite Campus, you need the following items:
-* An Azure AD subscription. If you don't have an Azure AD environment, you can get a [free account](https://azure.microsoft.com/free/)
-* Infinite Campus single sign-on enabled subscription
+* An Azure AD subscription. If you don't have an Azure AD environment, you can get a [free account](https://azure.microsoft.com/free/).
+* Infinite Campus single sign-on enabled subscription.
* At minimum, you need to be an Azure Active Directory administrator, and have a Campus Product Security Role of "Student Information System (SIS)" to complete the configuration. ## Scenario description In this tutorial, you configure and test Azure AD single sign-on in a test environment.
-* Infinite Campus supports **SP** initiated SSO
+* Infinite Campus supports **SP** initiated SSO.
-## Adding Infinite Campus from the gallery
+## Add Infinite Campus from the gallery
To configure the integration of Infinite Campus into Azure AD, you need to add Infinite Campus from the gallery to your list of managed SaaS apps.
-**To add Infinite Campus from the gallery, perform the following steps:**
-
-1. In the **[Azure portal](https://portal.azure.com)**, on the left navigation panel, click **Azure Active Directory** icon.
-
- ![The Azure Active Directory button](common/select-azuread.png)
-
-2. Navigate to **Enterprise Applications** and then select the **All Applications** option.
-
- ![The Enterprise applications blade](common/enterprise-applications.png)
-
-3. To add a new application, click the **New application** button at the top of the dialog.
-
- ![The New application button](common/add-new-app.png)
-
-4. In the search box, type **Infinite Campus**, select **Infinite Campus** from the result panel then click the **Add** button to add the application.
-
- ![Infinite Campus in the results list](common/search-new-app.png)
-
-## Configure and test Azure AD single sign-on
-
-In this section, you configure and test Azure AD single sign-on with Infinite Campus based on a test user called **Britta Simon**.
-For single sign-on to work, a link relationship between an Azure AD user and the related user in Infinite Campus needs to be established.
-
-To configure and test Azure AD single sign-on with Infinite Campus, you need to complete the following building blocks:
-
-1. **[Configure Azure AD Single Sign-On](#configure-azure-ad-single-sign-on)** - to enable your users to use this feature.
-2. **[Configure Infinite Campus Single Sign-On](#configure-infinite-campus-single-sign-on)** - to configure the Single Sign-On settings on application side.
-3. **[Create an Azure AD test user](#create-an-azure-ad-test-user)** - to test Azure AD single sign-on with Britta Simon.
-4. **[Assign the Azure AD test user](#assign-the-azure-ad-test-user)** - to enable Britta Simon to use Azure AD single sign-on.
-5. **[Create Infinite Campus test user](#create-infinite-campus-test-user)** - to have a counterpart of Britta Simon in Infinite Campus that is linked to the Azure AD representation of user.
-6. **[Test single sign-on](#test-single-sign-on)** - to verify whether the configuration works.
+1. Sign in to the Azure portal using either a work or school account, or a personal Microsoft account.
+1. On the left navigation pane, select the **Azure Active Directory** service.
+1. Navigate to **Enterprise Applications** and then select **All Applications**.
+1. To add new application, select **New application**.
+1. In the **Add from the gallery** section, type **Infinite Campus** in the search box.
+1. Select **Infinite Campus** from results panel and then add the app. Wait a few seconds while the app is added to your tenant.
-### Configure Azure AD single sign-on
+## Configure and test Azure AD SSO for Infinite Campus
-In this section, you enable Azure AD single sign-on in the Azure portal.
+Configure and test Azure AD SSO with Infinite Campus using a test user called **B.Simon**. For SSO to work, you need to establish a link relationship between an Azure AD user and the related user in Infinite Campus.
-To configure Azure AD single sign-on with Infinite Campus, perform the following steps:
+To configure and test Azure AD SSO with Infinite Campus, perform the following steps:
-1. In the [Azure portal](https://portal.azure.com/), on the **Infinite Campus** application integration page, select **Single sign-on**.
+1. **[Configure Azure AD SSO](#configure-azure-ad-sso)** - to enable your users to use this feature.
+ 1. **[Create an Azure AD test user](#create-an-azure-ad-test-user)** - to test Azure AD single sign-on with B.Simon.
+ 1. **[Assign the Azure AD test user](#assign-the-azure-ad-test-user)** - to enable B.Simon to use Azure AD single sign-on.
+1. **[Configure Infinite Campus SSO](#configure-infinite-campus-sso)** - to configure the single sign-on settings on application side.
+ 1. **[Create Infinite Campus test user](#create-infinite-campus-test-user)** - to have a counterpart of B.Simon in Infinite Campus that is linked to the Azure AD representation of user.
+1. **[Test SSO](#test-sso)** - to verify whether the configuration works.
- ![Configure single sign-on link](common/select-sso.png)
+## Configure Azure AD SSO
-2. On the **Select a Single sign-on method** dialog, select **SAML/WS-Fed** mode to enable single sign-on.
+Follow these steps to enable Azure AD SSO in the Azure portal.
- ![Single sign-on select mode](common/select-saml-option.png)
+1. In the Azure portal, on the **Infinite Campus** application integration page, find the **Manage** section and select **single sign-on**.
+1. On the **Select a single sign-on method** page, select **SAML**.
+1. On the **Set up single sign-on with SAML** page, click the pencil icon for **Basic SAML Configuration** to edit the settings.
-3. On the **Set up Single Sign-On with SAML** page, click **Edit** icon to open **Basic SAML Configuration** dialog.
-
- ![Edit Basic SAML Configuration](common/edit-urls.png)
+ ![Edit Basic SAML Configuration](common/edit-urls.png)
4. On the Basic SAML Configuration section, perform the following steps (note that the domain will vary with Hosting Model, but the **FULLY-QUALIFIED-DOMAIN** value must match your Infinite Campus installation):
To configure Azure AD single sign-on with Infinite Campus, perform the following
c. In the **Reply URL** textbox, type a URL using the following pattern: `https://<DOMAIN>.infinitecampus.com/campus/SSO/<DISTRICTNAME>`
- ![Infinite Campus Domain and URLs single sign-on information](common/sp-identifier-reply.png)
- 5. On the **Set up Single Sign-On with SAML** page, In the **SAML Signing Certificate** section, click copy button to copy **App Federation Metadata Url** and save it on your computer. ![The Certificate download link](common/copy-metadataurl.png)
-### Configure Infinite Campus Single Sign-On
+### Create an Azure AD test user
+
+In this section, you'll create a test user in the Azure portal called B.Simon.
+
+1. From the left pane in the Azure portal, select **Azure Active Directory**, select **Users**, and then select **All users**.
+1. Select **New user** at the top of the screen.
+1. In the **User** properties, follow these steps:
+ 1. In the **Name** field, enter `B.Simon`.
+ 1. In the **User name** field, enter the username@companydomain.extension. For example, `B.Simon@contoso.com`.
+ 1. Select the **Show password** check box, and then write down the value that's displayed in the **Password** box.
+ 1. Click **Create**.
+
+### Assign the Azure AD test user
+
+In this section, you'll enable B.Simon to use Azure single sign-on by granting access to Infinite Campus.
+
+1. In the Azure portal, select **Enterprise Applications**, and then select **All applications**.
+1. In the applications list, select **Infinite Campus**.
+1. In the app's overview page, find the **Manage** section and select **Users and groups**.
+1. Select **Add user**, then select **Users and groups** in the **Add Assignment** dialog.
+1. In the **Users and groups** dialog, select **B.Simon** from the Users list, then click the **Select** button at the bottom of the screen.
+1. If you are expecting a role to be assigned to the users, you can select it from the **Select a role** dropdown. If no role has been set up for this app, you see "Default Access" role selected.
+1. In the **Add Assignment** dialog, click the **Assign** button.
+
+## Configure Infinite Campus SSO
1. In a different web browser window, sign in to Infinite Campus as a Security Administrator. 2. On the left side of menu, click **System Administration**.
- ![The Admin](./media/infinitecampus-tutorial/tutorial_infinitecampus_admin.png)
+ ![The Admin](./media/infinitecampus-tutorial/admin.png)
3. Navigate to **User Security** > **SAML Management** > **SSO Service Provider Configuration**.
- ![The saml](./media/infinitecampus-tutorial/tutorial_infinitecampus_saml.png)
+ ![The saml](./media/infinitecampus-tutorial/security.png)
4. On the **SSO Service Provider Configuration** page, perform the following steps:
- ![The sso](./media/infinitecampus-tutorial/tutorial_infinitecampus_sso.png)
+ ![The sso](./media/infinitecampus-tutorial/configuration.png)
a. Select **Enable SAML Single Sign On**.
- b. Edit the **Optional Attribute Name** to contain **name**
+ b. Edit the **Optional Attribute Name** to contain **name**.
c. On the **Select an option to retrieve Identity Provider (IDP) server data** section, select **Metadata URL**, paste the **App Federation Metadata Url** value, which you have copied from the Azure portal in the box, and then click **Sync**.
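Review bot: the step that copies the **App Federation Metadata Url** is deleted (`- 5. On the **Set up Single Sign-On with SAML** page, In the **SAML Signing Certificate** section, click copy button to copy **App Federation Metadata Url** and save it on your computer.`) with no replacement in this hunk, yet step c of the Infinite Campus configuration still reads `paste the **App Federation Metadata Url** value, which you have copied from the Azure portal`. Either restore a copy step in the Azure AD section or confirm that the collapsed context still provides it; the **Metadata URL** sync in step c depends on that value, and a reader who never copied it has nothing to paste. Smaller point in the same hunk: the Infinite Campus heading changes from `###` to `##` (`+## Configure Infinite Campus SSO`) while the Azure AD test-user sections added just above it stay at `###`, so check that the heading levels match the rest of the file.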
To configure Azure AD single sign-on with Infinite Campus, perform the following
e. Click **Save**.
-### Create an Azure AD test user
-
-The objective of this section is to create a test user in the Azure portal called Britta Simon.
-
-1. In the Azure portal, in the left pane, select **Azure Active Directory**, select **Users**, and then select **All users**.
-
- ![The "Users and groups" and "All users" links](common/users.png)
-
-2. Select **New user** at the top of the screen.
-
- ![New user Button](common/new-user.png)
-
-3. In the User properties, perform the following steps.
-
- ![The User dialog box](common/user-properties.png)
-
- a. In the **Name** field enter **BrittaSimon**.
-
- b. In the **User name** field type `brittasimon@yourcompanydomain.extension`. For example, BrittaSimon@contoso.com.
-
- c. Select **Show password** check box, and then write down the value that's displayed in the Password box.
-
- d. Click **Create**.
-
-### Assign the Azure AD test user
-
-> [!NOTE]
-> If you want all of your Azure users to have single sign-on access to Infinite Campus and rely on Infinite Campus internal permissions system to control access, you can set the **User Assignment Required** property of the application to No and skip the following steps.
-
-In this section, you enable Britta Simon to use Azure single sign-on by granting access to Infinite Campus.
-
-1. In the Azure portal, select **Enterprise Applications**, select **All applications**, then select **Infinite Campus**.
-
- ![Enterprise applications blade](common/enterprise-applications.png)
-
-2. In the applications list, select **Infinite Campus**.
-
- ![The Infinite Campus link in the Applications list](common/all-applications.png)
-
-3. In the menu on the left, select **Users and groups**.
-
- ![The "Users and groups" link](common/users-groups-blade.png)
-
-4. Click the **Add user** button, then select **Users and groups** in the **Add Assignment** dialog.
-
- ![The Add Assignment pane](common/add-assign-user.png)
-
-5. In the **Users and groups** dialog select **Britta Simon** in the Users list, then click the **Select** button at the bottom of the screen.
-
-6. If you are expecting any role value in the SAML assertion then in the **Select Role** dialog select the appropriate role for the user from the list, then click the **Select** button at the bottom of the screen.
-
-7. In the **Add Assignment** dialog click the **Assign** button.
- ### Create Infinite Campus test user Infinite Campus has a demographics centered architecture. Please contact [Infinite Campus support team](mailto:sales@infinitecampus.com) to add the users in the Infinite Campus platform.
-### Test single sign-on
+## Test SSO
-In this section, you test your Azure AD single sign-on configuration using the Access Panel.
+In this section, you test your Azure AD single sign-on configuration with following options.
-When you click the Infinite Campus tile in the Access Panel, you should be automatically signed in to the Infinite Campus for which you set up SSO. For more information about the Access Panel, see [Introduction to the Access Panel](../user-help/my-apps-portal-end-user-access.md).
+* Click on **Test this application** in Azure portal. This will redirect to Infinite Campus Sign-on URL where you can initiate the login flow.
-## Additional resources
+* Go to Infinite Campus Sign-on URL directly and initiate the login flow from there.
-- [List of Tutorials on How to Integrate SaaS Apps with Azure Active Directory](./tutorial-list.md)
+* You can use Microsoft My Apps. When you click the Infinite Campus tile in the My Apps, this will redirect to Infinite Campus Sign-on URL. For more information about the My Apps, see [Introduction to the My Apps](../user-help/my-apps-portal-end-user-access.md).
-- [What is application access and single sign-on with Azure Active Directory?](../manage-apps/what-is-single-sign-on.md)
+## Next steps
-- [What is Conditional Access in Azure Active Directory?](../conditional-access/overview.md)
+Once you configure Infinite Campus you can enforce session control, which protects exfiltration and infiltration of your organizationΓÇÖs sensitive data in real time. Session control extends from Conditional Access. [Learn how to enforce session control with Microsoft Cloud App Security](/cloud-app-security/proxy-deployment-aad).
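Review bot: the `[!NOTE]` about setting the application's **User Assignment Required** property to No (so that all Azure users get single sign-on access and Infinite Campus's internal permissions control access) is removed, and nothing in the added **Assign the Azure AD test user** section replaces it. If the intent is that assignment stays required by default, say so in one sentence; otherwise restore the note so readers understand that turning the property off moves access control from Azure AD to Infinite Campus. Two further points in this hunk: the `- ### Create Infinite Campus test user ...` section is removed without an added counterpart, while the Kiteworks and iProva changes in this same update keep a "Create ... test user" section, so check that no step list in the collapsed context still links to it; and the added **Next steps** line contains `organizationΓÇÖs`, a UTF-8 right single quotation mark mis-decoded as CP437 mojibake, which should be a plain apostrophe. "with following options" and "in Azure portal" each want "the".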
active-directory Iprova Tutorial https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/active-directory/saas-apps/iprova-tutorial.md
Previously updated : 03/19/2020 Last updated : 05/17/2021
In this tutorial, you'll learn how to integrate iProva with Azure Active Directo
* Enable your users to be automatically signed-in to iProva with their Azure AD accounts. * Manage your accounts in one central location - the Azure portal.
-To learn more about SaaS app integration with Azure AD, see [What is application access and single sign-on with Azure Active Directory](../manage-apps/what-is-single-sign-on.md).
- ## Prerequisites To get started, you need the following items:
To get started, you need the following items:
In this tutorial, you configure and test Azure AD SSO in a test environment.
-* iProva supports **SP** initiated SSO
-
-* Once you configure iProva you can enforce session control, which protect exfiltration and infiltration of your organizationΓÇÖs sensitive data in real-time. Session control extend from Conditional Access. [Learn how to enforce session control with Microsoft Cloud App Security](/cloud-app-security/proxy-deployment-any-app).
+* iProva supports **SP** initiated SSO.
-## Adding iProva from the gallery
+## Add iProva from the gallery
To configure the integration of iProva into Azure AD, you need to add iProva from the gallery to your list of managed SaaS apps.
-1. Sign in to the [Azure portal](https://portal.azure.com) using either a work or school account, or a personal Microsoft account.
+1. Sign in to the Azure portal using either a work or school account, or a personal Microsoft account.
1. On the left navigation pane, select the **Azure Active Directory** service. 1. Navigate to **Enterprise Applications** and then select **All Applications**. 1. To add new application, select **New application**. 1. In the **Add from the gallery** section, type **iProva** in the search box. 1. Select **iProva** from results panel and then add the app. Wait a few seconds while the app is added to your tenant.
-## Configure and test Azure AD single sign-on for iProva
+## Configure and test Azure AD SSO for iProva
Configure and test Azure AD SSO with iProva using a test user called **B.Simon**. For SSO to work, you need to establish a link relationship between an Azure AD user and the related user in iProva.
-To configure and test Azure AD SSO with iProva, complete the following building blocks:
+To configure and test Azure AD SSO with iProva, perform the following steps:
-1. **[Retrieve configuration information from iProva](#retrieve-configuration-information-from-iprova)** - as a preparation for the next steps.
1. **[Configure Azure AD SSO](#configure-azure-ad-sso)** - to enable your users to use this feature.
-1. **[Create an Azure AD test user](#create-an-azure-ad-test-user)** - to test Azure AD single sign-on with B.Simon.
-1. **[Assign the Azure AD test user](#assign-the-azure-ad-test-user)** - to enable B.Simon to use Azure AD single sign-on.
-1. **[Create iProva test user](#create-iprova-test-user)** - to have a counterpart of B.Simon in iProva that is linked to the Azure AD representation of user.
-1. **[Configure iProva SSO](#configure-iprova-sso)** - to configure the Single Sign-On settings on application side.
+ 1. **[Create an Azure AD test user](#create-an-azure-ad-test-user)** - to test Azure AD single sign-on with B.Simon.
+ 1. **[Assign the Azure AD test user](#assign-the-azure-ad-test-user)** - to enable B.Simon to use Azure AD single sign-on.
+1. **[Configure iProva SSO](#configure-iprova-sso)** - to configure the single sign-on settings on application side.
+ 1. **[Create iProva test user](#create-iprova-test-user)** - to have a counterpart of B.Simon in iProva that is linked to the Azure AD representation of user.
1. **[Test SSO](#test-sso)** - to verify whether the configuration works. ## Retrieve configuration information from iProva In this section, you retrieve information from iProva to configure Azure AD single sign-on.
-1. Open a web browser, and go to the **SAML2 info** page in iProva by using the following URL pattern:
+1. Open a web browser, and go to the **SAML2 info** page in iProva by using the following URL patterns:
+
+ `https://<SUBDOMAIN>.iprova.nl/saml2info`
+ `https://<SUBDOMAIN>.iprova.be/saml2info`
- ```https
- https://SUBDOMAIN.iprova.nl/saml2info
- https://SUBDOMAIN.iprova.be/saml2info
- ```
-
- ![View the iProva SAML2 info page](media/iprova-tutorial/iprova-saml2-info.png)
+ ![View the iProva SAML2 info page](media/iprova-tutorial/information.png)
1. Leave the browser tab open while you proceed with the next steps in another browser tab.
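Review bot: the overview list drops `- 1. **[Retrieve configuration information from iProva](#retrieve-configuration-information-from-iprova)** - as a preparation for the next steps.` with no added replacement, but the `## Retrieve configuration information from iProva` section still follows (visible in the context line after the **Test SSO** item), so the numbered building blocks no longer mention the first thing the reader has to do; either re-add it as the first step or fold the retrieval into the **Configure Azure AD SSO** item. The URL change itself is an improvement: the removed fence was tagged `https`, which is not a language, and the added inline `https://<SUBDOMAIN>.iprova.nl/saml2info` / `.be` patterns use the `<PLACEHOLDER>` convention the Azure AD steps already use.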
In this section, you retrieve information from iProva to configure Azure AD sing
Follow these steps to enable Azure AD SSO in the Azure portal.
-1. In the [Azure portal](https://portal.azure.com/), on the **iProva** application integration page, find the **Manage** section and select **single sign-on**.
+1. In the Azure portal, on the **iProva** application integration page, find the **Manage** section and select **single sign-on**.
1. On the **Select a single sign-on method** page, select **SAML**.
-1. On the **Set up single sign-on with SAML** page, click the edit/pen icon for **Basic SAML Configuration** to edit the settings.
+1. On the **Set up single sign-on with SAML** page, click the pencil icon for **Basic SAML Configuration** to edit the settings.
![Edit Basic SAML Configuration](common/edit-urls.png)
In this section, you'll enable B.Simon to use Azure single sign-on by granting a
1. In the Azure portal, select **Enterprise Applications**, and then select **All applications**. 1. In the applications list, select **iProva**. 1. In the app's overview page, find the **Manage** section and select **Users and groups**.-
- ![The "Users and groups" link](common/users-groups-blade.png)
- 1. Select **Add user**, then select **Users and groups** in the **Add Assignment** dialog.-
- ![The Add User link](common/add-assign-user.png)
- 1. In the **Users and groups** dialog, select **B.Simon** from the Users list, then click the **Select** button at the bottom of the screen.
-1. If you're expecting any role value in the SAML assertion, in the **Select Role** dialog, select the appropriate role for the user from the list and then click the **Select** button at the bottom of the screen.
+1. If you are expecting a role to be assigned to the users, you can select it from the **Select a role** dropdown. If no role has been set up for this app, you see "Default Access" role selected.
1. In the **Add Assignment** dialog, click the **Assign** button.
-## Create iProva test user
-
-1. Sign in to iProva by using the **Administrator** account.
-
-2. Open the **Go to** menu.
-
-3. Select **Application management**.
-
-4. Select **Users** in the **Users and user groups** panel.
-
-5. Select **Add**.
-
-6. In the **Username** box, enter the username of user like `B.Simon@contoso.com`.
-
-7. In the **Full name** box, enter a full name of user like **B.Simon**.
-
-8. Select the **No password (use single sign-on)** option.
-
-9. In the **E-mail address** box, enter the email address of user like `B.Simon@contoso.com`.
-
-10. Scroll down to the end of the page, and select **Finish**.
- ## Configure iProva SSO 1. Sign in to iProva by using the **Administrator** account.
In this section, you'll enable B.Simon to use Azure single sign-on by granting a
6. Scroll down to **Access control**.
- ![iProva Access control settings](media/iprova-tutorial/iprova-accesscontrol.png)
+ ![iProva Access control settings](media/iprova-tutorial/access-control.png)
7. Find the setting **Users are automatically logged on with their network accounts**, and change it to **Yes, authentication via SAML**. Additional options now appear.
In this section, you'll enable B.Simon to use Azure single sign-on by granting a
10. iProva asks if you want to download federation data from a URL or upload it from a file. Select the **From URL** option.
- ![Download Azure AD metadata](media/iprova-tutorial/iprova-download-metadata.png)
+ ![Download Azure AD metadata](media/iprova-tutorial/metadata.png)
11. Paste the metadata URL you saved in the last step of the "Configure Azure AD single sign-on" section.
In this section, you'll enable B.Simon to use Azure single sign-on by granting a
18. You now return to the **Edit general settings** screen. Scroll down to the bottom of the page, and select **OK** to save your configuration.
-## Test SSO
+## Create iProva test user
-In this section, you test your Azure AD single sign-on configuration using the Access Panel.
+1. Sign in to iProva by using the **Administrator** account.
-When you click the iProva tile in the Access Panel, you should be automatically signed in to the iProva for which you set up SSO. For more information about the Access Panel, see [Introduction to the Access Panel](../user-help/my-apps-portal-end-user-access.md).
+2. Open the **Go to** menu.
+
+3. Select **Application management**.
-## Additional resources
+4. Select **Users** in the **Users and user groups** panel.
+
+5. Select **Add**.
+
+6. In the **Username** box, enter the username of user like `B.Simon@contoso.com`.
+
+7. In the **Full name** box, enter a full name of user like **B.Simon**.
+
+8. Select the **No password (use single sign-on)** option.
+
+9. In the **E-mail address** box, enter the email address of user like `B.Simon@contoso.com`.
+
+10. Scroll down to the end of the page, and select **Finish**.
+
+## Test SSO
-- [ List of Tutorials on How to Integrate SaaS Apps with Azure Active Directory ](./tutorial-list.md)
+In this section, you test your Azure AD single sign-on configuration with following options.
-- [What is application access and single sign-on with Azure Active Directory? ](../manage-apps/what-is-single-sign-on.md)
+* Click on **Test this application** in Azure portal. This will redirect to iProva Sign-on URL where you can initiate the login flow.
-- [What is conditional access in Azure Active Directory?](../conditional-access/overview.md)
+* Go to iProva Sign-on URL directly and initiate the login flow from there.
-- [Try iProva with Azure AD](https://aad.portal.azure.com/)
+* You can use Microsoft My Apps. When you click the iProva tile in the My Apps, this will redirect to iProva Sign-on URL. For more information about the My Apps, see [Introduction to the My Apps](../user-help/my-apps-portal-end-user-access.md).
-- [What is session control in Microsoft Cloud App Security?](/cloud-app-security/proxy-intro-aad)
+## Next steps
-- [How to protect iProva with advanced visibility and controls](/cloud-app-security/proxy-intro-aad)
+Once you configure iProva you can enforce session control, which protects exfiltration and infiltration of your organizationΓÇÖs sensitive data in real time. Session control extends from Conditional Access. [Learn how to enforce session control with Microsoft Cloud App Security](/cloud-app-security/proxy-deployment-aad).
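Review bot: the added **Next steps** paragraph links `/cloud-app-security/proxy-deployment-aad`, whereas the session-control bullet removed earlier in this change (`- * Once you configure iProva you can enforce session control ...`) linked `/cloud-app-security/proxy-deployment-any-app`; confirm the new target is intended, since iProva was previously documented against the "any app" deployment guide rather than the featured-apps one. The same line shows `organizationΓÇÖs` (a mis-decoded U+2019; use a plain apostrophe), and "with following options" / "in Azure portal" each want "the". Dropping `- [Try iProva with Azure AD](https://aad.portal.azure.com/)` is fine; it pointed at the generic admin portal rather than anything iProva-specific.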
active-directory Kiteworks Tutorial https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/active-directory/saas-apps/kiteworks-tutorial.md
Previously updated : 07/11/2019 Last updated : 05/12/2021
In this tutorial, you'll learn how to integrate Kiteworks with Azure Active Dire
* Enable your users to be automatically signed-in to Kiteworks with their Azure AD accounts. * Manage your accounts in one central location - the Azure portal.
-To learn more about SaaS app integration with Azure AD, see [What is application access and single sign-on with Azure Active Directory](../manage-apps/what-is-single-sign-on.md).
- ## Prerequisites To get started, you need the following items:
-* An Azure AD subscription. If you don't have a subscription, you can get one-month free trial [here](https://azure.microsoft.com/pricing/free-trial/).
+* An Azure AD subscription. If you don't have a subscription, you can get a [free account](https://azure.microsoft.com/free/).
* Kiteworks single sign-on (SSO) enabled subscription. ## Scenario description In this tutorial, you configure and test Azure AD SSO in a test environment.
-* Kiteworks supports **SP** initiated SSO
-* Kiteworks supports **Just In Time** user provisioning
+* Kiteworks supports **SP** initiated SSO.
+* Kiteworks supports **Just In Time** user provisioning.
-## Adding Kiteworks from the gallery
+## Add Kiteworks from the gallery
To configure the integration of Kiteworks into Azure AD, you need to add Kiteworks from the gallery to your list of managed SaaS apps.
-1. Sign in to the [Azure portal](https://portal.azure.com) using either a work or school account, or a personal Microsoft account.
+1. Sign in to the Azure portal using either a work or school account, or a personal Microsoft account.
1. On the left navigation pane, select the **Azure Active Directory** service. 1. Navigate to **Enterprise Applications** and then select **All Applications**. 1. To add new application, select **New application**. 1. In the **Add from the gallery** section, type **Kiteworks** in the search box. 1. Select **Kiteworks** from results panel and then add the app. Wait a few seconds while the app is added to your tenant. -
-## Configure and test Azure AD single sign-on
+## Configure and test Azure AD SSO for Kiteworks
Configure and test Azure AD SSO with Kiteworks using a test user called **B.Simon**. For SSO to work, you need to establish a link relationship between an Azure AD user and the related user in Kiteworks.
-To configure and test Azure AD SSO with Kiteworks, complete the following building blocks:
+To configure and test Azure AD SSO with Kiteworks, perform the following steps:
1. **[Configure Azure AD SSO](#configure-azure-ad-sso)** - to enable your users to use this feature.
-2. **[Configure Kiteworks SSO](#configure-kiteworks-sso)** - to configure the Single Sign-On settings on application side.
-3. **[Create an Azure AD test user](#create-an-azure-ad-test-user)** - to test Azure AD single sign-on with Britta Simon.
-4. **[Assign the Azure AD test user](#assign-the-azure-ad-test-user)** - to enable Britta Simon to use Azure AD single sign-on.
-5. **[Create Kiteworks test user](#create-kiteworks-test-user)** - to have a counterpart of Britta Simon in Kiteworks that is linked to the Azure AD representation of user.
-6. **[Test SSO](#test-sso)** - to verify whether the configuration works.
+ 1. **[Create an Azure AD test user](#create-an-azure-ad-test-user)** - to test Azure AD single sign-on with B.Simon.
+ 1. **[Assign the Azure AD test user](#assign-the-azure-ad-test-user)** - to enable B.Simon to use Azure AD single sign-on.
+1. **[Configure Kiteworks SSO](#configure-kiteworks-sso)** - to configure the single sign-on settings on application side.
+ 1. **[Create Kiteworks test user](#create-kiteworks-test-user)** - to have a counterpart of B.Simon in Kiteworks that is linked to the Azure AD representation of user.
+1. **[Test SSO](#test-sso)** - to verify whether the configuration works.
### Configure Azure AD SSO Follow these steps to enable Azure AD SSO in the Azure portal.
-1. In the [Azure portal](https://portal.azure.com/), on the **Kiteworks** application integration page, find the **Manage** section and select **Single sign-on**.
+1. In the Azure portal, on the **Kiteworks** application integration page, find the **Manage** section and select **Single sign-on**.
1. On the **Select a Single sign-on method** page, select **SAML**.
-1. On the **Set up Single Sign-On with SAML** page, click the edit/pen icon for **Basic SAML Configuration** to edit the settings.
+1. On the **Set up Single Sign-On with SAML** page, click the pencil icon for **Basic SAML Configuration** to edit the settings.
![Edit Basic SAML Configuration](common/edit-urls.png)
-1. On the **Basic SAML Configuration** section, enter the values for the following fields:
+1. On the **Basic SAML Configuration** section, perform the following steps:
a. In the **Sign on URL** text box, type a URL using the following pattern: `https://<kiteworksURL>.kiteworks.com`
Follow these steps to enable Azure AD SSO in the Azure portal.
![Copy configuration URLs](common/copy-configuration-urls.png)
-### Configure Kiteworks SSO
+### Create an Azure AD test user
+
+In this section, you'll create a test user in the Azure portal called B.Simon.
+
+1. From the left pane in the Azure portal, select **Azure Active Directory**, select **Users**, and then select **All users**.
+1. Select **New user** at the top of the screen.
+1. In the **User** properties, follow these steps:
+ 1. In the **Name** field, enter `B.Simon`.
+ 1. In the **User name** field, enter the username@companydomain.extension. For example, `B.Simon@contoso.com`.
+ 1. Select the **Show password** check box, and then write down the value that's displayed in the **Password** box.
+ 1. Click **Create**.
+
+### Assign the Azure AD test user
+
+In this section, you'll enable B.Simon to use Azure single sign-on by granting access to Kiteworks.
+
+1. In the Azure portal, select **Enterprise Applications**, and then select **All applications**.
+1. In the applications list, select **Kiteworks**.
+1. In the app's overview page, find the **Manage** section and select **Users and groups**.
+1. Select **Add user**, then select **Users and groups** in the **Add Assignment** dialog.
+1. In the **Users and groups** dialog, select **B.Simon** from the Users list, then click the **Select** button at the bottom of the screen.
+1. If you are expecting a role to be assigned to the users, you can select it from the **Select a role** dropdown. If no role has been set up for this app, you see "Default Access" role selected.
+1. In the **Add Assignment** dialog, click the **Assign** button.
+
+## Configure Kiteworks SSO
1. Sign on to your Kiteworks company site as an administrator. 1. In the toolbar on the top, click **Settings**.
- ![Screenshot that shows the "Settings" icon on the toolbar selected.](./media/kiteworks-tutorial/tutorial_kiteworks_06.png)
+ ![Screenshot that shows the "Settings" icon on the toolbar selected.](./media/kiteworks-tutorial/settings.png)
1. In the **Authentication and Authorization** section, click **SSO Setup**.
- ![Screenshot that shows "S S O Setup" selected from the "Authentication and Authorization" section.](./media/kiteworks-tutorial/tutorial_kiteworks_07.png)
+ ![Screenshot that shows "S S O Setup" selected from the "Authentication and Authorization" section.](./media/kiteworks-tutorial/authentication.png)
1. On the SSO Setup page, perform the following steps:
- ![Configure Single Sign-On](./media/kiteworks-tutorial/tutorial_kiteworks_09.png)
+ ![Configure Single Sign-On](./media/kiteworks-tutorial/setup-page.png)
a. Select **Authenticate via SSO**.
Follow these steps to enable Azure AD SSO in the Azure portal.
g. Click **Save**.
-### Create an Azure AD test user
-
-In this section, you'll create a test user in the Azure portal called B.Simon.
-
-1. From the left pane in the Azure portal, select **Azure Active Directory**, select **Users**, and then select **All users**.
-1. Select **New user** at the top of the screen.
-1. In the **User** properties, follow these steps:
- 1. In the **Name** field, enter `B.Simon`.
- 1. In the **User name** field, enter the username@companydomain.extension. For example, `B.Simon@contoso.com`.
- 1. Select the **Show password** check box, and then write down the value that's displayed in the **Password** box.
- 1. Click **Create**.
-
-### Assign the Azure AD test user
-
-In this section, you'll enable B.Simon to use Azure single sign-on by granting access to Kiteworks.
-
-1. In the Azure portal, select **Enterprise Applications**, and then select **All applications**.
-1. In the applications list, select **Kiteworks**.
-1. In the app's overview page, find the **Manage** section and select **Users and groups**.
-
- ![The "Users and groups" link](common/users-groups-blade.png)
-
-1. Select **Add user**, then select **Users and groups** in the **Add Assignment** dialog.
-
- ![The Add User link](common/add-assign-user.png)
-
-1. In the **Users and groups** dialog, select **B.Simon** from the Users list, then click the **Select** button at the bottom of the screen.
-1. If you're expecting any role value in the SAML assertion, in the **Select Role** dialog, select the appropriate role for the user from the list and then click the **Select** button at the bottom of the screen.
-1. In the **Add Assignment** dialog, click the **Assign** button.
- ### Create Kiteworks test user
-The objective of this section is to create a user called Britta Simon in Kiteworks.
-
-Kiteworks supports just-in-time provisioning, which is by default enabled. There is no action item for you in this section. A new user is created during an attempt to access Kiteworks if it doesn't exist yet.
-
-> [!NOTE]
-> If you need to create a user manually, you need to contact the [Kiteworks support team](https://accellion.com/support).
+In this section, a user called B.Simon is created in Kiteworks. Kiteworks supports just-in-time user provisioning, which is enabled by default. There's no action item for you in this section. If a user doesn't already exist in Kiteworks, a new one is created after authentication.
-### Test SSO
+## Test SSO
-In this section, you test your Azure AD single sign-on configuration using the Access Panel.
+In this section, you test your Azure AD single sign-on configuration with following options.
-When you click the Kiteworks tile in the Access Panel, you should be automatically signed in to the Kiteworks for which you set up SSO. For more information about the Access Panel, see [Introduction to the Access Panel](../user-help/my-apps-portal-end-user-access.md).
+* Click on **Test this application** in Azure portal. This will redirect to Kiteworks Sign-on URL where you can initiate the login flow.
-## Additional Resources
+* Go to Kiteworks Sign-on URL directly and initiate the login flow from there.
-- [List of Tutorials on How to Integrate SaaS Apps with Azure Active Directory](./tutorial-list.md)
+* You can use Microsoft My Apps. When you click the Kiteworks tile in the My Apps, this will redirect to Kiteworks Sign-on URL. For more information about the My Apps, see [Introduction to the My Apps](../user-help/my-apps-portal-end-user-access.md).
-- [What is application access and single sign-on with Azure Active Directory?](../manage-apps/what-is-single-sign-on.md)
+## Next steps
-- [What is conditional access in Azure Active Directory?](../conditional-access/overview.md)
+Once you configure Kiteworks you can enforce session control, which protects exfiltration and infiltration of your organizationΓÇÖs sensitive data in real time. Session control extends from Conditional Access. [Learn how to enforce session control with Microsoft Cloud App Security](/cloud-app-security/proxy-deployment-aad).
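Review bot: the rewritten **Create Kiteworks test user** section drops the `[!NOTE]` that pointed readers to the Kiteworks support team for manual user creation, so the only provisioning path now described is just-in-time creation after authentication. Keep the note: with JIT enabled, any user who completes the SSO flow gets a Kiteworks account created automatically (`If a user doesn't already exist in Kiteworks, a new one is created after authentication.`), and administrators who want to pre-stage or restrict accounts by hand need to know where to go. The replacement sentence is otherwise clearer than the old three paragraphs. As in the other files in this update, the added **Next steps** line contains `organizationΓÇÖs` (mis-decoded U+2019) and "with following options" needs "the".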
active-directory Lifesize Cloud Tutorial https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/active-directory/saas-apps/lifesize-cloud-tutorial.md
Previously updated : 1/4/2019 Last updated : 05/24/2021 # Tutorial: Azure Active Directory integration with Lifesize Cloud
-In this tutorial, you learn how to integrate Lifesize Cloud with Azure Active Directory (Azure AD).
-Integrating Lifesize Cloud with Azure AD provides you with the following benefits:
+In this tutorial, you'll learn how to integrate Lifesize Cloud with Azure Active Directory (Azure AD). When you integrate Lifesize Cloud with Azure AD, you can:
-* You can control in Azure AD who has access to Lifesize Cloud.
-* You can enable your users to be automatically signed-in to Lifesize Cloud (Single Sign-On) with their Azure AD accounts.
-* You can manage your accounts in one central location - the Azure portal.
-
-If you want to know more details about SaaS app integration with Azure AD, see [What is application access and single sign-on with Azure Active Directory](../manage-apps/what-is-single-sign-on.md).
-If you don't have an Azure subscription, [create a free account](https://azure.microsoft.com/free/) before you begin.
+* Control in Azure AD who has access to Lifesize Cloud.
+* Enable your users to be automatically signed-in to Lifesize Cloud with their Azure AD accounts.
+* Manage your accounts in one central location - the Azure portal.
## Prerequisites
-To configure Azure AD integration with Lifesize Cloud, you need the following items:
+To get started, you need the following items:
-* An Azure AD subscription. If you don't have an Azure AD environment, you can get one-month trial [here](https://azure.microsoft.com/pricing/free-trial/)
-* Lifesize Cloud single sign-on enabled subscription
+* An Azure AD subscription. If you don't have a subscription, you can get a [free account](https://azure.microsoft.com/free/).
+* Lifesize Cloud single sign-on (SSO) enabled subscription.
> [!NOTE] > This integration is also available to use from Azure AD US Government Cloud environment. You can find this application in the Azure AD US Government Cloud Application Gallery and configure it in the same way as you do from public cloud.
To configure Azure AD integration with Lifesize Cloud, you need the following it
In this tutorial, you configure and test Azure AD single sign-on in a test environment.
-* Lifesize Cloud supports **SP** initiated SSO
+* Lifesize Cloud supports **SP** initiated SSO.
-* Lifesize Cloud supports **Automated** user provisioning
+* Lifesize Cloud supports **Automated** user provisioning.
-## Adding Lifesize Cloud from the gallery
+## Add Lifesize Cloud from the gallery
To configure the integration of Lifesize Cloud into Azure AD, you need to add Lifesize Cloud from the gallery to your list of managed SaaS apps.
-**To add Lifesize Cloud from the gallery, perform the following steps:**
-
-1. In the **[Azure portal](https://portal.azure.com)**, on the left navigation panel, click **Azure Active Directory** icon.
-
- ![The Azure Active Directory button](common/select-azuread.png)
-
-2. Navigate to **Enterprise Applications** and then select the **All Applications** option.
-
- ![The Enterprise applications blade](common/enterprise-applications.png)
-
-3. To add new application, click **New application** button on the top of dialog.
-
- ![The New application button](common/add-new-app.png)
-
-4. In the search box, type **Lifesize Cloud**, select **Lifesize Cloud** from result panel then click **Add** button to add the application.
-
- ![Lifesize Cloud in the results list](common/search-new-app.png)
-
-## Configure and test Azure AD single sign-on
-
-In this section, you configure and test Azure AD single sign-on with Lifesize Cloud based on a test user called **Britta Simon**.
-For single sign-on to work, a link relationship between an Azure AD user and the related user in Lifesize Cloud needs to be established.
-
-To configure and test Azure AD single sign-on with Lifesize Cloud, you need to complete the following building blocks:
+1. Sign in to the Azure portal using either a work or school account, or a personal Microsoft account.
+1. On the left navigation pane, select the **Azure Active Directory** service.
+1. Navigate to **Enterprise Applications** and then select **All Applications**.
+1. To add new application, select **New application**.
+1. In the **Add from the gallery** section, type **Lifesize Cloud** in the search box.
+1. Select **Lifesize Cloud** from results panel and then add the app. Wait a few seconds while the app is added to your tenant.
-1. **[Configure Azure AD Single Sign-On](#configure-azure-ad-single-sign-on)** - to enable your users to use this feature.
-2. **[Configure Lifesize Cloud Single Sign-On](#configure-lifesize-cloud-single-sign-on)** - to configure the Single Sign-On settings on application side.
-3. **[Create an Azure AD test user](#create-an-azure-ad-test-user)** - to test Azure AD single sign-on with Britta Simon.
-4. **[Assign the Azure AD test user](#assign-the-azure-ad-test-user)** - to enable Britta Simon to use Azure AD single sign-on.
-5. **[Create Lifesize Cloud test user](#create-lifesize-cloud-test-user)** - to have a counterpart of Britta Simon in Lifesize Cloud that is linked to the Azure AD representation of user.
-6. **[Test single sign-on](#test-single-sign-on)** - to verify whether the configuration works.
+## Configure and test Azure AD SSO for Lifesize Cloud
-### Configure Azure AD single sign-on
+Configure and test Azure AD SSO with Lifesize Cloud using a test user called **B.Simon**. For SSO to work, you need to establish a link relationship between an Azure AD user and the related user in Lifesize Cloud.
-In this section, you enable Azure AD single sign-on in the Azure portal.
+To configure and test Azure AD SSO with Lifesize Cloud, perform the following steps:
-To configure Azure AD single sign-on with Lifesize Cloud, perform the following steps:
+1. **[Configure Azure AD SSO](#configure-azure-ad-sso)** - to enable your users to use this feature.
+ 1. **[Create an Azure AD test user](#create-an-azure-ad-test-user)** - to test Azure AD single sign-on with B.Simon.
+ 1. **[Assign the Azure AD test user](#assign-the-azure-ad-test-user)** - to enable B.Simon to use Azure AD single sign-on.
+1. **[Configure Lifesize Cloud SSO](#configure-lifesize-cloud-sso)** - to configure the single sign-on settings on application side.
+ 1. **[Create Lifesize Cloud test user](#create-lifesize-cloud-test-user)** - to have a counterpart of B.Simon in Lifesize Cloud that is linked to the Azure AD representation of user.
+1. **[Test SSO](#test-sso)** - to verify whether the configuration works.
-1. In the [Azure portal](https://portal.azure.com/), on the **Lifesize Cloud** application integration page, select **Single sign-on**.
+## Configure Azure AD SSO
- ![Configure single sign-on link](common/select-sso.png)
+Follow these steps to enable Azure AD SSO in the Azure portal.
-2. On the **Select a Single sign-on method** dialog, select **SAML/WS-Fed** mode to enable single sign-on.
+1. In the Azure portal, on the **Lifesize Cloud** application integration page, find the **Manage** section and select **single sign-on**.
+1. On the **Select a single sign-on method** page, select **SAML**.
+1. On the **Set up single sign-on with SAML** page, click the pencil icon for **Basic SAML Configuration** to edit the settings.
- ![Single sign-on select mode](common/select-saml-option.png)
-
-3. On the **Set up Single Sign-On with SAML** page, click **Edit** icon to open **Basic SAML Configuration** dialog.
-
- ![Edit Basic SAML Configuration](common/edit-urls.png)
+ ![Edit Basic SAML Configuration](common/edit-urls.png)
4. On the **Basic SAML Configuration** section, perform the following steps:
- ![Lifesize Cloud Domain and URLs single sign-on information](common/sp-identifier-relay.png)
- a. In the **Sign-on URL** text box, type a URL using the following pattern: `https://login.lifesizecloud.com/ls/?acs` b. In the **Identifier** text box, type a URL using the following pattern:
- `https://login.lifesizecloud.com/<companyname>`
+ `https://login.lifesizecloud.com/<COMPANY_NAME>`
c. Click **set additional URLs**. d. In the **Relay State** text box, type a URL using the following pattern:
- `https://webapp.lifesizecloud.com/?ent=<identifier>`
+ `https://webapp.lifesizecloud.com/?ent=<IDENTIFIER>`
> [!NOTE] > These values are not real. Update these values with the actual Sign-on URL, Identifier and Relay State. Contact [Lifesize Cloud Client support team](https://legacy.lifesize.com/en/support) to get Sign-On URL, and Identifier values and you can get Relay State value from SSO Configuration that is explained later in the tutorial. You can also refer to the patterns shown in the **Basic SAML Configuration** section in the Azure portal.
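Review bot: the two placeholders in the Basic SAML Configuration steps now read `<COMPANY_NAME>` (Identifier) and `<IDENTIFIER>` (Relay State), but the note directly below says the Relay State comes from the Lifesize SSO Configuration page (step 7 of "Configure Lifesize Cloud SSO" later in this diff generates it), whereas "Identifier" in the same note is the Entity ID obtained from Lifesize support; naming the relay-state placeholder `<IDENTIFIER>` invites readers to paste the Entity ID into `?ent=`. Suggest a distinct placeholder such as `<RELAY_STATE_VALUE>` (a hypothetical name) or a clause in the note stating that the `ent=` value is the RelayState generated in the Lifesize portal. Also, the list now renders as three `1.` items followed by the unchanged "4. On the **Basic SAML Configuration** section, perform the following steps:", so either change the retained step to `1.` or keep explicit numbers throughout.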
To configure Azure AD single sign-on with Lifesize Cloud, perform the following
![Copy configuration URLs](common/copy-configuration-urls.png)
- a. Login URL
+### Create an Azure AD test user
+
+In this section, you'll create a test user in the Azure portal called B.Simon.
+
+1. From the left pane in the Azure portal, select **Azure Active Directory**, select **Users**, and then select **All users**.
+1. Select **New user** at the top of the screen.
+1. In the **User** properties, follow these steps:
+ 1. In the **Name** field, enter `B.Simon`.
+ 1. In the **User name** field, enter the username@companydomain.extension. For example, `B.Simon@contoso.com`.
+ 1. Select the **Show password** check box, and then write down the value that's displayed in the **Password** box.
+ 1. Click **Create**.
- b. Azure Ad Identifier
+### Assign the Azure AD test user
+
+In this section, you'll enable B.Simon to use Azure single sign-on by granting access to Lifesize Cloud.
- c. Logout URL
+1. In the Azure portal, select **Enterprise Applications**, and then select **All applications**.
+1. In the applications list, select **Lifesize Cloud**.
+1. In the app's overview page, find the **Manage** section and select **Users and groups**.
+1. Select **Add user**, then select **Users and groups** in the **Add Assignment** dialog.
+1. In the **Users and groups** dialog, select **B.Simon** from the Users list, then click the **Select** button at the bottom of the screen.
+1. If you are expecting a role to be assigned to the users, you can select it from the **Select a role** dropdown. If no role has been set up for this app, you see "Default Access" role selected.
+1. In the **Add Assignment** dialog, click the **Assign** button.
-### Configure Lifesize Cloud Single Sign-On
+## Configure Lifesize Cloud SSO
1. To get SSO configured for your application, login into the Lifesize Cloud application with Admin privileges. 2. In the top right corner click on your name and then click on the **Advance Settings**.
- ![Screenshot shows the Advanced Settings menu item.](./media/lifesize-cloud-tutorial/tutorial_lifesizecloud_06.png)
+ ![Screenshot shows the Advanced Settings menu item.](./media/lifesize-cloud-tutorial/settings.png)
3. In the Advance Settings now click on the **SSO Configuration** link. It will open the SSO Configuration page for your instance.
- ![Screenshot shows Advanced Settings where you can select S S O Configuration.](./media/lifesize-cloud-tutorial/tutorial_lifesizecloud_07.png)
+ ![Screenshot shows Advanced Settings where you can select S S O Configuration.](./media/lifesize-cloud-tutorial/configuration.png)
4. Now configure the following values in the SSO configuration UI.
- ![Screenshot shows the S S O Configuration page where you can enter the values described.](./media/lifesize-cloud-tutorial/tutorial_lifesizecloud_08.png)
+ ![Screenshot shows the S S O Configuration page where you can enter the values described.](./media/lifesize-cloud-tutorial/values.png)
a. In **Identity Provider Issuer** textbox, paste the value of **Azure Ad Identifier** which you have copied from Azure portal.
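Review bot: the removed sub-list "a. Login URL / b. Azure Ad Identifier / c. Logout URL" under the "Copy configuration URLs" screenshot was the step that told the reader which values to copy, yet the unchanged step "a. In **Identity Provider Issuer** textbox, paste the value of **Azure Ad Identifier** which you have copied from Azure portal" still depends on it; keep a sentence naming the values to copy (Login URL, Azure AD Identifier, Logout URL) so the later paste steps have a referent. In the Lifesize steps, "login into the Lifesize Cloud application with Admin privileges" should read "log in to", and "Advance Settings" in the step text versus "Advanced Settings" in the screenshot alt text should be made consistent with the actual menu label.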
To configure Azure AD single sign-on with Lifesize Cloud, perform the following
7. Now click on the **Update** button so that all the settings are saved. This will generate the RelayState value. Copy the RelayState value, which is generated in the text box, paste it in the **Relay State** textbox under **Lifesize Cloud Domain and URLs** section.
-### Create an Azure AD test user
-
-The objective of this section is to create a test user in the Azure portal called Britta Simon.
-
-1. In the Azure portal, in the left pane, select **Azure Active Directory**, select **Users**, and then select **All users**.
-
- ![The "Users and groups" and "All users" links](common/users.png)
-
-2. Select **New user** at the top of the screen.
-
- ![New user Button](common/new-user.png)
-
-3. In the User properties, perform the following steps.
-
- ![The User dialog box](common/user-properties.png)
-
- a. In the **Name** field enter **BrittaSimon**.
-
- b. In the **User name** field type **brittasimon\@yourcompanydomain.extension**
- For example, BrittaSimon@contoso.com
-
- c. Select **Show password** check box, and then write down the value that's displayed in the Password box.
-
- d. Click **Create**.
-
-### Assign the Azure AD test user
-
-In this section, you enable Britta Simon to use Azure single sign-on by granting access to Lifesize Cloud.
-
-1. In the Azure portal, select **Enterprise Applications**, select **All applications**, then select **Lifesize Cloud**.
-
- ![Enterprise applications blade](common/enterprise-applications.png)
-
-2. In the applications list, select **Lifesize Cloud**.
-
- ![The Lifesize Cloud link in the Applications list](common/all-applications.png)
-
-3. In the menu on the left, select **Users and groups**.
-
- ![The "Users and groups" link](common/users-groups-blade.png)
-
-4. Click the **Add user** button, then select **Users and groups** in the **Add Assignment** dialog.
-
- ![The Add Assignment pane](common/add-assign-user.png)
-
-5. In the **Users and groups** dialog select **Britta Simon** in the Users list, then click the **Select** button at the bottom of the screen.
-
-6. If you are expecting any role value in the SAML assertion then in the **Select Role** dialog select the appropriate role for the user from the list, then click the **Select** button at the bottom of the screen.
-
-7. In the **Add Assignment** dialog click the **Assign** button.
- ### Create Lifesize Cloud test user In this section, you create a user called Britta Simon in Lifesize Cloud. Lifesize cloud does support automatic user provisioning. After successful authentication at Azure AD, the user will be automatically provisioned in the application.
-### Test single sign-on
-
-In this section, you test your Azure AD single sign-on configuration using the Access Panel.
+## Test SSO
-When you click the Lifesize Cloud tile in the Access Panel, you should get login page of Lifesize Cloud application. Here you need to enter your username, and after that you will redirected to the application homepage.
+In this section, you test your Azure AD single sign-on configuration with following options.
-For more information about the Access Panel, see [Introduction to the Access Panel](../user-help/my-apps-portal-end-user-access.md).
+* Click on **Test this application** in Azure portal. This will redirect to Lifesize Cloud Sign-on URL where you can initiate the login flow.
-## Additional Resources
+* Go to Lifesize Cloud Sign-on URL directly and initiate the login flow from there.
-- [List of Tutorials on How to Integrate SaaS Apps with Azure Active Directory](./tutorial-list.md)
+* You can use Microsoft My Apps. When you click the Lifesize Cloud tile in the My Apps, this will redirect to Lifesize Cloud Sign-on URL. For more information about the My Apps, see [Introduction to the My Apps](../user-help/my-apps-portal-end-user-access.md).
-- [What is application access and single sign-on with Azure Active Directory?](../manage-apps/what-is-single-sign-on.md)
+## Next steps
-- [What is Conditional Access in Azure Active Directory?](../conditional-access/overview.md)
+Once you configure Lifesize Cloud you can enforce session control, which protects exfiltration and infiltration of your organizationΓÇÖs sensitive data in real time. Session control extends from Conditional Access. [Learn how to enforce session control with Microsoft Cloud App Security](/cloud-app-security/proxy-deployment-aad).
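Review bot: the line beginning "- ### Create Lifesize Cloud test user In this section, you create a user called Britta Simon in Lifesize Cloud..." appears as a removal, but the new step list earlier in this diff still links to #create-lifesize-cloud-test-user; confirm that heading survives in the file, otherwise the anchor is dead and the statement that Lifesize provisions the user automatically after successful Azure AD authentication is lost. In the Next steps paragraph, "organizationΓÇÖs" is a mis-encoded apostrophe and should be "organization's"; "protects exfiltration and infiltration" reads as if session control protects the exfiltration itself, so "protects against" is the intended meaning.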
active-directory Litmos Tutorial https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/active-directory/saas-apps/litmos-tutorial.md
Previously updated : 08/26/2019 Last updated : 05/12/2021
In this tutorial, you'll learn how to integrate Litmos with Azure Active Directo
* Enable your users to be automatically signed-in to Litmos with their Azure AD accounts. * Manage your accounts in one central location - the Azure portal.
-To learn more about SaaS app integration with Azure AD, see [What is application access and single sign-on with Azure Active Directory](../manage-apps/what-is-single-sign-on.md).
- ## Prerequisites To get started, you need the following items:
To get started, you need the following items:
In this tutorial, you configure and test Azure AD SSO in a test environment.
-* Litmos supports **IDP** initiated SSO
-* Litmos supports **Just In Time** user provisioning
+* Litmos supports **IDP** initiated SSO.
+* Litmos supports **Just In Time** user provisioning.
-## Adding Litmos from the gallery
+## Add Litmos from the gallery
To configure the integration of Litmos into Azure AD, you need to add Litmos from the gallery to your list of managed SaaS apps.
-1. Sign in to the [Azure portal](https://portal.azure.com) using either a work or school account, or a personal Microsoft account.
+1. Sign in to the Azure portal using either a work or school account, or a personal Microsoft account.
1. On the left navigation pane, select the **Azure Active Directory** service. 1. Navigate to **Enterprise Applications** and then select **All Applications**. 1. To add new application, select **New application**. 1. In the **Add from the gallery** section, type **Litmos** in the search box. 1. Select **Litmos** from results panel and then add the app. Wait a few seconds while the app is added to your tenant.
-## Configure and test Azure AD single sign-on for Litmos
+## Configure and test Azure AD SSO for Litmos
Configure and test Azure AD SSO with Litmos using a test user called **B.Simon**. For SSO to work, you need to establish a link relationship between an Azure AD user and the related user in Litmos.
-To configure and test Azure AD SSO with Litmos, complete the following building blocks:
+To configure and test Azure AD SSO with Litmos, perform the following steps:
1. **[Configure Azure AD SSO](#configure-azure-ad-sso)** - to enable your users to use this feature. 1. **[Create an Azure AD test user](#create-an-azure-ad-test-user)** - to test Azure AD single sign-on with B.Simon.
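Review bot: the removed line "- ## Prerequisites To get started, you need the following items:" followed by the unchanged "To get started, you need the following items:" looks like a blank-line removal that was rendered with the heading attached; verify that the "## Prerequisites" heading is still present after the change, since the removal line is the only place it appears in this hunk. As in the other tutorials in this batch, dropping the link to "What is application access and single sign-on with Azure Active Directory" leaves no conceptual reference; consider keeping it in Next steps.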
To configure and test Azure AD SSO with Litmos, complete the following building
Follow these steps to enable Azure AD SSO in the Azure portal.
-1. In the [Azure portal](https://portal.azure.com/), on the **Litmos** application integration page, find the **Manage** section and select **single sign-on**.
+1. In the Azure portal, on the **Litmos** application integration page, find the **Manage** section and select **single sign-on**.
1. On the **Select a single sign-on method** page, select **SAML**.
-1. On the **Set up single sign-on with SAML** page, click the edit/pen icon for **Basic SAML Configuration** to edit the settings.
+1. On the **Set up single sign-on with SAML** page, click the pencil icon for **Basic SAML Configuration** to edit the settings.
![Edit Basic SAML Configuration](common/edit-urls.png)
-1. On the **Set up single sign-on with SAML** page, enter the values for the following fields:
+1. On the **Set up single sign-on with SAML** page, perform the following steps:
a. In the **Identifier** text box, type a URL using the following pattern: `https://<companyname>.litmos.com/account/Login`
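Review bot: the unchanged Identifier pattern `https://<companyname>.litmos.com/account/Login` keeps the lowercase placeholder style, while the Lifesize and Menlo Security tutorials in this same update switch to `<COMPANY_NAME>` and `<SUBDOMAIN>`; align the placeholder here for consistency. Because the scenario description lists Litmos as supporting **IDP** initiated SSO only, the step "On the **Set up single sign-on with SAML** page, perform the following steps:" should say whether a Sign-on URL is required at all, so readers do not invent one.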
In this section, you'll enable B.Simon to use Azure single sign-on by granting a
1. In the Azure portal, select **Enterprise Applications**, and then select **All applications**. 1. In the applications list, select **Litmos**. 1. In the app's overview page, find the **Manage** section and select **Users and groups**.-
- ![The "Users and groups" link](common/users-groups-blade.png)
- 1. Select **Add user**, then select **Users and groups** in the **Add Assignment** dialog.-
- ![The Add User link](common/add-assign-user.png)
- 1. In the **Users and groups** dialog, select **B.Simon** from the Users list, then click the **Select** button at the bottom of the screen.
-1. If you're expecting any role value in the SAML assertion, in the **Select Role** dialog, select the appropriate role for the user from the list and then click the **Select** button at the bottom of the screen.
+1. If you are expecting a role to be assigned to the users, you can select it from the **Select a role** dropdown. If no role has been set up for this app, you see "Default Access" role selected.
1. In the **Add Assignment** dialog, click the **Assign** button. ## Configure Litmos SSO
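Review bot: the trailing "-" characters on "select **Users and groups**.-" and "in the **Add Assignment** dialog.-" are leftover markers from the removed blank lines and must not end up in the rendered text; check the file after applying. The new sentence "If you are expecting a role to be assigned to the users, you can select it from the **Select a role** dropdown" drops the old wording's mention that the role value is emitted in the SAML assertion; since that is the reason an administrator would pick a role here, keep a clause stating that the selected role is what the application receives in the assertion. "## Configure Litmos SSO" is fused onto the end of the Assign step line; ensure a blank line precedes the heading.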
In this section, you'll enable B.Simon to use Azure single sign-on by granting a
2. In the navigation bar on the left side, click **Accounts**.
- ![Accounts Section on App Side][22]
+ ![Accounts Section on App Side](./media/litmos-tutorial/account.png)
3. Click the **Integrations** tab.
- ![Integration Tab][23]
+ ![Integration Tab](./media/litmos-tutorial/integrate.png)
4. On the **Integrations** tab, scroll down to **3rd Party Integrations**, and then click **SAML 2.0** tab.
- ![SAML 2.0 Section][24]
+ ![SAML 2.0 Section](./media/litmos-tutorial/third-party.png)
5. Copy the value under **The SAML endpoint for litmos is:** and paste it into the **Reply URL** textbox in the **Litmos Domain and URLs** section in Azure portal.
- ![SAML endpoint][26]
+ ![SAML endpoint](./media/litmos-tutorial/certificate.png)
6. In your **Litmos** application, perform the following steps:
- ![Litmos Application][25]
+ ![Litmos Application](./media/litmos-tutorial/application.png)
a. Click **Enable SAML**.
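Review bot: the reference-style images [22] through [26] are replaced with direct paths, but the "SAML endpoint" screenshot now maps to `./media/litmos-tutorial/certificate.png`, which does not match its alt text, while the "Litmos Application" screenshot maps to `application.png`; confirm the renamed files correspond to the old [26] and [25] targets respectively and were not swapped during the rename. The step "Copy the value under **The SAML endpoint for litmos is:** and paste it into the **Reply URL** textbox in the **Litmos Domain and URLs** section" still names a portal section that the earlier Azure AD steps in this same diff call **Basic SAML Configuration**; update the section name so the two halves of the tutorial agree.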
In this section, you'll enable B.Simon to use Azure single sign-on by granting a
### Create Litmos test user
-The objective of this section is to create a user called Britta Simon in Litmos. The Litmos application supports Just-in-Time provisioning. This means, a user account is automatically created if necessary during an attempt to access the application using the Access Panel.
+In this section, a user called B.Simon is created in Litmos. Litmos supports just-in-time user provisioning, which is enabled by default. There's no action item for you in this section. If a user doesn't already exist in Litmos, a new one is created after authentication.
**To create a user called Britta Simon in Litmos, perform the following steps:**
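Review bot: the new paragraph states "There's no action item for you in this section", yet the unchanged bold line directly below, "**To create a user called Britta Simon in Litmos, perform the following steps:**", introduces a step sequence that ends with "Select **Autogenerate Users**", which is the setting that makes just-in-time provisioning work. Either drop the "no action item" sentence, or keep it and say that the Autogenerate Users switch must already be enabled; also rename "Britta Simon" to "B.Simon" to match the test user used everywhere else in the updated tutorial.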
The objective of this section is to create a user called Britta Simon in Litmos.
2. In the navigation bar on the left side, click **Accounts**.
- ![Accounts Section On App Side][22]
+ ![Accounts Section On App Side](./media/litmos-tutorial/account.png)
3. Click the **Integrations** tab.
- ![Integrations Tab][23]
+ ![Integrations Tab](./media/litmos-tutorial/integrate.png)
4. On the **Integrations** tab, scroll down to **3rd Party Integrations**, and then click **SAML 2.0** tab.
- ![SAML 2.0][24]
+ ![SAML 2.0](./media/litmos-tutorial/third-party.png)
5. Select **Autogenerate Users**
- ![Autogenerate Users][27]
+ ![Autogenerate Users](./media/litmos-tutorial/users.png)
## Test SSO
-In this section, you test your Azure AD single sign-on configuration using the Access Panel.
-
-When you click the Litmos tile in the Access Panel, you should be automatically signed in to the Litmos for which you set up SSO. For more information about the Access Panel, see [Introduction to the Access Panel](../user-help/my-apps-portal-end-user-access.md).
-
-## Additional resources
--- [ List of Tutorials on How to Integrate SaaS Apps with Azure Active Directory ](./tutorial-list.md)
+In this section, you test your Azure AD single sign-on configuration with following options.
-- [What is application access and single sign-on with Azure Active Directory? ](../manage-apps/what-is-single-sign-on.md)
+* Click on Test this application in Azure portal and you should be automatically signed in to the Litmos for which you set up the SSO.
-- [What is conditional access in Azure Active Directory?](../conditional-access/overview.md)
+* You can use Microsoft My Apps. When you click the Litmos tile in the My Apps, you should be automatically signed in to the Litmos for which you set up the SSO. For more information about the My Apps, see [Introduction to the My Apps](../user-help/my-apps-portal-end-user-access.md).
-- [Try Litmos with Azure AD](https://aad.portal.azure.com/)
+## Next steps
-[21]: ./media/litmos-tutorial/tutorial_litmos_60.png
-[22]: ./media/litmos-tutorial/tutorial_litmos_61.png
-[23]: ./media/litmos-tutorial/tutorial_litmos_62.png
-[24]: ./media/litmos-tutorial/tutorial_litmos_63.png
-[25]: ./media/litmos-tutorial/tutorial_litmos_64.png
-[26]: ./media/litmos-tutorial/tutorial_litmos_65.png
-[27]: ./media/litmos-tutorial/tutorial_litmos_66.png
+Once you configure Litmos you can enforce session control, which protects exfiltration and infiltration of your organizationΓÇÖs sensitive data in real time. Session control extends from Conditional Access. [Learn how to enforce session control with Microsoft Cloud App Security](/cloud-app-security/proxy-deployment-aad).
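Review bot: removing the reference definitions [21] through [27] is safe only if no reference-style image links remain; [21] is never used in the visible hunks and [22] through [27] were converted to direct paths earlier in this diff, so a link check on the rendered page should come back clean. In the Test SSO bullets, "signed in to the Litmos for which you set up the SSO" should read "signed in to Litmos". In the Next steps paragraph, "organizationΓÇÖs" is a mis-encoded apostrophe and should be "organization's".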
active-directory Menlosecurity Tutorial https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/active-directory/saas-apps/menlosecurity-tutorial.md
Previously updated : 02/20/2019 Last updated : 05/19/2021 # Tutorial: Azure Active Directory integration with Menlo Security
-In this tutorial, you learn how to integrate Menlo Security with Azure Active Directory (Azure AD).
-Integrating Menlo Security with Azure AD provides you with the following benefits:
+In this tutorial, you'll learn how to integrate Menlo Security with Azure Active Directory (Azure AD). When you integrate Menlo Security with Azure AD, you can:
-* You can control in Azure AD who has access to Menlo Security.
-* You can enable your users to be automatically signed-in to Menlo Security (Single Sign-On) with their Azure AD accounts.
-* You can manage your accounts in one central location - the Azure portal.
-
-If you want to know more details about SaaS app integration with Azure AD, see [What is application access and single sign-on with Azure Active Directory](../manage-apps/what-is-single-sign-on.md).
-If you don't have an Azure subscription, [create a free account](https://azure.microsoft.com/free/) before you begin.
+* Control in Azure AD who has access to Menlo Security.
+* Enable your users to be automatically signed-in to Menlo Security with their Azure AD accounts.
+* Manage your accounts in one central location - the Azure portal.
## Prerequisites
-To configure Azure AD integration with Menlo Security, you need the following items:
+To get started, you need the following items:
-* An Azure AD subscription. If you don't have an Azure AD environment, you can get one-month trial [here](https://azure.microsoft.com/pricing/free-trial/)
-* Menlo Security single sign-on enabled subscription
+* An Azure AD subscription. If you don't have a subscription, you can get a [free account](https://azure.microsoft.com/free/).
+* Menlo Security single sign-on (SSO) enabled subscription.
## Scenario description In this tutorial, you configure and test Azure AD single sign-on in a test environment.
-* Menlo Security supports **SP** initiated SSO
+* Menlo Security supports **SP** initiated SSO.
-## Adding Menlo Security from the gallery
+## Add Menlo Security from the gallery
To configure the integration of Menlo Security into Azure AD, you need to add Menlo Security from the gallery to your list of managed SaaS apps.
-**To add Menlo Security from the gallery, perform the following steps:**
-
-1. In the **[Azure portal](https://portal.azure.com)**, on the left navigation panel, click **Azure Active Directory** icon.
-
- ![The Azure Active Directory button](common/select-azuread.png)
-
-2. Navigate to **Enterprise Applications** and then select the **All Applications** option.
-
- ![The Enterprise applications blade](common/enterprise-applications.png)
-
-3. To add new application, click **New application** button on the top of dialog.
-
- ![The New application button](common/add-new-app.png)
-
-4. In the search box, type **Menlo Security**, select **Menlo Security** from result panel then click **Add** button to add the application.
-
- ![Menlo Security in the results list](common/search-new-app.png)
-
-## Configure and test Azure AD single sign-on
-
-In this section, you configure and test Azure AD single sign-on with Menlo Security based on a test user called **Britta Simon**.
-For single sign-on to work, a link relationship between an Azure AD user and the related user in Menlo Security needs to be established.
-
-To configure and test Azure AD single sign-on with Menlo Security, you need to complete the following building blocks:
+1. Sign in to the Azure portal using either a work or school account, or a personal Microsoft account.
+1. On the left navigation pane, select the **Azure Active Directory** service.
+1. Navigate to **Enterprise Applications** and then select **All Applications**.
+1. To add new application, select **New application**.
+1. In the **Add from the gallery** section, type **Menlo Security** in the search box.
+1. Select **Menlo Security** from results panel and then add the app. Wait a few seconds while the app is added to your tenant.
-1. **[Configure Azure AD Single Sign-On](#configure-azure-ad-single-sign-on)** - to enable your users to use this feature.
-2. **[Configure Menlo Security Single Sign-On](#configure-menlo-security-single-sign-on)** - to configure the Single Sign-On settings on application side.
-3. **[Create an Azure AD test user](#create-an-azure-ad-test-user)** - to test Azure AD single sign-on with Britta Simon.
-4. **[Assign the Azure AD test user](#assign-the-azure-ad-test-user)** - to enable Britta Simon to use Azure AD single sign-on.
-5. **[Create Menlo Security test user](#create-menlo-security-test-user)** - to have a counterpart of Britta Simon in Menlo Security that is linked to the Azure AD representation of user.
-6. **[Test single sign-on](#test-single-sign-on)** - to verify whether the configuration works.
+## Configure and test Azure AD SSO for Menlo Security
-### Configure Azure AD single sign-on
+Configure and test Azure AD SSO with Menlo Security using a test user called **B.Simon**. For SSO to work, you need to establish a link relationship between an Azure AD user and the related user in Menlo Security.
-In this section, you enable Azure AD single sign-on in the Azure portal.
+To configure and test Azure AD SSO with Menlo Security, perform the following steps:
-To configure Azure AD single sign-on with Menlo Security, perform the following steps:
+1. **[Configure Azure AD SSO](#configure-azure-ad-sso)** - to enable your users to use this feature.
+ 1. **[Create an Azure AD test user](#create-an-azure-ad-test-user)** - to test Azure AD single sign-on with B.Simon.
+ 1. **[Assign the Azure AD test user](#assign-the-azure-ad-test-user)** - to enable B.Simon to use Azure AD single sign-on.
+1. **[Configure Menlo Security SSO](#configure-menlo-security-sso)** - to configure the single sign-on settings on application side.
+ 1. **[Create Menlo Security test user](#create-menlo-security-test-user)** - to have a counterpart of B.Simon in Menlo Security that is linked to the Azure AD representation of user.
+1. **[Test SSO](#test-sso)** - to verify whether the configuration works.
-1. In the [Azure portal](https://portal.azure.com/), on the **Menlo Security** application integration page, select **Single sign-on**.
+## Configure Azure AD SSO
- ![Configure single sign-on link](common/select-sso.png)
+Follow these steps to enable Azure AD SSO in the Azure portal.
-2. On the **Select a Single sign-on method** dialog, select **SAML/WS-Fed** mode to enable single sign-on.
+1. In the Azure portal, on the **Menlo Security** application integration page, find the **Manage** section and select **single sign-on**.
+1. On the **Select a single sign-on method** page, select **SAML**.
+1. On the **Set up single sign-on with SAML** page, click the pencil icon for **Basic SAML Configuration** to edit the settings.
- ![Single sign-on select mode](common/select-saml-option.png)
-
-3. On the **Set up Single Sign-On with SAML** page, click **Edit** icon to open **Basic SAML Configuration** dialog.
-
- ![Edit Basic SAML Configuration](common/edit-urls.png)
+ ![Edit Basic SAML Configuration](common/edit-urls.png)
4. On the **Basic SAML Configuration** section, perform the following steps:
- ![Menlo Security Domain and URLs single sign-on information](common/sp-identifier.png)
- a. In the **Sign on URL** text box, type a URL using the following pattern:
- `https://<subdomain>.menlosecurity.com/account/login`
+ `https://<SUBDOMAIN>.menlosecurity.com/account/login`
b. In the **Identifier (Entity ID)** text box, type a URL using the following pattern:
- `https://<subdomain>.menlosecurity.com/safeview-auth-server/saml/metadata`
+ `https://<SUBDOMAIN>.menlosecurity.com/safeview-auth-server/saml/metadata`
> [!NOTE] > These values are not real. Update these values with the actual Sign on URL and Identifier. Contact [Menlo Security Client support team](https://www.menlosecurity.com/menlo-contact) to get these values. You can also refer to the patterns shown in the **Basic SAML Configuration** section in the Azure portal.
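Review bot: the new step list links to #create-menlo-security-test-user and #test-sso, but the only headings visible in this diff are "## Configure Azure AD SSO" and "## Configure Menlo Security SSO"; since the removed list used #test-single-sign-on, confirm the old "### Test single sign-on" heading was renamed to "## Test SSO" as in the Lifesize and Litmos files, or the anchor will be dead. The context line "## Scenario description In this tutorial, you configure and test Azure AD single sign-on in a test environment." shows the heading fused to its paragraph; make sure the blank line after the heading survived. As in the Lifesize hunk, three new `1.` items are followed by the unchanged "4. On the **Basic SAML Configuration** section"; renumber for consistency.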
To configure Azure AD single sign-on with Menlo Security, perform the following
![Copy configuration URLs](common/copy-configuration-urls.png)
- a. Login URL
+### Create an Azure AD test user
+
+In this section, you'll create a test user in the Azure portal called B.Simon.
- b. Azure AD Identifier
+1. From the left pane in the Azure portal, select **Azure Active Directory**, select **Users**, and then select **All users**.
+1. Select **New user** at the top of the screen.
+1. In the **User** properties, follow these steps:
+ 1. In the **Name** field, enter `B.Simon`.
+ 1. In the **User name** field, enter the username@companydomain.extension. For example, `B.Simon@contoso.com`.
+ 1. Select the **Show password** check box, and then write down the value that's displayed in the **Password** box.
+ 1. Click **Create**.
- c. Logout URL
+### Assign the Azure AD test user
-### Configure Menlo Security Single Sign-On
+In this section, you'll enable B.Simon to use Azure single sign-on by granting access to Menlo Security.
+
+1. In the Azure portal, select **Enterprise Applications**, and then select **All applications**.
+1. In the applications list, select **Menlo Security**.
+1. In the app's overview page, find the **Manage** section and select **Users and groups**.
+1. Select **Add user**, then select **Users and groups** in the **Add Assignment** dialog.
+1. In the **Users and groups** dialog, select **B.Simon** from the Users list, then click the **Select** button at the bottom of the screen.
+1. If you are expecting a role to be assigned to the users, you can select it from the **Select a role** dropdown. If no role has been set up for this app, you see "Default Access" role selected.
+1. In the **Add Assignment** dialog, click the **Assign** button.
+
+## Configure Menlo Security SSO
1. To configure single sign-on on **Menlo Security** side, login to the **Menlo Security** website as an administrator. 2. Under **Settings** go to **Authentication** and perform following actions:
- ![Configure Single Sign-On](./media/menlosecurity-tutorial/menlo_user_setup.png)
+ ![Configure Single Sign-On](./media/menlosecurity-tutorial/authentication.png)
a. Tick the checkbox **Enable user authentication using SAML**.
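Review bot: the list of values to copy from the Set up Menlo Security section (`- a. Login URL`, `- b. Azure AD Identifier`, `- c. Logout URL`) is removed under the "Copy configuration URLs" image, but nothing is added in its place before the new `+### Create an Azure AD test user` heading, so the reader is no longer told which values to carry to the Menlo side, where the SAML settings under Settings > Authentication need the Azure AD login URL and identifier. Keep the three-item list or add the one-line instruction the other tutorials use ("On the Set up Menlo Security section, copy the appropriate URL(s) based on your requirement.") directly after the image. The screenshot path also changes from `menlo_user_setup.png` to `authentication.png`; the renamed file needs to be part of this commit or the image breaks.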
To configure Azure AD single sign-on with Menlo Security, perform the following
g. Click **Save** to save the settings.
-### Create an Azure AD test user
-
-The objective of this section is to create a test user in the Azure portal called Britta Simon.
-
-1. In the Azure portal, in the left pane, select **Azure Active Directory**, select **Users**, and then select **All users**.
-
- ![The "Users and groups" and "All users" links](common/users.png)
-
-2. Select **New user** at the top of the screen.
-
- ![New user Button](common/new-user.png)
-
-3. In the User properties, perform the following steps.
-
- ![The User dialog box](common/user-properties.png)
-
- a. In the **Name** field enter **BrittaSimon**.
-
- b. In the **User name** field type **brittasimon\@yourcompanydomain.extension**
- For example, BrittaSimon@contoso.com
-
- c. Select **Show password** check box, and then write down the value that's displayed in the Password box.
-
- d. Click **Create**.
-
-### Assign the Azure AD test user
-
-In this section, you enable Britta Simon to use Azure single sign-on by granting access to Menlo Security.
-
-1. In the Azure portal, select **Enterprise Applications**, select **All applications**, then select **Menlo Security**.
-
- ![Enterprise applications blade](common/enterprise-applications.png)
-
-2. In the applications list, select **Menlo Security**.
-
- ![The Menlo Security link in the Applications list](common/all-applications.png)
-
-3. In the menu on the left, select **Users and groups**.
-
- ![The "Users and groups" link](common/users-groups-blade.png)
-
-4. Click the **Add user** button, then select **Users and groups** in the **Add Assignment** dialog.
-
- ![The Add Assignment pane](common/add-assign-user.png)
-
-5. In the **Users and groups** dialog select **Britta Simon** in the Users list, then click the **Select** button at the bottom of the screen.
-
-6. If you are expecting any role value in the SAML assertion then in the **Select Role** dialog select the appropriate role for the user from the list, then click the **Select** button at the bottom of the screen.
-
-7. In the **Add Assignment** dialog click the **Assign** button.
- ### Create Menlo Security test user In this section, you create a user called Britta Simon in Menlo Security. Work with [Menlo Security Client support team](https://www.menlosecurity.com/menlo-contact) to add the users in the Menlo Security platform. Users must be created and activated before you use single sign-on.
-### Test single sign-on
+## Test SSO
-In this section, you test your Azure AD single sign-on configuration using the Access Panel.
+In this section, you test your Azure AD single sign-on configuration with following options.
-When you click the Menlo Security tile in the Access Panel, you should be automatically signed in to the Menlo Security for which you set up SSO. For more information about the Access Panel, see [Introduction to the Access Panel](../user-help/my-apps-portal-end-user-access.md).
+* Click on **Test this application** in Azure portal. This will redirect to Menlo Security Sign-on URL where you can initiate the login flow.
-## Additional Resources
+* Go to Menlo Security Sign-on URL directly and initiate the login flow from there.
-- [List of Tutorials on How to Integrate SaaS Apps with Azure Active Directory](./tutorial-list.md)
+* You can use Microsoft My Apps. When you click the Menlo Security tile in the My Apps, this will redirect to Menlo Security Sign-on URL. For more information about the My Apps, see [Introduction to the My Apps](../user-help/my-apps-portal-end-user-access.md).
-- [What is application access and single sign-on with Azure Active Directory?](../manage-apps/what-is-single-sign-on.md)
+## Next steps
-- [What is Conditional Access in Azure Active Directory?](../conditional-access/overview.md)
+Once you configure Menlo Security you can enforce session control, which protects exfiltration and infiltration of your organizationΓÇÖs sensitive data in real time. Session control extends from Conditional Access. [Learn how to enforce session control with Microsoft Cloud App Security](/cloud-app-security/proxy-deployment-aad).
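Review bot: the Menlo-side test-user section left as context still reads "In this section, you create a user called Britta Simon in Menlo Security" while the new Azure AD sections rename the test user (`+In this section, you'll create a test user in the Azure portal called B.Simon.`); rename it so the Azure AD user and its Menlo counterpart refer to the same account, since the page's own premise is that SSO only works when the two are linked. In the added Next steps paragraph, `organizationΓÇÖs` carries a mis-encoded apostrophe (should be `organization's`) and "protects exfiltration and infiltration" should read "protects against exfiltration and infiltration".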
active-directory Optimizely Tutorial https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/active-directory/saas-apps/optimizely-tutorial.md
Previously updated : 03/14/2019 Last updated : 05/24/2021 # Tutorial: Azure Active Directory integration with Optimizely
-In this tutorial, you learn how to integrate Optimizely with Azure Active Directory (Azure AD).
-Integrating Optimizely with Azure AD provides you with the following benefits:
+In this tutorial, you'll learn how to integrate Optimizely with Azure Active Directory (Azure AD). When you integrate Optimizely with Azure AD, you can:
-* You can control in Azure AD who has access to Optimizely.
-* You can enable your users to be automatically signed-in to Optimizely (Single Sign-On) with their Azure AD accounts.
-* You can manage your accounts in one central location - the Azure portal.
-
-If you want to know more details about SaaS app integration with Azure AD, see [What is application access and single sign-on with Azure Active Directory](../manage-apps/what-is-single-sign-on.md).
-If you don't have an Azure subscription, [create a free account](https://azure.microsoft.com/free/) before you begin.
+* Control in Azure AD who has access to Optimizely.
+* Enable your users to be automatically signed-in to Optimizely with their Azure AD accounts.
+* Manage your accounts in one central location - the Azure portal.
## Prerequisites
-To configure Azure AD integration with Optimizely, you need the following items:
+To get started, you need the following items:
-* An Azure AD subscription. If you don't have an Azure AD environment, you can get one-month trial [here](https://azure.microsoft.com/pricing/free-trial/)
-* Optimizely single sign-on enabled subscription
+* An Azure AD subscription. If you don't have a subscription, you can get a [free account](https://azure.microsoft.com/free/).
+* Optimizely single sign-on (SSO) enabled subscription.
## Scenario description In this tutorial, you configure and test Azure AD single sign-on in a test environment.
-* Optimizely supports **SP** initiated SSO
+* Optimizely supports **SP** initiated SSO.
-## Adding Optimizely from the gallery
+## Add Optimizely from the gallery
To configure the integration of Optimizely into Azure AD, you need to add Optimizely from the gallery to your list of managed SaaS apps.
-**To add Optimizely from the gallery, perform the following steps:**
-
-1. In the **[Azure portal](https://portal.azure.com)**, on the left navigation panel, click **Azure Active Directory** icon.
-
- ![The Azure Active Directory button](common/select-azuread.png)
-
-2. Navigate to **Enterprise Applications** and then select the **All Applications** option.
-
- ![The Enterprise applications blade](common/enterprise-applications.png)
-
-3. To add new application, click **New application** button on the top of dialog.
-
- ![The New application button](common/add-new-app.png)
-
-4. In the search box, type **Optimizely**, select **Optimizely** from result panel then click **Add** button to add the application.
-
- ![Optimizely in the results list](common/search-new-app.png)
-
-## Configure and test Azure AD single sign-on
-
-In this section, you configure and test Azure AD single sign-on with Optimizely based on a test user called **Britta Simon**.
-For single sign-on to work, a link relationship between an Azure AD user and the related user in Optimizely needs to be established.
-
-To configure and test Azure AD single sign-on with Optimizely, you need to complete the following building blocks:
+1. Sign in to the Azure portal using either a work or school account, or a personal Microsoft account.
+1. On the left navigation pane, select the **Azure Active Directory** service.
+1. Navigate to **Enterprise Applications** and then select **All Applications**.
+1. To add new application, select **New application**.
+1. In the **Add from the gallery** section, type **Optimizely** in the search box.
+1. Select **Optimizely** from results panel and then add the app. Wait a few seconds while the app is added to your tenant.
-1. **[Configure Azure AD Single Sign-On](#configure-azure-ad-single-sign-on)** - to enable your users to use this feature.
-2. **[Configure Optimizely Single Sign-On](#configure-optimizely-single-sign-on)** - to configure the Single Sign-On settings on application side.
-3. **[Create an Azure AD test user](#create-an-azure-ad-test-user)** - to test Azure AD single sign-on with Britta Simon.
-4. **[Assign the Azure AD test user](#assign-the-azure-ad-test-user)** - to enable Britta Simon to use Azure AD single sign-on.
-5. **[Create Optimizely test user](#create-optimizely-test-user)** - to have a counterpart of Britta Simon in Optimizely that is linked to the Azure AD representation of user.
-6. **[Test single sign-on](#test-single-sign-on)** - to verify whether the configuration works.
+## Configure and test Azure AD SSO for Optimizely
-### Configure Azure AD single sign-on
+Configure and test Azure AD SSO with Optimizely using a test user called **B.Simon**. For SSO to work, you need to establish a link relationship between an Azure AD user and the related user in Optimizely.
-In this section, you enable Azure AD single sign-on in the Azure portal.
+To configure and test Azure AD SSO with Optimizely, perform the following steps:
-To configure Azure AD single sign-on with Optimizely, perform the following steps:
+1. **[Configure Azure AD SSO](#configure-azure-ad-sso)** - to enable your users to use this feature.
+ 1. **[Create an Azure AD test user](#create-an-azure-ad-test-user)** - to test Azure AD single sign-on with B.Simon.
+ 1. **[Assign the Azure AD test user](#assign-the-azure-ad-test-user)** - to enable B.Simon to use Azure AD single sign-on.
+1. **[Configure Optimizely SSO](#configure-optimizely-sso)** - to configure the single sign-on settings on application side.
+ 1. **[Create Optimizely test user](#create-optimizely-test-user)** - to have a counterpart of B.Simon in Optimizely that is linked to the Azure AD representation of user.
+1. **[Test SSO](#test-sso)** - to verify whether the configuration works.
-1. In the [Azure portal](https://portal.azure.com/), on the **Optimizely** application integration page, select **Single sign-on**.
+## Configure Azure AD SSO
- ![Configure single sign-on link](common/select-sso.png)
+Follow these steps to enable Azure AD SSO in the Azure portal.
-2. On the **Select a Single sign-on method** dialog, select **SAML/WS-Fed** mode to enable single sign-on.
+1. In the Azure portal, on the **Optimizely** application integration page, find the **Manage** section and select **single sign-on**.
+1. On the **Select a single sign-on method** page, select **SAML**.
+1. On the **Set up single sign-on with SAML** page, click the pencil icon for **Basic SAML Configuration** to edit the settings.
- ![Single sign-on select mode](common/select-saml-option.png)
-
-3. On the **Set up Single Sign-On with SAML** page, click **Edit** icon to open **Basic SAML Configuration** dialog.
-
- ![Edit Basic SAML Configuration](common/edit-urls.png)
+ ![Edit Basic SAML Configuration](common/edit-urls.png)
4. On the **Basic SAML Configuration** section, perform the following steps:
- ![Optimizely Domain and URLs single sign-on information](common/sp-identifier.png)
- a. In the **Sign on URL** text box, type a URL using the following pattern:
- `https://app.optimizely.net/<instance name>`
+ `https://app.optimizely.net/<INSTANCE_NAME>`
- b. In the **Identifier (Entity ID)** text box, type a URL using the following pattern:
+ b. In the **Identifier (Entity ID)** text box, type a value using the following pattern:
`urn:auth0:optimizely:contoso` > [!NOTE]
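Review bot: in the Basic SAML Configuration steps the instruction line `- a. In the **Sign on URL** text box, type a URL using the following pattern:` is deleted and only `https://app.optimizely.net/<INSTANCE_NAME>` is added, leaving the Sign on URL pattern with no step label while step "b." keeps its instruction; re-add the "a." line as an added line. The change of "type a URL" to "type a value" for the Identifier is correct, since `urn:auth0:optimizely:contoso` is a URN rather than a URL; the `contoso` segment is presumably tenant-specific, and the `[!NOTE]` that follows is cut off in this view, so confirm it tells the reader which part of the URN to replace. Dropping "If you don't have an Azure subscription, create a free account before you begin" is fine because the new Prerequisites bullet carries the same link.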
To configure Azure AD single sign-on with Optimizely, perform the following step
![Copy configuration URLs](common/copy-configuration-urls.png)
- a. Login URL
+### Create an Azure AD test user
+
+In this section, you'll create a test user in the Azure portal called B.Simon.
+
+1. From the left pane in the Azure portal, select **Azure Active Directory**, select **Users**, and then select **All users**.
+1. Select **New user** at the top of the screen.
+1. In the **User** properties, follow these steps:
+ 1. In the **Name** field, enter `B.Simon`.
+ 1. In the **User name** field, enter the username@companydomain.extension. For example, `B.Simon@contoso.com`.
+ 1. Select the **Show password** check box, and then write down the value that's displayed in the **Password** box.
+ 1. Click **Create**.
- b. Azure AD Identifier
+### Assign the Azure AD test user
+
+In this section, you'll enable B.Simon to use Azure single sign-on by granting access to Optimizely.
- c. Logout URL
+1. In the Azure portal, select **Enterprise Applications**, and then select **All applications**.
+1. In the applications list, select **Optimizely**.
+1. In the app's overview page, find the **Manage** section and select **Users and groups**.
+1. Select **Add user**, then select **Users and groups** in the **Add Assignment** dialog.
+1. In the **Users and groups** dialog, select **B.Simon** from the Users list, then click the **Select** button at the bottom of the screen.
+1. If you are expecting a role to be assigned to the users, you can select it from the **Select a role** dropdown. If no role has been set up for this app, you see "Default Access" role selected.
+1. In the **Add Assignment** dialog, click the **Assign** button.
-### Configure Optimizely Single Sign-On
+## Configure Optimizely SSO
1. To configure single sign-on on **Optimizely** side, contact your Optimizely Account Manager and provide the downloaded **Certificate (Base64)** and appropriate copied URLs.
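Review bot: the step "contact your Optimizely Account Manager and provide the downloaded Certificate (Base64) and appropriate copied URLs" still refers to "copied URLs", but the list that defined them (`- a. Login URL`, `- b. Azure AD Identifier`, `- c. Logout URL`) is removed after the "Copy configuration URLs" image and nothing is added in its place before `+### Create an Azure AD test user`. Either keep the list or add the one-line instruction used elsewhere in this commit ("On the Set up Optimizely section, copy the appropriate URL(s) based on your requirement."), so the reader knows that the Login URL, Azure AD Identifier and Logout URL are what the account manager needs alongside the signing certificate.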
To configure Azure AD single sign-on with Optimizely, perform the following step
4. Click you account name in the top right corner and then **Account Settings**.
- ![Screenshot that shows the account name selected in the top-right corner, with "Account Settings" selected from the menu.](./media/optimizely-tutorial/tutorial_optimizely_09.png)
+ ![Screenshot that shows the account name selected in the top-right corner, with "Account Settings" selected from the menu.](./media/optimizely-tutorial/settings.png)
5. In the Account tab, check the box **Enable SSO** under Single Sign On in the **Overview** section.
- ![Azure AD Single Sign-On](./media/optimizely-tutorial/tutorial_optimizely_10.png)
-
-6. Click **Save**
-
-### Create an Azure AD test user
-
-The objective of this section is to create a test user in the Azure portal called Britta Simon.
-
-1. In the Azure portal, in the left pane, select **Azure Active Directory**, select **Users**, and then select **All users**.
-
- ![The "Users and groups" and "All users" links](common/users.png)
-
-2. Select **New user** at the top of the screen.
-
- ![New user Button](common/new-user.png)
-
-3. In the User properties, perform the following steps.
-
- ![The User dialog box](common/user-properties.png)
-
- a. In the **Name** field enter **BrittaSimon**.
-
- b. In the **User name** field type **brittasimon@yourcompanydomain.extension**
- For example, BrittaSimon@contoso.com
-
- c. Select **Show password** check box, and then write down the value that's displayed in the Password box.
-
- d. Click **Create**.
-
-### Assign the Azure AD test user
-
-In this section, you enable Britta Simon to use Azure single sign-on by granting access to Optimizely.
-
-1. In the Azure portal, select **Enterprise Applications**, select **All applications**, then select **Optimizely**.
-
- ![Enterprise applications blade](common/enterprise-applications.png)
-
-2. In the applications list, select **Optimizely**.
-
- ![The Optimizely link in the Applications list](common/all-applications.png)
-
-3. In the menu on the left, select **Users and groups**.
-
- ![The "Users and groups" link](common/users-groups-blade.png)
-
-4. Click the **Add user** button, then select **Users and groups** in the **Add Assignment** dialog.
-
- ![The Add Assignment pane](common/add-assign-user.png)
-
-5. In the **Users and groups** dialog select **Britta Simon** in the Users list, then click the **Select** button at the bottom of the screen.
-
-6. If you are expecting any role value in the SAML assertion then in the **Select Role** dialog select the appropriate role for the user from the list, then click the **Select** button at the bottom of the screen.
+ ![Azure AD Single Sign-On](./media/optimizely-tutorial/account.png)
-7. In the **Add Assignment** dialog click the **Assign** button.
+6. Click **Save**.
### Create Optimizely test user
In this section, you create a user called Britta Simon in Optimizely.
2. To add new collaborator to the project, click **New Collaborator**.
- ![Screenshot that shows the Optimizely home page with the "Collaborators" tab and "New Collaborator" button selected.](./media/optimizely-tutorial/create_aaduser_10.png)
+ ![Screenshot that shows the Optimizely home page with the "Collaborators" tab and "New Collaborator" button selected.](./media/optimizely-tutorial/collaborator.png)
3. Fill in the email address and assign them a role. Click **Invite**.
- ![Creating an Azure AD test user](./media/optimizely-tutorial/create_aaduser_11.png)
+ ![Creating an Azure AD test user](./media/optimizely-tutorial/invite-collaborator.png)
4. They receive an email invite. Using the email address, they have to log in to Optimizely.
-### Test single sign-on
+## Test SSO
-In this section, you test your Azure AD single sign-on configuration using the Access Panel.
+In this section, you test your Azure AD single sign-on configuration with following options.
-When you click the Optimizely tile in the Access Panel, you should be automatically signed in to the Optimizely for which you set up SSO. For more information about the Access Panel, see [Introduction to the Access Panel](../user-help/my-apps-portal-end-user-access.md).
+* Click on **Test this application** in Azure portal. This will redirect to Optimizely Sign-on URL where you can initiate the login flow.
-## Additional Resources
+* Go to Optimizely Sign-on URL directly and initiate the login flow from there.
-- [List of Tutorials on How to Integrate SaaS Apps with Azure Active Directory](./tutorial-list.md)
+* You can use Microsoft My Apps. When you click the Optimizely tile in the My Apps, this will redirect to Optimizely Sign-on URL. For more information about the My Apps, see [Introduction to the My Apps](../user-help/my-apps-portal-end-user-access.md).
-- [What is application access and single sign-on with Azure Active Directory?](../manage-apps/what-is-single-sign-on.md)
+## Next steps
-- [What is Conditional Access in Azure Active Directory?](../conditional-access/overview.md)
+Once you configure Optimizely you can enforce session control, which protects exfiltration and infiltration of your organizationΓÇÖs sensitive data in real time. Session control extends from Conditional Access. [Learn how to enforce session control with Microsoft Cloud App Security](/cloud-app-security/proxy-deployment-aad).
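Review bot: `In this section, you create a user called Britta Simon in Optimizely.` is left unchanged under `### Create Optimizely test user` while every rewritten section in this file uses B.Simon (`+Configure and test Azure AD SSO with Optimizely using a test user called **B.Simon**.`); rename it, and say that the collaborator invite in step 3 must use the same email address as the Azure AD user (`B.Simon@contoso.com` in the example), because the page states SSO depends on the two accounts being linked. The screenshot renames (`tutorial_optimizely_09.png` to `settings.png`, `tutorial_optimizely_10.png` to `account.png`, `create_aaduser_10.png` to `collaborator.png`, `create_aaduser_11.png` to `invite-collaborator.png`) need the renamed files in the same commit. In the added Next steps line, `organizationΓÇÖs` is a mis-encoded apostrophe and "protects exfiltration and infiltration" should be "protects against exfiltration and infiltration".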
active-directory Pandadoc Tutorial https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/active-directory/saas-apps/pandadoc-tutorial.md
Previously updated : 10/17/2019 Last updated : 05/24/2021
In this tutorial, you'll learn how to integrate PandaDoc with Azure Active Direc
* Enable your users to be automatically signed-in to PandaDoc with their Azure AD accounts. * Manage your accounts in one central location - the Azure portal.
-To learn more about SaaS app integration with Azure AD, see [What is application access and single sign-on with Azure Active Directory](../manage-apps/what-is-single-sign-on.md).
- ## Prerequisites To get started, you need the following items:
To get started, you need the following items:
In this tutorial, you configure and test Azure AD SSO in a test environment.
-* PandaDoc supports **SP and IDP** initiated SSO
-* PandaDoc supports **Just In Time** user provisioning
+* PandaDoc supports **SP and IDP** initiated SSO.
+* PandaDoc supports **Just In Time** user provisioning.
> [!NOTE] > Identifier of this application is a fixed string value so only one instance can be configured in one tenant.
-## Adding PandaDoc from the gallery
+## Add PandaDoc from the gallery
To configure the integration of PandaDoc into Azure AD, you need to add PandaDoc from the gallery to your list of managed SaaS apps.
-1. Sign in to the [Azure portal](https://portal.azure.com) using either a work or school account, or a personal Microsoft account.
+1. Sign in to the Azure portal using either a work or school account, or a personal Microsoft account.
1. On the left navigation pane, select the **Azure Active Directory** service. 1. Navigate to **Enterprise Applications** and then select **All Applications**. 1. To add new application, select **New application**. 1. In the **Add from the gallery** section, type **PandaDoc** in the search box. 1. Select **PandaDoc** from results panel and then add the app. Wait a few seconds while the app is added to your tenant.
-## Configure and test Azure AD single sign-on for PandaDoc
+## Configure and test Azure AD SSO for PandaDoc
Configure and test Azure AD SSO with PandaDoc using a test user called **B.Simon**. For SSO to work, you need to establish a link relationship between an Azure AD user and the related user in PandaDoc.
-To configure and test Azure AD SSO with PandaDoc, complete the following building blocks:
+To configure and test Azure AD SSO with PandaDoc, perform the following steps:
1. **[Configure Azure AD SSO](#configure-azure-ad-sso)** - to enable your users to use this feature. 1. **[Create an Azure AD test user](#create-an-azure-ad-test-user)** - to test Azure AD single sign-on with B.Simon.
To configure and test Azure AD SSO with PandaDoc, complete the following buildin
Follow these steps to enable Azure AD SSO in the Azure portal.
-1. In the [Azure portal](https://portal.azure.com/), on the **PandaDoc** application integration page, find the **Manage** section and select **single sign-on**.
+1. In the Azure portal, on the **PandaDoc** application integration page, find the **Manage** section and select **single sign-on**.
1. On the **Select a single sign-on method** page, select **SAML**.
-1. On the **Set up single sign-on with SAML** page, click the edit/pen icon for **Basic SAML Configuration** to edit the settings.
+1. On the **Set up single sign-on with SAML** page, click the pencil icon for **Basic SAML Configuration** to edit the settings.
![Edit Basic SAML Configuration](common/edit-urls.png)
Follow these steps to enable Azure AD SSO in the Azure portal.
1. Click **Set additional URLs** and perform the following step if you wish to configure the application in **SP** initiated mode:
- In the **Sign-on URL** text box, type a URL:
+ In the **Sign-on URL** text box, type the URL:
`https://app.pandadoc.com/sso-login/` 1. PandaDoc application expects the SAML assertions in a specific format, which requires you to add custom attribute mappings to your SAML token attributes configuration. The following screenshot shows the list of default attributes
In this section, you'll enable B.Simon to use Azure single sign-on by granting a
1. In the Azure portal, select **Enterprise Applications**, and then select **All applications**. 1. In the applications list, select **PandaDoc**. 1. In the app's overview page, find the **Manage** section and select **Users and groups**.-
- ![The "Users and groups" link](common/users-groups-blade.png)
- 1. Select **Add user**, then select **Users and groups** in the **Add Assignment** dialog.-
- ![The Add User link](common/add-assign-user.png)
- 1. In the **Users and groups** dialog, select **B.Simon** from the Users list, then click the **Select** button at the bottom of the screen.
-1. If you're expecting any role value in the SAML assertion, in the **Select Role** dialog, select the appropriate role for the user from the list and then click the **Select** button at the bottom of the screen.
+1. If you are expecting a role to be assigned to the users, you can select it from the **Select a role** dropdown. If no role has been set up for this app, you see "Default Access" role selected.
1. In the **Add Assignment** dialog, click the **Assign** button. ## Configure PandaDoc SSO
In this section, a user called B.Simon is created in PandaDoc. PandaDoc supports
## Test SSO
-In this section, you test your Azure AD single sign-on configuration using the Access Panel.
+In this section, you test your Azure AD single sign-on configuration with following options.
+
+#### SP initiated:
+
+* Click on **Test this application** in Azure portal. This will redirect to PandaDoc Sign on URL where you can initiate the login flow.
-When you click the PandaDoc tile in the Access Panel, you should be automatically signed in to the PandaDoc for which you set up SSO. For more information about the Access Panel, see [Introduction to the Access Panel](../user-help/my-apps-portal-end-user-access.md).
+* Go to PandaDoc Sign-on URL directly and initiate the login flow from there.
-## Additional resources
+#### IDP initiated:
-- [ List of Tutorials on How to Integrate SaaS Apps with Azure Active Directory ](./tutorial-list.md)
+* Click on **Test this application** in Azure portal and you should be automatically signed in to the PandaDoc for which you set up the SSO.
-- [What is application access and single sign-on with Azure Active Directory? ](../manage-apps/what-is-single-sign-on.md)
+You can also use Microsoft My Apps to test the application in any mode. When you click the PandaDoc tile in the My Apps, if configured in SP mode you would be redirected to the application sign on page for initiating the login flow and if configured in IDP mode, you should be automatically signed in to the PandaDoc for which you set up the SSO. For more information about the My Apps, see [Introduction to the My Apps](../user-help/my-apps-portal-end-user-access.md).
-- [What is conditional access in Azure Active Directory?](../conditional-access/overview.md)
+## Next steps
-- [Try PandaDoc with Azure AD](https://aad.portal.azure.com/)
+Once you configure PandaDoc you can enforce session control, which protects exfiltration and infiltration of your organizationΓÇÖs sensitive data in real time. Session control extends from Conditional Access. [Learn how to enforce session control with Microsoft Cloud App Security](/cloud-app-security/proxy-deployment-aad).
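Review bot: the new `#### SP initiated:` and `#### IDP initiated:` headings sit directly under `## Test SSO`, skipping the `###` level, and carry trailing colons that no other heading in the file uses; make them `### SP initiated` and `### IDP initiated`. The first SP bullet says "PandaDoc Sign on URL" while the second says "PandaDoc Sign-on URL", and the Basic SAML Configuration step above uses the hyphenated form, so use "Sign-on URL" in both. The Next steps line has the same mis-encoded apostrophe in `organizationΓÇÖs`, and "protects exfiltration and infiltration" should read "protects against exfiltration and infiltration".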
active-directory Perforce Helix Core Tutorial https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/active-directory/saas-apps/perforce-helix-core-tutorial.md
Previously updated : 06/23/2020 Last updated : 05/18/2021
In this tutorial, you'll learn how to integrate Perforce Helix Core - Helix Auth
* Enable your users to be automatically signed-in to Perforce Helix Core - Helix Authentication Service with their Azure AD accounts. * Manage your accounts in one central location - the Azure portal.
-To learn more about SaaS app integration with Azure AD, see [What is application access and single sign-on with Azure Active Directory](../manage-apps/what-is-single-sign-on.md).
- ## Prerequisites To get started, you need the following items:
To get started, you need the following items:
In this tutorial, you configure and test Azure AD SSO in a test environment.
-* Perforce Helix Core - Helix Authentication Service supports **SP** initiated SSO
-* Once you configure Perforce Helix Core - Helix Authentication Service you can enforce session control, which protect exfiltration and infiltration of your organizationΓÇÖs sensitive data in real-time. Session control extend from Conditional Access. [Learn how to enforce session control with Microsoft Cloud App Security](/cloud-app-security/proxy-deployment-any-app).
+* Perforce Helix Core - Helix Authentication Service supports **SP** initiated SSO.
-## Adding Perforce Helix Core - Helix Authentication Service from the gallery
+## Add Perforce Helix Core - Helix Authentication Service from the gallery
To configure the integration of Perforce Helix Core - Helix Authentication Service into Azure AD, you need to add Perforce Helix Core - Helix Authentication Service from the gallery to your list of managed SaaS apps.
-1. Sign in to the [Azure portal](https://portal.azure.com) using either a work or school account, or a personal Microsoft account.
+1. Sign in to the Azure portal using either a work or school account, or a personal Microsoft account.
1. On the left navigation pane, select the **Azure Active Directory** service. 1. Navigate to **Enterprise Applications** and then select **All Applications**. 1. To add new application, select **New application**. 1. In the **Add from the gallery** section, type **Perforce Helix Core - Helix Authentication Service** in the search box. 1. Select **Perforce Helix Core - Helix Authentication Service** from results panel and then add the app. Wait a few seconds while the app is added to your tenant.
-## Configure and test Azure AD single sign-on for Perforce Helix Core - Helix Authentication Service
+## Configure and test Azure AD SSO for Perforce Helix Core - Helix Authentication Service
Configure and test Azure AD SSO with Perforce Helix Core - Helix Authentication Service using a test user called **B.Simon**. For SSO to work, you need to establish a link relationship between an Azure AD user and the related user in Perforce Helix Core - Helix Authentication Service.
-To configure and test Azure AD SSO with Perforce Helix Core - Helix Authentication Service, complete the following building blocks:
+To configure and test Azure AD SSO with Perforce Helix Core - Helix Authentication Service, perform the following steps:
1. **[Configure Azure AD SSO](#configure-azure-ad-sso)** - to enable your users to use this feature. 1. **[Create an Azure AD test user](#create-an-azure-ad-test-user)** - to test Azure AD single sign-on with B.Simon.
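Review bot: the session-control bullet is removed from Scenario description (`-* Once you configure Perforce Helix Core - Helix Authentication Service you can enforce session control ...`) but this hunk adds no replacement; the other tutorials in this commit carry that sentence under a `## Next steps` heading, so confirm the same section is added further down and that it links to `/cloud-app-security/proxy-deployment-aad` rather than the `/cloud-app-security/proxy-deployment-any-app` path used by the removed line, since the two links point at different deployment guides.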
To configure and test Azure AD SSO with Perforce Helix Core - Helix Authenticati
Follow these steps to enable Azure AD SSO in the Azure portal.
-1. In the [Azure portal](https://portal.azure.com/), on the **Perforce Helix Core - Helix Authentication Service** application integration page, find the **Manage** section and select **single sign-on**.
+1. In the Azure portal, on the **Perforce Helix Core - Helix Authentication Service** application integration page, find the **Manage** section and select **single sign-on**.
1. On the **Select a single sign-on method** page, select **SAML**.
-1. On the **Set up single sign-on with SAML** page, click the edit/pen icon for **Basic SAML Configuration** to edit the settings.
+1. On the **Set up single sign-on with SAML** page, click the pencil icon for **Basic SAML Configuration** to edit the settings.
![Edit Basic SAML Configuration](common/edit-urls.png) 1. On the **Basic SAML Configuration** section, enter the values for the following fields: a. In the **Sign on URL** text box, type a URL using the following pattern:
- `https://<helix-auth-service>.<customer-hostname>.com/`
+ `https://<HELIX-AUTH-SERVICE>.<CUSTOMER_HOSTNAME>.com/`
b. In the **Identifier (Entity ID)** text box, type a URL using the following pattern:
- `https://<helix-auth-service>.<customer-hostname>.com/saml`
+ `https://<HELIX-AUTH-SERVICE>.<CUSTOMER_HOSTNAME>.com/saml`
c. In the **Reply URL** text box, type a URL using the following pattern:
- `https://<HELIX-AUTH-SERVICE>.<CUSTOMER-HOSTNAME>.com/saml/sso`
+ `https://<HELIX-AUTH-SERVICE>.<CUSTOMER_HOSTNAME>.com/saml/sso`
> [!NOTE] > These values are not real. Update these values with the actual Sign on URL, Identifier and Reply URL. Contact [Perforce Helix Core - Helix Authentication Service Client support team](mailto:support@perforce.com) to get these values. You can also refer to the patterns shown in the **Basic SAML Configuration** section in the Azure portal.
In this section, you'll enable B.Simon to use Azure single sign-on by granting a
1. In the Azure portal, select **Enterprise Applications**, and then select **All applications**. 1. In the applications list, select **Perforce Helix Core - Helix Authentication Service**. 1. In the app's overview page, find the **Manage** section and select **Users and groups**.-
- ![The "Users and groups" link](common/users-groups-blade.png)
- 1. Select **Add user**, then select **Users and groups** in the **Add Assignment** dialog.-
- ![The Add User link](common/add-assign-user.png)
- 1. In the **Users and groups** dialog, select **B.Simon** from the Users list, then click the **Select** button at the bottom of the screen.
-1. If you're expecting any role value in the SAML assertion, in the **Select Role** dialog, select the appropriate role for the user from the list and then click the **Select** button at the bottom of the screen.
+1. If you are expecting a role to be assigned to the users, you can select it from the **Select a role** dropdown. If no role has been set up for this app, you see "Default Access" role selected.
1. In the **Add Assignment** dialog, click the **Assign** button. ## Configure Perforce Helix Core - Helix Authentication Service SSO
In this section, you create a user called Britta Simon in Perforce Helix Core -
## Test SSO
-In this section, you test your Azure AD single sign-on configuration using the Access Panel.
-
-When you click the Perforce Helix Core - Helix Authentication Service tile in the Access Panel, you should be automatically signed in to the Perforce Helix Core - Helix Authentication Service for which you set up SSO. For more information about the Access Panel, see [Introduction to the Access Panel](../user-help/my-apps-portal-end-user-access.md).
-
-## Additional resources
--- [ List of Tutorials on How to Integrate SaaS Apps with Azure Active Directory ](./tutorial-list.md)
+In this section, you test your Azure AD single sign-on configuration with following options.
-- [What is application access and single sign-on with Azure Active Directory? ](../manage-apps/what-is-single-sign-on.md)
+* Click on **Test this application** in Azure portal. This will redirect to Perforce Helix Core - Helix Authentication Service Sign-on URL where you can initiate the login flow.
-- [What is conditional access in Azure Active Directory?](../conditional-access/overview.md)
+* Go to Perforce Helix Core - Helix Authentication Service Sign-on URL directly and initiate the login flow from there.
-- [Try Perforce Helix Core - Helix Authentication Service with Azure AD](https://aad.portal.azure.com/)
+* You can use Microsoft My Apps. When you click the Perforce Helix Core - Helix Authentication Service tile in the My Apps, this will redirect to Perforce Helix Core - Helix Authentication Service Sign-on URL. For more information about the My Apps, see [Introduction to the My Apps](../user-help/my-apps-portal-end-user-access.md).
-- [What is session control in Microsoft Cloud App Security?](/cloud-app-security/proxy-intro-aad)
+## Next steps
-- [How to protect Perforce Helix Core - Helix Authentication Service with advanced visibility and controls](/cloud-app-security/proxy-intro-aad)
+Once you configure Perforce Helix Core - Helix Authentication Service you can enforce session control, which protects exfiltration and infiltration of your organizationΓÇÖs sensitive data in real time. Session control extends from Conditional Access. [Learn how to enforce session control with Microsoft Cloud App Security](/cloud-app-security/proxy-deployment-aad).
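Review bot: the rewritten Next steps line still ships a mis-encoded apostrophe: `+Once you configure Perforce Helix Core - Helix Authentication Service you can enforce session control, which protects exfiltration and infiltration of your organizationΓÇÖs sensitive data` should read `organization's` (the `ΓÇÖ` sequence is a UTF-8 right single quote decoded as Windows-1252), and since this commit already rewrites the line it is the place to fix it. The rest of the region is consistent: the three URL placeholders now share the `<HELIX-AUTH-SERVICE>.<CUSTOMER_HOSTNAME>` form for Sign on URL, Identifier and Reply URL, and the new Test SSO bullets and the `/cloud-app-security/proxy-deployment-aad` link match the other tutorials in this batch.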
active-directory Pulse Secure Virtual Traffic Manager Tutorial https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/active-directory/saas-apps/pulse-secure-virtual-traffic-manager-tutorial.md
Previously updated : 09/11/2020 Last updated : 05/18/2021
To get started, you need the following items:
In this tutorial, you configure and test Azure AD SSO in a test environment.
-* Pulse Secure Virtual Traffic Manager supports **SP** initiated SSO
+* Pulse Secure Virtual Traffic Manager supports **SP** initiated SSO.
-## Adding Pulse Secure Virtual Traffic Manager from the gallery
+## Add Pulse Secure Virtual Traffic Manager from the gallery
To configure the integration of Pulse Secure Virtual Traffic Manager into Azure AD, you need to add Pulse Secure Virtual Traffic Manager from the gallery to your list of managed SaaS apps.
To configure the integration of Pulse Secure Virtual Traffic Manager into Azure
1. In the **Add from the gallery** section, type **Pulse Secure Virtual Traffic Manager** in the search box. 1. Select **Pulse Secure Virtual Traffic Manager** from results panel and then add the app. Wait a few seconds while the app is added to your tenant. - ## Configure and test Azure AD SSO for Pulse Secure Virtual Traffic Manager Configure and test Azure AD SSO with Pulse Secure Virtual Traffic Manager using a test user called **B.Simon**. For SSO to work, you need to establish a link relationship between an Azure AD user and the related user in Pulse Secure Virtual Traffic Manager.
Follow these steps to enable Azure AD SSO in the Azure portal.
1. In the Azure portal, on the **Pulse Secure Virtual Traffic Manager** application integration page, find the **Manage** section and select **single sign-on**. 1. On the **Select a single sign-on method** page, select **SAML**.
-1. On the **Set up single sign-on with SAML** page, click the edit/pen icon for **Basic SAML Configuration** to edit the settings.
+1. On the **Set up single sign-on with SAML** page, click the pencil icon for **Basic SAML Configuration** to edit the settings.
![Edit Basic SAML Configuration](common/edit-urls.png)
-1. On the **Basic SAML Configuration** section, enter the values for the following fields:
+1. On the **Basic SAML Configuration** section, perform the following steps:
a. In the **Sign on URL** text box, type a URL using the following pattern:
- `https://<published virtual server FQDN>/saml/consume`
+ `https://<PUBLISHED VIRTUAL SERVER FQDN>/saml/consume`
b. In the **Identifier (Entity ID)** text box, type a URL using the following pattern:
- `https://<published virtual server FQDN>/saml/metadata`
+ `https://<PUBLISHED VIRTUAL SERVER FQDN>/saml/metadata`
c. In the **Reply URL** text box, type a URL using the following pattern:
- `https://<published virtual server FQDN>/saml/consume`
+ `https://<PUBLISHED VIRTUAL SERVER FQDN>/saml/consume`
> [!NOTE]
- > These values are not real. Update these values with the actual Sign on URL and Identifier. Contact [Pulse Secure Virtual Traffic Manager Client support team](mailto:support@pulsesecure.net) to get these values. You can also refer to the patterns shown in the **Basic SAML Configuration** section in the Azure portal.
+ > These values are not real. Update these values with the actual Sign on URL,Reply URL and Identifier. Contact [Pulse Secure Virtual Traffic Manager Client support team](mailto:support@pulsesecure.net) to get these values. You can also refer to the patterns shown in the **Basic SAML Configuration** section in the Azure portal.
1. On the **Set up single sign-on with SAML** page, in the **SAML Signing Certificate** section, find **Certificate (Base64)** and select **Download** to download the certificate and save it on your computer.
In this section, you'll enable B.Simon to use Azure single sign-on by granting a
This section covers the configuration needed to enable Azure AD SAML authentication on the Pulse Virtual Traffic Manager. All configuration changes are made on the Pulse Virtual Traffic Manager using the Admin web UI.
-#### Create a SAML Trusted Identity Provider
+### Create a SAML Trusted Identity Provider
a. Go to the **Pulse Virtual Traffic Manager Appliance Admin UI > Catalog > SAML > Trusted Identity Providers Catalog** page and click **Edit**.
a. Go to the **Pulse Virtual Traffic Manager Appliance Admin UI > Catalog > SAML
b. Add the details for the new SAML Trusted Identity Provider, copying the information from the Azure AD Enterprise application under the Single sign-on settings page and then click **Create New Trusted Identity Provider**.
-![Create New Trusted Identity Provider](./media/pulse-secure-virtual-traffic-manager-tutorial/create-trusted-identity-provider.png)
+![Create New Trusted Identity Provider](./media/pulse-secure-virtual-traffic-manager-tutorial/identity-provider.png)
* In the **Name** textbox, enter a name for the trusted identity provider.
b. Add the details for the new SAML Trusted Identity Provider, copying the infor
c. Verify that the new SAML Identity Provider was successfully created.
-![Verify Trusted Identity Provider](./media/pulse-secure-virtual-traffic-manager-tutorial/verify-saml-identity-provider.png)
+![Verify Trusted Identity Provider](./media/pulse-secure-virtual-traffic-manager-tutorial/verify-identity-provider.png)
-#### Configure the Virtual Server to use Azure AD Authentication
+### Configure the Virtual Server to use Azure AD Authentication
a. Go to the **Pulse Virtual Traffic Manager Appliance Admin UI > Services > Virtual Servers** page and click **Edit** next to the previously created Virtual server.
c. Configure the following authentication settings for the virtual server:
![authentication settings for virtual server](./media/pulse-secure-virtual-traffic-manager-tutorial/authentication-1.png)
- a. In the **Auth!type**, select **SAML Service Provider**
+ a. In the **Auth!type**, select **SAML Service Provider**.
- b. In the **Auth!verbose**, set to ΓÇ£YesΓÇ¥ to troubleshoot any authentication issues, otherwise, leave default as ΓÇ£NoΓÇ¥
+ b. In the **Auth!verbose**, set to ΓÇ£YesΓÇ¥ to troubleshoot any authentication issues, otherwise, leave default as ΓÇ£NoΓÇ¥.
2. Authentication Session Management - ![Authentication Session Management](./media/pulse-secure-virtual-traffic-manager-tutorial/authentication-session.png)
- a. For **Auth!session!cookie_name**, leave default as ΓÇ£VS_SamlSP_AuthΓÇ¥
+ a. For **Auth!session!cookie_name**, leave default as ΓÇ£VS_SamlSP_AuthΓÇ¥.
- b. For **auth!session!timeout**, leave default to ΓÇ£7200ΓÇ¥
+ b. For **auth!session!timeout**, leave default to ΓÇ£7200ΓÇ¥.
- c. In **auth!session!log_external_state**, set to ΓÇ£YesΓÇ¥ to troubleshoot any authentication issues, otherwise, leave default as ΓÇ£NoΓÇ¥
+ c. In **auth!session!log_external_state**, set to ΓÇ£YesΓÇ¥ to troubleshoot any authentication issues, otherwise, leave default as ΓÇ£NoΓÇ¥.
- d. In **auth!session!cookie_attributes**, change to ΓÇ£HTTPOnlyΓÇ¥
+ d. In **auth!session!cookie_attributes**, change to ΓÇ£HTTPOnlyΓÇ¥.
3. SAML Service Provider -
- ![SAML Service Provider](./media/pulse-secure-virtual-traffic-manager-tutorial/saml-service-provider.png)
+ ![SAML Service Provider](./media/pulse-secure-virtual-traffic-manager-tutorial/service-provider.png)
a. In the **auth!saml!sp_entity_id** textbox, set to the same URL used as the Azure AD Single sign-on configuration Identifier (Entity ID). Like `https://pulseweb.labb.info/saml/metadata`.
In this section, you create a user called Britta Simon in Pulse Secure Virtual T
In this section, you test your Azure AD single sign-on configuration with following options.
-1. Click on **Test this application** in Azure portal. This will redirect to Pulse Secure Virtual Traffic Manager Sign-on URL where you can initiate the login flow.
+* Click on **Test this application** in Azure portal. This will redirect to Pulse Secure Virtual Traffic Manager Sign-on URL where you can initiate the login flow.
-2. Go to Pulse Secure Virtual Traffic Manager Sign-on URL directly and initiate the login flow from there.
+* Go to Pulse Secure Virtual Traffic Manager Sign-on URL directly and initiate the login flow from there.
-3. You can use Microsoft Access Panel. When you click the Pulse Secure Virtual Traffic Manager tile in the Access Panel, this will redirect to Pulse Secure Virtual Traffic Manager Sign-on URL. For more information about the Access Panel, see [Introduction to the Access Panel](../user-help/my-apps-portal-end-user-access.md).
+* You can use Microsoft My Apps. When you click the Pulse Secure Virtual Traffic Manager tile in the My Apps, this will redirect to Pulse Secure Virtual Traffic Manager Sign-on URL. For more information about the My Apps, see [Introduction to the My Apps](../user-help/my-apps-portal-end-user-access.md).
## Next steps
-Once you configure Pulse Secure Virtual Traffic Manager you can enforce session control, which protects exfiltration and infiltration of your organizationΓÇÖs sensitive data in real time. Session control extends from Conditional Access. [Learn how to enforce session control with Microsoft Cloud App Security](/cloud-app-security/proxy-deployment-any-app).
+Once you configure Pulse Secure Virtual Traffic Manager you can enforce session control, which protects exfiltration and infiltration of your organizationΓÇÖs sensitive data in real time. Session control extends from Conditional Access. [Learn how to enforce session control with Microsoft Cloud App Security](/cloud-app-security/proxy-deployment-aad).
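Review bot: the edited note has a spacing typo in `+ > These values are not real. Update these values with the actual Sign on URL,Reply URL and Identifier.` (missing space after the comma). Three further points in this region: the `+` lines for the authentication and session-management steps keep mis-encoded quote marks (`ΓÇ£YesΓÇ¥`, `ΓÇ£VS_SamlSP_AuthΓÇ¥`, `ΓÇ£7200ΓÇ¥`, `ΓÇ£HTTPOnlyΓÇ¥`) that should be plain ASCII `"Yes"` and so on, and the same `organizationΓÇÖs` artifact is carried into the new Next steps line; the `Auth!verbose` and `auth!session!log_external_state` steps say to set `Yes` only while troubleshooting, which is right, but the doc would be clearer if it also said to return both to `No` once the issue is resolved, since verbose logging of SAML session state is not a production setting; and the untouched example `https://pulseweb.labb.info/saml/metadata` for `auth!saml!sp_entity_id` uses a real-looking hostname where the rest of the section now uses the `<PUBLISHED VIRTUAL SERVER FQDN>` placeholder, so it should follow the same form.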
active-directory Reward Gateway Tutorial https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/active-directory/saas-apps/reward-gateway-tutorial.md
Previously updated : 03/26/2019 Last updated : 05/18/2021 # Tutorial: Azure Active Directory integration with Reward Gateway
-In this tutorial, you learn how to integrate Reward Gateway with Azure Active Directory (Azure AD).
-Integrating Reward Gateway with Azure AD provides you with the following benefits:
+In this tutorial, you'll learn how to integrate Reward Gateway with Azure Active Directory (Azure AD). When you integrate Reward Gateway with Azure AD, you can:
-* You can control in Azure AD who has access to Reward Gateway.
-* You can enable your users to be automatically signed-in to Reward Gateway (Single Sign-On) with their Azure AD accounts.
-* You can manage your accounts in one central location - the Azure portal.
-
-If you want to know more details about SaaS app integration with Azure AD, see [What is application access and single sign-on with Azure Active Directory](../manage-apps/what-is-single-sign-on.md).
-If you don't have an Azure subscription, [create a free account](https://azure.microsoft.com/free/) before you begin.
+* Control in Azure AD who has access to Reward Gateway.
+* Enable your users to be automatically signed-in to Reward Gateway with their Azure AD accounts.
+* Manage your accounts in one central location - the Azure portal.
## Prerequisites To configure Azure AD integration with Reward Gateway, you need the following items:
-* An Azure AD subscription. If you don't have an Azure AD environment, you can get a [free account](https://azure.microsoft.com/free/)
-* Reward Gateway single sign-on enabled subscription
+* An Azure AD subscription. If you don't have an Azure AD environment, you can get a [free account](https://azure.microsoft.com/free/).
+* Reward Gateway single sign-on enabled subscription.
## Scenario description In this tutorial, you configure and test Azure AD single sign-on in a test environment.
-* Reward Gateway supports **IDP** initiated SSO
+* Reward Gateway supports **IDP** initiated SSO.
-## Adding Reward Gateway from the gallery
+## Add Reward Gateway from the gallery
To configure the integration of Reward Gateway into Azure AD, you need to add Reward Gateway from the gallery to your list of managed SaaS apps.
-**To add Reward Gateway from the gallery, perform the following steps:**
-
-1. In the **[Azure portal](https://portal.azure.com)**, on the left navigation panel, click **Azure Active Directory** icon.
-
- ![The Azure Active Directory button](common/select-azuread.png)
-
-2. Navigate to **Enterprise Applications** and then select the **All Applications** option.
-
- ![The Enterprise applications blade](common/enterprise-applications.png)
-
-3. To add new application, click **New application** button on the top of dialog.
-
- ![The New application button](common/add-new-app.png)
-
-4. In the search box, type **Reward Gateway**, select **Reward Gateway** from result panel then click **Add** button to add the application.
-
- ![Reward Gateway in the results list](common/search-new-app.png)
-
-## Configure and test Azure AD single sign-on
+1. Sign in to the Azure portal using either a work or school account, or a personal Microsoft account.
+1. On the left navigation pane, select the **Azure Active Directory** service.
+1. Navigate to **Enterprise Applications** and then select **All Applications**.
+1. To add new application, select **New application**.
+1. In the **Add from the gallery** section, type **Reward Gateway** in the search box.
+1. Select **Reward Gateway** from results panel and then add the app. Wait a few seconds while the app is added to your tenant.
-In this section, you configure and test Azure AD single sign-on with Reward Gateway based on a test user called **Britta Simon**.
-For single sign-on to work, a link relationship between an Azure AD user and the related user in Reward Gateway needs to be established.
+## Configure and test Azure AD SSO for Reward Gateway
-To configure and test Azure AD single sign-on with Reward Gateway, you need to complete the following building blocks:
+Configure and test Azure AD SSO with Reward Gateway using a test user called **B.Simon**. For SSO to work, you need to establish a link relationship between an Azure AD user and the related user in Reward Gateway.
-1. **[Configure Azure AD Single Sign-On](#configure-azure-ad-single-sign-on)** - to enable your users to use this feature.
-2. **[Configure Reward Gateway Single Sign-On](#configure-reward-gateway-single-sign-on)** - to configure the Single Sign-On settings on application side.
-3. **[Create an Azure AD test user](#create-an-azure-ad-test-user)** - to test Azure AD single sign-on with Britta Simon.
-4. **[Assign the Azure AD test user](#assign-the-azure-ad-test-user)** - to enable Britta Simon to use Azure AD single sign-on.
-5. **[Create Reward Gateway test user](#create-reward-gateway-test-user)** - to have a counterpart of Britta Simon in Reward Gateway that is linked to the Azure AD representation of user.
-6. **[Test single sign-on](#test-single-sign-on)** - to verify whether the configuration works.
+To configure and test Azure AD SSO with Reward Gateway, perform the following steps:
-### Configure Azure AD single sign-on
+1. **[Configure Azure AD SSO](#configure-azure-ad-sso)** - to enable your users to use this feature.
+ 1. **[Create an Azure AD test user](#create-an-azure-ad-test-user)** - to test Azure AD single sign-on with B.Simon.
+ 1. **[Assign the Azure AD test user](#assign-the-azure-ad-test-user)** - to enable B.Simon to use Azure AD single sign-on.
+1. **[Configure Reward Gateway SSO](#configure-reward-gateway-sso)** - to configure the single sign-on settings on application side.
+ 1. **[Create Reward Gateway test user](#create-reward-gateway-test-user)** - to have a counterpart of B.Simon in Reward Gateway that is linked to the Azure AD representation of user.
+1. **[Test SSO](#test-sso)** - to verify whether the configuration works.
-In this section, you enable Azure AD single sign-on in the Azure portal.
+## Configure Azure AD SSO
-To configure Azure AD single sign-on with Reward Gateway, perform the following steps:
+Follow these steps to enable Azure AD SSO in the Azure portal.
-1. In the [Azure portal](https://portal.azure.com/), on the **Reward Gateway** application integration page, select **Single sign-on**.
+1. In the Azure portal, on the **Reward Gateway** application integration page, find the **Manage** section and select **single sign-on**.
+1. On the **Select a single sign-on method** page, select **SAML**.
+1. On the **Set up single sign-on with SAML** page, click the pencil icon for **Basic SAML Configuration** to edit the settings.
- ![Configure single sign-on link](common/select-sso.png)
-
-2. On the **Select a Single sign-on method** dialog, select **SAML/WS-Fed** mode to enable single sign-on.
-
- ![Single sign-on select mode](common/select-saml-option.png)
-
-3. On the **Set up Single Sign-On with SAML** page, click **Edit** icon to open **Basic SAML Configuration** dialog.
-
- ![Edit Basic SAML Configuration](common/edit-urls.png)
+ ![Edit Basic SAML Configuration](common/edit-urls.png)
4. On the **Set up Single Sign-On with SAML** page, perform the following steps:
- ![Reward Gateway Domain and URLs single sign-on information](common/idp-intiated.png)
-
- a. In the **Identifier** text box, type a URL using the following pattern:
+ a. In the **Identifier** text box, type a URL using one of the following patterns:
- - `https://<companyname>.rewardgateway.com`
- - `https://<companyname>.rewardgateway.co.uk/`
- - `https://<companyname>.rewardgateway.co.nz/`
- - `https://<companyname>.rewardgateway.com.au/`
+ | Identifier URL |
+ ||
+ | `https://<COMPANY_NAME>.rewardgateway.com` |
+ | `https://<COMPANY_NAME>.rewardgateway.co.uk/` |
+ | `https://<COMPANY_NAME>.rewardgateway.co.nz/` |
+ | `https://<COMPANY_NAME>.rewardgateway.com.au/`|
+ |
- b. In the **Reply URL** text box, type a URL using the following pattern:
+ b. In the **Reply URL** text box, type a URL using one of the following patterns:
- - `https://<companyname>.rewardgateway.com/Authentication/EndLogin?idp=<Unique Id>`
- - `https://<companyname>.rewardgateway.co.uk/Authentication/EndLogin?idp=<Unique Id>`
- - `https://<companyname>.rewardgateway.co.nz/Authentication/EndLogin?idp=<Unique Id>`
- - `https://<companyname>.rewardgateway.com.au/Authentication/EndLogin?idp=<Unique Id>`
+ | Reply URL |
+ ||
+ | `https://<COMPANY_NAME>.rewardgateway.com/Authentication/EndLogin?idp=<Unique Id>` |
+ | `https://<COMPANY_NAME>.rewardgateway.co.uk/Authentication/EndLogin?idp=<Unique Id>` |
+ | `https://<COMPANY_NAME>.rewardgateway.co.nz/Authentication/EndLogin?idp=<Unique Id>` |
+ | `https://<COMPANY_NAME>.rewardgateway.com.au/Authentication/EndLogin?idp=<Unique Id>` |
+ |
> [!NOTE] > These values are not real. Update these values with the actual Identifier and Reply URL. To get these values start setting up an Integration on the Reward Manager Portal. Details can be found on https://success.rewardgateway.com/hc/en-us/articles/360038650573-Microsoft-Azure-for-Authentication
To configure Azure AD single sign-on with Reward Gateway, perform the following
![Copy configuration URLs](common/copy-configuration-urls.png)
- a. Login URL
-
- b. Azure Ad Identifier
-
- c. Logout URL
-
-### Configure Reward Gateway Single Sign-On
-
-To configure single sign-on on **Reward Gateway** side, start setting up an Integration on the Reward Manager Portal. Use the downloaded metadata to obtain your Signing Certificate and upload that during the configuration. Details can be found on https://success.rewardgateway.com/hc/en-us/articles/360038650573-Microsoft-Azure-for-Authentication
- ### Create an Azure AD test user
-The objective of this section is to create a test user in the Azure portal called Britta Simon.
-
-1. In the Azure portal, in the left pane, select **Azure Active Directory**, select **Users**, and then select **All users**.
-
- ![The "Users and groups" and "All users" links](common/users.png)
-
-2. Select **New user** at the top of the screen.
-
- ![New user Button](common/new-user.png)
-
-3. In the User properties, perform the following steps.
-
- ![The User dialog box](common/user-properties.png)
-
- a. In the **Name** field enter **BrittaSimon**.
-
- b. In the **User name** field type `brittasimon@yourcompanydomain.extension`
- For example, BrittaSimon@contoso.com
-
- c. Select **Show password** check box, and then write down the value that's displayed in the Password box.
+In this section, you'll create a test user in the Azure portal called B.Simon.
- d. Click **Create**.
+1. From the left pane in the Azure portal, select **Azure Active Directory**, select **Users**, and then select **All users**.
+1. Select **New user** at the top of the screen.
+1. In the **User** properties, follow these steps:
+ 1. In the **Name** field, enter `B.Simon`.
+ 1. In the **User name** field, enter the username@companydomain.extension. For example, `B.Simon@contoso.com`.
+ 1. Select the **Show password** check box, and then write down the value that's displayed in the **Password** box.
+ 1. Click **Create**.
### Assign the Azure AD test user
-In this section, you enable Britta Simon to use Azure single sign-on by granting access to Reward Gateway.
+In this section, you'll enable B.Simon to use Azure single sign-on by granting access to Reward Gateway.
-1. In the Azure portal, select **Enterprise Applications**, select **All applications**, then select **Reward Gateway**.
+1. In the Azure portal, select **Enterprise Applications**, and then select **All applications**.
+1. In the applications list, select **Reward Gateway**.
+1. In the app's overview page, find the **Manage** section and select **Users and groups**.
+1. Select **Add user**, then select **Users and groups** in the **Add Assignment** dialog.
+1. In the **Users and groups** dialog, select **B.Simon** from the Users list, then click the **Select** button at the bottom of the screen.
+1. If you are expecting a role to be assigned to the users, you can select it from the **Select a role** dropdown. If no role has been set up for this app, you see "Default Access" role selected.
+1. In the **Add Assignment** dialog, click the **Assign** button.
- ![Enterprise applications blade](common/enterprise-applications.png)
+## Configure Reward Gateway SSO
-2. In the applications list, select **Reward Gateway**.
-
- ![The Reward Gateway link in the Applications list](common/all-applications.png)
-
-3. In the menu on the left, select **Users and groups**.
-
- ![The "Users and groups" link](common/users-groups-blade.png)
-
-4. Click the **Add user** button, then select **Users and groups** in the **Add Assignment** dialog.
-
- ![The Add Assignment pane](common/add-assign-user.png)
-
-5. In the **Users and groups** dialog select **Britta Simon** in the Users list, then click the **Select** button at the bottom of the screen.
-
-6. If you are expecting any role value in the SAML assertion then in the **Select Role** dialog select the appropriate role for the user from the list, then click the **Select** button at the bottom of the screen.
-
-7. In the **Add Assignment** dialog click the **Assign** button.
+To configure single sign-on on **Reward Gateway** side, start setting up an Integration on the Reward Manager Portal. Use the downloaded metadata to obtain your Signing Certificate and upload that during the configuration. Details can be found on https://success.rewardgateway.com/hc/en-us/articles/360038650573-Microsoft-Azure-for-Authentication.
### Create Reward Gateway test user In this section, you create a user called Britta Simon in Reward Gateway. Work with [Reward Gateway support team](mailto:clientsupport@rewardgateway.com) to add the users in the Reward Gateway platform. Users must be created and activated before you use single sign-on.
-### Test single sign-on
-
-In this section, you test your Azure AD single sign-on configuration using the Access Panel.
+## Test SSO
-When you click the Reward Gateway tile in the Access Panel, you should be automatically signed in to the Reward Gateway for which you set up SSO. For more information about the Access Panel, see [Introduction to the Access Panel](../user-help/my-apps-portal-end-user-access.md).
+In this section, you test your Azure AD single sign-on configuration with following options.
-## Additional Resources
+* Click on Test this application in Azure portal and you should be automatically signed in to the Reward Gateway for which you set up the SSO.
-- [List of Tutorials on How to Integrate SaaS Apps with Azure Active Directory](./tutorial-list.md)
+* You can use Microsoft My Apps. When you click the Reward Gateway tile in the My Apps, you should be automatically signed in to the Reward Gateway for which you set up the SSO. For more information about the My Apps, see [Introduction to the My Apps](../user-help/my-apps-portal-end-user-access.md).
-- [What is application access and single sign-on with Azure Active Directory?](../manage-apps/what-is-single-sign-on.md)
+## Next steps
-- [What is Conditional Access in Azure Active Directory?](../conditional-access/overview.md)
+Once you configure Reward Gateway you can enforce session control, which protects exfiltration and infiltration of your organizationΓÇÖs sensitive data in real time. Session control extends from Conditional Access. [Learn how to enforce session control with Microsoft Cloud App Security](/cloud-app-security/proxy-deployment-aad).
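Review bot: the new Identifier and Reply URL tables will not render as tables: a Markdown table needs a delimiter row such as `|--|` under the header, but the added rows use `||` (`+ | Identifier URL |` followed by `+ ||`), and each table ends with a stray `+ |` line that becomes a dangling empty row. Two smaller points in the same region: after the list was converted to `1.` markers, the untouched context line `4. On the **Set up Single Sign-On with SAML** page, perform the following steps:` restarts numbering at 4 and should become `1.`; and `username@companydomain.extension` in the Create-test-user step is the only unformatted placeholder in that list (compare the backticked `B.Simon@contoso.com` on the same line). The Test SSO bullets correctly describe the IDP-initiated flow declared under Scenario description, so no Sign-on URL bullet is needed here.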
active-directory Saucelabs Mobileandwebtesting Tutorial https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/active-directory/saas-apps/saucelabs-mobileandwebtesting-tutorial.md
Previously updated : 03/22/2019 Last updated : 05/20/2021 # Tutorial: Azure Active Directory integration with Sauce Labs - Mobile and Web Testing
-In this tutorial, you learn how to integrate Sauce Labs - Mobile and Web Testing with Azure Active Directory (Azure AD).
-Integrating Sauce Labs - Mobile and Web Testing with Azure AD provides you with the following benefits:
+In this tutorial, you'll learn how to integrate Sauce Labs - Mobile and Web Testing with Azure Active Directory (Azure AD). When you integrate Sauce Labs - Mobile and Web Testing with Azure AD, you can:
-* You can control in Azure AD who has access to Sauce Labs - Mobile and Web Testing.
-* You can enable your users to be automatically signed-in to Sauce Labs - Mobile and Web Testing (Single Sign-On) with their Azure AD accounts.
-* You can manage your accounts in one central location - the Azure portal.
-
-If you want to know more details about SaaS app integration with Azure AD, see [What is application access and single sign-on with Azure Active Directory](../manage-apps/what-is-single-sign-on.md).
-If you don't have an Azure subscription, [create a free account](https://azure.microsoft.com/free/) before you begin.
+* Control in Azure AD who has access to Sauce Labs - Mobile and Web Testing.
+* Enable your users to be automatically signed-in to Sauce Labs - Mobile and Web Testing with their Azure AD accounts.
+* Manage your accounts in one central location - the Azure portal.
## Prerequisites To configure Azure AD integration with Sauce Labs - Mobile and Web Testing, you need the following items:
-* An Azure AD subscription. If you don't have an Azure AD environment, you can get a [free account](https://azure.microsoft.com/free/)
-* Sauce Labs - Mobile and Web Testing single sign-on enabled subscription
+* An Azure AD subscription. If you don't have an Azure AD environment, you can get a [free account](https://azure.microsoft.com/free/).
+* Sauce Labs - Mobile and Web Testing single sign-on enabled subscription.
## Scenario description In this tutorial, you configure and test Azure AD single sign-on in a test environment.
-* Sauce Labs - Mobile and Web Testing supports **IDP** initiated SSO
-* Sauce Labs - Mobile and Web Testing supports **Just In Time** user provisioning
+* Sauce Labs - Mobile and Web Testing supports **IDP** initiated SSO.
+* Sauce Labs - Mobile and Web Testing supports **Just In Time** user provisioning.
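Review bot: in the rewritten benefits list, "automatically signed-in to Sauce Labs" (second bullet) uses the adjective form where the verb is needed; suggest "automatically signed in to". The removed "If you don't have an Azure subscription, create a free account" line is covered by the free-account link that survives in Prerequisites, so that deletion is fine, but the removed pointer to "What is application access and single sign-on with Azure Active Directory" has no replacement anywhere in this file; if the template drops it on purpose, fine, otherwise keep it under Next steps.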
-## Adding Sauce Labs - Mobile and Web Testing from the gallery
+## Add Sauce Labs - Mobile and Web Testing from the gallery
To configure the integration of Sauce Labs - Mobile and Web Testing into Azure AD, you need to add Sauce Labs - Mobile and Web Testing from the gallery to your list of managed SaaS apps.
-**To add Sauce Labs - Mobile and Web Testing from the gallery, perform the following steps:**
-
-1. In the **[Azure portal](https://portal.azure.com)**, on the left navigation panel, click **Azure Active Directory** icon.
-
- ![The Azure Active Directory button](common/select-azuread.png)
-
-2. Navigate to **Enterprise Applications** and then select the **All Applications** option.
-
- ![The Enterprise applications blade](common/enterprise-applications.png)
-
-3. To add new application, click **New application** button on the top of dialog.
-
- ![The New application button](common/add-new-app.png)
-
-4. In the search box, type **Sauce Labs - Mobile and Web Testing**, select **Sauce Labs - Mobile and Web Testing** from result panel then click **Add** button to add the application.
-
- ![Sauce Labs - Mobile and Web Testing in the results list](common/search-new-app.png)
-
-## Configure and test Azure AD single sign-on
-
-In this section, you configure and test Azure AD single sign-on with Sauce Labs - Mobile and Web Testing based on a test user called **Britta Simon**.
-For single sign-on to work, a link relationship between an Azure AD user and the related user in Sauce Labs - Mobile and Web Testing needs to be established.
-
-To configure and test Azure AD single sign-on with Sauce Labs - Mobile and Web Testing, you need to complete the following building blocks:
+1. Sign in to the Azure portal using either a work or school account, or a personal Microsoft account.
+1. On the left navigation pane, select the **Azure Active Directory** service.
+1. Navigate to **Enterprise Applications** and then select **All Applications**.
+1. To add new application, select **New application**.
+1. In the **Add from the gallery** section, type **Sauce Labs - Mobile and Web Testing** in the search box.
+1. Select **Sauce Labs - Mobile and Web Testing** from results panel and then add the app. Wait a few seconds while the app is added to your tenant.
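Review bot: minor wording in the new gallery steps: "To add new application, select **New application**" should read "To add a new application", and "from results panel" should be "from the results panel". The six steps otherwise replace the four screenshot-driven steps one for one and match the template used in the other tutorials in this batch.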
-1. **[Configure Azure AD Single Sign-On](#configure-azure-ad-single-sign-on)** - to enable your users to use this feature.
-2. **[Configure Sauce Labs - Mobile and Web Testing Single Sign-On](#configure-sauce-labsmobile-and-web-testing-single-sign-on)** - to configure the Single Sign-On settings on application side.
-3. **[Create an Azure AD test user](#create-an-azure-ad-test-user)** - to test Azure AD single sign-on with Britta Simon.
-4. **[Assign the Azure AD test user](#assign-the-azure-ad-test-user)** - to enable Britta Simon to use Azure AD single sign-on.
-5. **[Create Sauce Labs - Mobile and Web Testing test user](#create-sauce-labsmobile-and-web-testing-test-user)** - to have a counterpart of Britta Simon in Sauce Labs - Mobile and Web Testing that is linked to the Azure AD representation of user.
-6. **[Test single sign-on](#test-single-sign-on)** - to verify whether the configuration works.
+## Configure and test Azure AD SSO for Sauce Labs - Mobile and Web Testing
-### Configure Azure AD single sign-on
+Configure and test Azure AD SSO with Sauce Labs - Mobile and Web Testing using a test user called **B.Simon**. For SSO to work, you need to establish a link relationship between an Azure AD user and the related user in Sauce Labs - Mobile and Web Testing.
-In this section, you enable Azure AD single sign-on in the Azure portal.
+To configure and test Azure AD SSO with Sauce Labs - Mobile and Web Testing, perform the following steps:
-To configure Azure AD single sign-on with Sauce Labs - Mobile and Web Testing, perform the following steps:
+1. **[Configure Azure AD SSO](#configure-azure-ad-sso)** - to enable your users to use this feature.
+ 1. **[Create an Azure AD test user](#create-an-azure-ad-test-user)** - to test Azure AD single sign-on with B.Simon.
+ 1. **[Assign the Azure AD test user](#assign-the-azure-ad-test-user)** - to enable B.Simon to use Azure AD single sign-on.
+1. **[Configure Sauce Labs - Mobile and Web Testing SSO](#configure-sauce-labsmobile-and-web-testing-sso)** - to configure the single sign-on settings on application side.
+ 1. **[Create Sauce Labs - Mobile and Web Testing test user](#create-sauce-labsmobile-and-web-testing-test-user)** - to have a counterpart of B.Simon in Sauce Labs - Mobile and Web Testing that is linked to the Azure AD representation of user.
+1. **[Test SSO](#test-sso)** - to verify whether the configuration works.
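Review bot: verify in a rendered preview that the fragments `#configure-sauce-labsmobile-and-web-testing-sso` and `#create-sauce-labsmobile-and-web-testing-test-user` resolve to the new headings "Configure Sauce Labs - Mobile and Web Testing SSO" and "Create Sauce Labs - Mobile and Web Testing test user"; they follow the same collapsing of " - " that the removed links used, so they are consistent with prior convention, but a wrong fragment fails silently by leaving the reader at the top of the page. The nested "1." numbering for the create/assign sub-steps agrees with the order the new sections appear in, so outline and headings line up.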
-1. In the [Azure portal](https://portal.azure.com/), on the **Sauce Labs - Mobile and Web Testing** application integration page, select **Single sign-on**.
+## Configure Azure AD SSO
- ![Configure single sign-on link](common/select-sso.png)
+Follow these steps to enable Azure AD SSO in the Azure portal.
-2. On the **Select a Single sign-on method** dialog, select **SAML/WS-Fed** mode to enable single sign-on.
+1. In the Azure portal, on the **Sauce Labs - Mobile and Web Testing** application integration page, find the **Manage** section and select **single sign-on**.
+1. On the **Select a single sign-on method** page, select **SAML**.
+1. On the **Set up single sign-on with SAML** page, click the pencil icon for **Basic SAML Configuration** to edit the settings.
- ![Single sign-on select mode](common/select-saml-option.png)
-
-3. On the **Set up Single Sign-On with SAML** page, click **Edit** icon to open **Basic SAML Configuration** dialog.
-
- ![Edit Basic SAML Configuration](common/edit-urls.png)
+ ![Edit Basic SAML Configuration](common/edit-urls.png)
4. On the **Basic SAML Configuration** section, the user does not have to perform any step as the app is already pre-integrated with Azure.
- ![Sauce Labs - Mobile and Web Testing Domain and URLs single sign-on information](common/preintegrated.png)
- 5. On the **Set up Single Sign-On with SAML** page, in the **SAML Signing Certificate** section, click **Download** to download the **Federation Metadata XML** from the given options as per your requirement and save it on your computer. ![The Certificate download link](common/metadataxml.png)
To configure Azure AD single sign-on with Sauce Labs - Mobile and Web Testing, p
![Copy configuration URLs](common/copy-configuration-urls.png)
- a. Login URL
+### Create an Azure AD test user
+
+In this section, you'll create a test user in the Azure portal called B.Simon.
+
+1. From the left pane in the Azure portal, select **Azure Active Directory**, select **Users**, and then select **All users**.
+1. Select **New user** at the top of the screen.
+1. In the **User** properties, follow these steps:
+ 1. In the **Name** field, enter `B.Simon`.
+ 1. In the **User name** field, enter the username@companydomain.extension. For example, `B.Simon@contoso.com`.
+ 1. Select the **Show password** check box, and then write down the value that's displayed in the **Password** box.
+ 1. Click **Create**.
- b. Azure AD Identifier
+### Assign the Azure AD test user
+
+In this section, you'll enable B.Simon to use Azure single sign-on by granting access to Sauce Labs - Mobile and Web Testing.
- c. Logout URL
+1. In the Azure portal, select **Enterprise Applications**, and then select **All applications**.
+1. In the applications list, select **Sauce Labs - Mobile and Web Testing**.
+1. In the app's overview page, find the **Manage** section and select **Users and groups**.
+1. Select **Add user**, then select **Users and groups** in the **Add Assignment** dialog.
+1. In the **Users and groups** dialog, select **B.Simon** from the Users list, then click the **Select** button at the bottom of the screen.
+1. If you are expecting a role to be assigned to the users, you can select it from the **Select a role** dropdown. If no role has been set up for this app, you see "Default Access" role selected.
+1. In the **Add Assignment** dialog, click the **Assign** button.
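Review bot: the removed lines "a. Login URL", "b. Azure AD Identifier" and "c. Logout URL" were the items the retained "Copy configuration URLs" screenshot illustrates, and the new test-user sections are spliced in exactly where that list stood; confirm the step that introduces the screenshot (cut off in this view) still names the URLs the reader must copy for the Sauce Labs side, otherwise the screenshot is orphaned. In the assign step, "If you are expecting a role to be assigned to the users ... you see "Default Access" role selected" should read "If you expect a role to be assigned to the user ... you see the "Default Access" role selected".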
-### Configure Sauce Labs - Mobile and Web Testing Single Sign-On
+## Configure Sauce Labs - Mobile and Web Testing SSO
1. In a different web browser window, sign in to your Sauce Labs - Mobile and Web Testing company site as an administrator. 2. Click on the **User icon** and select **Team Management** tab.
- ![Screenshot that shows the "User" icon and "Team Management" drop-down selected.](./media/saucelabs-mobileandwebtesting-tutorial/configure1.png)
+ ![Screenshot that shows the "User" icon and "Team Management" drop-down selected.](./media/saucelabs-mobileandwebtesting-tutorial/user.png)
3. Enter your **Domain name** in the textbox.
- ![Screenshot that shows an example domain name in the textbox.](./media/saucelabs-mobileandwebtesting-tutorial/configure2.png)
+ ![Screenshot that shows an example domain name in the textbox.](./media/saucelabs-mobileandwebtesting-tutorial/domain.png)
4. Click **Configure** tab.
- ![Screenshot that shows the "Configure" tab selected under "Single Sign On is Enabled".](./media/saucelabs-mobileandwebtesting-tutorial/configure3.png)
+ ![Screenshot that shows the "Configure" tab selected under "Single Sign On is Enabled".](./media/saucelabs-mobileandwebtesting-tutorial/configure.png)
5. In the **Configure Single Sign On** section, perform the following steps.
- ![Configure Single Sign-On](./media/saucelabs-mobileandwebtesting-tutorial/configure4.png)
+ ![Configure Single Sign-On](./media/saucelabs-mobileandwebtesting-tutorial/browse.png)
a. Click **Browse** and upload the downloaded metadata file from the Azure AD.
To configure Azure AD single sign-on with Sauce Labs - Mobile and Web Testing, p
c. Click **Save**.
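Review bot: the renamed media files (user.png, domain.png, configure.png, browse.png) are not part of this diff; verify they exist under ./media/saucelabs-mobileandwebtesting-tutorial/ before merge, since the four image references now point at them instead of configure1.png through configure4.png and the build will flag any missing file as a broken link.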
-### Create an Azure AD test user
-
-The objective of this section is to create a test user in the Azure portal called Britta Simon.
-
-1. In the Azure portal, in the left pane, select **Azure Active Directory**, select **Users**, and then select **All users**.
-
- ![The "Users and groups" and "All users" links](common/users.png)
-
-2. Select **New user** at the top of the screen.
-
- ![New user Button](common/new-user.png)
-
-3. In the User properties, perform the following steps.
-
- ![The User dialog box](common/user-properties.png)
-
- a. In the **Name** field enter **BrittaSimon**.
-
- b. In the **User name** field type `brittasimon@yourcompanydomain.extension`
- For example, BrittaSimon@contoso.com
-
- c. Select **Show password** check box, and then write down the value that's displayed in the Password box.
-
- d. Click **Create**.
-
-### Assign the Azure AD test user
-
-In this section, you enable Britta Simon to use Azure single sign-on by granting access to Sauce Labs - Mobile and Web Testing.
-
-1. In the Azure portal, select **Enterprise Applications**, select **All applications**, then select **Sauce Labs - Mobile and Web Testing**.
-
- ![Enterprise applications blade](common/enterprise-applications.png)
-
-2. In the applications list, select **Sauce Labs - Mobile and Web Testing**.
-
- ![The Sauce Labs - Mobile and Web Testing link in the Applications list](common/all-applications.png)
-
-3. In the menu on the left, select **Users and groups**.
-
- ![The "Users and groups" link](common/users-groups-blade.png)
-
-4. Click the **Add user** button, then select **Users and groups** in the **Add Assignment** dialog.
-
- ![The Add Assignment pane](common/add-assign-user.png)
-
-5. In the **Users and groups** dialog select **Britta Simon** in the Users list, then click the **Select** button at the bottom of the screen.
-
-6. If you are expecting any role value in the SAML assertion then in the **Select Role** dialog select the appropriate role for the user from the list, then click the **Select** button at the bottom of the screen.
-
-7. In the **Add Assignment** dialog click the **Assign** button.
- ### Create Sauce Labs - Mobile and Web Testing test user In this section, a user called Britta Simon is created in Sauce Labs - Mobile and Web Testing. Sauce Labs - Mobile and Web Testing supports just-in-time user provisioning, which is enabled by default. There is no action item for you in this section. If a user doesn't already exist in Sauce Labs - Mobile and Web Testing, a new one is created after authentication.
In this section, a user called Britta Simon is created in Sauce Labs - Mobile an
> [!Note] > If you need to create a user manually, contact [Sauce Labs - Mobile and Web Testing support team](mailto:support@saucelabs.com).
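Review bot: the retained "Create Sauce Labs - Mobile and Web Testing test user" paragraph still says "a user called Britta Simon is created", while every new section in this change uses B.Simon; rename it here so the just-in-time provisioning description refers to the same test user the reader created. The alert on the following line uses `[!Note]` where the rest of this changeset uses `[!NOTE]`; align the casing. The old Create/Assign test-user blocks removed here are replaced by the new ones earlier in the file, so the deletion itself is complete.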
-### Test single sign-on
-
-In this section, you test your Azure AD single sign-on configuration using the Access Panel.
+## Test SSO
-When you click the Sauce Labs - Mobile and Web Testing tile in the Access Panel, you should be automatically signed in to the Sauce Labs - Mobile and Web Testing for which you set up SSO. For more information about the Access Panel, see [Introduction to the Access Panel](../user-help/my-apps-portal-end-user-access.md).
+In this section, you test your Azure AD single sign-on configuration with following options.
-## Additional Resources
+* Click on Test this application in Azure portal and you should be automatically signed in to the Sauce Labs - Mobile and Web Testing for which you set up the SSO.
-- [List of Tutorials on How to Integrate SaaS Apps with Azure Active Directory](./tutorial-list.md)
+* You can use Microsoft My Apps. When you click the Sauce Labs - Mobile and Web Testing tile in the My Apps, you should be automatically signed in to the Sauce Labs - Mobile and Web Testing for which you set up the SSO. For more information about the My Apps, see [Introduction to the My Apps](../user-help/my-apps-portal-end-user-access.md).
-- [What is application access and single sign-on with Azure Active Directory?](../manage-apps/what-is-single-sign-on.md)
+## Next steps
-- [What is Conditional Access in Azure Active Directory?](../conditional-access/overview.md)
+Once you configure Sauce Labs - Mobile and Web Testing you can enforce session control, which protects exfiltration and infiltration of your organizationΓÇÖs sensitive data in real time. Session control extends from Conditional Access. [Learn how to enforce session control with Microsoft Cloud App Security](/cloud-app-security/proxy-deployment-aad).
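Review bot: in the Test SSO section, "Click on Test this application in Azure portal" drops the bold that the SimpleNexus tutorial in this batch applies to **Test this application**; format the UI label the same way. The two test options (Test this application, the My Apps tile) fit the IdP-initiated flow stated under Scenario description, so no SP sign-on URL option is missing. In Next steps, "organizationΓÇÖs" is a mis-encoded apostrophe and "protects exfiltration and infiltration" should be "protects against exfiltration and infiltration".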
active-directory Simplenexus Tutorial https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/active-directory/saas-apps/simplenexus-tutorial.md
Previously updated : 03/07/2019 Last updated : 05/18/2021 # Tutorial: Azure Active Directory integration with SimpleNexus
-In this tutorial, you learn how to integrate SimpleNexus with Azure Active Directory (Azure AD).
-Integrating SimpleNexus with Azure AD provides you with the following benefits:
+In this tutorial, you'll learn how to integrate SimpleNexus with Azure Active Directory (Azure AD). When you integrate SimpleNexus with Azure AD, you can:
-* You can control in Azure AD who has access to SimpleNexus.
-* You can enable your users to be automatically signed-in to SimpleNexus (Single Sign-On) with their Azure AD accounts.
-* You can manage your accounts in one central location - the Azure portal.
-
-If you want to know more details about SaaS app integration with Azure AD, see [What is application access and single sign-on with Azure Active Directory](../manage-apps/what-is-single-sign-on.md).
-If you don't have an Azure subscription, [create a free account](https://azure.microsoft.com/free/) before you begin.
+* Control in Azure AD who has access to SimpleNexus.
+* Enable your users to be automatically signed-in to SimpleNexus with their Azure AD accounts.
+* Manage your accounts in one central location - the Azure portal.
## Prerequisites
-To configure Azure AD integration with SimpleNexus, you need the following items:
+To get started, you need the following items:
-* An Azure AD subscription. If you don't have an Azure AD environment, you can get one-month trial [here](https://azure.microsoft.com/pricing/free-trial/)
-* SimpleNexus single sign-on enabled subscription
+* An Azure AD subscription. If you don't have a subscription, you can get a [free account](https://azure.microsoft.com/free/).
+* SimpleNexus single sign-on (SSO) enabled subscription.
## Scenario description In this tutorial, you configure and test Azure AD single sign-on in a test environment.
-* SimpleNexus supports **SP** initiated SSO
+* SimpleNexus supports **SP** initiated SSO.
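Review bot: "automatically signed-in to SimpleNexus" in the benefits list should be "signed in to". The prerequisite now reads "If you don't have a subscription" while the same step in the Sauce Labs tutorial in this batch reads "If you don't have an Azure AD environment"; either is acceptable, and the free-account link is the right replacement for the removed one-month-trial link, which pointed at a pricing page.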
-## Adding SimpleNexus from the gallery
+## Add SimpleNexus from the gallery
To configure the integration of SimpleNexus into Azure AD, you need to add SimpleNexus from the gallery to your list of managed SaaS apps.
-**To add SimpleNexus from the gallery, perform the following steps:**
-
-1. In the **[Azure portal](https://portal.azure.com)**, on the left navigation panel, click **Azure Active Directory** icon.
-
- ![The Azure Active Directory button](common/select-azuread.png)
-
-2. Navigate to **Enterprise Applications** and then select the **All Applications** option.
-
- ![The Enterprise applications blade](common/enterprise-applications.png)
-
-3. To add new application, click **New application** button on the top of dialog.
-
- ![The New application button](common/add-new-app.png)
-
-4. In the search box, type **SimpleNexus**, select **SimpleNexus** from result panel then click **Add** button to add the application.
-
- ![SimpleNexus in the results list](common/search-new-app.png)
-
-## Configure and test Azure AD single sign-on
+1. Sign in to the Azure portal using either a work or school account, or a personal Microsoft account.
+1. On the left navigation pane, select the **Azure Active Directory** service.
+1. Navigate to **Enterprise Applications** and then select **All Applications**.
+1. To add new application, select **New application**.
+1. In the **Add from the gallery** section, type **SimpleNexus** in the search box.
+1. Select **SimpleNexus** from results panel and then add the app. Wait a few seconds while the app is added to your tenant.
-In this section, you configure and test Azure AD single sign-on with SimpleNexus based on a test user called **Britta Simon**.
-For single sign-on to work, a link relationship between an Azure AD user and the related user in SimpleNexus needs to be established.
+## Configure and test Azure AD SSO for SimpleNexus
-To configure and test Azure AD single sign-on with SimpleNexus, you need to complete the following building blocks:
+Configure and test Azure AD SSO with SimpleNexus using a test user called **B.Simon**. For SSO to work, you need to establish a link relationship between an Azure AD user and the related user in SimpleNexus.
-1. **[Configure Azure AD Single Sign-On](#configure-azure-ad-single-sign-on)** - to enable your users to use this feature.
-2. **[Configure SimpleNexus Single Sign-On](#configure-simplenexus-single-sign-on)** - to configure the Single Sign-On settings on application side.
-3. **[Create an Azure AD test user](#create-an-azure-ad-test-user)** - to test Azure AD single sign-on with Britta Simon.
-4. **[Assign the Azure AD test user](#assign-the-azure-ad-test-user)** - to enable Britta Simon to use Azure AD single sign-on.
-5. **[Create SimpleNexus test user](#create-simplenexus-test-user)** - to have a counterpart of Britta Simon in SimpleNexus that is linked to the Azure AD representation of user.
-6. **[Test single sign-on](#test-single-sign-on)** - to verify whether the configuration works.
+To configure and test Azure AD SSO with SimpleNexus, perform the following steps:
-### Configure Azure AD single sign-on
+1. **[Configure Azure AD SSO](#configure-azure-ad-sso)** - to enable your users to use this feature.
+ 1. **[Create an Azure AD test user](#create-an-azure-ad-test-user)** - to test Azure AD single sign-on with B.Simon.
+ 1. **[Assign the Azure AD test user](#assign-the-azure-ad-test-user)** - to enable B.Simon to use Azure AD single sign-on.
+1. **[Configure SimpleNexus SSO](#configure-simplenexus-sso)** - to configure the single sign-on settings on application side.
+ 1. **[Create SimpleNexus test user](#create-simplenexus-test-user)** - to have a counterpart of B.Simon in SimpleNexus that is linked to the Azure AD representation of user.
+1. **[Test SSO](#test-sso)** - to verify whether the configuration works.
-In this section, you enable Azure AD single sign-on in the Azure portal.
+## Configure Azure AD SSO
-To configure Azure AD single sign-on with SimpleNexus, perform the following steps:
+Follow these steps to enable Azure AD SSO in the Azure portal.
-1. In the [Azure portal](https://portal.azure.com/), on the **SimpleNexus** application integration page, select **Single sign-on**.
+1. In the Azure portal, on the **SimpleNexus** application integration page, find the **Manage** section and select **single sign-on**.
+1. On the **Select a single sign-on method** page, select **SAML**.
+1. On the **Set up single sign-on with SAML** page, click the pencil icon for **Basic SAML Configuration** to edit the settings.
- ![Configure single sign-on link](common/select-sso.png)
-
-2. On the **Select a Single sign-on method** dialog, select **SAML/WS-Fed** mode to enable single sign-on.
-
- ![Single sign-on select mode](common/select-saml-option.png)
-
-3. On the **Set up Single Sign-On with SAML** page, click **Edit** icon to open **Basic SAML Configuration** dialog.
-
- ![Edit Basic SAML Configuration](common/edit-urls.png)
+ ![Edit Basic SAML Configuration](common/edit-urls.png)
4. On the **Basic SAML Configuration** section, perform the following steps:
- ![SimpleNexus Domain and URLs single sign-on information](common/sp-identifier.png)
- a. In the **Sign on URL** text box, type a URL using the following pattern:
- `https://simplenexus.com/<companyname>_login`
+ `https://simplenexus.com/<COMPANY_NAME>_login`
b. In the **Identifier (Entity ID)** text box, type a URL using the following pattern:
- `https://simplenexus.com/<companyname>`
+ `https://simplenexus.com/<COMPANY_NAME>`
> [!NOTE] > These values are not real. Update these values with the actual Sign on URL and Identifier. Contact [SimpleNexus Client support team](https://www.simplenexus.com/contact-us/) to get these values. You can also refer to the patterns shown in the **Basic SAML Configuration** section in the Azure portal.
To configure Azure AD single sign-on with SimpleNexus, perform the following ste
![Copy configuration URLs](common/copy-configuration-urls.png)
- a. Login URL
-
- b. Azure AD Identifier
-
- c. Logout URL
-
-### Configure SimpleNexus Single Sign-On
-
-To configure single sign-on on **SimpleNexus** side, you need to send the downloaded **Federation Metadata XML** and appropriate copied URLs from Azure portal to [SimpleNexus support team](https://www.simplenexus.com/contact-us/). They set this setting to have the SAML SSO connection set properly on both sides.
- ### Create an Azure AD test user
-The objective of this section is to create a test user in the Azure portal called Britta Simon.
-
-1. In the Azure portal, in the left pane, select **Azure Active Directory**, select **Users**, and then select **All users**.
-
- ![The "Users and groups" and "All users" links](common/users.png)
-
-2. Select **New user** at the top of the screen.
-
- ![New user Button](common/new-user.png)
-
-3. In the User properties, perform the following steps.
-
- ![The User dialog box](common/user-properties.png)
-
- a. In the **Name** field enter **BrittaSimon**.
-
- b. In the **User name** field type **brittasimon@yourcompanydomain.extension**
- For example, BrittaSimon@contoso.com
-
- c. Select **Show password** check box, and then write down the value that's displayed in the Password box.
+In this section, you'll create a test user in the Azure portal called B.Simon.
- d. Click **Create**.
+1. From the left pane in the Azure portal, select **Azure Active Directory**, select **Users**, and then select **All users**.
+1. Select **New user** at the top of the screen.
+1. In the **User** properties, follow these steps:
+ 1. In the **Name** field, enter `B.Simon`.
+ 1. In the **User name** field, enter the username@companydomain.extension. For example, `B.Simon@contoso.com`.
+ 1. Select the **Show password** check box, and then write down the value that's displayed in the **Password** box.
+ 1. Click **Create**.
### Assign the Azure AD test user
-In this section, you enable Britta Simon to use Azure single sign-on by granting access to SimpleNexus.
+In this section, you'll enable B.Simon to use Azure single sign-on by granting access to SimpleNexus.
-1. In the Azure portal, select **Enterprise Applications**, select **All applications**, then select **SimpleNexus**.
+1. In the Azure portal, select **Enterprise Applications**, and then select **All applications**.
+1. In the applications list, select **SimpleNexus**.
+1. In the app's overview page, find the **Manage** section and select **Users and groups**.
+1. Select **Add user**, then select **Users and groups** in the **Add Assignment** dialog.
+1. In the **Users and groups** dialog, select **B.Simon** from the Users list, then click the **Select** button at the bottom of the screen.
+1. If you are expecting a role to be assigned to the users, you can select it from the **Select a role** dropdown. If no role has been set up for this app, you see "Default Access" role selected.
+1. In the **Add Assignment** dialog, click the **Assign** button.
- ![Enterprise applications blade](common/enterprise-applications.png)
+## Configure SimpleNexus SSO
-2. In the applications list, select **SimpleNexus**.
-
- ![The SimpleNexus link in the Applications list](common/all-applications.png)
-
-3. In the menu on the left, select **Users and groups**.
-
- ![The "Users and groups" link](common/users-groups-blade.png)
-
-4. Click the **Add user** button, then select **Users and groups** in the **Add Assignment** dialog.
-
- ![The Add Assignment pane](common/add-assign-user.png)
-
-5. In the **Users and groups** dialog select **Britta Simon** in the Users list, then click the **Select** button at the bottom of the screen.
-
-6. If you are expecting any role value in the SAML assertion then in the **Select Role** dialog select the appropriate role for the user from the list, then click the **Select** button at the bottom of the screen.
-
-7. In the **Add Assignment** dialog click the **Assign** button.
+To configure single sign-on on **SimpleNexus** side, you need to send the downloaded **Federation Metadata XML** and appropriate copied URLs from Azure portal to [SimpleNexus support team](https://www.simplenexus.com/contact-us/). They set this setting to have the SAML SSO connection set properly on both sides.
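Review bot: the moved "Configure SimpleNexus SSO" text still tells the reader to send the "appropriate copied URLs" to SimpleNexus support, but the list that named them ("a. Login URL", "b. Azure AD Identifier", "c. Logout URL") is removed in this same hunk with no replacement in view; either restore the list under the "Copy configuration URLs" screenshot or name the URLs in this sentence, since "appropriate" alone leaves the reader guessing which values the support team needs. The closing sentence "They set this setting to have the SAML SSO connection set properly on both sides" is awkward; suggest "The SimpleNexus support team then configures the SAML SSO connection on their side."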
### Create SimpleNexus test user
In order to enable Azure AD users to log in to SimpleNexus, they must be provisi
> [!NOTE] > You can use any other SimpleNexus user account creation tools or APIs provided by SimpleNexus to provision Azure AD user accounts.
-### Test single sign-on
+## Test SSO
-In this section, you test your Azure AD single sign-on configuration using the Access Panel.
+In this section, you test your Azure AD single sign-on configuration with following options.
-When you click the SimpleNexus tile in the Access Panel, you should be automatically signed in to the SimpleNexus for which you set up SSO. For more information about the Access Panel, see [Introduction to the Access Panel](../user-help/my-apps-portal-end-user-access.md).
+* Click on **Test this application** in Azure portal. This will redirect to SimpleNexus Sign-on URL where you can initiate the login flow.
-## Additional Resources
+* Go to SimpleNexus Sign-on URL directly and initiate the login flow from there.
-- [List of Tutorials on How to Integrate SaaS Apps with Azure Active Directory](./tutorial-list.md)
+* You can use Microsoft My Apps. When you click the SimpleNexus tile in the My Apps, this will redirect to SimpleNexus Sign-on URL. For more information about the My Apps, see [Introduction to the My Apps](../user-help/my-apps-portal-end-user-access.md).
-- [What is application access and single sign-on with Azure Active Directory?](../manage-apps/what-is-single-sign-on.md)
+## Next steps
-- [What is Conditional Access in Azure Active Directory?](../conditional-access/overview.md)
+Once you configure SimpleNexus you can enforce session control, which protects exfiltration and infiltration of your organizationΓÇÖs sensitive data in real time. Session control extends from Conditional Access. [Learn how to enforce session control with Microsoft Cloud App Security](/cloud-app-security/proxy-deployment-aad).
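Review bot: "in the My Apps" in the third test option should be "in My Apps" in both places, and Next steps has the mis-encoded apostrophe ("organizationΓÇÖs") plus the "protects exfiltration and infiltration" wording; use "protects against exfiltration and infiltration of your organization's sensitive data". The three test options (Test this application, the Sign-on URL directly, the My Apps tile) match the SP-initiated flow stated under Scenario description, so the section is otherwise consistent.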
active-directory Skillport Tutorial https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/active-directory/saas-apps/skillport-tutorial.md
Previously updated : 03/25/2019 Last updated : 05/21/2021 # Tutorial: Azure Active Directory integration with Skillport
-In this tutorial, you learn how to integrate Skillport with Azure Active Directory (Azure AD).
-Integrating Skillport with Azure AD provides you with the following benefits:
+In this tutorial, you'll learn how to integrate Skillport with Azure Active Directory (Azure AD). When you integrate Skillport with Azure AD, you can:
-* You can control in Azure AD who has access to Skillport.
-* You can enable your users to be automatically signed-in to Skillport (Single Sign-On) with their Azure AD accounts.
-* You can manage your accounts in one central location - the Azure portal.
-
-If you want to know more details about SaaS app integration with Azure AD, see [What is application access and single sign-on with Azure Active Directory](../manage-apps/what-is-single-sign-on.md).
-If you don't have an Azure subscription, [create a free account](https://azure.microsoft.com/free/) before you begin.
+* Control in Azure AD who has access to Skillport.
+* Enable your users to be automatically signed-in to Skillport with their Azure AD accounts.
+* Manage your accounts in one central location - the Azure portal.
## Prerequisites To configure Azure AD integration with Skillport, you need the following items:
-* An Azure AD subscription. If you don't have an Azure AD environment, you can get a [free account](https://azure.microsoft.com/free/)
-* Skillport single sign-on enabled subscription
+* An Azure AD subscription. If you don't have an Azure AD environment, you can get a [free account](https://azure.microsoft.com/free/).
+* Skillport single sign-on enabled subscription.
## Scenario description In this tutorial, you configure and test Azure AD single sign-on in a test environment.
-* Skillport supports **SP** initiated SSO
-
-## Adding Skillport from the gallery
-
-To configure the integration of Skillport into Azure AD, you need to add Skillport from the gallery to your list of managed SaaS apps.
-
-**To add Skillport from the gallery, perform the following steps:**
-
-1. In the **[Azure portal](https://portal.azure.com)**, on the left navigation panel, click **Azure Active Directory** icon.
-
- ![The Azure Active Directory button](common/select-azuread.png)
-
-2. Navigate to **Enterprise Applications** and then select the **All Applications** option.
-
- ![The Enterprise applications blade](common/enterprise-applications.png)
-
-3. To add new application, click **New application** button on the top of dialog.
+* Skillport supports **SP** initiated SSO.
- ![The New application button](common/add-new-app.png)
+> [!NOTE]
+> Identifier of this application is a fixed string value so only one instance can be configured in one tenant.
-4. In the search box, type **Skillport**, select **Skillport** from result panel then click **Add** button to add the application.
+## Add Skillport from the gallery
- ![Skillport in the results list](common/search-new-app.png)
-
-## Configure and test Azure AD single sign-on
-
-In this section, you configure and test Azure AD single sign-on with Skillport based on a test user called **Britta Simon**.
-For single sign-on to work, a link relationship between an Azure AD user and the related user in Skillport needs to be established.
-
-To configure and test Azure AD single sign-on with Skillport, you need to complete the following building blocks:
-
-1. **[Configure Azure AD Single Sign-On](#configure-azure-ad-single-sign-on)** - to enable your users to use this feature.
-2. **[Configure Skillport Single Sign-On](#configure-skillport-single-sign-on)** - to configure the Single Sign-On settings on application side.
-3. **[Create an Azure AD test user](#create-an-azure-ad-test-user)** - to test Azure AD single sign-on with Britta Simon.
-4. **[Assign the Azure AD test user](#assign-the-azure-ad-test-user)** - to enable Britta Simon to use Azure AD single sign-on.
-5. **[Create Skillport test user](#create-skillport-test-user)** - to have a counterpart of Britta Simon in Skillport that is linked to the Azure AD representation of user.
-6. **[Test single sign-on](#test-single-sign-on)** - to verify whether the configuration works.
+To configure the integration of Skillport into Azure AD, you need to add Skillport from the gallery to your list of managed SaaS apps.
-### Configure Azure AD single sign-on
+1. Sign in to the Azure portal using either a work or school account, or a personal Microsoft account.
+1. On the left navigation pane, select the **Azure Active Directory** service.
+1. Navigate to **Enterprise Applications** and then select **All Applications**.
+1. To add new application, select **New application**.
+1. In the **Add from the gallery** section, type **Skillport** in the search box.
+1. Select **Skillport** from results panel and then add the app. Wait a few seconds while the app is added to your tenant.
-In this section, you enable Azure AD single sign-on in the Azure portal.
+## Configure and test Azure AD SSO for Skillport
-To configure Azure AD single sign-on with Skillport, perform the following steps:
+Configure and test Azure AD SSO with Skillport using a test user called **B.Simon**. For SSO to work, you need to establish a link relationship between an Azure AD user and the related user in Skillport.
-1. In the [Azure portal](https://portal.azure.com/), on the **Skillport** application integration page, select **Single sign-on**.
+To configure and test Azure AD SSO with Skillport, perform the following steps:
- ![Configure single sign-on link](common/select-sso.png)
+1. **[Configure Azure AD SSO](#configure-azure-ad-sso)** - to enable your users to use this feature.
+ 1. **[Create an Azure AD test user](#create-an-azure-ad-test-user)** - to test Azure AD single sign-on with B.Simon.
+ 1. **[Assign the Azure AD test user](#assign-the-azure-ad-test-user)** - to enable B.Simon to use Azure AD single sign-on.
+1. **[Configure Skillport SSO](#configure-skillport-sso)** - to configure the single sign-on settings on application side.
+ 1. **[Create Skillport test user](#create-skillport-test-user)** - to have a counterpart of B.Simon in Skillport that is linked to the Azure AD representation of user.
+1. **[Test SSO](#test-sso)** - to verify whether the configuration works.
-2. On the **Select a Single sign-on method** dialog, select **SAML/WS-Fed** mode to enable single sign-on.
+## Configure Azure AD SSO
- ![Single sign-on select mode](common/select-saml-option.png)
+Follow these steps to enable Azure AD SSO in the Azure portal.
-3. On the **Set up Single Sign-On with SAML** page, click **Edit** icon to open **Basic SAML Configuration** dialog.
+1. In the Azure portal, on the **Skillport** application integration page, find the **Manage** section and select **single sign-on**.
+1. On the **Select a single sign-on method** page, select **SAML**.
+1. On the **Set up single sign-on with SAML** page, click the pencil icon for **Basic SAML Configuration** to edit the settings.
- ![Edit Basic SAML Configuration](common/edit-urls.png)
+ ![Edit Basic SAML Configuration](common/edit-urls.png)
4. On the **Basic SAML Configuration** section, perform the following steps:
- ![Skillport Domain and URLs single sign-on information](common/sp-identifier-reply.png)
-
- 1. In the **Sign-on URL** text box, type the URL:
+ 1. In the **Sign-on URL** text box, type one of the following URLs:
EU Datacenter: `https://adfs.skillport.eu` US Datacenter: `https://sso.skillport.com`
- 1. In the **Identifier** box, type the URL:
+ 1. In the **Identifier** box, type one of the following URLs:
EU Datacenter: `http://adfs.skillport.eu/adfs/services/trust` US Datacenter: `https://sso.skillport.com`
- 1. In the **Reply URL** text box, type the URL:
+ 1. In the **Reply URL** text box, type one of the following URLs:
EU Datacenter: `https://adfs.skillport.eu/adfs/ls/`
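Review bot: the Reply URL step (`+ 1. In the **Reply URL** text box, type one of the following URLs:`) now promises a choice but the only value under it is `EU Datacenter: https://adfs.skillport.eu/adfs/ls/`; either add the US Datacenter reply URL or revert this one line to "type the URL". Also worth confirming that the EU Identifier `http://adfs.skillport.eu/adfs/services/trust` is intentionally `http://` while every other value in the section is `https://`: the Identifier must match the issuer string Skillport sends in its SAML requests byte for byte, so a scheme slip here fails the SP-initiated flow at the first request. Finally, the added note says the Identifier "is a fixed string value so only one instance can be configured in one tenant", yet the same hunk lists two Identifier values (EU and US); the note should say that each datacenter's Identifier is fixed, or that a tenant can hold at most one instance per Identifier, so the two statements do not contradict each other.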
To configure Azure AD single sign-on with Skillport, perform the following steps
![Copy configuration URLs](common/copy-configuration-urls.png)
- a. Login URL
-
- b. Azure AD Identifier
-
- c. Logout URL
-
-### Configure Skillport Single Sign-On
-
-To configure single sign-on on **Skillport** side, you need to send the downloaded **Federation Metadata XML** and appropriate copied URLs from Azure portal to [Skillport support team](https://www.skillsoft.com/about/contact-us). They set this setting to have the SAML SSO connection set properly on both sides.
- ### Create an Azure AD test user
-The objective of this section is to create a test user in the Azure portal called Britta Simon.
-
-1. In the Azure portal, in the left pane, select **Azure Active Directory**, select **Users**, and then select **All users**.
-
- ![The "Users and groups" and "All users" links](common/users.png)
-
-2. Select **New user** at the top of the screen.
-
- ![New user Button](common/new-user.png)
-
-3. In the User properties, perform the following steps.
-
- ![The User dialog box](common/user-properties.png)
-
- a. In the **Name** field enter **BrittaSimon**.
-
- b. In the **User name** field type `brittasimon@yourcompanydomain.extension`
- For example, BrittaSimon@contoso.com
-
- c. Select **Show password** check box, and then write down the value that's displayed in the Password box.
+In this section, you'll create a test user in the Azure portal called B.Simon.
- d. Click **Create**.
+1. From the left pane in the Azure portal, select **Azure Active Directory**, select **Users**, and then select **All users**.
+1. Select **New user** at the top of the screen.
+1. In the **User** properties, follow these steps:
+ 1. In the **Name** field, enter `B.Simon`.
+ 1. In the **User name** field, enter the username@companydomain.extension. For example, `B.Simon@contoso.com`.
+ 1. Select the **Show password** check box, and then write down the value that's displayed in the **Password** box.
+ 1. Click **Create**.
### Assign the Azure AD test user
-In this section, you enable Britta Simon to use Azure single sign-on by granting access to Skillport.
+In this section, you'll enable B.Simon to use Azure single sign-on by granting access to Skillport.
-1. In the Azure portal, select **Enterprise Applications**, select **All applications**, then select **Skillport**.
+1. In the Azure portal, select **Enterprise Applications**, and then select **All applications**.
+1. In the applications list, select **Skillport**.
+1. In the app's overview page, find the **Manage** section and select **Users and groups**.
+1. Select **Add user**, then select **Users and groups** in the **Add Assignment** dialog.
+1. In the **Users and groups** dialog, select **B.Simon** from the Users list, then click the **Select** button at the bottom of the screen.
+1. If you are expecting a role to be assigned to the users, you can select it from the **Select a role** dropdown. If no role has been set up for this app, you see "Default Access" role selected.
+1. In the **Add Assignment** dialog, click the **Assign** button.
- ![Enterprise applications blade](common/enterprise-applications.png)
+## Configure Skillport SSO
-2. In the applications list, select **Skillport**.
-
- ![The Skillport link in the Applications list](common/all-applications.png)
-
-3. In the menu on the left, select **Users and groups**.
-
- ![The "Users and groups" link](common/users-groups-blade.png)
-
-4. Click the **Add user** button, then select **Users and groups** in the **Add Assignment** dialog.
-
- ![The Add Assignment pane](common/add-assign-user.png)
-
-5. In the **Users and groups** dialog select **Britta Simon** in the Users list, then click the **Select** button at the bottom of the screen.
-
-6. If you are expecting any role value in the SAML assertion then in the **Select Role** dialog select the appropriate role for the user from the list, then click the **Select** button at the bottom of the screen.
-
-7. In the **Add Assignment** dialog click the **Assign** button.
+To configure single sign-on on **Skillport** side, you need to send the downloaded **Federation Metadata XML** and appropriate copied URLs from Azure portal to [Skillport support team](https://www.skillsoft.com/about/contact-us). They set this setting to have the SAML SSO connection set properly on both sides.
### Create Skillport test user In order to create Skillport test user, you need to contact [Skillport support team](https://www.skillsoft.com/about/contact-us) as they have multiple business scenarios according to the requirement of end user. They will configure it after discussion with the users.
-### Test single sign-on
+## Test SSO
-In this section, you test your Azure AD single sign-on configuration using the Access Panel.
+In this section, you test your Azure AD single sign-on configuration with following options.
-When you click the Skillport tile in the Access Panel, you should be automatically signed in to the Skillport for which you set up SSO. For more information about the Access Panel, see [Introduction to the Access Panel](../user-help/my-apps-portal-end-user-access.md).
+* Click on **Test this application** in Azure portal. This will redirect to Skillport Sign-on URL where you can initiate the login flow.
-## Additional Resources
+* Go to Skillport Sign-on URL directly and initiate the login flow from there.
-- [List of Tutorials on How to Integrate SaaS Apps with Azure Active Directory](./tutorial-list.md)
+* You can use Microsoft My Apps. When you click the Skillport tile in the My Apps, this will redirect to Skillport Sign-on URL. For more information about the My Apps, see [Introduction to the My Apps](../user-help/my-apps-portal-end-user-access.md).
-- [What is application access and single sign-on with Azure Active Directory?](../manage-apps/what-is-single-sign-on.md)
+## Next steps
-- [What is Conditional Access in Azure Active Directory?](../conditional-access/overview.md)
+Once you configure Skillport you can enforce session control, which protects exfiltration and infiltration of your organizationΓÇÖs sensitive data in real time. Session control extends from Conditional Access. [Learn how to enforce session control with Microsoft Cloud App Security](/cloud-app-security/proxy-deployment-aad).
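Review bot: the two test bullets refer to "Skillport Sign-on URL" as a single value, but the Basic SAML Configuration step gives a separate Sign-on URL per datacenter (`https://adfs.skillport.eu` for EU, `https://sso.skillport.com` for US); say "the Sign-on URL for your datacenter" so readers test against the endpoint they actually configured. In the Next steps sentence, "protects exfiltration and infiltration" says the opposite of what is meant; "protects against exfiltration and infiltration" (the same sentence recurs in the SmartDraw and Soloinsight-CloudGate tutorials in this update). `organizationΓÇÖs` in that line is a UTF-8 curly apostrophe shown through a cp1252 decode; it is a display artefact here, but check that the committed file really holds `organization's`.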
active-directory Smartdraw Tutorial https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/active-directory/saas-apps/smartdraw-tutorial.md
Previously updated : 01/02/2020 Last updated : 05/18/2021
In this tutorial, you'll learn how to integrate SmartDraw with Azure Active Dire
* Enable your users to be automatically signed-in to SmartDraw with their Azure AD accounts. * Manage your accounts in one central location - the Azure portal.
-To learn more about SaaS app integration with Azure AD, see [What is application access and single sign-on with Azure Active Directory](../manage-apps/what-is-single-sign-on.md).
- ## Prerequisites To get started, you need the following items:
To get started, you need the following items:
In this tutorial, you configure and test Azure AD SSO in a test environment.
-* SmartDraw supports **SP and IDP** initiated SSO
-* SmartDraw supports **Just In Time** user provisioning
+* SmartDraw supports **SP and IDP** initiated SSO.
+* SmartDraw supports **Just In Time** user provisioning.
-## Adding SmartDraw from the gallery
+## Add SmartDraw from the gallery
To configure the integration of SmartDraw into Azure AD, you need to add SmartDraw from the gallery to your list of managed SaaS apps.
-1. Sign in to the [Azure portal](https://portal.azure.com) using either a work or school account, or a personal Microsoft account.
+1. Sign in to the Azure portal using either a work or school account, or a personal Microsoft account.
1. On the left navigation pane, select the **Azure Active Directory** service. 1. Navigate to **Enterprise Applications** and then select **All Applications**. 1. To add new application, select **New application**. 1. In the **Add from the gallery** section, type **SmartDraw** in the search box. 1. Select **SmartDraw** from results panel and then add the app. Wait a few seconds while the app is added to your tenant.
-## Configure and test Azure AD single sign-on for SmartDraw
+## Configure and test Azure AD SSO for SmartDraw
Configure and test Azure AD SSO with SmartDraw using a test user called **B.Simon**. For SSO to work, you need to establish a link relationship between an Azure AD user and the related user in SmartDraw.
-To configure and test Azure AD SSO with SmartDraw, complete the following building blocks:
+To configure and test Azure AD SSO with SmartDraw, perform the following steps:
1. **[Configure Azure AD SSO](#configure-azure-ad-sso)** - to enable your users to use this feature.
- * **[Create an Azure AD test user](#create-an-azure-ad-test-user)** - to test Azure AD single sign-on with B.Simon.
- * **[Assign the Azure AD test user](#assign-the-azure-ad-test-user)** - to enable B.Simon to use Azure AD single sign-on.
+ 1. **[Create an Azure AD test user](#create-an-azure-ad-test-user)** - to test Azure AD single sign-on with B.Simon.
+ 1. **[Assign the Azure AD test user](#assign-the-azure-ad-test-user)** - to enable B.Simon to use Azure AD single sign-on.
1. **[Configure SmartDraw SSO](#configure-smartdraw-sso)** - to configure the single sign-on settings on application side.
- * **[Create SmartDraw test user](#create-smartdraw-test-user)** - to have a counterpart of B.Simon in SmartDraw that is linked to the Azure AD representation of user.
+ 1. **[Create SmartDraw test user](#create-smartdraw-test-user)** - to have a counterpart of B.Simon in SmartDraw that is linked to the Azure AD representation of user.
1. **[Test SSO](#test-sso)** - to verify whether the configuration works. ## Configure Azure AD SSO Follow these steps to enable Azure AD SSO in the Azure portal.
-1. In the [Azure portal](https://portal.azure.com/), on the **SmartDraw** application integration page, find the **Manage** section and select **single sign-on**.
+1. In the Azure portal, on the **SmartDraw** application integration page, find the **Manage** section and select **single sign-on**.
1. On the **Select a single sign-on method** page, select **SAML**.
-1. On the **Set up single sign-on with SAML** page, click the edit/pen icon for **Basic SAML Configuration** to edit the settings.
+1. On the **Set up single sign-on with SAML** page, click the pencil icon for **Basic SAML Configuration** to edit the settings.
![Edit Basic SAML Configuration](common/edit-urls.png)
Follow these steps to enable Azure AD SSO in the Azure portal.
1. Click **Set additional URLs** and perform the following step if you wish to configure the application in **SP** initiated mode: In the **Sign-on URL** text box, type a URL using the following pattern:
- `https://cloud.smartdraw.com/sso/saml/login/<domain>`
+ `https://cloud.smartdraw.com/sso/saml/login/<DOMAIN>`
> [!NOTE] > The Sign-on URL value is not real. You will update the Sign-on URL value with the actual Sign-on URL, which is explained later in the tutorial. You can also refer to the patterns shown in the **Basic SAML Configuration** section in the Azure portal.
In this section, you'll enable B.Simon to use Azure single sign-on by granting a
1. In the Azure portal, select **Enterprise Applications**, and then select **All applications**. 1. In the applications list, select **SmartDraw**. 1. In the app's overview page, find the **Manage** section and select **Users and groups**.-
- ![The "Users and groups" link](common/users-groups-blade.png)
- 1. Select **Add user**, then select **Users and groups** in the **Add Assignment** dialog.-
- ![The Add User link](common/add-assign-user.png)
- 1. In the **Users and groups** dialog, select **B.Simon** from the Users list, then click the **Select** button at the bottom of the screen. 1. If you're expecting any role value in the SAML assertion, in the **Select Role** dialog, select the appropriate role for the user from the list and then click the **Select** button at the bottom of the screen. 1. In the **Add Assignment** dialog, click the **Assign** button.
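Review bot: the role-assignment step in the last line of this hunk ("If you're expecting any role value in the SAML assertion, in the **Select Role** dialog...") keeps the old wording, while the Skillport and Soloinsight-CloudGate hunks in this same update were rewritten to the current portal UI ("you can select it from the **Select a role** dropdown. If no role has been set up for this app, you see "Default Access" role selected"); update it to match so the three tutorials describe the same dialog. The stray `-` at the end of "select **Users and groups**." and "**Add Assignment** dialog." looks like deleted blank lines fused onto the context lines in this rendering rather than text; confirm the source still has a blank line where each removed screenshot was, or the list numbering will restart.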
In this section, you'll enable B.Simon to use Azure single sign-on by granting a
1. Click on **Single Sign-On** under Manage your SmartDraw License.
- ![Screenshot shows the Manage your SmartDraw License dialog box where you can select Single Sign-On.](./media/smartdraw-tutorial/configure01.png)
+ ![Screenshot shows the Manage your SmartDraw License dialog box where you can select Single Sign-On.](./media/smartdraw-tutorial/single-sign-on.png)
1. On the Configuration page, perform the following steps:
- ![Screenshot shows the Configuration page where you can enter the values described.](./media/smartdraw-tutorial/configure02.png)
+ ![Screenshot shows the Configuration page where you can enter the values described.](./media/smartdraw-tutorial/configuration.png)
a. In the **Your Domain (like acme.com)** textbox, type your domain.
In this section, a user called B.Simon is created in SmartDraw. SmartDraw suppor
## Test SSO
-In this section, you test your Azure AD single sign-on configuration using the Access Panel.
+In this section, you test your Azure AD single sign-on configuration with following options.
+
+#### SP initiated:
+
+* Click on **Test this application** in Azure portal. This will redirect to SmartDraw Sign on URL where you can initiate the login flow.
-When you click the SmartDraw tile in the Access Panel, you should be automatically signed in to the SmartDraw for which you set up SSO. For more information about the Access Panel, see [Introduction to the Access Panel](../user-help/my-apps-portal-end-user-access.md).
+* Go to SmartDraw Sign-on URL directly and initiate the login flow from there.
-## Additional resources
+#### IDP initiated:
-- [ List of Tutorials on How to Integrate SaaS Apps with Azure Active Directory ](./tutorial-list.md)
+* Click on **Test this application** in Azure portal and you should be automatically signed in to the SmartDraw for which you set up the SSO.
-- [What is application access and single sign-on with Azure Active Directory? ](../manage-apps/what-is-single-sign-on.md)
+You can also use Microsoft My Apps to test the application in any mode. When you click the SmartDraw tile in the My Apps, if configured in SP mode you would be redirected to the application sign on page for initiating the login flow and if configured in IDP mode, you should be automatically signed in to the SmartDraw for which you set up the SSO. For more information about the My Apps, see [Introduction to the My Apps](../user-help/my-apps-portal-end-user-access.md).
-- [What is conditional access in Azure Active Directory?](../conditional-access/overview.md)
+## Next steps
-- [Try SmartDraw with Azure AD](https://aad.portal.azure.com/)
+Once you configure SmartDraw you can enforce session control, which protects exfiltration and infiltration of your organizationΓÇÖs sensitive data in real time. Session control extends from Conditional Access. [Learn how to enforce session control with Microsoft Cloud App Security](/cloud-app-security/proxy-deployment-aad).
active-directory Soloinsight Cloudgate Sso Tutorial https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/active-directory/saas-apps/soloinsight-cloudgate-sso-tutorial.md
Previously updated : 05/06/2019 Last updated : 05/24/2021
In this tutorial, you'll learn how to integrate Soloinsight-CloudGate SSO with A
* Enable your users to be automatically signed-in to Soloinsight-CloudGate SSO with their Azure AD accounts. * Manage your accounts in one central location - the Azure portal.
-To learn more about SaaS app integration with Azure AD, see [What is application access and single sign-on with Azure Active Directory](../manage-apps/what-is-single-sign-on.md).
- ## Prerequisites To get started, you need the following items:
-* An Azure AD subscription. If you don't have a subscription, you can get one-month free trial [here](https://azure.microsoft.com/pricing/free-trial/).
+* An Azure AD subscription. If you don't have a subscription, you can get a [free account](https://azure.microsoft.com/free/).
* Soloinsight-CloudGate SSO single sign-on (SSO) enabled subscription. ## Scenario description
-In this tutorial, you configure and test Azure AD SSO in a test environment. Soloinsight-CloudGate SSO supports **SP** initiated SSO.
+In this tutorial, you configure and test Azure AD SSO in a test environment.
+
+* Soloinsight-CloudGate SSO supports **SP** initiated SSO.
-## Adding Soloinsight-CloudGate SSO from the gallery
+## Add Soloinsight-CloudGate SSO from the gallery
To configure the integration of Soloinsight-CloudGate SSO into Azure AD, you need to add Soloinsight-CloudGate SSO from the gallery to your list of managed SaaS apps.
-1. Sign in to the [Azure portal](https://portal.azure.com) using either a work or school account, or a personal Microsoft account.
+1. Sign in to the Azure portal using either a work or school account, or a personal Microsoft account.
1. On the left navigation pane, select the **Azure Active Directory** service. 1. Navigate to **Enterprise Applications** and then select **All Applications**. 1. To add new application, select **New application**. 1. In the **Add from the gallery** section, type **Soloinsight-CloudGate SSO** in the search box. 1. Select **Soloinsight-CloudGate SSO** from results panel and then add the app. Wait a few seconds while the app is added to your tenant.
-## Configure and test Azure AD single sign-on
+## Configure and test Azure AD SSO for Soloinsight-CloudGate SSO
-Configure and test Azure AD SSO with Soloinsight-CloudGate SSO using a test user called **Britta Simon**. For SSO to work, you need to establish a link relationship between an Azure AD user and the related user in Soloinsight-CloudGate SSO.
+Configure and test Azure AD SSO with Soloinsight-CloudGate SSO using a test user called **B.Simon**. For SSO to work, you need to establish a link relationship between an Azure AD user and the related user in Soloinsight-CloudGate SSO.
-To configure and test Azure AD SSO with Soloinsight-CloudGate SSO, complete the following building blocks:
+To configure and test Azure AD SSO with Soloinsight-CloudGate SSO, perform the following steps:
-1. **[Configure Azure AD SSO](#configure-azure-ad-sso)** to enable your users to use this feature.
-2. **[Configure Soloinsight-CloudGate SSO](#configure-soloinsight-cloudgate-sso)** to configure the SSO settings on application side.
-3. **[Create an Azure AD test user](#create-an-azure-ad-test-user)** to test Azure AD single sign-on with Britta Simon.
-4. **[Assign the Azure AD test user](#assign-the-azure-ad-test-user)** to enable Britta Simon to use Azure AD single sign-on.
-5. **[Create Soloinsight-CloudGate SSO test user](#create-soloinsight-cloudgate-sso-test-user)** to have a counterpart of Britta Simon in Soloinsight-CloudGate SSO that is linked to the Azure AD representation of user.
-6. **[Test SSO](#test-sso)** to verify whether the configuration works.
+1. **[Configure Azure AD SSO](#configure-azure-ad-sso)** - to enable your users to use this feature.
+ 1. **[Create an Azure AD test user](#create-an-azure-ad-test-user)** - to test Azure AD single sign-on with B.Simon.
+ 1. **[Assign the Azure AD test user](#assign-the-azure-ad-test-user)** - to enable B.Simon to use Azure AD single sign-on.
+1. **[Configure Soloinsight-CloudGate SSO](#configure-soloinsight-cloudgate-sso)** - to configure the single sign-on settings on application side.
+ 1. **[Create Soloinsight-CloudGate SSO test user](#create-soloinsight-cloudgate-sso-test-user)** - to have a counterpart of B.Simon in Soloinsight-CloudGate SSO that is linked to the Azure AD representation of user.
+1. **[Test SSO](#test-sso)** - to verify whether the configuration works.
### Configure Azure AD SSO
Follow these steps to enable Azure AD SSO in the Azure portal.
![Copy configuration URLs](common/copy-configuration-urls.png)
-### Configure Soloinsight-CloudGate SSO
+### Create an Azure AD test user
+
+In this section, you'll create a test user in the Azure portal called B.Simon.
+
+1. From the left pane in the Azure portal, select **Azure Active Directory**, select **Users**, and then select **All users**.
+1. Select **New user** at the top of the screen.
+1. In the **User** properties, follow these steps:
+ 1. In the **Name** field, enter `B.Simon`.
+ 1. In the **User name** field, enter the username@companydomain.extension. For example, `B.Simon@contoso.com`.
+ 1. Select the **Show password** check box, and then write down the value that's displayed in the **Password** box.
+ 1. Click **Create**.
+
+### Assign the Azure AD test user
+
+In this section, you'll enable B.Simon to use Azure single sign-on by granting access to Soloinsight-CloudGate SSO.
+
+1. In the Azure portal, select **Enterprise Applications**, and then select **All applications**.
+1. In the applications list, select **Soloinsight-CloudGate SSO**.
+1. In the app's overview page, find the **Manage** section and select **Users and groups**.
+1. Select **Add user**, then select **Users and groups** in the **Add Assignment** dialog.
+1. In the **Users and groups** dialog, select **B.Simon** from the Users list, then click the **Select** button at the bottom of the screen.
+1. If you are expecting a role to be assigned to the users, you can select it from the **Select a role** dropdown. If no role has been set up for this app, you see "Default Access" role selected.
+1. In the **Add Assignment** dialog, click the **Assign** button.
+
+## Configure Soloinsight-CloudGate SSO
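Review bot: heading levels are now inconsistent: `## Configure Soloinsight-CloudGate SSO` is promoted to level 2 here, but `### Configure Azure AD SSO` (the context line just above "Follow these steps to enable Azure AD SSO in the Azure portal.") stays at level 3, so the `### Create an Azure AD test user` and `### Assign the Azure AD test user` subsections added in this hunk sit at the same level as the section they belong to instead of under it. Promote `### Configure Azure AD SSO` to `##`, as the Skillport and SmartDraw tutorials in this update do; the overview list's anchors (`#configure-azure-ad-sso` and the rest) are unaffected by the level change.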
1. To automate the configuration within Soloinsight-CloudGate SSO, you need to install **My Apps Secure Sign-in browser extension** by clicking **Install the extension**.
Follow these steps to enable Azure AD SSO in the Azure portal.
4. To get the values that are to be pasted in the Azure portal while configuring Basic SAML, sign in to the CloudGate Web Portal using your credentials then access the SSO settings, which can be found on the following path **Home>Administration>System settings>General**.
- ![CloudGate SSO Settings](./media/soloinsight-cloudgate-sso-tutorial/sso-main-settings.png)
+ ![CloudGate SSO Settings](./media/soloinsight-cloudgate-sso-tutorial/main-settings.png)
5. **SAML Consumer URL** * Copy the links available against the **Saml Consumer URL** and the **Redirect URL** fields and paste them in the Azure portal **Basic SAML Configuration** section for **Identifier (Entity ID)** and **Reply URL** fields respectively.
- ![SAMLIdentifier](./media/soloinsight-cloudgate-sso-tutorial/saml-identifier.png)
+ ![SAMLIdentifier](./media/soloinsight-cloudgate-sso-tutorial/identifier.png)
6. **SAML Signing Certificate**
Follow these steps to enable Azure AD SSO in the Azure portal.
![Ad login](./media/soloinsight-cloudgate-sso-tutorial/ad-login.png)
-### Create an Azure AD test user
-
-In this section, you'll create a test user in the Azure portal called Britta Simon.
-
-1. From the left pane in the Azure portal, select **Azure Active Directory**, select **Users**, and then select **All users**.
-1. Select **New user** at the top of the screen.
-1. In the **User** properties, follow these steps:
- 1. In the **Name** field, enter `Britta Simon`.
- 1. In the **User name** field, enter the username@companydomain.extension. For example, `BrittaSimon@contoso.com`.
- 1. Select the **Show password** check box, and then write down the value that's displayed in the **Password** box.
- 1. Click **Create**.
-
-### Assign the Azure AD test user
-
-In this section, you'll enable Britta Simon to use Azure single sign-on by granting access to Soloinsight-CloudGate SSO.
-
-1. In the Azure portal, select **Enterprise Applications**, and then select **All applications**.
-1. In the applications list, select **Soloinsight-CloudGate SSO**.
-1. In the app's overview page, find the **Manage** section and select **Users and groups**.
-
- ![The "Users and groups" link](common/users-groups-blade.png)
-
-1. Select **Add user**, then select **Users and groups** in the **Add Assignment** dialog.
-
- ![The Add User link](common/add-assign-user.png)
-
-1. In the **Users and groups** dialog, select **Britta Simon** from the Users list, then click the **Select** button at the bottom of the screen.
-1. If you're expecting any role value in the SAML assertion, in the **Select Role** dialog, select the appropriate role for the user from the list and then click the **Select** button at the bottom of the screen.
-1. In the **Add Assignment** dialog, click the **Assign** button.
- ### Create Soloinsight-CloudGate SSO test user To Create a test user, Select **Employees** from the main menu of your CloudGate Web Portal and fill out the Add New employee form. The Authority Level that is to be assigned to the test user is **Business Admin** Click on **Create** once all the required fields are filled. ![Employee test](./media/soloinsight-cloudgate-sso-tutorial/employee-test.png)
-### Test SSO
+## Test SSO
+
+In this section, you test your Azure AD single sign-on configuration with following options.
-When you select the Soloinsight-CloudGate SSO tile in the Access Panel, you should be automatically signed in to the Soloinsight-CloudGate SSO for which you set up SSO. For more information about the Access Panel, see [Introduction to the Access Panel](../user-help/my-apps-portal-end-user-access.md).
+* Click on **Test this application** in Azure portal. This will redirect to Soloinsight-CloudGate SSO Sign-on URL where you can initiate the login flow.
-## Additional Resources
+* Go to Soloinsight-CloudGate SSO Sign-on URL directly and initiate the login flow from there.
-- [List of Tutorials on How to Integrate SaaS Apps with Azure Active Directory](./tutorial-list.md)
+* You can use Microsoft My Apps. When you click the Soloinsight-CloudGate SSO tile in the My Apps, this will redirect to Soloinsight-CloudGate SSO Sign-on URL. For more information about the My Apps, see [Introduction to the My Apps](../user-help/my-apps-portal-end-user-access.md).
-- [What is application access and single sign-on with Azure Active Directory?](../manage-apps/what-is-single-sign-on.md)
+## Next steps
-- [What is Conditional Access in Azure Active Directory?](../conditional-access/overview.md)
+Once you configure Soloinsight-CloudGate SSO you can enforce session control, which protects exfiltration and infiltration of your organizationΓÇÖs sensitive data in real time. Session control extends from Conditional Access. [Learn how to enforce session control with Microsoft Cloud App Security](/cloud-app-security/proxy-deployment-aad).
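Review bot: In the new Next steps sentence, "organizationΓÇÖs" is a mis-decoded curly apostrophe; make sure the committed file contains a plain apostrophe ("organization's") so the rendered page does not show the garbage characters. Two smaller wording fixes in the new Test SSO lines: "with following options" should read "with the following options", and "in Azure portal" should read "in the Azure portal".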
active-directory Splashtop Tutorial https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/active-directory/saas-apps/splashtop-tutorial.md
Previously updated : 02/04/2020 Last updated : 05/19/2021
In this tutorial, you'll learn how to integrate Splashtop with Azure Active Dire
* Enable your users to be automatically signed-in to Splashtop with their Azure AD accounts. * Manage your accounts in one central location - the Azure portal.
-To learn more about SaaS app integration with Azure AD, see [What is application access and single sign-on with Azure Active Directory](../manage-apps/what-is-single-sign-on.md).
- ## Prerequisites To get started, you need the following items:
To get started, you need the following items:
In this tutorial, you configure and test Azure AD SSO in a test environment.
-* Splashtop supports **SP** initiated SSO
+* Splashtop supports **SP** initiated SSO.
-* Once you configure the Splashtop you can enforce session controls, which protect exfiltration and infiltration of your organizationΓÇÖs sensitive data in real time. Session controls extend from Conditional Access. [Learn how to enforce session control with Microsoft Cloud App Security](/cloud-app-security/proxy-deployment-any-app).
+> [!NOTE]
+> Identifier of this application is a fixed string value so only one instance can be configured in one tenant.
-## Adding Splashtop from the gallery
+## Add Splashtop from the gallery
To configure the integration of Splashtop into Azure AD, you need to add Splashtop from the gallery to your list of managed SaaS apps.
-1. Sign in to the [Azure portal](https://portal.azure.com) using either a work or school account, or a personal Microsoft account.
+1. Sign in to the Azure portal using either a work or school account, or a personal Microsoft account.
1. On the left navigation pane, select the **Azure Active Directory** service. 1. Navigate to **Enterprise Applications** and then select **All Applications**. 1. To add new application, select **New application**. 1. In the **Add from the gallery** section, type **Splashtop** in the search box. 1. Select **Splashtop** from results panel and then add the app. Wait a few seconds while the app is added to your tenant. -
-## Configure and test Azure AD single sign-on for Splashtop
+## Configure and test Azure AD SSO for Splashtop
Configure and test Azure AD SSO with Splashtop using a test user called **B.Simon**. For SSO to work, you need to establish a link relationship between an Azure AD user and the related user in Splashtop.
-To configure and test Azure AD SSO with Splashtop, complete the following building blocks:
+To configure and test Azure AD SSO with Splashtop, perform the following steps:
1. **[Configure Azure AD SSO](#configure-azure-ad-sso)** - to enable your users to use this feature.
- * **[Create an Azure AD test user](#create-an-azure-ad-test-user)** - to test Azure AD single sign-on with B.Simon.
- * **[Assign the Azure AD test user](#assign-the-azure-ad-test-user)** - to enable B.Simon to use Azure AD single sign-on.
+ 1. **[Create an Azure AD test user](#create-an-azure-ad-test-user)** - to test Azure AD single sign-on with B.Simon.
+ 1. **[Assign the Azure AD test user](#assign-the-azure-ad-test-user)** - to enable B.Simon to use Azure AD single sign-on.
1. **[Configure Splashtop SSO](#configure-splashtop-sso)** - to configure the single sign-on settings on application side.
- * **[Create Splashtop test user](#create-splashtop-test-user)** - to have a counterpart of B.Simon in Splashtop that is linked to the Azure AD representation of user.
+ 1. **[Create Splashtop test user](#create-splashtop-test-user)** - to have a counterpart of B.Simon in Splashtop that is linked to the Azure AD representation of user.
1. **[Test SSO](#test-sso)** - to verify whether the configuration works. ## Configure Azure AD SSO Follow these steps to enable Azure AD SSO in the Azure portal.
-1. In the [Azure portal](https://portal.azure.com/), on the **Splashtop** application integration page, find the **Manage** section and select **single sign-on**.
+1. In the Azure portal, on the **Splashtop** application integration page, find the **Manage** section and select **single sign-on**.
1. On the **Select a single sign-on method** page, select **SAML**.
-1. On the **Set-up single sign-on with SAML** page, click the edit/pen icon for **Basic SAML Configuration** to edit the settings.
+1. On the **Set-up single sign-on with SAML** page, click the pencil icon for **Basic SAML Configuration** to edit the settings.
![Edit Basic SAML Configuration](common/edit-urls.png)
-1. On the **Basic SAML Configuration** section, enter the values for the following fields:
+1. On the **Basic SAML Configuration** section, perform the following step:
In the **Sign-on URL** text box, type the URL: `https://my.splashtop.com/login/sso`
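Review bot: The rewritten step "On the **Set-up single sign-on with SAML** page, click the pencil icon" keeps the hyphenated "Set-up", while the SpringCM and Sprinklr hunks in this same update write the page title as "Set up single sign-on with SAML"; use the portal's spelling consistently across the three tutorials. The new note "Identifier of this application is a fixed string value so only one instance can be configured in one tenant" should start with "The identifier"; its content is consistent with the Basic SAML Configuration step below, which asks only for the fixed Sign-on URL `https://my.splashtop.com/login/sso` and no Identifier (Entity ID).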
In this section, you'll enable B.Simon to use Azure single sign-on by granting a
1. In the Azure portal, select **Enterprise Applications**, and then select **All applications**. 1. In the applications list, select **Splashtop**. 1. In the app's overview page, find the **Manage** section and select **Users and groups**.-
- ![The "Users and groups" link](common/users-groups-blade.png)
- 1. Select **Add user**, then select **Users and groups** in the **Add Assignment** dialog.-
- ![The Add User link](common/add-assign-user.png)
- 1. In the **Users and groups** dialog, select **B.Simon** from the Users list, then click the **Select** button at the bottom of the screen.
-1. If you're expecting any role value in the SAML assertion, in the **Select Role** dialog, select the appropriate role for the user from the list and then click the **Select** button at the bottom of the screen.
+1. If you are expecting a role to be assigned to the users, you can select it from the **Select a role** dropdown. If no role has been set up for this app, you see "Default Access" role selected.
1. In the **Add Assignment** dialog, click the **Assign** button. ## Configure Splashtop SSO
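Review bot: The steps "1. Select **Add user**, then select **Users and groups** in the **Add Assignment** dialog." and "1. In the **Users and groups** dialog, select **B.Simon** from the Users list" appear here with a leading "-" that seems to come only from the removed blank lines around the deleted screenshots; confirm both steps are still present in the file after this change, because the assignment procedure does not work without them. In the rewritten role step, "you see "Default Access" role selected" should read "you see the "Default Access" role selected".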
In this section, you'll enable B.Simon to use Azure single sign-on by granting a
In this section, you will need to apply for a new SSO method from [Splashtop web portal](https://my.splashtop.com/login). 1. In the Splashtop web portal, go to **Account info** / **Team** tab, scroll down to find **Single Sign On** section. Then click **Apply for new SSO method**.
- ![Screenshot shows the Single Sign On page where you can select Apply for new S S O method.](media/splashtop-tutorial/apply-for-new-SSO-method.png)
+ ![Screenshot shows the Single Sign On page where you can select Apply for new S S O method.](media/splashtop-tutorial/new-method.png)
1. On the applying window, give an **SSO name**. For example, New Azure, then select **Azure** as the IDP type, and insert **Login URL** and **Azure AD Identifier** copied from Splashtop application on Azure portal.
- ![Screenshot shows the Apply for S S O method page where you can enter a name and other information.](media/splashtop-tutorial/azure-sso-1.png)
+ ![Screenshot shows the Apply for S S O method page where you can enter a name and other information.](media/splashtop-tutorial/new-azure.png)
1. For certificate info, right-click on the cert file downloaded from Splashtop application on Azure portal, edit it with Notepad, then copy the contents, paste it in **Download Certificate (Base64)** field.
- ![Screenshot show selecting a certificate file and opening it with Notepad.](media/splashtop-tutorial/cert-1.png)
- ![Screenshot shows the contents of the certificate file.](media/splashtop-tutorial/cert-2.png)
- ![Screenshot shows the Download Certificate text box.](media/splashtop-tutorial/azure-sso-2.png)
+ ![Screenshot show selecting a certificate file and opening it with Notepad.](media/splashtop-tutorial/certificate.png)
+ ![Screenshot shows the contents of the certificate file.](media/splashtop-tutorial/file.png)
+ ![Screenshot shows the Download Certificate text box.](media/splashtop-tutorial/azure.png)
1. That's it! Click **Save** and Splashtop SSO validation team will contact you for the verification info, then activate the SSO method.
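Review bot: The six screenshot references are renamed (for example `apply-for-new-SSO-method.png` becomes `new-method.png` and `azure-sso-2.png` becomes `azure.png`); the image files under media/splashtop-tutorial/ must be renamed in the same commit and the old files removed, otherwise the tutorial ships with broken images. While touching the alt text, "Screenshot show selecting a certificate file" should read "Screenshot shows selecting a certificate file".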
In this section, you will need to apply for a new SSO method from [Splashtop web
## Test SSO
-In this section, you test your Azure AD single sign-on configuration using the Access Panel.
-
-When you click the Splashtop tile in the Access Panel, you should be automatically signed in to the Splashtop for which you set up SSO. For more information about the Access Panel, see [Introduction to the Access Panel](../user-help/my-apps-portal-end-user-access.md).
-
-## Additional resources
--- [ List of Tutorials on How to Integrate SaaS Apps with Azure Active Directory ](./tutorial-list.md)
+In this section, you test your Azure AD single sign-on configuration with following options.
-- [What is application access and single sign-on with Azure Active Directory? ](../manage-apps/what-is-single-sign-on.md)
+* Click on **Test this application** in Azure portal. This will redirect to Splashtop Sign-on URL where you can initiate the login flow.
-- [What is conditional access in Azure Active Directory?](../conditional-access/overview.md)
+* Go to Splashtop Sign-on URL directly and initiate the login flow from there.
-- [Try Splashtop with Azure AD](https://aad.portal.azure.com/)
+* You can use Microsoft My Apps. When you click the Splashtop tile in the My Apps, this will redirect to Splashtop Sign-on URL. For more information about the My Apps, see [Introduction to the My Apps](../user-help/my-apps-portal-end-user-access.md).
-- [What is session control in Microsoft Cloud App Security?](/cloud-app-security/proxy-intro-aad)
+## Next steps
-- [How to protect Splashtop with advanced visibility and controls](/cloud-app-security/proxy-intro-aad)
+Once you configure Splashtop you can enforce session control, which protects exfiltration and infiltration of your organizationΓÇÖs sensitive data in real time. Session control extends from Conditional Access. [Learn how to enforce session control with Microsoft Cloud App Security](/cloud-app-security/proxy-deployment-aad).
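Review bot: The session-control link target changes in this update: the sentence removed from Scenario description pointed at `/cloud-app-security/proxy-deployment-any-app`, while the new Next steps sentence points at `/cloud-app-security/proxy-deployment-aad`; confirm the Azure AD deployment page is the intended target for Splashtop. The new lines also carry the same apostrophe encoding problem ("organizationΓÇÖs") and wording issues ("with following options", "in Azure portal", "in the My Apps") as the Soloinsight-CloudGate Test SSO and Next steps lines above.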
active-directory Spring Cm Tutorial https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/active-directory/saas-apps/spring-cm-tutorial.md
Previously updated : 04/08/2019 Last updated : 05/24/2021 # Tutorial: Azure Active Directory integration with SpringCM
-In this tutorial, you learn how to integrate SpringCM with Azure Active Directory (Azure AD).
-Integrating SpringCM with Azure AD provides you with the following benefits:
+In this tutorial, you'll learn how to integrate SpringCM with Azure Active Directory (Azure AD). When you integrate SpringCM with Azure AD, you can:
-* You can control in Azure AD who has access to SpringCM.
-* You can enable your users to be automatically signed-in to SpringCM (Single Sign-On) with their Azure AD accounts.
-* You can manage your accounts in one central location - the Azure portal.
-
-If you want to know more details about SaaS app integration with Azure AD, see [What is application access and single sign-on with Azure Active Directory](../manage-apps/what-is-single-sign-on.md).
-If you don't have an Azure subscription, [create a free account](https://azure.microsoft.com/free/) before you begin.
+* Control in Azure AD who has access to SpringCM.
+* Enable your users to be automatically signed-in to SpringCM with their Azure AD accounts.
+* Manage your accounts in one central location - the Azure portal.
## Prerequisites To configure Azure AD integration with SpringCM, you need the following items:
-* An Azure AD subscription. If you don't have an Azure AD environment, you can get a [free account](https://azure.microsoft.com/free/)
-* SpringCM single sign-on enabled subscription
+* An Azure AD subscription. If you don't have an Azure AD environment, you can get a [free account](https://azure.microsoft.com/free/).
+* SpringCM single sign-on enabled subscription.
## Scenario description In this tutorial, you configure and test Azure AD single sign-on in a test environment.
-* SpringCM supports **SP** initiated SSO
-
-## Adding SpringCM from the gallery
-
-To configure the integration of SpringCM into Azure AD, you need to add SpringCM from the gallery to your list of managed SaaS apps.
-
-**To add SpringCM from the gallery, perform the following steps:**
-
-1. In the **[Azure portal](https://portal.azure.com)**, on the left navigation panel, click the **Azure Active Directory** icon.
-
- ![The Azure Active Directory button](common/select-azuread.png)
-
-2. Navigate to **Enterprise Applications** and then select the **All Applications** option.
-
- ![The Enterprise applications blade](common/enterprise-applications.png)
-
-3. To add a new application, click the **New application** button at the top of the dialog.
-
- ![The New application button](common/add-new-app.png)
-
-4. In the search box, type **SpringCM**, select **SpringCM** from the result panel then click the **Add** button to add the application.
-
- ![SpringCM in the results list](common/search-new-app.png)
+* SpringCM supports **SP** initiated SSO.
-## Configure and test Azure AD single sign-on
-
-In this section, you configure and test Azure AD single sign-on with SpringCM based on a test user called **Britta Simon**.
-For single sign-on to work, a link relationship between an Azure AD user and the related user in SpringCM needs to be established.
+> [!NOTE]
+> Identifier of this application is a fixed string value so only one instance can be configured in one tenant.
-To configure and test Azure AD single sign-on with SpringCM, you need to complete the following building blocks:
+## Add SpringCM from the gallery
-1. **[Configure Azure AD Single Sign-On](#configure-azure-ad-single-sign-on)** - to enable your users to use this feature.
-2. **[Configure SpringCM Single Sign-On](#configure-springcm-single-sign-on)** - to configure the Single Sign-On settings on application side.
-3. **[Create an Azure AD test user](#create-an-azure-ad-test-user)** - to test Azure AD single sign-on with Britta Simon.
-4. **[Assign the Azure AD test user](#assign-the-azure-ad-test-user)** - to enable Britta Simon to use Azure AD single sign-on.
-5. **[Create SpringCM test user](#create-springcm-test-user)** - to have a counterpart of Britta Simon in SpringCM that is linked to the Azure AD representation of user.
-6. **[Test single sign-on](#test-single-sign-on)** - to verify whether the configuration works.
+To configure the integration of SpringCM into Azure AD, you need to add SpringCM from the gallery to your list of managed SaaS apps.
-### Configure Azure AD single sign-on
+1. Sign in to the Azure portal using either a work or school account, or a personal Microsoft account.
+1. On the left navigation pane, select the **Azure Active Directory** service.
+1. Navigate to **Enterprise Applications** and then select **All Applications**.
+1. To add new application, select **New application**.
+1. In the **Add from the gallery** section, type **SpringCM** in the search box.
+1. Select **SpringCM** from results panel and then add the app. Wait a few seconds while the app is added to your tenant.
-In this section, you enable Azure AD single sign-on in the Azure portal.
+## Configure and test Azure AD SSO for SpringCM
-To configure Azure AD single sign-on with SpringCM, perform the following steps:
+Configure and test Azure AD SSO with SpringCM using a test user called **B.Simon**. For SSO to work, you need to establish a link relationship between an Azure AD user and the related user in SpringCM.
-1. In the [Azure portal](https://portal.azure.com/), on the **SpringCM** application integration page, select **Single sign-on**.
+To configure and test Azure AD SSO with SpringCM, perform the following steps:
- ![Configure single sign-on link](common/select-sso.png)
+1. **[Configure Azure AD SSO](#configure-azure-ad-sso)** - to enable your users to use this feature.
+ 1. **[Create an Azure AD test user](#create-an-azure-ad-test-user)** - to test Azure AD single sign-on with B.Simon.
+ 1. **[Assign the Azure AD test user](#assign-the-azure-ad-test-user)** - to enable B.Simon to use Azure AD single sign-on.
+1. **[Configure SpringCM SSO](#configure-springcm-sso)** - to configure the single sign-on settings on application side.
+ 1. **[Create SpringCM test user](#create-springcm-test-user)** - to have a counterpart of B.Simon in SpringCM that is linked to the Azure AD representation of user.
+1. **[Test SSO](#test-sso)** - to verify whether the configuration works.
-2. On the **Select a Single sign-on method** dialog, select **SAML/WS-Fed** mode to enable single sign-on.
+## Configure Azure AD SSO
- ![Single sign-on select mode](common/select-saml-option.png)
+Follow these steps to enable Azure AD SSO in the Azure portal.
-3. On the **Set up Single Sign-On with SAML** page, click **Edit** icon to open **Basic SAML Configuration** dialog.
+1. In the Azure portal, on the **SpringCM** application integration page, find the **Manage** section and select **single sign-on**.
+1. On the **Select a single sign-on method** page, select **SAML**.
+1. On the **Set up single sign-on with SAML** page, click the pencil icon for **Basic SAML Configuration** to edit the settings.
- ![Edit Basic SAML Configuration](common/edit-urls.png)
+ ![Edit Basic SAML Configuration](common/edit-urls.png)
4. On the **Basic SAML Configuration** section, perform the following steps:
- ![SpringCM Domain and URLs single sign-on information](common/sp-signonurl.png)
- In the **Sign-on URL** text box, type a URL using the following pattern:
- `https://na11.springcm.com/atlas/SSO/SSOEndpoint.ashx?aid=<identifier>`
+ `https://na11.springcm.com/atlas/SSO/SSOEndpoint.ashx?aid=<IDENTIFIER>`
> [!NOTE] > The value is not real. Update the value with the actual Sign-On URL. Contact [SpringCM Client support team](https://knowledge.springcm.com/support) to get the value. You can also refer to the patterns shown in the **Basic SAML Configuration** section in the Azure portal.
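Review bot: The unchanged step "4. On the **Basic SAML Configuration** section, perform the following steps:" now follows three rewritten steps that use the "1." auto-numbering style, so the source is inconsistent; renumber it to "1." while editing this block. The Sign-on URL pattern only changes the placeholder case (`<identifier>` to `<IDENTIFIER>`), and the new fixed-identifier note is consistent with this tutorial configuring only a Sign-on URL and no Identifier (Entity ID). Minor wording in the new gallery steps: "To add new application" and "from results panel" are missing "a" and "the".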
To configure Azure AD single sign-on with SpringCM, perform the following steps:
![Copy configuration URLs](common/copy-configuration-urls.png)
- a. Login URL
+### Create an Azure AD test user
+
+In this section, you'll create a test user in the Azure portal called B.Simon.
- b. Azure AD Identifier
+1. From the left pane in the Azure portal, select **Azure Active Directory**, select **Users**, and then select **All users**.
+1. Select **New user** at the top of the screen.
+1. In the **User** properties, follow these steps:
+ 1. In the **Name** field, enter `B.Simon`.
+ 1. In the **User name** field, enter the username@companydomain.extension. For example, `B.Simon@contoso.com`.
+ 1. Select the **Show password** check box, and then write down the value that's displayed in the **Password** box.
+ 1. Click **Create**.
- c. Logout URL
+### Assign the Azure AD test user
+
+In this section, you'll enable B.Simon to use Azure single sign-on by granting access to SpringCM.
+
+1. In the Azure portal, select **Enterprise Applications**, and then select **All applications**.
+1. In the applications list, select **SpringCM**.
+1. In the app's overview page, find the **Manage** section and select **Users and groups**.
+1. Select **Add user**, then select **Users and groups** in the **Add Assignment** dialog.
+1. In the **Users and groups** dialog, select **B.Simon** from the Users list, then click the **Select** button at the bottom of the screen.
+1. If you are expecting a role to be assigned to the users, you can select it from the **Select a role** dropdown. If no role has been set up for this app, you see "Default Access" role selected.
+1. In the **Add Assignment** dialog, click the **Assign** button.
-### Configure SpringCM Single Sign-On
+## Configure SpringCM SSO
1. In a different web browser window, sign on to your **SpringCM** company site as administrator. 1. In the menu on the top, click **GO TO**, click **Preferences**, and then, in the **Account Preferences** section, click **SAML SSO**.
- ![SAML SSO](./media/spring-cm-tutorial/ic797051.png "SAML SSO")
+ ![SAML SSO](./media/spring-cm-tutorial/preferences.png "SAML SSO")
1. In the Identity Provider Configuration section, perform the following steps:
- ![Identity Provider Configuration](./media/spring-cm-tutorial/ic797052.png "Identity Provider Configuration")
+ ![Identity Provider Configuration](./media/spring-cm-tutorial/configuration.png "Identity Provider Configuration")
a. To upload your downloaded Azure Active Directory certificate, click **Select Issuer Certificate** or **Change Issuer Certificate**.
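Review bot: Removing the "a. Login URL", "b. Azure AD Identifier" and "c. Logout URL" items leaves the "Copy configuration URLs" screenshot with no accompanying text naming the values that are copied from the Azure portal; keep a one-line list of those values or name them where they are entered in the SpringCM configuration steps. The screenshot references are renamed (`ic797051.png` to `preferences.png`, `ic797052.png` to `configuration.png`), so the files under media/spring-cm-tutorial/ must be renamed in the same commit.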
To configure Azure AD single sign-on with SpringCM, perform the following steps:
e. Click **Save**.
-### Create an Azure AD test user
-
-The objective of this section is to create a test user in the Azure portal called Britta Simon.
-
-1. In the Azure portal, in the left pane, select **Azure Active Directory**, select **Users**, and then select **All users**.
-
- ![The "Users and groups" and "All users" links](common/users.png)
-
-2. Select **New user** at the top of the screen.
-
- ![New user Button](common/new-user.png)
-
-3. In the User properties, perform the following steps.
-
- ![The User dialog box](common/user-properties.png)
-
- a. In the **Name** field enter **BrittaSimon**.
-
- b. In the **User name** field type `brittasimon@yourcompanydomain.extension`. For example, BrittaSimon@contoso.com
-
- c. Select **Show password** check box, and then write down the value that's displayed in the Password box.
-
- d. Click **Create**.
-
-### Assign the Azure AD test user
-
-In this section, you enable Britta Simon to use Azure single sign-on by granting access to SpringCM.
-
-1. In the Azure portal, select **Enterprise Applications**, select **All applications**, then select **SpringCM**.
-
- ![Enterprise applications blade](common/enterprise-applications.png)
-
-2. In the applications list, select **SpringCM**.
-
- ![The SpringCM link in the Applications list](common/all-applications.png)
-
-3. In the menu on the left, select **Users and groups**.
-
- ![The "Users and groups" link](common/users-groups-blade.png)
-
-4. Click the **Add user** button, then select **Users and groups** in the **Add Assignment** dialog.
-
- ![The Add Assignment pane](common/add-assign-user.png)
-
-5. In the **Users and groups** dialog select **Britta Simon** in the Users list, then click the **Select** button at the bottom of the screen.
-
-6. If you are expecting any role value in the SAML assertion then in the **Select Role** dialog select the appropriate role for the user from the list, then click the **Select** button at the bottom of the screen.
-
-7. In the **Add Assignment** dialog click the **Assign** button.
- ### Create SpringCM test user To enable Azure Active Directory users to sign in to SpringCM, they must be provisioned into SpringCM. In the case of SpringCM, provisioning is a manual task.
To enable Azure Active Directory users to sign in to SpringCM, they must be prov
1. Click **GOTO**, and then click **ADDRESS BOOK**.
- ![Create User](./media/spring-cm-tutorial/ic797054.png "Create User")
+ ![Create User](./media/spring-cm-tutorial/user.png "Create User")
1. Click **Create User**.
To enable Azure Active Directory users to sign in to SpringCM, they must be prov
> [!NOTE] > You can use any other SpringCM user account creation tools or APIs provided by SpringCM to provision Azure AD user accounts.
-### Test single sign-on
+## Test SSO
-In this section, you test your Azure AD single sign-on configuration using the Access Panel.
+In this section, you test your Azure AD single sign-on configuration with following options.
-When you click the SpringCM tile in the Access Panel, you should be automatically signed in to the SpringCM for which you set up SSO. For more information about the Access Panel, see [Introduction to the Access Panel](../user-help/my-apps-portal-end-user-access.md).
+* Click on **Test this application** in Azure portal. This will redirect to SpringCM Sign-on URL where you can initiate the login flow.
-## Additional resources
+* Go to SpringCM Sign-on URL directly and initiate the login flow from there.
-- [List of Tutorials on How to Integrate SaaS Apps with Azure Active Directory](./tutorial-list.md)
+* You can use Microsoft My Apps. When you click the SpringCM tile in the My Apps, this will redirect to SpringCM Sign-on URL. For more information about the My Apps, see [Introduction to the My Apps](../user-help/my-apps-portal-end-user-access.md).
-- [What is application access and single sign-on with Azure Active Directory?](../manage-apps/what-is-single-sign-on.md)
+## Next steps
-- [What is Conditional Access in Azure Active Directory?](../conditional-access/overview.md)
+Once you configure SpringCM you can enforce session control, which protects exfiltration and infiltration of your organizationΓÇÖs sensitive data in real time. Session control extends from Conditional Access. [Learn how to enforce session control with Microsoft Cloud App Security](/cloud-app-security/proxy-deployment-aad).
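Review bot: The new Test SSO and Next steps lines need the same fixes as the Splashtop ones: "with following options" should read "with the following options", "in Azure portal" should read "in the Azure portal", "in the My Apps" should read "in My Apps", and "organizationΓÇÖs" is a mis-decoded apostrophe that should be a plain "organization's".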
active-directory Sprinklr Tutorial https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/active-directory/saas-apps/sprinklr-tutorial.md
Previously updated : 03/07/2019 Last updated : 05/18/2021 # Tutorial: Azure Active Directory integration with Sprinklr
-In this tutorial, you learn how to integrate Sprinklr with Azure Active Directory (Azure AD).
-Integrating Sprinklr with Azure AD provides you with the following benefits:
+In this tutorial, you'll learn how to integrate Sprinklr with Azure Active Directory (Azure AD). When you integrate Sprinklr with Azure AD, you can:
-* You can control in Azure AD who has access to Sprinklr.
-* You can enable your users to be automatically signed-in to Sprinklr (Single Sign-On) with their Azure AD accounts.
-* You can manage your accounts in one central location - the Azure portal.
-
-If you want to know more details about SaaS app integration with Azure AD, see [What is application access and single sign-on with Azure Active Directory](../manage-apps/what-is-single-sign-on.md).
-If you don't have an Azure subscription, [create a free account](https://azure.microsoft.com/free/) before you begin.
+* Control in Azure AD who has access to Sprinklr.
+* Enable your users to be automatically signed-in to Sprinklr with their Azure AD accounts.
+* Manage your accounts in one central location - the Azure portal.
## Prerequisites
-To configure Azure AD integration with Sprinklr, you need the following items:
+To get started, you need the following items:
-* An Azure AD subscription. If you don't have an Azure AD environment, you can get one-month trial [here](https://azure.microsoft.com/pricing/free-trial/)
-* Sprinklr single sign-on enabled subscription
+* An Azure AD subscription. If you don't have a subscription, you can get a [free account](https://azure.microsoft.com/free/).
+* Sprinklr single sign-on (SSO) enabled subscription.
## Scenario description In this tutorial, you configure and test Azure AD single sign-on in a test environment.
-* Sprinklr supports **SP** initiated SSO
+* Sprinklr supports **SP** initiated SSO.
-## Adding Sprinklr from the gallery
+## Add Sprinklr from the gallery
To configure the integration of Sprinklr into Azure AD, you need to add Sprinklr from the gallery to your list of managed SaaS apps.
-**To add Sprinklr from the gallery, perform the following steps:**
-
-1. In the **[Azure portal](https://portal.azure.com)**, on the left navigation panel, click **Azure Active Directory** icon.
-
- ![The Azure Active Directory button](common/select-azuread.png)
-
-2. Navigate to **Enterprise Applications** and then select the **All Applications** option.
-
- ![The Enterprise applications blade](common/enterprise-applications.png)
-
-3. To add new application, click **New application** button on the top of dialog.
-
- ![The New application button](common/add-new-app.png)
-
-4. In the search box, type **Sprinklr**, select **Sprinklr** from result panel then click **Add** button to add the application.
-
- ![Sprinklr in the results list](common/search-new-app.png)
-
-## Configure and test Azure AD single sign-on
-
-In this section, you configure and test Azure AD single sign-on with Sprinklr based on a test user called **Britta Simon**.
-For single sign-on to work, a link relationship between an Azure AD user and the related user in Sprinklr needs to be established.
-
-To configure and test Azure AD single sign-on with Sprinklr, you need to complete the following building blocks:
+1. Sign in to the Azure portal using either a work or school account, or a personal Microsoft account.
+1. On the left navigation pane, select the **Azure Active Directory** service.
+1. Navigate to **Enterprise Applications** and then select **All Applications**.
+1. To add new application, select **New application**.
+1. In the **Add from the gallery** section, type **Sprinklr** in the search box.
+1. Select **Sprinklr** from results panel and then add the app. Wait a few seconds while the app is added to your tenant.
-1. **[Configure Azure AD Single Sign-On](#configure-azure-ad-single-sign-on)** - to enable your users to use this feature.
-2. **[Configure Sprinklr Single Sign-On](#configure-sprinklr-single-sign-on)** - to configure the Single Sign-On settings on application side.
-3. **[Create an Azure AD test user](#create-an-azure-ad-test-user)** - to test Azure AD single sign-on with Britta Simon.
-4. **[Assign the Azure AD test user](#assign-the-azure-ad-test-user)** - to enable Britta Simon to use Azure AD single sign-on.
-5. **[Create Sprinklr test user](#create-sprinklr-test-user)** - to have a counterpart of Britta Simon in Sprinklr that is linked to the Azure AD representation of user.
-6. **[Test single sign-on](#test-single-sign-on)** - to verify whether the configuration works.
+## Configure and test Azure AD SSO for Sprinklr
-### Configure Azure AD single sign-on
+Configure and test Azure AD SSO with Sprinklr using a test user called **B.Simon**. For SSO to work, you need to establish a link relationship between an Azure AD user and the related user in Sprinklr.
-In this section, you enable Azure AD single sign-on in the Azure portal.
+To configure and test Azure AD SSO with Sprinklr, perform the following steps:
-To configure Azure AD single sign-on with Sprinklr, perform the following steps:
+1. **[Configure Azure AD SSO](#configure-azure-ad-sso)** - to enable your users to use this feature.
+ 1. **[Create an Azure AD test user](#create-an-azure-ad-test-user)** - to test Azure AD single sign-on with B.Simon.
+ 1. **[Assign the Azure AD test user](#assign-the-azure-ad-test-user)** - to enable B.Simon to use Azure AD single sign-on.
+1. **[Configure Sprinklr SSO](#configure-sprinklr-sso)** - to configure the single sign-on settings on application side.
+ 1. **[Create Sprinklr test user](#create-sprinklr-test-user)** - to have a counterpart of B.Simon in Sprinklr that is linked to the Azure AD representation of user.
+1. **[Test SSO](#test-sso)** - to verify whether the configuration works.
-1. In the [Azure portal](https://portal.azure.com/), on the **Sprinklr** application integration page, select **Single sign-on**.
+## Configure Azure AD SSO
- ![Configure single sign-on link](common/select-sso.png)
+Follow these steps to enable Azure AD SSO in the Azure portal.
-2. On the **Select a Single sign-on method** dialog, select **SAML/WS-Fed** mode to enable single sign-on.
+1. In the Azure portal, on the **Sprinklr** application integration page, find the **Manage** section and select **single sign-on**.
+1. On the **Select a single sign-on method** page, select **SAML**.
+1. On the **Set up single sign-on with SAML** page, click the pencil icon for **Basic SAML Configuration** to edit the settings.
- ![Single sign-on select mode](common/select-saml-option.png)
-
-3. On the **Set up Single Sign-On with SAML** page, click **Edit** icon to open **Basic SAML Configuration** dialog.
-
- ![Edit Basic SAML Configuration](common/edit-urls.png)
+ ![Edit Basic SAML Configuration](common/edit-urls.png)
4. On the **Basic SAML Configuration** section, perform the following steps:
- ![Sprinklr Domain and URLs single sign-on information](common/sp-identifier.png)
- a. In the **Sign on URL** text box, type a URL using the following pattern:
- `https://<subdomain>.sprinklr.com`
+ `https://<SUBDOMAIN>.sprinklr.com`
b. In the **Identifier (Entity ID)** text box, type a URL using the following pattern:
- `https://<subdomain>.sprinklr.com`
+ `https://<SUBDOMAIN>.sprinklr.com`
> [!NOTE] > These values are not real. Update these values with the actual Sign on URL and Identifier. Contact [Sprinklr Client support team](https://www.sprinklr.com/contact-us/) to get these values. You can also refer to the patterns shown in the **Basic SAML Configuration** section in the Azure portal.
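Review bot: the Identifier (Entity ID) and the Sign on URL are given the identical pattern `https://<SUBDOMAIN>.sprinklr.com`, and the note below only says the values are not real. Because the Identifier is what Sprinklr checks the assertion's audience against, a value that differs from Sprinklr's actual entity ID (scheme, host or trailing slash) makes every sign-in fail, so the note should say explicitly that the vendor must confirm whether the entity ID really equals the sign-on URL rather than leaving the reader to assume the two are always the same.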
To configure Azure AD single sign-on with Sprinklr, perform the following steps:
![Copy configuration URLs](common/copy-configuration-urls.png)
- a. Login URL
+### Create an Azure AD test user
+
+In this section, you'll create a test user in the Azure portal called B.Simon.
- b. Azure AD Identifier
+1. From the left pane in the Azure portal, select **Azure Active Directory**, select **Users**, and then select **All users**.
+1. Select **New user** at the top of the screen.
+1. In the **User** properties, follow these steps:
+ 1. In the **Name** field, enter `B.Simon`.
+ 1. In the **User name** field, enter the username@companydomain.extension. For example, `B.Simon@contoso.com`.
+ 1. Select the **Show password** check box, and then write down the value that's displayed in the **Password** box.
+ 1. Click **Create**.
- c. Logout URL
+### Assign the Azure AD test user
-### Configure Sprinklr Single Sign-On
+In this section, you'll enable B.Simon to use Azure single sign-on by granting access to Sprinklr.
+
+1. In the Azure portal, select **Enterprise Applications**, and then select **All applications**.
+1. In the applications list, select **Sprinklr**.
+1. In the app's overview page, find the **Manage** section and select **Users and groups**.
+1. Select **Add user**, then select **Users and groups** in the **Add Assignment** dialog.
+1. In the **Users and groups** dialog, select **B.Simon** from the Users list, then click the **Select** button at the bottom of the screen.
+1. If you are expecting a role to be assigned to the users, you can select it from the **Select a role** dropdown. If no role has been set up for this app, you see "Default Access" role selected.
+1. In the **Add Assignment** dialog, click the **Assign** button.
+
+## Configure Sprinklr SSO
1. In a different web browser window, log in to your Sprinklr company site as an administrator. 1. Go to **Administration \> Settings**.
- ![Administration](./media/sprinklr-tutorial/ic782907.png "Administration")
+ ![Administration](./media/sprinklr-tutorial/settings.png "Administration")
1. Go to **Manage Partner \> Single Sign** on from the left pane.
- ![Manage Partner](./media/sprinklr-tutorial/ic782908.png "Manage Partner")
+ ![Manage Partner](./media/sprinklr-tutorial/users.png "Manage Partner")
1. Click **+Add Single Sign Ons**.
- ![Screenshot shows the Add Single Sign Ons button.](./media/sprinklr-tutorial/ic782909.png "Single Sign-Ons")
+ ![Screenshot shows the Add Single Sign Ons button.](./media/sprinklr-tutorial/add-user.png "Single Sign-Ons")
1. On the **Single Sign on** page, perform the following steps:
- ![Screenshot shows the Single Sign on page where you can enter the values described.](./media/sprinklr-tutorial/ic782910.png "Single Sign-Ons")
+ ![Screenshot shows the Single Sign on page where you can enter the values described.](./media/sprinklr-tutorial/configuration.png "Single Sign-Ons")
- a. In the **Name** textbox, type a name for your configuration (for example: *WAADSSOTest*).
+ a. In the **Name** textbox, type a name for your configuration (for example: **WAADSSOTest**).
b. Select **Enabled**.
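Review bot: the list naming the values to copy ("a. Login URL", "b. Azure AD Identifier", "c. Logout URL") is deleted, but the "Copy configuration URLs" screenshot that introduced it stays and the Sprinklr SSO steps that consume those values remain. The reader is left with a picture and no text telling them which three values to take from the Set up Sprinklr section; keep the list, or name the three values in the sentence preceding the screenshot.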
To configure Azure AD single sign-on with Sprinklr, perform the following steps:
j. Click **Save**.
- ![SAML](./media/sprinklr-tutorial/ic782911.png "SAML")
-
-### Create an Azure AD test user
-
-The objective of this section is to create a test user in the Azure portal called Britta Simon.
-
-1. In the Azure portal, in the left pane, select **Azure Active Directory**, select **Users**, and then select **All users**.
-
- ![The "Users and groups" and "All users" links](common/users.png)
-
-2. Select **New user** at the top of the screen.
-
- ![New user Button](common/new-user.png)
-
-3. In the User properties, perform the following steps.
-
- ![The User dialog box](common/user-properties.png)
-
- a. In the **Name** field enter **BrittaSimon**.
-
- b. In the **User name** field type **brittasimon@yourcompanydomain.extension**
- For example, BrittaSimon@contoso.com
-
- c. Select **Show password** check box, and then write down the value that's displayed in the Password box.
-
- d. Click **Create**.
-
-### Assign the Azure AD test user
-
-In this section, you enable Britta Simon to use Azure single sign-on by granting access to Sprinklr.
-
-1. In the Azure portal, select **Enterprise Applications**, select **All applications**, then select **Sprinklr**.
-
- ![Enterprise applications blade](common/enterprise-applications.png)
-
-2. In the applications list, select **Sprinklr**.
-
- ![The Sprinklr link in the Applications list](common/all-applications.png)
-
-3. In the menu on the left, select **Users and groups**.
-
- ![The "Users and groups" link](common/users-groups-blade.png)
-
-4. Click the **Add user** button, then select **Users and groups** in the **Add Assignment** dialog.
-
- ![The Add Assignment pane](common/add-assign-user.png)
-
-5. In the **Users and groups** dialog select **Britta Simon** in the Users list, then click the **Select** button at the bottom of the screen.
-
-6. If you are expecting any role value in the SAML assertion then in the **Select Role** dialog select the appropriate role for the user from the list, then click the **Select** button at the bottom of the screen.
-
-7. In the **Add Assignment** dialog click the **Assign** button.
+ ![SAML](./media/sprinklr-tutorial/save-configuration.png "SAML")
### Create Sprinklr test user
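Review bot: the screenshot paths change from the ic7829xx.png names to descriptive ones (settings.png, users.png, add-user.png, configuration.png, save-configuration.png). Make sure the renamed files are added under ./media/sprinklr-tutorial/ in the same commit and the old ic*.png files are removed, otherwise the build ends up with broken image links or orphaned media. The relocated Create/Assign test user sections also drop their common/*.png screenshots, which is fine if intentional but should be a conscious choice.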
In this section, you enable Britta Simon to use Azure single sign-on by granting
1. Go to **Administration \> Settings**.
- ![Administration](./media/sprinklr-tutorial/ic782907.png "Administration")
+ ![Administration](./media/sprinklr-tutorial/settings.png "Administration")
1. Go to **Manage Client \> Users** from the left pane.
- ![Screenshot shows the Add User button in Settings/Users.](./media/sprinklr-tutorial/ic782914.png "Settings")
+ ![Screenshot shows the Add User button in Settings/Users.](./media/sprinklr-tutorial/client.png "Settings")
1. Click **Add User**.
- ![Screenshot shows the Edit user dialog box where you can enter the values described.](./media/sprinklr-tutorial/ic782915.png "Settings")
+ ![Screenshot shows the Edit user dialog box where you can enter the values described.](./media/sprinklr-tutorial/search-users.png "Settings")
1. On the **Edit user** dialog, perform the following steps:
- ![Edit user](./media/sprinklr-tutorial/ic782916.png "Edit user")
+ ![Edit user](./media/sprinklr-tutorial/update-users.png "Edit user")
a. In the **Email**, **First Name** and **Last Name** textboxes, type the information of an Azure AD user account you want to provision.
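Review bot: the step says to type the Email of "an Azure AD user account you want to provision" but never states that this address is what ties the Sprinklr account to the Azure AD user. The intro of the tutorial says a link relationship between the two users is required, so add one sentence here saying the Email must be the same address used as the Azure AD test user's user name (B.Simon@contoso.com in the example above); without it the two accounts do not match and single sign-on fails for the user.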
In this section, you enable Britta Simon to use Azure single sign-on by granting
1. Go to **Role**, and then perform the following steps:
- ![Partner Roles](./media/sprinklr-tutorial/ic782917.png "Partner Roles")
+ ![Partner Roles](./media/sprinklr-tutorial/role.png "Partner Roles")
a. From the **Global** list, select **ALL_Permissions**.
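Review bot: "From the Global list, select ALL_Permissions" hands the test account every permission in Sprinklr. Say this is only for the B.Simon test user and that real users should be given a role scoped to what they need; as written, readers will copy the step into production provisioning.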
In this section, you enable Britta Simon to use Azure single sign-on by granting
> [!NOTE] > You can use any other Sprinklr user account creation tools or APIs provided by Sprinklr to provision Azure AD user accounts.
-### Test single sign-on
+## Test SSO
-In this section, you test your Azure AD single sign-on configuration using the Access Panel.
+In this section, you test your Azure AD single sign-on configuration with following options.
-When you click the Sprinklr tile in the Access Panel, you should be automatically signed in to the Sprinklr for which you set up SSO. For more information about the Access Panel, see [Introduction to the Access Panel](../user-help/my-apps-portal-end-user-access.md).
+* Click on **Test this application** in Azure portal. This will redirect to Sprinklr Sign-on URL where you can initiate the login flow.
-## Additional Resources
+* Go to Sprinklr Sign-on URL directly and initiate the login flow from there.
-- [List of Tutorials on How to Integrate SaaS Apps with Azure Active Directory](./tutorial-list.md)
+* You can use Microsoft My Apps. When you click the Sprinklr tile in the My Apps, this will redirect to Sprinklr Sign-on URL. For more information about the My Apps, see [Introduction to the My Apps](../user-help/my-apps-portal-end-user-access.md).
-- [What is application access and single sign-on with Azure Active Directory?](../manage-apps/what-is-single-sign-on.md)
+## Next steps
-- [What is Conditional Access in Azure Active Directory?](../conditional-access/overview.md)
+Once you configure Sprinklr you can enforce session control, which protects exfiltration and infiltration of your organizationΓÇÖs sensitive data in real time. Session control extends from Conditional Access. [Learn how to enforce session control with Microsoft Cloud App Security](/cloud-app-security/proxy-deployment-aad).
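Review bot: the new Next steps paragraph mentions Conditional Access, but the removed Additional Resources list was the only link to the Conditional Access overview (../conditional-access/overview.md); keep that link alongside the Cloud App Security one. Also "organizationΓÇÖs" is a mis-encoded apostrophe, so the file was saved or converted in the wrong encoding; replace it with a plain ' and check the file is UTF-8.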
active-directory Syncplicity Tutorial https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/active-directory/saas-apps/syncplicity-tutorial.md
Previously updated : 06/10/2019 Last updated : 05/21/2021
In this tutorial, you'll learn how to integrate Syncplicity with Azure Active Di
* Enable your users to be automatically signed-in to Syncplicity with their Azure AD accounts. * Manage your accounts in one central location - the Azure portal.
-To learn more about SaaS app integration with Azure AD, see [What is application access and single sign-on with Azure Active Directory](../manage-apps/what-is-single-sign-on.md).
- ## Prerequisites To get started, you need the following items:
-* An Azure AD subscription. If you don't have a subscription, you can get a 12-month free trial [here](https://azure.microsoft.com/free/).
+* An Azure AD subscription. If you don't have a subscription, you can get a [free account](https://azure.microsoft.com/free/).
* Syncplicity single sign-on (SSO) enabled subscription. ## Scenario description
-In this tutorial, you configure and test Azure AD SSO in a test environment. Syncplicity supports **SP** initiated SSO.
+In this tutorial, you configure and test Azure AD SSO in a test environment.
+* Syncplicity supports **SP** initiated SSO.
-## Adding Syncplicity from the gallery
+## Add Syncplicity from the gallery
To configure the integration of Syncplicity into Azure AD, you need to add Syncplicity from the gallery to your list of managed SaaS apps.
-1. Sign in to the [Azure portal](https://portal.azure.com) using either a work or school account, or a personal Microsoft account.
+1. Sign in to the Azure portal using either a work or school account, or a personal Microsoft account.
1. On the left navigation pane, select the **Azure Active Directory** service. 1. Under **Create**, click **Enterprise Application**. 1. In the **Browse Azure AD gallery** section, type **Syncplicity** in the search box. 1. Select **Syncplicity** from results panel and then click **Create** to add the app. Wait a few seconds while the app is added to your tenant.
-## Configure and test Azure AD SSO
+## Configure and test Azure AD SSO for Syncplicity
Configure and test Azure AD SSO with Syncplicity using a test user called **B.Simon**. For SSO to work, you need to establish a link relationship between an Azure AD user and the related user in Syncplicity.
-To configure and test Azure AD SSO with Syncplicity, complete the following building blocks:
+To configure and test Azure AD SSO with Syncplicity, perform the following steps:
1. **[Configure Azure AD SSO](#configure-azure-ad-sso)** - to enable your users to use this feature.
-2. **[Configure Syncplicity SSO](#configure-syncplicity-sso)** - to configure the Single Sign-On settings on application side.
-3. **[Create an Azure AD test user](#create-an-azure-ad-test-user)** - to test Azure AD single sign-on with B.Simon.
-4. **[Assign the Azure AD test user](#assign-the-azure-ad-test-user)** - to enable B.Simon to use Azure AD single sign-on.
-5. **[Create Syncplicity test user](#create-syncplicity-test-user)** - to have a counterpart of B.Simon in Syncplicity that is linked to the Azure AD representation of user.
-6. **[Test SSO](#test-sso)** - to verify whether the configuration works.
-7. **[Update SSO](#update-sso)**) - to make the necessary changes in Syncplicity if you have changed the SSO settings in Azure AD.
+ 1. **[Create an Azure AD test user](#create-an-azure-ad-test-user)** - to test Azure AD single sign-on with B.Simon.
+ 1. **[Assign the Azure AD test user](#assign-the-azure-ad-test-user)** - to enable B.Simon to use Azure AD single sign-on.
+1. **[Configure Syncplicity SSO](#configure-syncplicity-sso)** - to configure the single sign-on settings on application side.
+ 1. **[Create Syncplicity test user](#create-syncplicity-test-user)** - to have a counterpart of B.Simon in Syncplicity that is linked to the Azure AD representation of user.
+1. **[Test SSO](#test-sso)** - to verify whether the configuration works.
+1. **[Update SSO](#update-sso)** - to make the necessary changes in Syncplicity if you have changed the SSO settings in Azure AD.
### Configure Azure AD SSO Follow these steps to enable Azure AD SSO in the Azure portal.
-1. In the [Azure portal](https://portal.azure.com/), on the **Syncplicity** application integration page, find the **Getting Started** section and select **Set up single sign-on**.
-2. On the **Select a Single sign-on method** page, select **SAML**.
-3. On the **Set up Single Sign-On with SAML** page, click the edit/pen icon for **Basic SAML Configuration** to edit the settings.
+1. In the Azure portal, on the **Syncplicity** application integration page, find the **Manage** section and select **single sign-on**.
+1. On the **Select a single sign-on method** page, select **SAML**.
+1. On the **Set up single sign-on with SAML** page, click the pencil icon for **Basic SAML Configuration** to edit the settings.
![Edit Basic SAML Configuration](common/edit-urls.png)
-4. In the **Basic SAML Configuration** section, enter the values for the following fields:
+4. In the **Basic SAML Configuration** section, perform the following steps:
a. In the **Identifier (Entity ID)** text box, type a URL using the following pattern:
- `https://<companyname>.syncplicity.com/sp`
+ `https://<COMPANY_NAME>.syncplicity.com/sp`
b. In the **Sign on URL** text box, type a URL using the following pattern:
- `https://<companyname>.syncplicity.com`
+ `https://<COMPANY_NAME>.syncplicity.com`
c. In the **Reply URL (Assertion Consumer Service URL)** text box, type a URL using the following pattern:
- `https://<companyname>.syncplicity.com/Auth/AssertionConsumerService.aspx`
+ `https://<COMPANY_NAME>.syncplicity.com/Auth/AssertionConsumerService.aspx`
> [!NOTE]
- > These values are not real. Update these values with the actual Sign on URL and Identifier. Contact [Syncplicity Client support team](https://www.syncplicity.com/contact-us) to get these values. You can also refer to the patterns shown in the **Basic SAML Configuration** section in the Azure portal.
+ > These values are not real. Update these values with the actual Reply URL,Sign on URL and Identifier. Contact [Syncplicity Client support team](https://www.syncplicity.com/contact-us) to get these values. You can also refer to the patterns shown in the **Basic SAML Configuration** section in the Azure portal.
5. On the **Set up Single Sign-On with SAML** page, in the **SAML Signing Certificate** section, click **Edit**. Then in the dialog click the ellipsis button next to your active certificate and select **PEM certificate download**.
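Review bot: "Reply URL,Sign on URL and Identifier" is missing a space after the comma, and the order differs from the steps just above, which list Identifier, then Sign on URL, then Reply URL. Use "Identifier, Sign on URL and Reply URL" so the note follows the same order as the fields the reader just filled in.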
Follow these steps to enable Azure AD SSO in the Azure portal.
![Copy configuration URLs](common/copy-configuration-urls.png)
-### Configure Syncplicity SSO
+### Create an Azure AD test user
+
+In this section, you'll create a test user in the Azure portal called B.Simon.
+
+1. From the left pane in the Azure portal, select **Azure Active Directory**, select **Users**, and then select **All users**.
+1. Select **New user** at the top of the screen.
+1. In the **User** properties, follow these steps:
+ 1. In the **Name** field, enter `B.Simon`.
+ 1. In the **User name** field, enter the username@companydomain.extension. For example, `B.Simon@contoso.com`.
+ 1. Select the **Show password** check box, and then write down the value that's displayed in the **Password** box.
+ 1. Click **Create**.
+
+### Assign the Azure AD test user
+
+In this section, you'll enable B.Simon to use Azure single sign-on by granting access to Syncplicity.
+
+1. In the Azure portal, select **Enterprise Applications**, and then select **All applications**.
+1. In the applications list, select **Syncplicity**.
+1. In the app's overview page, find the **Manage** section and select **Users and groups**.
+1. Select **Add user**, then select **Users and groups** in the **Add Assignment** dialog.
+1. In the **Users and groups** dialog, select **B.Simon** from the Users list, then click the **Select** button at the bottom of the screen.
+1. If you are expecting a role to be assigned to the users, you can select it from the **Select a role** dropdown. If no role has been set up for this app, you see "Default Access" role selected.
+1. In the **Add Assignment** dialog, click the **Assign** button.
+
+## Configure Syncplicity SSO
1. Sign in to your **Syncplicity** tenant. 1. In the menu on the top, click **Admin**, select **Settings**, and then click **Custom domain and single sign-on**.
- ![Syncplicity](./media/syncplicity-tutorial/ic769545.png "Syncplicity")
+ ![Syncplicity](./media/syncplicity-tutorial/admin.png "Syncplicity")
1. On the **Single Sign-On (SSO)** dialog page, perform the following steps:
- ![Single Sign-On \(SSO\)](./media/syncplicity-tutorial/ic769550.png "Single Sign-On \\\(SSO\\\)")
+ ![Single Sign-On \(SSO\)](./media/syncplicity-tutorial/configuration.png "Single Sign-On \\\(SSO\\\)")
a. In the **Custom Domain** textbox, type the name of your domain.
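Review bot: heading levels end up inconsistent in this hunk. "## Configure Syncplicity SSO" is promoted to level 2, and "## Test SSO" later in the file too, but the earlier "### Configure Azure AD SSO" heading stays at level 3, so the new "### Create an Azure AD test user" and "### Assign the Azure AD test user" subsections sit at the same level as the section they belong to. Promote "### Configure Azure AD SSO" to "##" as the Sprinklr and ThousandEyes tutorials in this batch do.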
Follow these steps to enable Azure AD SSO in the Azure portal.
g. Click **SAVE CHANGES**.
-### Create an Azure AD test user
-
-In this section, you'll create a test user in the Azure portal called B.Simon.
-
-1. From the left pane in the Azure portal, select **Azure Active Directory**, select **Users**, and then select **All users**.
-2. Select **New user** at the top of the screen.
-3. In the **User** properties, follow these steps:
-
- a. In the **User name** field, enter the username@companydomain.extension. For example, `B.Simon@contoso.com`.
-
- b. In the **Name** field, enter `B.Simon`.
-
- c. Select the **Show password** check box, and then write down the value that's displayed in the **Password** box.
-
- d. Click **Create**.
-
-### Assign the Azure AD test user
-
-In this section, you'll enable B.Simon to use Azure single sign-on by granting access to Syncplicity.
-
-1. In the Azure portal, select **Enterprise Applications**, and then select **All applications**.
-1. In the applications list, select **Syncplicity**.
-1. In the app's overview page, find the **Manage** section and select **Users and groups**.
-
- ![The "Users and groups" link](common/users-groups-blade.png)
-
-1. Select **Add user/group**.
-
- ![The Add User link](common/add-assign-user.png)
-1. In the **Add Assignment** page select **Users**.
-1. In the **Users** dialog, select **B.Simon** from the Users list, then click the **Select** button at the bottom of the screen.
-1. If you're expecting any role value in the SAML assertion, in the **Select Role** dialog, select the appropriate role for the user from the list and then click the **Select** button at the bottom of the screen.
-1. In the **Add Assignment** page, click the **Assign** button.
- ### Create Syncplicity test user For Azure AD users to be able to sign in, they must be provisioned to Syncplicity application. This section describes how to create Azure AD user accounts in Syncplicity.
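Review bot: the removed assignment steps said "Select **Add user/group**" and "In the **Add Assignment** page select **Users**", while the relocated version above now says "Select **Add user**, then select **Users and groups**". The deleted wording looks like the newer portal labels, so double-check against the current portal before replacing it; the two tutorials in this batch should not describe the same dialog with two different sets of button names.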
For Azure AD users to be able to sign in, they must be provisioned to Syncplicit
1. Click **Admin** and select **User Accounts**, then click **Add a User**.
- ![Manage Users](./media/syncplicity-tutorial/ic769764.png "Manage Users")
+ ![Manage Users](./media/syncplicity-tutorial/users.png "Manage Users")
1. Type the **Email addresses** of an Azure AD account you want to provision, select **User** as **Role**, and then click **Next**.
- ![Account Information](./media/syncplicity-tutorial/ic769765.png "Account Information")
+ ![Account Information](./media/syncplicity-tutorial/roles.png "Account Information")
> [!NOTE] > The Azure AD account holder gets an email including a link to confirm and activate the account. 1. Select a group in your company that your new user should become a member of, and then click **Next**.
- ![Group Membership](./media/syncplicity-tutorial/ic769772.png "Group Membership")
+ ![Group Membership](./media/syncplicity-tutorial/group.png "Group Membership")
> [!NOTE] > If there are no groups listed, click **Next**. 1. Select the folders you would like to place under SyncplicityΓÇÖs control on the userΓÇÖs computer, and then click **Next**.
- ![Syncplicity Folders](./media/syncplicity-tutorial/ic769773.png "Syncplicity Folders")
+ ![Syncplicity Folders](./media/syncplicity-tutorial/folder.png "Syncplicity Folders")
> [!NOTE] > You can use any other Syncplicity user account creation tools or APIs provided by Syncplicity to provision Azure AD user accounts.
-### Test SSO
+## Test SSO
+
+In this section, you test your Azure AD single sign-on configuration with following options.
-When you select the Syncplicity tile in the Access Panel, you should be automatically signed in to the Syncplicity for which you set up SSO. For more information about the Access Panel, see [Introduction to the Access Panel](../user-help/my-apps-portal-end-user-access.md).
+* Click on **Test this application** in Azure portal. This will redirect to Syncplicity Sign-on URL where you can initiate the login flow.
+
+* Go to Syncplicity Sign-on URL directly and initiate the login flow from there.
+
+* You can use Microsoft My Apps. When you click the Syncplicity tile in the My Apps, this will redirect to Syncplicity Sign-on URL. For more information about the My Apps, see [Introduction to the My Apps](../user-help/my-apps-portal-end-user-access.md).
### Update SSO
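Review bot: "## Test SSO" is promoted to level 2 but "### Update SSO" stays at level 3, which now makes Update SSO a subsection of testing. The procedure list at the top of the tutorial presents Update SSO as its own top-level step ("to make the necessary changes in Syncplicity if you have changed the SSO settings in Azure AD"), so promote that heading to "##" as well.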
Whenever you need to make changes to the SSO, you need to check the **SAML Signi
If you are using the Syncplicity Mobile app, please contact the Syncplicity Customer Support (support@syncplicity.com) for assistance.
-## Additional Resources
--- [List of Tutorials on How to Integrate SaaS Apps with Azure Active Directory](./tutorial-list.md)--- [What is application access and single sign-on with Azure Active Directory?](../manage-apps/what-is-single-sign-on.md)
+## Next steps
-- [What is Conditional Access in Azure Active Directory?](../conditional-access/overview.md)
+Once you configure Syncplicity you can enforce session control, which protects exfiltration and infiltration of your organizationΓÇÖs sensitive data in real time. Session control extends from Conditional Access. [Learn how to enforce session control with Microsoft Cloud App Security](/cloud-app-security/proxy-deployment-aad).
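Review bot: "session control, which protects exfiltration and infiltration of your organization's sensitive data" says the opposite of what is meant; it should read "protects against exfiltration and infiltration". The same sentence is pasted into the Sprinklr Next steps in this batch, so fix both. The apostrophe here is the same mis-encoded "ΓÇÖ" sequence that also appears unchanged in the "Select the folders you would like to place under Syncplicity's control" context line above, so the encoding problem predates this commit and is worth fixing while the file is open.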
active-directory Thousandeyes Tutorial https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/active-directory/saas-apps/thousandeyes-tutorial.md
Previously updated : 10/04/2019 Last updated : 05/24/2021
In this tutorial, you'll learn how to integrate ThousandEyes with Azure Active D
* Enable your users to be automatically signed-in to ThousandEyes with their Azure AD accounts. * Manage your accounts in one central location - the Azure portal.
-To learn more about SaaS app integration with Azure AD, see [What is application access and single sign-on with Azure Active Directory](../manage-apps/what-is-single-sign-on.md).
- ## Prerequisites To get started, you need the following items:
To get started, you need the following items:
In this tutorial, you configure and test Azure AD SSO in a test environment.
-* ThousandEyes supports **SP and IDP** initiated SSO
-* ThousandEyes supports [**Automated** user provisioning](./thousandeyes-provisioning-tutorial.md)
+* ThousandEyes supports **SP and IDP** initiated SSO.
+* ThousandEyes supports [**Automated** user provisioning](./thousandeyes-provisioning-tutorial.md).
> [!NOTE] > Identifier of this application is a fixed string value so only one instance can be configured in one tenant.
-## Adding ThousandEyes from the gallery
+## Add ThousandEyes from the gallery
To configure the integration of ThousandEyes into Azure AD, you need to add ThousandEyes from the gallery to your list of managed SaaS apps.
-1. Sign in to the [Azure portal](https://portal.azure.com) using either a work or school account, or a personal Microsoft account.
+1. Sign in to the Azure portal using either a work or school account, or a personal Microsoft account.
1. On the left navigation pane, select the **Azure Active Directory** service. 1. Navigate to **Enterprise Applications** and then select **All Applications**. 1. To add new application, select **New application**. 1. In the **Add from the gallery** section, type **ThousandEyes** in the search box. 1. Select **ThousandEyes** from results panel and then add the app. Wait a few seconds while the app is added to your tenant.
-## Configure and test Azure AD single sign-on for ThousandEyes
+## Configure and test Azure AD SSO for ThousandEyes
Configure and test Azure AD SSO with ThousandEyes using a test user called **B.Simon**. For SSO to work, you need to establish a link relationship between an Azure AD user and the related user in ThousandEyes.
-To configure and test Azure AD SSO with ThousandEyes, complete the following building blocks:
+To configure and test Azure AD SSO with ThousandEyes, perform the following steps:
1. **[Configure Azure AD SSO](#configure-azure-ad-sso)** - to enable your users to use this feature.
- * **[Create an Azure AD test user](#create-an-azure-ad-test-user)** - to test Azure AD single sign-on with B.Simon.
- * **[Assign the Azure AD test user](#assign-the-azure-ad-test-user)** - to enable B.Simon to use Azure AD single sign-on.
+ 1. **[Create an Azure AD test user](#create-an-azure-ad-test-user)** - to test Azure AD single sign-on with B.Simon.
+ 1. **[Assign the Azure AD test user](#assign-the-azure-ad-test-user)** - to enable B.Simon to use Azure AD single sign-on.
1. **[Configure ThousandEyes SSO](#configure-thousandeyes-sso)** - to configure the single sign-on settings on application side.
- * **[Create ThousandEyes test user](#create-thousandeyes-test-user)** - to have a counterpart of B.Simon in ThousandEyes that is linked to the Azure AD representation of user.
+ 1. **[Create ThousandEyes test user](#create-thousandeyes-test-user)** - to have a counterpart of B.Simon in ThousandEyes that is linked to the Azure AD representation of user.
1. **[Test SSO](#test-sso)** - to verify whether the configuration works. ## Configure Azure AD SSO Follow these steps to enable Azure AD SSO in the Azure portal.
-1. In the [Azure portal](https://portal.azure.com/), on the **ThousandEyes** application integration page, find the **Manage** section and select **single sign-on**.
+1. In the Azure portal, on the **ThousandEyes** application integration page, find the **Manage** section and select **single sign-on**.
1. On the **Select a single sign-on method** page, select **SAML**.
-1. On the **Set up single sign-on with SAML** page, click the edit/pen icon for **Basic SAML Configuration** to edit the settings.
+1. On the **Set up single sign-on with SAML** page, click the pencil icon for **Basic SAML Configuration** to edit the settings.
![Edit Basic SAML Configuration](common/edit-urls.png)
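Review bot: the gallery steps kept as context here ("Navigate to **Enterprise Applications** and then select **All Applications**. To add new application, select **New application**. In the **Add from the gallery** section...") describe a different portal path than the Syncplicity tutorial touched in the same batch ("Under **Create**, click **Enterprise Application**. In the **Browse Azure AD gallery** section..."). Both files are being updated now, so align them to whichever wording matches the current portal instead of leaving two procedures for the same action.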
Follow these steps to enable Azure AD SSO in the Azure portal.
1. Click **Set additional URLs** and perform the following step if you wish to configure the application in **SP** initiated mode:
- In the **Sign-on URL** text box, type a URL:
+ In the **Sign-on URL** text box, type the URL:
`https://app.thousandeyes.com/login/sso` 1. On the **Set up single sign-on with SAML** page, in the **SAML Signing Certificate** section, find **Certificate (Base64)** and select **Download** to download the certificate and save it on your computer.
In this section, you'll enable B.Simon to use Azure single sign-on by granting a
1. In the Azure portal, select **Enterprise Applications**, and then select **All applications**. 1. In the applications list, select **ThousandEyes**. 1. In the app's overview page, find the **Manage** section and select **Users and groups**.-
- ![The "Users and groups" link](common/users-groups-blade.png)
- 1. Select **Add user**, then select **Users and groups** in the **Add Assignment** dialog.-
- ![The Add User link](common/add-assign-user.png)
- 1. In the **Users and groups** dialog, select **B.Simon** from the Users list, then click the **Select** button at the bottom of the screen.
-1. If you're expecting any role value in the SAML assertion, in the **Select Role** dialog, select the appropriate role for the user from the list and then click the **Select** button at the bottom of the screen.
+1. If you are expecting a role to be assigned to the users, you can select it from the **Select a role** dropdown. If no role has been set up for this app, you see "Default Access" role selected.
1. In the **Add Assignment** dialog, click the **Assign** button. ## Configure ThousandEyes SSO
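Review bot: the rewritten role step drops the one piece of information that tells the reader why the choice matters. The old line said "If you're expecting any role value in the SAML assertion", which explains that the selected role is emitted in the assertion and consumed by the application; the new "If you are expecting a role to be assigned to the users, you can select it from the **Select a role** dropdown" no longer says so. Keep "role value in the SAML assertion" in the new wording (the same replacement is made in the Sprinklr and Syncplicity tutorials in this batch).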
In this section, you'll enable B.Simon to use Azure single sign-on by granting a
2. In the menu on the top, click **Settings**.
- ![Screenshot shows the ThousandEyes site with Settings selected.](./media/thousandeyes-tutorial/ic790066.png "Settings")
+ ![Screenshot shows the ThousandEyes site with Settings selected.](./media/thousandeyes-tutorial/settings-tab.png "Settings")
3. Click **Account**
- ![Screenshot shows Account selected from the Settings menu.](./media/thousandeyes-tutorial/ic790067.png "Account")
+ ![Screenshot shows Account selected from the Settings menu.](./media/thousandeyes-tutorial/menu.png "Account")
4. Click the **Security & Authentication** tab.
- ![Security & Authentication](./media/thousandeyes-tutorial/ic790068.png "Security & Authentication")
+ ![Security & Authentication](./media/thousandeyes-tutorial/security.png "Security & Authentication")
5. In the **Setup Single Sign-On** section, perform the following steps:
- ![Setup Single Sign-On](./media/thousandeyes-tutorial/ic790069.png "Setup Single Sign-On")
+ ![Setup Single Sign-On](./media/thousandeyes-tutorial/configuration.png "Setup Single Sign-On")
a. Select **Enable Single Sign-On**.
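Review bot: the four screenshot renames in this hunk (ic790066.png to settings-tab.png, ic790067.png to menu.png, ic790068.png to security.png, ic790069.png to configuration.png) only work if the new files are committed under ./media/thousandeyes-tutorial/ in the same change, and the old ic79xxxx files should be deleted once nothing else references them; a broken image link does not fail the build, so check the media folder rather than the preview.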
The objective of this section is to create a user called Britta Simon in Thousan
2. Click **Settings**.
- ![Screenshot shows the ThousandEyes site with Settings selected.](./media/thousandeyes-tutorial/ic790066.png "Settings")
+ ![Screenshot shows the ThousandEyes site with Settings selected.](./media/thousandeyes-tutorial/settings-tab.png "Settings")
3. Click **Account**.
- ![Screenshot shows Account selected from the Settings menu.](./media/thousandeyes-tutorial/ic790067.png "Account")
+ ![Screenshot shows Account selected from the Settings menu.](./media/thousandeyes-tutorial/menu.png "Account")
4. Click the **Accounts & Users** tab.
- ![Accounts & Users](./media/thousandeyes-tutorial/IC790073.png "Accounts & Users")
+ ![Accounts & Users](./media/thousandeyes-tutorial/user.png "Accounts & Users")
5. In the **Add Users & Accounts** section, perform the following steps:
- ![Add User Accounts](./media/thousandeyes-tutorial/IC790074.png "Add User Accounts")
+ ![Add User Accounts](./media/thousandeyes-tutorial/add-user.png "Add User Accounts")
a. In **Name** textbox, type the name of user like **B.Simon**.
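Review bot: IC790073.png and IC790074.png were the only uppercase-prefixed image names in this tutorial, so replacing them with user.png and add-user.png also removes a case-sensitivity hazard on case-sensitive build hosts. Note that settings-tab.png and menu.png are now shared with the Configure ThousandEyes SSO section above; that is fine only if both sections really show the same **Settings** and **Account** screens.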
The objective of this section is to create a user called Britta Simon in Thousan
## Test SSO
-In this section, you test your Azure AD single sign-on configuration using the Access Panel.
+In this section, you test your Azure AD single sign-on configuration with following options.
+
+#### SP initiated:
-When you click the ThousandEyes tile in the Access Panel, you should be automatically signed in to the ThousandEyes for which you set up SSO. For more information about the Access Panel, see [Introduction to the Access Panel](../user-help/my-apps-portal-end-user-access.md).
+* Click on **Test this application** in Azure portal. This will redirect to ThousandEyes Sign on URL where you can initiate the login flow.
-## Additional resources
+* Go to ThousandEyes Sign-on URL directly and initiate the login flow from there.
-- [ List of Tutorials on How to Integrate SaaS Apps with Azure Active Directory ](./tutorial-list.md)
+#### IDP initiated:
-- [What is application access and single sign-on with Azure Active Directory? ](../manage-apps/what-is-single-sign-on.md)
+* Click on **Test this application** in Azure portal and you should be automatically signed in to the ThousandEyes for which you set up the SSO.
-- [What is conditional access in Azure Active Directory?](../conditional-access/overview.md)
+You can also use Microsoft My Apps to test the application in any mode. When you click the ThousandEyes tile in the My Apps, if configured in SP mode you would be redirected to the application sign on page for initiating the login flow and if configured in IDP mode, you should be automatically signed in to the ThousandEyes for which you set up the SSO. For more information about the My Apps, see [Introduction to the My Apps](../user-help/my-apps-portal-end-user-access.md).
-- [Try ThousandEyes with Azure AD](https://aad.portal.azure.com/)
+## Next steps
-- [Configure User Provisioning](./thousandeyes-provisioning-tutorial.md)
+Once you configure ThousandEyes you can enforce session control, which protects exfiltration and infiltration of your organizationΓÇÖs sensitive data in real time. Session control extends from Conditional Access. [Learn how to enforce session control with Microsoft Cloud App Security](/cloud-app-security/proxy-deployment-aad).
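Review bot: removing the **Additional resources** list drops the link to thousandeyes-provisioning-tutorial.md ("Configure User Provisioning"), and the new **Next steps** section mentions only session control; keep the provisioning link there, since this is the page a reader looking for ThousandEyes provisioning lands on. Three smaller points in the added lines: "organizationΓÇÖs" is the curly apostrophe U+2019 mis-decoded as CP437 and should be "’" or a plain ASCII apostrophe; "#### SP initiated:" and "#### IDP initiated:" are H4 headings directly under the "## Test SSO" H2; and "Sign on URL" and "Sign-on URL" are spelled both ways in adjacent bullets ("with following options" also wants "the").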
active-directory Verkada Command Tutorial https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/active-directory/saas-apps/verkada-command-tutorial.md
Previously updated : 02/07/2020 Last updated : 05/24/2021
In this tutorial, you'll learn how to integrate Verkada Command with Azure Activ
* Enable your users to be automatically signed-in to Verkada Command with their Azure AD accounts. * Manage your accounts in one central location - the Azure portal.
-To learn more about SaaS app integration with single sign-on in Azure AD, see [Single sign-on to applications in Azure Active Directory](../manage-apps/what-is-single-sign-on.md).
- ## Prerequisites To get started, you need the following items:
To get started, you need the following items:
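Review bot: the line removed as "- ## Prerequisites To get started, you need the following items:" deletes the **Prerequisites** heading with no `+` replacement visible; the retained context keeps only the sentence, so confirm the heading still exists in the new file. Dropping the "To learn more about SaaS app integration with single sign-on" link is consistent with the other tutorials in this commit.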
In this tutorial, you configure and test Azure AD SSO in a test environment.
-* Verkada Command supports **SP and IDP** initiated SSO
+* Verkada Command supports **SP and IDP** initiated SSO.
-* Once you configure the Verkada Command you can enforce session controls, which protect exfiltration and infiltration of your organizationΓÇÖs sensitive data in real-time. Session controls extend from Conditional Access. [Learn how to enforce session control with Microsoft Cloud App Security](/cloud-app-security/proxy-deployment-any-app).
+> [!NOTE]
+> Identifier of this application is a fixed string value so only one instance can be configured in one tenant.
-## Adding Verkada Command from the gallery
+## Add Verkada Command from the gallery
To configure the integration of Verkada Command into Azure AD, you need to add Verkada Command from the gallery to your list of managed SaaS apps.
-1. Sign in to the [Azure portal](https://portal.azure.com) using either a work or school account, or a personal Microsoft account.
+1. Sign in to the Azure portal using either a work or school account, or a personal Microsoft account.
1. On the left navigation pane, select the **Azure Active Directory** service. 1. Navigate to **Enterprise Applications** and then select **All Applications**. 1. To add new application, select **New application**. 1. In the **Add from the gallery** section, type **Verkada Command** in the search box. 1. Select **Verkada Command** from results panel and then add the app. Wait a few seconds while the app is added to your tenant. -
-## Configure and test Azure AD single sign-on for Verkada Command
+## Configure and test Azure AD SSO for Verkada Command
Configure and test Azure AD SSO with Verkada Command using a test user called **B.Simon**. For SSO to work, you need to establish a link relationship between an Azure AD user and the related user in Verkada Command.
-To configure and test Azure AD SSO with Verkada Command, complete the following building blocks:
+To configure and test Azure AD SSO with Verkada Command, perform the following steps:
1. **[Configure Azure AD SSO](#configure-azure-ad-sso)** - to enable your users to use this feature.
- * **[Create an Azure AD test user](#create-an-azure-ad-test-user)** - to test Azure AD single sign-on with B.Simon.
- * **[Assign the Azure AD test user](#assign-the-azure-ad-test-user)** - to enable B.Simon to use Azure AD single sign-on.
+ 1. **[Create an Azure AD test user](#create-an-azure-ad-test-user)** - to test Azure AD single sign-on with B.Simon.
+ 1. **[Assign the Azure AD test user](#assign-the-azure-ad-test-user)** - to enable B.Simon to use Azure AD single sign-on.
1. **[Configure Verkada Command SSO](#configure-verkada-command-sso)** - to configure the single sign-on settings on application side.
- * **[Create Verkada Command test user](#create-verkada-command-test-user)** - to have a counterpart of B.Simon in Verkada Command that is linked to the Azure AD representation of user.
+ 1. **[Create Verkada Command test user](#create-verkada-command-test-user)** - to have a counterpart of B.Simon in Verkada Command that is linked to the Azure AD representation of user.
1. **[Test SSO](#test-sso)** - to verify whether the configuration works. ## Configure Azure AD SSO Follow these steps to enable Azure AD SSO in the Azure portal.
-1. In the [Azure portal](https://portal.azure.com/), on the **Verkada Command** application integration page, find the **Manage** section and select **single sign-on**.
+1. In the Azure portal, on the **Verkada Command** application integration page, find the **Manage** section and select **single sign-on**.
1. On the **Select a single sign-on method** page, select **SAML**.
-1. On the **Set up single sign-on with SAML** page, click the edit/pen icon for **Basic SAML Configuration** to edit the settings.
+1. On the **Set up single sign-on with SAML** page, click the pencil icon for **Basic SAML Configuration** to edit the settings.
![Edit Basic SAML Configuration](common/edit-urls.png)
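Review bot: renaming "## Configure and test Azure AD single sign-on for Verkada Command" to "## Configure and test Azure AD SSO for Verkada Command" changes that heading's anchor, so any inbound link to #configure-and-test-azure-ad-single-sign-on-for-verkada-command breaks; the in-page building-block anchors (#configure-azure-ad-sso, #create-an-azure-ad-test-user, #assign-the-azure-ad-test-user, #configure-verkada-command-sso, #create-verkada-command-test-user, #test-sso) are unaffected because those headings keep their text. The new NOTE that the Identifier is a fixed string and only one instance can be configured per tenant is worth keeping near the top as it is here: an operator with more than one Verkada environment needs to know that before starting the gallery steps, not after the second instance fails to save.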
Follow these steps to enable Azure AD SSO in the Azure portal.
c. After the metadata file is successfully uploaded, the **Identifier** and **Reply URL** values get auto populated in Basic SAML Configuration section.
- ![Screenshot shows the Basic SAML Configuration, where you can enter Identifier, Reply U R L, and select Save.](common/idp-intiated.png)
- > [!Note]
- > If the **Identifier** and **Reply URL** values do not get auto polulated, then fill in the values manually according to your requirement.
+ > If the **Identifier** and **Reply URL** values do not get auto populated, then fill in the values manually according to your requirement.
1. Click **Set additional URLs** and perform the following step if you wish to configure the application in **SP** initiated mode: In the **Sign-on URL** text box, type a URL using the following pattern:
- `https://vauth.command.verkada.com/saml/login/<client id>`
+ `https://vauth.command.verkada.com/saml/login/<CLIENT_ID>`
> [!NOTE] > The Sign-on URL value is not real. Update this value with the actual Sign-on URL. Contact [Verkada Command Client support team](mailto:support@verkada.com) to get this value. You can also refer to the patterns shown in the **Basic SAML Configuration** section in the Azure portal.
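Review bot: removing "> [!Note]" while keeping the body line "> If the **Identifier** and **Reply URL** values do not get auto populated ..." turns the callout into a plain blockquote; either add "> [!NOTE]" back (the uppercase form this file uses elsewhere) or drop the leading ">" so it reads as a paragraph. Changing the placeholder from `<client id>` to `<CLIENT_ID>` matches the convention in the other tutorials, and the accompanying NOTE still correctly says the real value comes from Verkada support rather than from guessing the pattern.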
In this section, you'll enable B.Simon to use Azure single sign-on by granting a
1. In the Azure portal, select **Enterprise Applications**, and then select **All applications**. 1. In the applications list, select **Verkada Command**. 1. In the app's overview page, find the **Manage** section and select **Users and groups**.-
- ![The "Users and groups" link](common/users-groups-blade.png)
- 1. Select **Add user**, then select **Users and groups** in the **Add Assignment** dialog.-
- ![The Add User link](common/add-assign-user.png)
- 1. In the **Users and groups** dialog, select **B.Simon** from the Users list, then click the **Select** button at the bottom of the screen.
-1. If you're expecting any role value in the SAML assertion, in the **Select Role** dialog, select the appropriate role for the user from the list and then click the **Select** button at the bottom of the screen.
+1. If you are expecting a role to be assigned to the users, you can select it from the **Select a role** dropdown. If no role has been set up for this app, you see "Default Access" role selected.
1. In the **Add Assignment** dialog, click the **Assign** button. ## Configure Verkada Command SSO
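Review bot: same issue as in the ThousandEyes assignment hunk: the "Select **Add user**" and "select **B.Simon**" steps are removed with their screenshots and no `+` lines replace them, so verify the new file still lists those two steps before the role and **Assign** steps.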
In this section, you create a user called B.Simon in Verkada Command. Work with
## Test SSO
-In this section, you test your Azure AD single sign-on configuration using the Access Panel.
+In this section, you test your Azure AD single sign-on configuration with following options.
+
+#### SP initiated:
-When you click the Verkada Command tile in the Access Panel, you should be automatically signed in to the Verkada Command for which you set up SSO. For more information about the Access Panel, see [Introduction to the Access Panel](../user-help/my-apps-portal-end-user-access.md).
+* Click on **Test this application** in Azure portal. This will redirect to Verkada Command Sign on URL where you can initiate the login flow.
-## Additional resources
+* Go to Verkada Command Sign-on URL directly and initiate the login flow from there.
-- [ List of Tutorials on How to Integrate SaaS Apps with Azure Active Directory ](./tutorial-list.md)
+#### IDP initiated:
-- [What is application access and single sign-on with Azure Active Directory? ]( https://docs.microsoft.com/azure/active-directory/manage-apps/what-is-single-sign-on)
+* Click on **Test this application** in Azure portal and you should be automatically signed in to the Verkada Command for which you set up the SSO.
-- [What is conditional access in Azure Active Directory?](../conditional-access/overview.md)
+You can also use Microsoft My Apps to test the application in any mode. When you click the Verkada Command tile in the My Apps, if configured in SP mode you would be redirected to the application sign on page for initiating the login flow and if configured in IDP mode, you should be automatically signed in to the Verkada Command for which you set up the SSO. For more information about the My Apps, see [Introduction to the My Apps](../user-help/my-apps-portal-end-user-access.md).
-- [Try Verkada Command with Azure AD](https://aad.portal.azure.com/)
+## Next steps
-- [What is session control in Microsoft Cloud App Security?](/cloud-app-security/proxy-intro-aad)
+Once you configure Verkada Command you can enforce session control, which protects exfiltration and infiltration of your organizationΓÇÖs sensitive data in real time. Session control extends from Conditional Access. [Learn how to enforce session control with Microsoft Cloud App Security](/cloud-app-security/proxy-deployment-aad).
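Review bot: the session-control sentence that moved from the scenario bullets to **Next steps** changes its target from /cloud-app-security/proxy-deployment-any-app to /cloud-app-security/proxy-deployment-aad, while the Wootric tutorial in this same commit keeps proxy-deployment-any-app; confirm which of the two applies to Verkada Command and use it consistently. Also in the added lines: "organizationΓÇÖs" is a mis-decoded U+2019 apostrophe, the "####" headings sit directly under the "## Test SSO" H2, and "Sign on URL" versus "Sign-on URL" differ between the two SP-initiated bullets. The removed "Try Verkada Command with Azure AD" and "What is session control" links are covered by the new **Next steps** text, so nothing else is lost here.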
active-directory Wootric Tutorial https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/active-directory/saas-apps/wootric-tutorial.md
Previously updated : 07/23/2020 Last updated : 05/19/2021
In this tutorial, you'll learn how to integrate Wootric with Azure Active Direct
* Enable your users to be automatically signed-in to Wootric with their Azure AD accounts. * Manage your accounts in one central location - the Azure portal.
-To learn more about SaaS app integration with Azure AD, see [What is application access and single sign-on with Azure Active Directory](../manage-apps/what-is-single-sign-on.md).
- ## Prerequisites To get started, you need the following items:
To get started, you need the following items:
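Review bot: as in the Verkada hunk above, the "- ## Prerequisites To get started, you need the following items:" deletion removes the **Prerequisites** heading with no visible replacement; confirm the heading survives in the new file.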
In this tutorial, you configure and test Azure AD SSO in a test environment.
-* Wootric supports **IDP** initiated SSO
-* Wootric supports **Just In Time** user provisioning
-* Once you configure Wootric you can enforce session control, which protects exfiltration and infiltration of your organizationΓÇÖs sensitive data in real time. Session control extends from Conditional Access. [Learn how to enforce session control with Microsoft Cloud App Security](/cloud-app-security/proxy-deployment-any-app).
+* Wootric supports **IDP** initiated SSO.
+* Wootric supports **Just In Time** user provisioning.
## Adding Wootric from the gallery To configure the integration of Wootric into Azure AD, you need to add Wootric from the gallery to your list of managed SaaS apps.
-1. Sign in to the [Azure portal](https://portal.azure.com) using either a work or school account, or a personal Microsoft account.
+1. Sign in to the Azure portal using either a work or school account, or a personal Microsoft account.
1. On the left navigation pane, select the **Azure Active Directory** service. 1. Navigate to **Enterprise Applications** and then select **All Applications**. 1. To add new application, select **New application**.
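Review bot: the retained heading "## Adding Wootric from the gallery" keeps the old "Adding" wording while the Verkada and Wrike tutorials in this commit rename theirs to "## Add ... from the gallery"; renaming here as well keeps the three files consistent. Removing the session-control bullet from the scenario list is fine because the same sentence reappears under **Next steps** below.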
To configure the integration of Wootric into Azure AD, you need to add Wootric f
Configure and test Azure AD SSO with Wootric using a test user called **B.Simon**. For SSO to work, you need to establish a link relationship between an Azure AD user and the related user in Wootric.
-To configure and test Azure AD SSO with Wootric, complete the following building blocks:
+To configure and test Azure AD SSO with Wootric, perform the following steps:
1. **[Configure Azure AD SSO](#configure-azure-ad-sso)** - to enable your users to use this feature. 1. **[Create an Azure AD test user](#create-an-azure-ad-test-user)** - to test Azure AD single sign-on with B.Simon.
To configure and test Azure AD SSO with Wootric, complete the following building
Follow these steps to enable Azure AD SSO in the Azure portal.
-1. In the [Azure portal](https://portal.azure.com/), on the **Wootric** application integration page, find the **Manage** section and select **single sign-on**.
+1. In the Azure portal, on the **Wootric** application integration page, find the **Manage** section and select **single sign-on**.
1. On the **Select a single sign-on method** page, select **SAML**.
-1. On the **Set up single sign-on with SAML** page, click the edit/pen icon for **Basic SAML Configuration** to edit the settings.
+1. On the **Set up single sign-on with SAML** page, click the pencil icon for **Basic SAML Configuration** to edit the settings.
![Edit Basic SAML Configuration](common/edit-urls.png)
In this section, you'll enable B.Simon to use Azure single sign-on by granting a
1. In the Azure portal, select **Enterprise Applications**, and then select **All applications**. 1. In the applications list, select **Wootric**. 1. In the app's overview page, find the **Manage** section and select **Users and groups**.-
- ![The "Users and groups" link](common/users-groups-blade.png)
- 1. Select **Add user**, then select **Users and groups** in the **Add Assignment** dialog.-
- ![The Add User link](common/add-assign-user.png)
- 1. In the **Users and groups** dialog, select **B.Simon** from the Users list, then click the **Select** button at the bottom of the screen.
-1. If you're expecting any role value in the SAML assertion, in the **Select Role** dialog, select the appropriate role for the user from the list and then click the **Select** button at the bottom of the screen.
+1. If you are expecting a role to be assigned to the users, you can select it from the **Select a role** dropdown. If no role has been set up for this app, you see "Default Access" role selected.
1. In the **Add Assignment** dialog, click the **Assign** button. ## Configure Wootric SSO
-1. Log in to the Wootric in a different browser window as an administrator.
+1. To automate the configuration within Wootric, you need to install **My Apps Secure Sign-in browser extension** by clicking **Install the extension**.
+
+ ![My apps extension](common/install-myappssecure-extension.png)
+
+2. After adding extension to the browser, click on **Set up Wootric** will direct you to the Wootric application. From there, provide the admin credentials to sign into Wootric. The browser extension will automatically configure the application for you and automate steps 3-6.
+
+ ![Setup configuration](common/setup-sso.png)
+
+3. If you want to setup Wootric manually, in a different web browser window, sign in to your Wootric company site as an administrator.
1. Click on **Settings Icon** from the top menu.
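Review bot: "click on **Set up Wootric** will direct you to the Wootric application" is missing its subject ("clicking **Set up Wootric** directs you ..."), "setup Wootric manually" should be "set up", and "automate steps 3-6" relies on the explicit "1.", "2.", "3." markers being followed by the retained "1." lines; Markdown renumbers an ordered list from its first item, so either number every item explicitly or phrase the range so it survives renumbering. Since the extension signs in with the admin credentials and writes the SSO settings on the Wootric side itself, it is worth one sentence saying that the manual steps that follow double as the checklist an admin can use to verify what the extension changed. Separately, the top of this hunk removes the "Select **Add user**" and "select **B.Simon**" assignment steps with their screenshots and shows no replacement lines, the same gap as in the ThousandEyes and Verkada assignment hunks.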
In this section, a user called B.Simon is created in Wootric. Wootric supports j
## Test SSO
-In this section, you test your Azure AD single sign-on configuration using the Access Panel.
-
-When you click the Wootric tile in the Access Panel, you should be automatically signed in to the Wootric for which you set up SSO. For more information about the Access Panel, see [Introduction to the Access Panel](../user-help/my-apps-portal-end-user-access.md).
-
-## Additional resources
--- [ List of Tutorials on How to Integrate SaaS Apps with Azure Active Directory ](./tutorial-list.md)
+In this section, you test your Azure AD single sign-on configuration with following options.
-- [What is application access and single sign-on with Azure Active Directory? ](../manage-apps/what-is-single-sign-on.md)
+* Click on Test this application in Azure portal and you should be automatically signed in to the Wootric for which you set up the SSO
-- [What is conditional access in Azure Active Directory?](../conditional-access/overview.md)
+* You can use Microsoft My Apps. When you click the Wootric tile in the My Apps, you should be automatically signed in to the Wootric for which you set up the SSO. For more information about the My Apps, see [Introduction to the My Apps](../user-help/my-apps-portal-end-user-access.md).
-- [Try Wootric with Azure AD](https://aad.portal.azure.com/) -- [What is session control in Microsoft Cloud App Security?](/cloud-app-security/proxy-intro-aad)
+## Next steps
-- [How to protect Wootric with advanced visibility and controls](/cloud-app-security/proxy-intro-aad)
+Once you configure Wootric you can enforce session control, which protects exfiltration and infiltration of your organizationΓÇÖs sensitive data in real time. Session control extends from Conditional Access. [Learn how to enforce session control with Microsoft Cloud App Security](/cloud-app-security/proxy-deployment-any-app).
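Review bot: the added bullet "Click on Test this application in Azure portal and you should be automatically signed in to the Wootric for which you set up the SSO" lacks the bold on **Test this application** used in the other tutorials and has no terminating period. The test section correctly lists only the IDP-initiated path, matching the "Wootric supports **IDP** initiated SSO" bullet above. "organizationΓÇÖs" in the last line is a mis-decoded U+2019 apostrophe, and the /cloud-app-security/proxy-deployment-any-app target differs from the proxy-deployment-aad one the Verkada tutorial in this commit now uses.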
active-directory Wrike Tutorial https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/active-directory/saas-apps/wrike-tutorial.md
Previously updated : 04/03/2019 Last updated : 05/21/2021 # Tutorial: Azure Active Directory integration with Wrike
-In this tutorial, you learn how to integrate Wrike with Azure Active Directory (Azure AD).
-Integrating Wrike with Azure AD provides you with the following benefits:
+In this tutorial, you'll learn how to integrate Wrike with Azure Active Directory (Azure AD). When you integrate Wrike with Azure AD, you can:
-* You can control in Azure AD who has access to Wrike.
-* You can enable your users to be automatically signed-in to Wrike (Single Sign-On) with their Azure AD accounts.
-* You can manage your accounts in one central location - the Azure portal.
-
-If you want to know more details about SaaS app integration with Azure AD, see [What is application access and single sign-on with Azure Active Directory](../manage-apps/what-is-single-sign-on.md).
-If you don't have an Azure subscription, [create a free account](https://azure.microsoft.com/free/) before you begin.
+* Control in Azure AD who has access to Wrike.
+* Enable your users to be automatically signed-in to Wrike with their Azure AD accounts.
+* Manage your accounts in one central location - the Azure portal.
## Prerequisites To configure Azure AD integration with Wrike, you need the following items:
-* An Azure AD subscription. If you don't have an Azure AD environment, you can get a [free account](https://azure.microsoft.com/free/)
-* Wrike single sign-on enabled subscription
+* An Azure AD subscription. If you don't have an Azure AD environment, you can get a [free account](https://azure.microsoft.com/free/).
+* Wrike single sign-on enabled subscription.
## Scenario description In this tutorial, you configure and test Azure AD single sign-on in a test environment.
-* Wrike supports **SP** and **IDP** initiated SSO
-
-* Wrike supports **Just In Time** user provisioning
-
-## Adding Wrike from the gallery
-
-To configure the integration of Wrike into Azure AD, you need to add Wrike from the gallery to your list of managed SaaS apps.
-
-**To add Wrike from the gallery, perform the following steps:**
-
-1. In the **[Azure portal](https://portal.azure.com)**, on the left navigation panel, click **Azure Active Directory** icon.
-
- ![The Azure Active Directory button](common/select-azuread.png)
-
-2. Navigate to **Enterprise Applications** and then select the **All Applications** option.
-
- ![The Enterprise applications blade](common/enterprise-applications.png)
-
-3. To add new application, click **New application** button on the top of dialog.
+* Wrike supports **SP** and **IDP** initiated SSO.
- ![The New application button](common/add-new-app.png)
+* Wrike supports **Just In Time** user provisioning.
-4. In the search box, type **Wrike**, select **Wrike** from result panel then click **Add** button to add the application.
+> [!NOTE]
+> Identifier of this application is a fixed string value so only one instance can be configured in one tenant.
- ![Wrike in the results list](common/search-new-app.png)
+## Add Wrike from the gallery
-## Configure and test Azure AD single sign-on
-
-In this section, you configure and test Azure AD single sign-on with Wrike based on a test user called **Britta Simon**.
-For single sign-on to work, a link relationship between an Azure AD user and the related user in Wrike needs to be established.
-
-To configure and test Azure AD single sign-on with Wrike, you need to complete the following building blocks:
-
-1. **[Configure Azure AD Single Sign-On](#configure-azure-ad-single-sign-on)** - to enable your users to use this feature.
-2. **[Configure Wrike Single Sign-On](#configure-wrike-single-sign-on)** - to configure the Single Sign-On settings on application side.
-3. **[Create an Azure AD test user](#create-an-azure-ad-test-user)** - to test Azure AD single sign-on with Britta Simon.
-4. **[Assign the Azure AD test user](#assign-the-azure-ad-test-user)** - to enable Britta Simon to use Azure AD single sign-on.
-5. **[Create Wrike test user](#create-wrike-test-user)** - to have a counterpart of Britta Simon in Wrike that is linked to the Azure AD representation of user.
-6. **[Test single sign-on](#test-single-sign-on)** - to verify whether the configuration works.
+To configure the integration of Wrike into Azure AD, you need to add Wrike from the gallery to your list of managed SaaS apps.
-### Configure Azure AD single sign-on
+1. Sign in to the Azure portal using either a work or school account, or a personal Microsoft account.
+1. On the left navigation pane, select the **Azure Active Directory** service.
+1. Navigate to **Enterprise Applications** and then select **All Applications**.
+1. To add new application, select **New application**.
+1. In the **Add from the gallery** section, type **Wrike** in the search box.
+1. Select **Wrike** from results panel and then add the app. Wait a few seconds while the app is added to your tenant.
-In this section, you enable Azure AD single sign-on in the Azure portal.
+## Configure and test Azure AD SSO for Wrike
-To configure Azure AD single sign-on with Wrike, perform the following steps:
+Configure and test Azure AD SSO with Wrike using a test user called **B.Simon**. For SSO to work, you need to establish a link relationship between an Azure AD user and the related user in Wrike.
-1. In the [Azure portal](https://portal.azure.com/), on the **Wrike** application integration page, select **Single sign-on**.
+To configure and test Azure AD SSO with Wrike, perform the following steps:
- ![Configure single sign-on link](common/select-sso.png)
+1. **[Configure Azure AD SSO](#configure-azure-ad-sso)** - to enable your users to use this feature.
+ 1. **[Create an Azure AD test user](#create-an-azure-ad-test-user)** - to test Azure AD single sign-on with B.Simon.
+ 1. **[Assign the Azure AD test user](#assign-the-azure-ad-test-user)** - to enable B.Simon to use Azure AD single sign-on.
+1. **[Configure Wrike SSO](#configure-wrike-sso)** - to configure the single sign-on settings on application side.
+ 1. **[Create Wrike test user](#create-wrike-test-user)** - to have a counterpart of B.Simon in Wrike that is linked to the Azure AD representation of user.
+1. **[Test SSO](#test-sso)** - to verify whether the configuration works.
-2. On the **Select a Single sign-on method** dialog, select **SAML/WS-Fed** mode to enable single sign-on.
+## Configure Azure AD SSO
- ![Single sign-on select mode](common/select-saml-option.png)
+Follow these steps to enable Azure AD SSO in the Azure portal.
-3. On the **Set up Single Sign-On with SAML** page, click **Edit** icon to open **Basic SAML Configuration** dialog.
+1. In the Azure portal, on the **Wrike** application integration page, find the **Manage** section and select **single sign-on**.
+1. On the **Select a single sign-on method** page, select **SAML**.
+1. On the **Set up single sign-on with SAML** page, click the pencil icon for **Basic SAML Configuration** to edit the settings.
- ![Edit Basic SAML Configuration](common/edit-urls.png)
+ ![Edit Basic SAML Configuration](common/edit-urls.png)
4. On the **Basic SAML Configuration** section, if you wish to configure the application in **IDP** initiated mode the user does not have to perform any step as the app is already pre-integrated with Azure.
- ![Screenshot shows the Basic SAML Configuration.](common/preintegrated.png)
- 5. Click **Set additional URLs** and perform the following step if you wish to configure the application in **SP** initiated mode:
- ![Screenshot shows Set additional U R Ls where you can enter a Sign on U R L.](common/metadata-upload-additional-signon.png)
-
- In the **Sign-on URL** text box, type a URL:
+ In the **Sign-on URL** text box, type the URL:
`https://www.wrike.com/login/` 6. On the **Set up Single Sign-On with SAML** page, in the **SAML Signing Certificate** section, click **Download** to download the **Federation Metadata XML** from the given options as per your requirement and save it on your computer.
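Review bot: the Azure AD SSO steps now mix list markers: the new lines use "1." while the retained context keeps "4.", "5." and "6.", and retained step 6 still says "Set up Single Sign-On with SAML" where the new step says "Set up single sign-on with SAML"; normalize both so the rewritten and retained steps read as one list. The new anchors in the building-block list (#configure-azure-ad-sso, #create-an-azure-ad-test-user, #assign-the-azure-ad-test-user, #configure-wrike-sso, #create-wrike-test-user, #test-sso) match the headings introduced in this hunk and below, while the old #configure-azure-ad-single-sign-on, #configure-wrike-single-sign-on and #test-single-sign-on anchors disappear with their headings, so check for inbound links. Dropping "If you don't have an Azure subscription, create a free account" from the intro is fine because the free-account link stays in **Prerequisites**.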
To configure Azure AD single sign-on with Wrike, perform the following steps:
![Copy configuration URLs](common/copy-configuration-urls.png)
- a. Login URL
-
- b. Azure AD Identifier
-
- c. Logout URL
-
-### Configure Wrike Single Sign-On
-
-To configure single sign-on on **Wrike** side, you need to send the downloaded **Federation Metadata XML** and appropriate copied URLs from Azure portal to [Wrike support team](mailto:support@team.wrike.com). They set this setting to have the SAML SSO connection set properly on both sides.
- ### Create an Azure AD test user
-The objective of this section is to create a test user in the Azure portal called Britta Simon.
-
-1. In the Azure portal, in the left pane, select **Azure Active Directory**, select **Users**, and then select **All users**.
-
- ![The "Users and groups" and "All users" links](common/users.png)
-
-2. Select **New user** at the top of the screen.
-
- ![New user Button](common/new-user.png)
-
-3. In the User properties, perform the following steps.
+In this section, you'll create a test user in the Azure portal called B.Simon.
- ![The User dialog box](common/user-properties.png)
-
- a. In the **Name** field enter **BrittaSimon**.
-
- b. In the **User name** field type `brittasimon@yourcompanydomain.extension`. For example, BrittaSimon@contoso.com
-
- c. Select **Show password** check box, and then write down the value that's displayed in the Password box.
-
- d. Click **Create**.
+1. From the left pane in the Azure portal, select **Azure Active Directory**, select **Users**, and then select **All users**.
+1. Select **New user** at the top of the screen.
+1. In the **User** properties, follow these steps:
+ 1. In the **Name** field, enter `B.Simon`.
+ 1. In the **User name** field, enter the username@companydomain.extension. For example, `B.Simon@contoso.com`.
+ 1. Select the **Show password** check box, and then write down the value that's displayed in the **Password** box.
+ 1. Click **Create**.
### Assign the Azure AD test user
-In this section, you enable Britta Simon to use Azure single sign-on by granting access to Wrike.
-
-1. In the Azure portal, select **Enterprise Applications**, select **All applications**, then select **Wrike**.
-
- ![Enterprise applications blade](common/enterprise-applications.png)
+In this section, you'll enable B.Simon to use Azure single sign-on by granting access to Wrike.
-2. In the applications list, select **Wrike**.
+1. In the Azure portal, select **Enterprise Applications**, and then select **All applications**.
+1. In the applications list, select **Wrike**.
+1. In the app's overview page, find the **Manage** section and select **Users and groups**.
+1. Select **Add user**, then select **Users and groups** in the **Add Assignment** dialog.
+1. In the **Users and groups** dialog, select **B.Simon** from the Users list, then click the **Select** button at the bottom of the screen.
+1. If you are expecting a role to be assigned to the users, you can select it from the **Select a role** dropdown. If no role has been set up for this app, you see "Default Access" role selected.
+1. In the **Add Assignment** dialog, click the **Assign** button.
- ![The Wrike link in the Applications list](common/all-applications.png)
+## Configure Wrike SSO
-3. In the menu on the left, select **Users and groups**.
-
- ![The "Users and groups" link](common/users-groups-blade.png)
-
-4. Click the **Add user** button, then select **Users and groups** in the **Add Assignment** dialog.
-
- ![The Add Assignment pane](common/add-assign-user.png)
-
-5. In the **Users and groups** dialog select **Britta Simon** in the Users list, then click the **Select** button at the bottom of the screen.
-
-6. If you are expecting any role value in the SAML assertion then in the **Select Role** dialog select the appropriate role for the user from the list, then click the **Select** button at the bottom of the screen.
-
-7. In the **Add Assignment** dialog click the **Assign** button.
+To configure single sign-on on **Wrike** side, you need to send the downloaded **Federation Metadata XML** and appropriate copied URLs from Azure portal to [Wrike support team](mailto:support@team.wrike.com). They set this setting to have the SAML SSO connection set properly on both sides.
### Create Wrike test user
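Review bot: "To configure single sign-on on **Wrike** side" in the added Configure Wrike SSO paragraph is missing an article, and the follow-on sentence is circular ("They set this setting to have the SAML SSO connection set properly"). Suggest: "To configure single sign-on on the **Wrike** side, send the downloaded **Federation Metadata XML** and the copied URLs from the Azure portal to the Wrike support team. Wrike applies them so that the SAML SSO connection is configured correctly on both sides."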
In this section, a user called Britta Simon is created in Wrike. Wrike supports
>[!Note] >If you need to create a user manually, contact [Wrike support team](mailto:support@team.wrike.com).
-### Test single sign-on
+## Test SSO
+
+In this section, you test your Azure AD single sign-on configuration with following options.
+
+#### SP initiated:
+
+* Click on **Test this application** in Azure portal. This will redirect to Wrike Sign on URL where you can initiate the login flow.
-In this section, you test your Azure AD single sign-on configuration using the Access Panel.
+* Go to Wrike Sign-on URL directly and initiate the login flow from there.
-When you click the Wrike tile in the Access Panel, you should be automatically signed in to the Wrike for which you set up SSO. For more information about the Access Panel, see [Introduction to the Access Panel](../user-help/my-apps-portal-end-user-access.md).
+#### IDP initiated:
-## Additional Resources
+* Click on **Test this application** in Azure portal and you should be automatically signed in to the Wrike for which you set up the SSO.
-- [List of Tutorials on How to Integrate SaaS Apps with Azure Active Directory](./tutorial-list.md)
+You can also use Microsoft My Apps to test the application in any mode. When you click the Wrike tile in the My Apps, if configured in SP mode you would be redirected to the application sign on page for initiating the login flow and if configured in IDP mode, you should be automatically signed in to the Wrike for which you set up the SSO. For more information about the My Apps, see [Introduction to the My Apps](../user-help/my-apps-portal-end-user-access.md).
-- [What is application access and single sign-on with Azure Active Directory?](../manage-apps/what-is-single-sign-on.md)
+## Next steps
-- [What is Conditional Access in Azure Active Directory?](../conditional-access/overview.md)
+Once you configure Wrike you can enforce session control, which protects exfiltration and infiltration of your organizationΓÇÖs sensitive data in real time. Session control extends from Conditional Access. [Learn how to enforce session control with Microsoft Cloud App Security](/cloud-app-security/proxy-deployment-aad).
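Review bot: The test user is renamed to B.Simon in the Azure AD steps, but the unchanged "Create Wrike test user" context line still says "a user called Britta Simon is created in Wrike"; rename it as well so the Azure AD and Wrike accounts visibly match. Two smaller items in the same hunk: "organizationΓÇÖs" in the Next steps paragraph is a mis-encoded apostrophe and should read "organization's", and "Wrike Sign on URL" and "Wrike Sign-on URL" are spelled two ways in the SP initiated bullets.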
active-directory User Help Register Device On Network https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/active-directory/user-help/user-help-register-device-on-network.md
Previously updated : 08/31/2020 Last updated : 05/24/2020
Follow these steps to register your personal device on your network.
![Accounts on the Settings screen](./media/user-help-register-device-on-network/register-device-settings-accounts.png)
-2. Select **Access work or school**, and then select **Connect** from the **Access work or school** screen.
+1. Select **Access work or school**, and then select **Connect** from the **Access work or school** screen.
![Access work or school screen with Connect option highlighted](./media/user-help-register-device-on-network/register-device-access-work-school-connect.png)
-3. On the **Add a work or school account** screen, type in your email address for your work or school account, and then select **Next**. For example, alain@contoso.com.
+1. On the **Add a work or school account** screen, type in your email address for your work or school account, and then select **Next**. For example, alain@contoso.com.
-4. Sign in to your work or school account, and then select **Sign in**.
+1. Sign in to your work or school account, and then select **Sign in**.
-5. Complete the rest of the registration process, including approving your identity verification request (if you use two-step verification) and setting up Windows Hello (if necessary).
+1. Complete the rest of the registration process, including approving your identity verification request (if you use two-step verification) and setting up Windows Hello (if necessary).
+
+1. Restart the device.
## To verify that you're registered+ You can make sure that you're registered by looking at your settings. 1. Open **Settings**, and then select **Accounts**. ![Accounts on the Settings screen](./media/user-help-register-device-on-network/register-device-settings-accounts.png)
-2. Select **Access work or school**, and make sure you see your work or school account.
+1. Select **Access work or school**, and make sure you see your work or school account.
![Access work or school screen with connected contoso account](./media/user-help-register-device-on-network/register-device-setup-verify.png)
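Review bot: The new step "Restart the device." gives no indication whether the restart is required for registration to complete or merely recommended; the neighbouring steps qualify optional actions ("if necessary"), so add the same qualifier or a short reason. Also, this entry's header reads "Last updated : 05/24/2020", which looks like a typo for 05/24/2021 given the 08/31/2020 previous date and the 05/24/2021 dates on the other entries in this update.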
active-directory Credential Design https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/active-directory/verifiable-credentials/credential-design.md
description: This article shows you how to create your own custom verifiable cre
-+ Last updated 04/01/2021
active-directory Decentralized Identifier Overview https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/active-directory/verifiable-credentials/decentralized-identifier-overview.md
editor:-+ Last updated 04/01/2021
active-directory Enable Your Tenant Verifiable Credentials https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/active-directory/verifiable-credentials/enable-your-tenant-verifiable-credentials.md
description: In this tutorial, you build the environment needed to deploy verifi
documentationCenter: '' -+ Last updated 05/18/2021
active-directory Get Started Verifiable Credentials https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/active-directory/verifiable-credentials/get-started-verifiable-credentials.md
Title: Tutorial - Get started with Azure Active Directory Verifiable Credentials using a sample app (preview) description: In this tutorial, you learn how to issue verifiable credentials using our sample app and test tenant-+
active-directory How To Create A Free Developer Account https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/active-directory/verifiable-credentials/how-to-create-a-free-developer-account.md
description: This article shows you how to create a developer account
-+ Last updated 04/01/2021
active-directory How To Dnsbind https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/active-directory/verifiable-credentials/how-to-dnsbind.md
description: Learn how to DNS Bind?
documentationCenter: '' -+ Last updated 04/01/2021
active-directory How To Issuer Revoke https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/active-directory/verifiable-credentials/how-to-issuer-revoke.md
description: Learn how to revoke a Verifiable Credential that you've issued
documentationCenter: '' -+ Last updated 04/01/2021
active-directory How To Opt Out https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/active-directory/verifiable-credentials/how-to-opt-out.md
description: Learn how to Opt Out of the Verifiable Credentials Preview
documentationCenter: '' -+ Last updated 04/01/2021
active-directory Issue Verify Verifiable Credentials Your Tenant https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/active-directory/verifiable-credentials/issue-verify-verifiable-credentials-your-tenant.md
description: Change the Verifiable Credential code sample to work with your Azur
documentationCenter: '' -+ Last updated 04/01/2021
active-directory Issuer Openid https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/active-directory/verifiable-credentials/issuer-openid.md
Title: Issuer service communication examples (preview) - Azure Active Directory
description: Details of communication between identity provider and issuer service -+
active-directory Verifiable Credentials Faq https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/active-directory/verifiable-credentials/verifiable-credentials-faq.md
Title: Frequently asked questions - Azure Verifiable Credentials (preview)
description: Find answers to common questions about Verifiable Credentials -+ Last updated 04/01/2021
aks Azure Disk Customer Managed Keys https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/aks/azure-disk-customer-managed-keys.md
Azure Storage encrypts all data in a storage account at rest. By default, data i
## Limitations * Data disk encryption support is limited to AKS clusters running Kubernetes version 1.17 and above.
-* Encryption of OS and data disk with customer-managed keys can only be enabled when creating an AKS cluster.
+* Encryption of OS disk with customer-managed keys can only be enabled when creating an AKS cluster.
## Prerequisites * You must enable soft delete and purge protection for *Azure Key Vault* when using Key Vault to encrypt managed disks.
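Review bot: Narrowing the limitation from "OS and data disk" to "OS disk" implies that customer-managed-key encryption of data disks can now be enabled after cluster creation, but nothing in the hunk says how or points to where that is covered. Either add that pointer or state explicitly that the data-disk restriction no longer applies, so readers do not have to infer it from the diff.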
Review [best practices for AKS cluster security][best-practices-security]
[customer-managed-keys-windows]: ../virtual-machines/disk-encryption.md#customer-managed-keys [customer-managed-keys-linux]: ../virtual-machines/disk-encryption.md#customer-managed-keys [key-vault-generate]: ../key-vault/general/manage-with-cli2.md
-[supported-regions]: ../virtual-machines/disk-encryption.md#supported-regions
+[supported-regions]: ../virtual-machines/disk-encryption.md#supported-regions
aks Cluster Configuration https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/aks/cluster-configuration.md
az aks nodepool add --name ubuntu1804 --cluster-name myAKSCluster --resource-gro
## Container runtime configuration
-A container runtime is software that executes containers and manages container images on a node. The runtime helps abstract away sys-calls or operating system (OS) specific functionality to run containers on Linux or Windows. AKS clusters using Kubernetes version 1.19 node pools and greater use `containerd` as its container runtime. AKS clusters using Kubernetes prior to v1.19 for node pools use [Moby](https://mobyproject.org/) (upstream docker) as its container runtime.
+A container runtime is software that executes containers and manages container images on a node. The runtime helps abstract away sys-calls or operating system (OS) specific functionality to run containers on Linux or Windows. For Linux node pools, `containerd` is used for node pools using Kubernetes version 1.19 and greater, and Docker is used for node pools using Kubernetes 1.18 and earlier. For Windows Server 2019 node pools, `containerd` is available in preview and can be used in node pools using Kubernetes 1.20 and greater, but Docker is still used by default.
-![Docker CRI 1](media/cluster-configuration/docker-cri.png)
-
-[`Containerd`](https://containerd.io/) is an [OCI](https://opencontainers.org/) (Open Container Initiative) compliant core container runtime that provides the minimum set of required functionality to execute containers and manage images on a node. It was [donated](https://www.cncf.io/announcement/2017/03/29/containerd-joins-cloud-native-computing-foundation/) to the Cloud Native Compute Foundation (CNCF) in March of 2017. The current Moby version that AKS uses already leverages and is built on top of `containerd`, as shown above.
+[`Containerd`](https://containerd.io/) is an [OCI](https://opencontainers.org/) (Open Container Initiative) compliant core container runtime that provides the minimum set of required functionality to execute containers and manage images on a node. It was [donated](https://www.cncf.io/announcement/2017/03/29/containerd-joins-cloud-native-computing-foundation/) to the Cloud Native Compute Foundation (CNCF) in March of 2017. The current Moby (upstream Docker) version that AKS uses already leverages and is built on top of `containerd`, as shown above.
With a `containerd`-based node and node pools, instead of talking to the `dockershim`, the kubelet will talk directly to `containerd` via the CRI (container runtime interface) plugin, removing extra hops on the flow when compared to the Docker CRI implementation. As such, you'll see better pod startup latency and less resource (CPU and memory) usage.
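Review bot: The retained sentence "...is built on top of `containerd`, as shown above." now dangles: the hunk deletes the Docker CRI diagram (`docker-cri.png`) it referred to. Drop "as shown above" or keep the image. Minor: "sys-calls" is normally written "syscalls" or "system calls".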
By using `containerd` for AKS nodes, pod startup latency improves and node resou
`Containerd` works on every GA version of Kubernetes in AKS, and in every upstream kubernetes version above v1.19, and supports all Kubernetes and AKS features. > [!IMPORTANT]
-> Clusters with node pools created on Kubernetes v1.19 or greater default to `containerd` for its container runtime. Clusters with node pools on a supported Kubernetes version less than 1.19 receive `Moby` for its container runtime, but will be updated to `ContainerD` once the node pool Kubernetes version is updated to v1.19 or greater. You can still use `Moby` node pools and clusters on older supported versions until those fall off support.
+> Clusters with Linux node pools created on Kubernetes v1.19 or greater default to `containerd` for its container runtime. Clusters with node pools on a earlier supported Kubernetes versions receive Docker for their container runtime. Linux node pools will be updated to `containerd` once the node pool Kubernetes version is updated to a version that supports `containerd`. You can still use Docker node pools and clusters on older supported versions until those fall off support.
+>
+> Using `containerd` with Windows Server 2019 node pools is currently in preview. For more details, see [Add a Windows Server node pool with `containerd`][aks-add-np-containerd].
>
-> It is highly recommended to test your workloads on AKS node pools with `containerD` prior to using clusters on 1.19 or greater.
+> It is highly recommended to test your workloads on AKS node pools with `containerd` prior to using clusters with a Kubernetes version that supports `containerd` for your node pools.
### `Containerd` limitations/differences
-* To use `containerd` as the container runtime you must use AKS Ubuntu 18.04 as your base OS image.
-* While the docker toolset is still present on the nodes, Kubernetes uses `containerd` as the container runtime. Therefore, since Moby/Docker doesn't manage the Kubernetes-created containers on the nodes, you can't view or interact with your containers using Docker commands (like `docker ps`) or the Docker API.
* For `containerd`, we recommend using [`crictl`](https://kubernetes.io/docs/tasks/debug-application-cluster/crictl) as a replacement CLI instead of the Docker CLI for **troubleshooting** pods, containers, and container images on Kubernetes nodes (for example, `crictl ps`). * It doesn't provide the complete functionality of the docker CLI. It's intended for troubleshooting only. * `crictl` offers a more kubernetes-friendly view of containers, with concepts like pods, etc. being present. * `Containerd` sets up logging using the standardized `cri` logging format (which is different from what you currently get from dockerΓÇÖs json driver). Your logging solution needs to support the `cri` logging format (like [Azure Monitor for Containers](../azure-monitor/containers/container-insights-enable-new-cluster.md)) * You can no longer access the docker engine, `/var/run/docker.sock`, or use Docker-in-Docker (DinD). * If you currently extract application logs or monitoring data from Docker Engine, please use something like [Azure Monitor for Containers](../azure-monitor/containers/container-insights-enable-new-cluster.md) instead. Additionally AKS doesn't support running any out of band commands on the agent nodes that could cause instability.
- * Even when using Moby/docker, building images and directly leveraging the docker engine via the methods above is strongly discouraged. Kubernetes isn't fully aware of those consumed resources, and those approaches present numerous issues detailed [here](https://jpetazzo.github.io/2015/09/03/do-not-use-docker-in-docker-for-ci/) and [here](https://securityboulevard.com/2018/05/escaping-the-whale-things-you-probably-shouldnt-do-with-docker-part-1/), for example.
+ * Even when using Docker, building images and directly leveraging the Docker engine via the methods above is strongly discouraged. Kubernetes isn't fully aware of those consumed resources, and those approaches present numerous issues detailed [here](https://jpetazzo.github.io/2015/09/03/do-not-use-docker-in-docker-for-ci/) and [here](https://securityboulevard.com/2018/05/escaping-the-whale-things-you-probably-shouldnt-do-with-docker-part-1/), for example.
* Building images - You can continue to use your current docker build workflow as normal, unless you are building images inside your AKS cluster. In this case, please consider switching to the recommended approach for building images using [ACR Tasks](../container-registry/container-registry-quickstart-task-cli.md), or a more secure in-cluster option like [docker buildx](https://github.com/docker/buildx). ## Generation 2 virtual machines
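Review bot: Grammar in the rewritten IMPORTANT note: "on a earlier supported Kubernetes versions" should be "on earlier supported Kubernetes versions". The deleted bullet explaining that Docker CLI commands such as `docker ps` cannot see Kubernetes-created containers was the motivation for the `crictl` bullet that remains; consider keeping a one-line version of it so the recommendation does not read as unexplained.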
By contrast, ephemeral OS disks are stored only on the host machine, just like a
Like the temporary disk, an ephemeral OS disk is included in the price of the virtual machine, so you incur no additional storage costs. > [!IMPORTANT]
->When a user does not explicitly request managed disks for the OS, AKS will default to ephemeral OS if possible for a given nodepool configuration.
+>When a user does not explicitly request managed disks for the OS, AKS will default to ephemeral OS if possible for a given node pool configuration.
When using ephemeral OS, the OS disk must fit in the VM cache. The sizes for VM cache are available in the [Azure documentation](../virtual-machines/dv3-dsv3-series.md) in parentheses next to IO throughput ("cache size in GiB").
Using the AKS default VM size Standard_DS2_v2 with the default OS disk size of 1
If a user requests the same Standard_DS2_v2 with a 60GB OS disk, this configuration would default to ephemeral OS: the requested size of 60GB is smaller than the maximum cache size of 86GB.
-Using Standard_D8s_v3 with 100GB OS disk, this VM size supports ephemeral OS and has 200GB of cache space. If a user does not specify the OS disk type, the nodepool would receive ephemeral OS by default.
+Using Standard_D8s_v3 with 100GB OS disk, this VM size supports ephemeral OS and has 200GB of cache space. If a user does not specify the OS disk type, the node pool would receive ephemeral OS by default.
Ephemeral OS requires at least version 2.15.0 of the Azure CLI.
As you work with the node resource group, keep in mind that you can't:
[az-feature-register]: /cli/azure/feature#az_feature_register [az-feature-list]: /cli/azure/feature#az_feature_list [az-provider-register]: /cli/azure/provider#az_provider_register
+[aks-add-np-containerd]: windows-container-cli.md#add-a-windows-server-node-pool-with-containerd-preview
aks Cluster Container Registry Integration https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/aks/cluster-container-registry-integration.md
You can set up the AKS to ACR integration in a few simple commands with the Azur
These examples require:
-* **Owner** or **Azure account administrator** role on the **Azure subscription**
+* **Owner**, **Azure account administrator**, or **Azure co-adminstrator** role on the **Azure subscription**
* Azure CLI version 2.7.0 or later
-To avoid needing an **Owner** or **Azure account administrator** role, you can configure a managed identity manually or use an existing managed identity to authenticate ACR from AKS. For more information, see [Use an Azure managed identity to authenticate to an Azure container registry](../container-registry/container-registry-authentication-managed-identity.md).
+To avoid needing an **Owner**, **Azure account administrator**, or **Azure co-adminstrator** role, you can use an existing managed identity to authenticate ACR from AKS. For more information, see [Use an Azure managed identity to authenticate to an Azure container registry](../container-registry/container-registry-authentication-managed-identity.md).
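Review bot: "co-adminstrator" is misspelled in both added lines; it should be "co-administrator".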
## Create a new AKS cluster with ACR integration
or,
az aks update -n myAKSCluster -g myResourceGroup --attach-acr <acr-resource-id> ```
+> [!NOTE]
+> Running `az aks update --attach-acr` uses the permissions of the user running the command to create the role ACR assignment. This role is assigned to the kubelet managed identity. For more information on the AKS managed identities, see [Summary of managed identities][summary-msi].
+ You can also remove the integration between an ACR and an AKS cluster with the following ```azurecli
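Review bot: "create the role ACR assignment" in the new NOTE should read "create the ACR role assignment". The note would also be more useful if it named the role granted to the kubelet managed identity, since the point readers need is that the caller must hold rights to assign a role at the registry scope; the following sentence already links to the managed-identity summary, so the role name is the only missing piece.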
nginx0-deployment-669dfc4d4b-xdpd6 1/1 Running 0 20s
<!-- LINKS - external --> [AKS AKS CLI]: /cli/azure/aks#az_aks_create
-[Image Pull secret]: https://kubernetes.io/docs/tasks/configure-pod-container/pull-image-private-registry/
+[Image Pull secret]: https://kubernetes.io/docs/tasks/configure-pod-container/pull-image-private-registry/
+
+[summary-msi]: use-managed-identity.md#summary-of-managed-identities
aks Concepts Clusters Workloads https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/aks/concepts-clusters-workloads.md
To run your applications and supporting services, you need a Kubernetes *node*.
| Component | Description | | -- | - |
-| `kubelet` | The Kubernetes agent that processes the orchestration requests from the control plane and scheduling of running the requested containers. |
-| *kube-proxy* | Handles virtual networking on each node. The proxy routes network traffic and manages IP addressing for services and pods. |
-| *container runtime* | Allows containerized applications to run and interact with additional resources, such as the virtual network and storage. AKS clusters using Kubernetes version 1.19+ node pools use `containerd` as their container runtime. AKS clusters using Kubernetes prior to node pool version 1.19 for node pools use [Moby](https://mobyproject.org/) (upstream docker) as their container runtime. |
-
+| `kubelet` | The Kubernetes agent that processes the orchestration requests from the control plane and scheduling of running the requested containers. |
+| *kube-proxy* | Handles virtual networking on each node. The proxy routes network traffic and manages IP addressing for services and pods. |
+| *container runtime* | Allows containerized applications to run and interact with additional resources, such as the virtual network and storage. AKS clusters using Kubernetes version 1.19+ for Linux node pools use `containerd` as their container runtime. Beginning in Kubernetes version 1.20 for Windows node pools, `containerd` can be used in preview for the container runtime, but Docker is still the default container runtime. AKS clusters using prior versions of Kubernetes for node pools use Docker as their container runtime. |
![Azure virtual machine and supporting resources for a Kubernetes node](media/concepts-clusters-workloads/aks-node-resource-interactions.png)
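Review bot: The hunk deletes the blank line that separated the components table from the `![Azure virtual machine ...]` image. In GitHub-flavored Markdown a table only ends at a blank line or the start of another block, so the image line is liable to be parsed as one more table row; restore the blank line after the last `| *container runtime* |` row.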
The Azure VM size for your nodes defines the storage CPUs, memory, size, and typ
In AKS, the VM image for your cluster's nodes is based on Ubuntu Linux or Windows Server 2019. When you create an AKS cluster or scale out the number of nodes, the Azure platform automatically creates and configures the requested number of VMs. Agent nodes are billed as standard VMs, so any VM size discounts (including [Azure reservations][reservation-discounts]) are automatically applied.
-Deploy your own Kubernetes cluster with [aks-engine][aks-engine] if using a different host OS, container runtime, or including different custom packages. The upstream `aks-engine` releases features and provides configuration options ahead of support in AKS clusters. So, if you wish to use a container runtime other than `containerd` or [Moby](https://mobyproject.org/), you can run `aks-engine` to configure and deploy a Kubernetes cluster that meets your current needs.
+Deploy your own Kubernetes cluster with [aks-engine][aks-engine] if using a different host OS, container runtime, or including different custom packages. The upstream `aks-engine` releases features and provides configuration options ahead of support in AKS clusters. So, if you wish to use a container runtime other than `containerd` or Docker, you can run `aks-engine` to configure and deploy a Kubernetes cluster that meets your current needs.
### Resource reservations
aks Concepts Security https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/aks/concepts-security.md
You can control access to the API server using Kubernetes role-based access cont
## Node security AKS nodes are Azure virtual machines (VMs) that you manage and maintain.
-* Linux nodes run an optimized Ubuntu distribution using the `containerd` or Moby container runtime.
-* Windows Server nodes run an optimized Windows Server 2019 release using the `containerd` or Moby container runtime.
+* Linux nodes run an optimized Ubuntu distribution using the `containerd` or Docker container runtime.
+* Windows Server nodes run an optimized Windows Server 2019 release using the `containerd` or Docker container runtime.
When an AKS cluster is created or scaled up, the nodes are automatically deployed with the latest OS security updates and configurations. > [!NOTE] > AKS clusters using:
-> * Kubernetes version 1.19 node pools and greater use `containerd` as its container runtime.
-> * Kubernetes prior to v1.19 node pools use [Moby](https://mobyproject.org/) (upstream docker) as its container runtime.
+> * Kubernetes version 1.19 and greater for Linux node pools use `containerd` as its container runtime. Using `containerd` with Windows Server 2019 node pools is currently in preview. For more details, see [Add a Windows Server node pool with `containerd`][aks-add-np-containerd].
+> * Kubernetes prior to v1.19 for Linux node pools use Docker as its container runtime. For Windows Server 2019 node pools, Docker is the default container runtime.
### Node security patches
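Review bot: Subject agreement in the rewritten NOTE: "Kubernetes version 1.19 and greater for Linux node pools use `containerd` as its container runtime" pairs a plural subject with "its"; write "as their container runtime" in both bullets (the plural "use" is already there).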
For more information on core Kubernetes and AKS concepts, see:
[aks-daemonsets]: concepts-clusters-workloads.md#daemonsets [aks-upgrade-cluster]: upgrade-cluster.md [aks-aad]: ./managed-aad.md
+[aks-add-np-containerd]: windows-container-cli.md#add-a-windows-server-node-pool-with-containerd-preview
[aks-concepts-clusters-workloads]: concepts-clusters-workloads.md [aks-concepts-identity]: concepts-identity.md [aks-concepts-scale]: concepts-scale.md
For more information on core Kubernetes and AKS concepts, see:
[nodepool-upgrade]: use-multiple-node-pools.md#upgrade-a-node-pool [authorized-ip-ranges]: api-server-authorized-ip-ranges.md [private-clusters]: private-clusters.md
-[network-policy]: use-network-policies.md
+[network-policy]: use-network-policies.md
aks Ingress Basic https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/aks/ingress-basic.md
You can also:
## Before you begin
-This article uses [Helm 3][helm] to install the NGINX ingress controller. Make sure that you are using the latest release of Helm and have access to the *ingress-nginx* Helm repository.
+This article uses [Helm 3][helm] to install the NGINX ingress controller on a [supported version of Kubernetes][aks-supported versions]. Make sure that you are using the latest release of Helm and have access to the *ingress-nginx* Helm repository. The steps outlined in this article may not be compatible with previous versions of the Helm chart, NGINX ingress controller, or Kubernetes.
This article also requires that you are running the Azure CLI version 2.0.64 or later. Run `az --version` to find the version. If you need to install or upgrade, see [Install Azure CLI][azure-cli-install].
You can also:
[aks-http-app-routing]: http-application-routing.md [aks-ingress-own-tls]: ingress-own-tls.md [client-source-ip]: concepts-network.md#ingress-controllers
+[aks-supported versions]: supported-kubernetes-versions.md
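Review bot: The new reference label `[aks-supported versions]` contains a space. Markdown allows that, but every other label in these files is hyphenated (`[aks-http-app-routing]`, `[aks-ingress-own-tls]`), and a label with an internal space is easy to mistype when reused; suggest `[aks-supported-versions]` at both the use site and the definition.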
aks Ingress Internal Ip https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/aks/ingress-internal-ip.md
You can also:
## Before you begin
-This article uses [Helm 3][helm] to install the NGINX ingress controller. Make sure that you are using the latest release of Helm and have access to the *ingress-nginx* Helm repository. For more information on configuring and using Helm, see [Install applications with Helm in Azure Kubernetes Service (AKS)][use-helm].
+This article uses [Helm 3][helm] to install the NGINX ingress controller on a [supported version of Kubernetes][aks-supported versions]. Make sure that you are using the latest release of Helm and have access to the *ingress-nginx* Helm repository. The steps outlined in this article may not be compatible with previous versions of the Helm chart, NGINX ingress controller, or Kubernetes. For more information on configuring and using Helm, see [Install applications with Helm in Azure Kubernetes Service (AKS)][use-helm].
This article also requires that you are running the Azure CLI version 2.0.64 or later. Run `az --version` to find the version. If you need to install or upgrade, see [Install Azure CLI][azure-cli-install].
You can also:
[aks-ingress-own-tls]: ingress-own-tls.md [client-source-ip]: concepts-network.md#ingress-controllers [aks-configure-kubenet-networking]: configure-kubenet.md
-[aks-configure-advanced-networking]: configure-azure-cni.md
+[aks-configure-advanced-networking]: configure-azure-cni.md
+[aks-supported versions]: supported-kubernetes-versions.md
aks Ingress Own Tls https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/aks/ingress-own-tls.md
You can also:
## Before you begin
-This article uses [Helm 3][helm] to install the NGINX ingress controller. Make sure that you are using the latest release of Helm and have access to the *ingress-nginx* Helm repository. For upgrade instructions, see the [Helm install docs][helm-install]. For more information on configuring and using Helm, see [Install applications with Helm in Azure Kubernetes Service (AKS)][use-helm].
+This article uses [Helm 3][helm] to install the NGINX ingress controller on a [supported version of Kubernetes][aks-supported versions]. Make sure that you are using the latest release of Helm and have access to the *ingress-nginx* Helm repository. The steps outlined in this article may not be compatible with previous versions of the Helm chart, NGINX ingress controller, or Kubernetes.
+
+For more information on configuring and using Helm, see [Install applications with Helm in Azure Kubernetes Service (AKS)][use-helm].
This article also requires that you are running the Azure CLI version 2.0.64 or later. Run `az --version` to find the version. If you need to install or upgrade, see [Install Azure CLI][azure-cli-install].
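Review bot: The rewritten paragraph adds an `[aks-supported versions]` reference, but unlike the ingress-basic and ingress-internal-ip changes this diff adds no matching link definition for ingress-own-tls; unless one already exists in the file, the reference will render as literal bracketed text. The edit also drops "For upgrade instructions, see the [Helm install docs][helm-install]", which the parallel ingress-static-ip change keeps; pick one treatment across the ingress articles.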
aks Ingress Static Ip https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/aks/ingress-static-ip.md
You can also:
This article assumes that you have an existing AKS cluster. If you need an AKS cluster, see the AKS quickstart [using the Azure CLI][aks-quickstart-cli] or [using the Azure portal][aks-quickstart-portal].
-This article uses [Helm 3][helm] to install the NGINX ingress controller and cert-manager. Make sure that you are using the latest release of Helm and have access to the *ingress-nginx* and *jetstack* Helm repositories. For upgrade instructions, see the [Helm install docs][helm-install]. For more information on configuring and using Helm, see [Install applications with Helm in Azure Kubernetes Service (AKS)][use-helm].
+This article uses [Helm 3][helm] to install the NGINX ingress controller on a [supported version of Kubernetes][aks-supported versions]. Make sure that you are using the latest release of Helm and have access to the *ingress-nginx* and *jetstack* Helm repositories. The steps outlined in this article may not be compatible with previous versions of the Helm chart, NGINX ingress controller, or Kubernetes.
+
+For more information on configuring and using Helm, see [Install applications with Helm in Azure Kubernetes Service (AKS)][use-helm]. For upgrade instructions, see the [Helm install docs][helm-install].
This article also requires that you are running the Azure CLI version 2.0.64 or later. Run `az --version` to find the version. If you need to install or upgrade, see [Install Azure CLI][azure-cli-install].
You can also:
[client-source-ip]: concepts-network.md#ingress-controllers [install-azure-cli]: /cli/azure/install-azure-cli [aks-static-ip]: static-ip.md
+[aks-supported versions]: supported-kubernetes-versions.md
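Review bot: the first sentence now says Helm is used "to install the NGINX ingress controller" but the same sentence still requires access to the *jetstack* Helm repository, which exists only for cert-manager; the removed text read "install the NGINX ingress controller and cert-manager". Either keep "and cert-manager" or drop the jetstack requirement, otherwise a reader cannot tell why that repository is listed. Also consider `aks-supported-versions` (hyphenated) for the new link label so it matches the other labels in the list.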
aks Ingress Tls https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/aks/ingress-tls.md
This article assumes that you have an existing AKS cluster. If you need an AKS c
This article also assumes you have [a custom domain][custom-domain] with a [DNS Zone][dns-zone] in the same resource group as your AKS cluster.
-This article uses [Helm 3][helm] to install the NGINX ingress controller and cert-manager. Make sure that you are using the latest release of Helm and have access to the *ingress-nginx* and *jetstack* Helm repositories. For upgrade instructions, see the [Helm install docs][helm-install]. For more information on configuring and using Helm, see [Install applications with Helm in Azure Kubernetes Service (AKS)][use-helm].
+This article uses [Helm 3][helm] to install the NGINX ingress controller on a [supported version of Kubernetes][aks-supported versions]. Make sure that you are using the latest release of Helm and have access to the *ingress-nginx* and *jetstack* Helm repositories. The steps outlined in this article may not be compatible with previous versions of the Helm chart, NGINX ingress controller, or Kubernetes.
+
+For more information on configuring and using Helm, see [Install applications with Helm in Azure Kubernetes Service (AKS)][use-helm]. For upgrade instructions, see the [Helm install docs][helm-install].
This article also requires that you are running the Azure CLI version 2.0.64 or later. Run `az --version` to find the version. If you need to install or upgrade, see [Install Azure CLI][azure-cli-install].
You can also:
[aks-quickstart-portal]: kubernetes-walkthrough-portal.md [client-source-ip]: concepts-network.md#ingress-controllers [install-azure-cli]: /cli/azure/install-azure-cli
+[aks-supported versions]: supported-kubernetes-versions.md
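Review bot: same inconsistency as in ingress-static-ip.md: "and cert-manager" was removed from the Helm sentence while the *jetstack* repository requirement stays, and the article still needs cert-manager for the TLS certificate flow described by its title. Keep "and cert-manager" in the sentence, and use `aks-supported-versions` without the space for the new link label to match the surrounding definitions.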
aks Operator Best Practices Multi Region https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/aks/operator-best-practices-multi-region.md
An AKS cluster is deployed into a single region. To protect your system from reg
* AKS continually expands into new regions. * [**Azure paired regions**](../best-practices-availability-paired-regions.md) * For your geographic area, choose two regions paired together.
- * Paired regions coordinate platform updates and prioritize recovery efforts where needed.
+ * AKS platform updates (planned maintenance) are serialized with a delay of at least 24 hours between paired regions.
+ * Recovery efforts for paired regions are prioritized where needed.
* **Service availability** * Decide whether your paired regions should be hot/hot, hot/warm, or hot/cold. * Do you want to run both regions at the same time, with one region *ready* to start serving traffic? Or,
This article focuses on business continuity and disaster recovery considerations
[aks-best-practices-cluster-isolation]: operator-best-practices-cluster-isolation.md [velero]: https://github.com/vmware-tanzu/velero-plugin-for-microsoft-azure/blob/master/README.md
-[kasten]: https://www.kasten.io/
+[kasten]: https://www.kasten.io/
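Review bot: the new bullet states a concrete figure ("a delay of at least 24 hours between paired regions") but the only source cited nearby is the general paired-regions page; make sure that page states the figure, or link directly to the AKS planned-maintenance documentation where it is defined, so the number does not drift unnoticed. The `-[kasten]` / `+[kasten]` pair is byte-identical as shown, i.e. a whitespace-only change; fine to keep, but confirm it is an intended trailing-newline fix rather than an editor artifact.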
aks Support Policies https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/aks/support-policies.md
Microsoft and users share responsibility for Kubernetes agent nodes where:
* `Kube-proxy` * Networking tunnels that provide communication paths to the Kubernetes master components * `Kubelet`
- * `Moby` or `ContainerD`
+ * Docker or `containerd`
> [!NOTE] > If an agent node is not operational, AKS might restart individual components or the entire agent node. These restart operations are automated and provide auto-remediation for common issues. If you want to know more about the auto-remediation mechanisms, see [Node Auto-Repair](node-auto-repair.md)
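Review bot: "Docker or `containerd`" reads better than "`Moby` or `ContainerD`", but the shared-responsibility list still does not say which runtime a given node actually runs. The windows-container-cli change in this same commit shows Linux nodes reporting `containerd://1.4.4+azure` and Windows nodes reporting `docker://19.3.14` (or `containerd://` with the preview header), so a short parenthetical such as "containerd on Linux node pools, Docker on Windows Server node pools unless the containerd preview is enabled" would make the bullet actionable for someone deciding what they are responsible for patching.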
aks Windows Container Cli https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/aks/windows-container-cli.md
az aks create \
--generate-ssh-keys \ --windows-admin-username $WINDOWS_USERNAME \ --vm-set-type VirtualMachineScaleSets \
+ --kubernetes-version 1.20.2 \
--network-plugin azure ```
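Review bot: pinning `--kubernetes-version 1.20.2` in the `az aks create` example hardcodes a patch release that will fall out of the supported window, and readers copying it verbatim will get an error once it is retired. The requirement stated later in this file is "Kubernetes version 1.20 or greater", so suggest a sentence telling the reader to pick the current 1.20+ patch from `az aks get-versions --location <location> --output table` rather than the literal 1.20.2, or to parameterize it as a shell variable alongside `$WINDOWS_USERNAME`.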
az aks nodepool add \
--node-count 1 ```
-The above command creates a new node pool named *npwin* and adds it to the *myAKSCluster*. When creating a node pool to run Windows Server containers, the default value for *node-vm-size* is *Standard_D2s_v3*. If you choose to set the *node-vm-size* parameter, please check the list of [restricted VM sizes][restricted-vm-sizes]. The minimum recommended size is *Standard_D2s_v3*. The above command also uses the default subnet in the default vnet created when running `az aks create`.
+The above command creates a new node pool named *npwin* and adds it to the *myAKSCluster*. The above command also uses the default subnet in the default vnet created when running `az aks create`.
+
+### Add a Windows Server node pool with `containerd` (preview)
+
+Beginning in Kubernetes version 1.20 and greater, you can specify `containerd` as the container runtime for Windows Server 2019 node pools.
++
+You will need the *aks-preview* Azure CLI extension. Install the *aks-preview* Azure CLI extension by using the [az extension add][az-extension-add] command. Or install any available updates by using the [az extension update][az-extension-update] command.
+
+```azurecli-interactive
+# Install the aks-preview extension
+az extension add --name aks-preview
+
+# Update the extension to make sure you have the latest version installed
+az extension update --name aks-preview
+```
+
+Register the `UseCustomizedWindowsContainerRuntime` feature flag using the [az feature register][az-feature-register] command as shown in the following example:
+
+```azurecli
+az feature register --namespace "Microsoft.ContainerService" --name "UseCustomizedWindowsContainerRuntime"
+```
+
+You can check on the registration status using the [az feature list][az-feature-list] command:
+
+```azurecli
+az feature list -o table --query "[?contains(name, 'Microsoft.ContainerService/UseCustomizedWindowsContainerRuntime')].{Name:name,State:properties.state}"
+```
+
+When ready, refresh the registration of the Microsoft.ContainerService resource provider using the [az provider register][az-provider-register] command:
+
+```azurecli
+az provider register --namespace Microsoft.ContainerService
+```
+
+Use `az aks nodepool add` command to add an additional node pool that can run Windows Server containers with the `containerd` runtime.
+
+> [!NOTE]
+> If you do not specify the *WindowsContainerRuntime=containerd* custom header, the node pool will use Docker as the container runtime.
+
+```azurecli
+az aks nodepool add \
+ --resource-group myResourceGroup \
+ --cluster-name myAKSCluster \
+ --os-type Windows \
+ --name npwcd \
+ --node-vm-size Standard_D4s_v3 \
+ --kubernetes-version 1.20.2 \
+ --aks-custom-headers WindowsContainerRuntime=containerd \
+ --node-count 1
+```
+
+The above command creates a new Windows Server node pool using `containerd` as the runtime named *npwcd* and adds it to the *myAKSCluster*. The above command also uses the default subnet in the default vnet created when running `az aks create`.
+
+> [!IMPORTANT]
+> When using `containerd` with Windows Server 2019 node pools:
+> - Both the control plane and Windows Server 2019 node pools must use Kubernetes version 1.20 or greater.
+> - Existing Windows Server 2019 node pools using Docker as the container runtime can't be upgraded to use `containerd`. You must create a new node pool.
+> - When creating a node pool to run Windows Server containers, the default value for *node-vm-size* is *Standard_D2s_v3* which was minimum recommended size for Windows Server 2019 node pools prior to Kubernetes 1.20. The minimum recommended size for Windows Server 2019 node pools using `containerd` is *Standard_D4s_v3*. When setting the *node-vm-size* parameter, please check the list of [restricted VM sizes][restricted-vm-sizes].
+> - It is highly recommended that you use [taints or labels][aks-taints] with your Windows Server 2019 node pools running `containerd` and tolerations or node selectors with your deployments to guarantee your workloads are scheduled correctly.
## Connect to the cluster
az aks get-credentials --resource-group myResourceGroup --name myAKSCluster
To verify the connection to your cluster, use the [kubectl get][kubectl-get] command to return a list of the cluster nodes. ```console
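Review bot: the rewrite of the *npwin* paragraph deletes the pointer to `[restricted-vm-sizes]` and the minimum-size guidance for Docker node pools; that guidance now exists only inside the IMPORTANT block scoped "When using `containerd` with Windows Server 2019 node pools", so readers creating a plain Docker pool no longer see it. Keep a sentence in the *npwin* paragraph ("If you set *node-vm-size*, check the list of [restricted VM sizes][restricted-vm-sizes]") or rescope that bullet. Typo in the same bullet: "which was minimum recommended size" should be "which was the minimum recommended size". In the feature-flag steps, "When ready" should say explicitly that the `az feature list` output must show `Registered` before running `az provider register`, since registration takes several minutes and the nodepool command fails if the provider is refreshed too early; it is also worth a sentence that `az feature register` applies at subscription scope, so this preview flag is turned on for every cluster in the subscription, not just *myAKSCluster*.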
-kubectl get nodes
+kubectl get nodes -o wide
``` The following example output shows the all the nodes in the cluster. Make sure that the status of all nodes is *Ready*: ```output
-NAME STATUS ROLES AGE VERSION
-aks-nodepool1-12345678-vmssfedcba Ready agent 13m v1.16.9
-aksnpwin987654 Ready agent 108s v1.16.9
+NAME STATUS ROLES AGE VERSION INTERNAL-IP EXTERNAL-IP OS-IMAGE KERNEL-VERSION CONTAINER-RUNTIME
+aks-nodepool1-12345678-vmss000000 Ready agent 34m v1.20.2 10.240.0.4 <none> Ubuntu 18.04.5 LTS 5.4.0-1046-azure containerd://1.4.4+azure
+aks-nodepool1-12345678-vmss000001 Ready agent 34m v1.20.2 10.240.0.35 <none> Ubuntu 18.04.5 LTS 5.4.0-1046-azure containerd://1.4.4+azure
+aksnpwcd123456 Ready agent 9m6s v1.20.2 10.240.0.97 <none> Windows Server 2019 Datacenter 10.0.17763.1879 containerd://1.4.4+unknown
+aksnpwin987654 Ready agent 25m v1.20.2 10.240.0.66 <none> Windows Server 2019 Datacenter 10.0.17763.1879 docker://19.3.14
```
+> [!NOTE]
+> The container runtime for each node pool is shown under *CONTAINER-RUNTIME*. Notice *aksnpwin987654* begins with `docker://` which means it is using Docker for the container runtime. Notice *aksnpwcd123456* begins with `containerd://` which means it is using `containerd` for the container runtime.
+ ## Run the application A Kubernetes manifest file defines a desired state for the cluster, such as what container images to run. In this article, a manifest is used to create all objects needed to run the ASP.NET sample application in a Windows Server container. This manifest includes a [Kubernetes deployment][kubernetes-deployment] for the ASP.NET sample application and an external [Kubernetes service][kubernetes-service] to access the application from the internet.
To learn more about AKS, and walk through a complete code to deployment example,
[kubernetes-concepts]: concepts-clusters-workloads.md [aks-monitor]: ../azure-monitor/containers/container-insights-onboard.md [aks-tutorial]: ./tutorial-kubernetes-prepare-app.md
+[aks-taints]: use-multiple-node-pools.md#specify-a-taint-label-or-tag-for-a-node-pool
[az-aks-browse]: /cli/azure/aks#az_aks_browse [az-aks-create]: /cli/azure/aks#az_aks_create [az-aks-get-credentials]: /cli/azure/aks#az_aks_get_credentials
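Review bot: in the sample output the Windows containerd node reports `containerd://1.4.4+unknown` while the Linux nodes report `containerd://1.4.4+azure`; readers will ask whether "+unknown" signals a broken build, so add a clause to the NOTE that the build suffix differs by OS and only the `containerd://` or `docker://` prefix identifies the runtime. While touching this block, the unchanged context line "shows the all the nodes in the cluster" carries a pre-existing duplicated "the" that could be fixed in the same edit.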
aks Windows Faq https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/aks/windows-faq.md
If the cluster has Azure Hybrid Benefit enabled, the output of `az vmss show` wi
Yes, you can use the [Kubernetes Web Dashboard][kubernetes-dashboard] to access information about Windows containers, but at this time you can't run *kubectl exec* into a running Windows container directly from the Kubernetes Web Dashboard. For more details on connecting to your running Windows container, see [Connect with RDP to Azure Kubernetes Service (AKS) cluster Windows Server nodes for maintenance or troubleshooting][windows-rdp].
+## How do I change the time zone of a running container?
+
+To change the time zone of a running Windows Server container, connect to the running container with a PowerShell session. For example:
+
+```azurecli-interactive
+kubectl exec -it CONTAINER-NAME ΓÇô- powershell
+```
+
+In the running container, use [Set-TimeZone](/powershell/module/microsoft.powershell.management/set-timezone) to set the time zone of the running container. For example:
+
+```powershell
+Set-TimeZone -Id "Russian Standard Time"
+```
+
+To see the current time zone of the running container or an available list of time zones, use [Get-TimeZone](/powershell/module/microsoft.powershell.management/get-timezone).
+ ## What if I need a feature that's not supported? We work hard to bring all the features you need to Windows in AKS, but if you do encounter gaps, the open-source, upstream [aks-engine][aks-engine] project provides an easy and fully customizable way of running Kubernetes in Azure, including Windows support. Be sure to check out our roadmap of features coming [AKS roadmap][aks-roadmap].
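Review bot: the `kubectl exec` command contains a mis-encoded en dash (`ΓÇô-`) where `--` is required; as written it does not separate kubectl's own options from the command to run inside the container. It should read `kubectl exec -it CONTAINER-NAME -- powershell`, and the fence should be tagged `console` or `bash` rather than `azurecli-interactive`, since this is a kubectl command, not an Azure CLI one. `CONTAINER-NAME` is also misleading: the positional argument to `kubectl exec` is the pod name, with `-c` selecting a container in a multi-container pod. Finally, the answer should state that `Set-TimeZone` run this way changes only the running container instance and is lost when the pod is restarted or rescheduled; a durable fix belongs in the image or the pod spec, and the interactive method should be described as a diagnostic step rather than configuration.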
analysis-services Analysis Services Connect Pbi https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/analysis-services/analysis-services-connect-pbi.md
Once you've created a server in Azure, and deployed a tabular model to it, users
4. Select a connection option and then press **Connect**.
- Both **Connect live** and **Import** options are supported. However, we recommended you use live connections because Import mode does have some limitations; most notably, server performance might be impacted during import. Also, if the model is to be refreshed in the Power BI service, the **Allow access from Power BI** setting applies only when choosing **Connect live**.
+ Both **Connect live** and **Import** options are supported. However, we recommended you use live connections because Import mode does have some limitations; most notably, server performance might be impacted during import.
+
+ If you have a Power BI model in [Mixed storage mode](/power-bi/transform-model/desktop-composite-models), the **Connect live** option is replaced by the **[DirectQuery](/power-bi/connect-data/desktop-directquery-datasets-azure-analysis-services)** option. Live connections are also automatically upgraded to DirectQuery if the model is switched from Import to Mixed storage mode.
5. If prompted, enter your login credentials.
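Review bot: the rewrite deletes the only mention of the **Allow access from Power BI** server setting ("applies only when choosing **Connect live**") without replacing it. If that behaviour no longer holds, say what changed; otherwise readers who refresh models in the Power BI service lose a caveat they need. Also "we recommended you use live connections" should be "we recommend you use live connections".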
Once you've created a server in Azure, and deployed a tabular model to it, users
1. Create a Power BI Desktop file that has a live connection to your model on your server. 2. In [Power BI](https://powerbi.microsoft.com), click **Get Data** > **Files**, and then locate and select your .pbix file.
+## Request Memory Limit
+
+To safeguard the performance of the system, a memory limit is enforced for all queries issued by Power BI reports against Azure Analysis Services, regardless of the [Query Memory Limit](/analysis-services/server-properties/memory-properties?view=azure-analysis-services-current&preserve-view=true) configured on the Azure Analysis Services server. Users should consider simplifying the query or its calculations if the query is too memory intensive.
+
+| | Request Memory limit |
+|--|-|
+| **Live connect from Power BI** | 10 GB |
+| **DirectQuery from Power BI report in Shared workspace** | 1 GB |
+| **DirectQuery from Power BI report in Premium workspace** | 10 GB |
+| **[Power BI Q&A](/power-bi/create-reports/power-bi-tutorial-q-and-a)** | 100 MB |
+ ## See also [Connect to Azure Analysis Services](analysis-services-connect.md) [Client libraries](/analysis-services/client-libraries?view=azure-analysis-services-current&preserve-view=true)
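Review bot: the Request Memory Limit table has an empty first header cell; label it "Connection type" (or similar) so the rows are self-describing. The paragraph says the limit "is enforced" but not what the caller observes when a query exceeds it; state whether the query is cancelled and what error the report shows, since that is what a user needs in order to recognise the condition and act on the "simplify the query" advice.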
api-management Api Management Dapr Policies https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/api-management/api-management-dapr-policies.md
This topic provides a reference for Dapr integration API Management policies. Dapr is a portable runtime for building stateless and stateful microservices-based applications with any language or framework. It codifies the common microservice patterns, like service discovery and invocation with build-in retry logic, publish-and-subscribe with at-least-once delivery semantics, or pluggable binding resources to ease composition using external services. Go to [dapr.io](https://dapr.io) for detailed information and instruction on how to get started with Dapr. For information on adding and configuring policies, see [Policies in API Management](api-management-howto-policies.md).
-> [!CAUTION]
-> Policies referenced in this topic are in Public Preview and are subject to [Supplemental Terms of Use for Microsoft Azure Previews](https://azure.microsoft.com/support/legal/preview-supplemental-terms/).
- > [!IMPORTANT] > Policies referenced in this topic work only in the [self-hosted version of the API Management gateway](self-hosted-gateway-overview.md) with Dapr support enabled.
api-management Api Management Howto Provision Self Hosted Gateway https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/api-management/api-management-howto-provision-self-hosted-gateway.md
Now the gateway resource has been provisioned in your API Management instance. Y
* To learn more about the self-hosted gateway, see [Azure API Management self-hosted gateway overview](self-hosted-gateway-overview.md) * Learn more about how to [Deploy a self-hosted gateway to Kubernetes](how-to-deploy-self-hosted-gateway-kubernetes.md)
+- Learn more about how to [Deploy a self-hosted gateway to an Azure Arc enabled Kubernetes cluster](how-to-deploy-self-hosted-gateway-azure-arc.md)
* Learn more about how to [Deploy a self-hosted gateway to Docker](how-to-deploy-self-hosted-gateway-docker.md)
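Review bot: the new bullet uses `-` while the surrounding list uses `*`; mixing markers can split the rendered list into two. Change it to `* Learn more about how to [Deploy a self-hosted gateway to an Azure Arc enabled Kubernetes cluster](how-to-deploy-self-hosted-gateway-azure-arc.md)` to match its neighbours.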
api-management Api Management Howto Use Azure Monitor https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/api-management/api-management-howto-use-azure-monitor.md
If you enable collection of GatewayLogs or metrics in a Log Analytics workspace,
:::image type="content" source="media/api-management-howto-use-azure-monitor/logs-menu-item.png" alt-text="Screenshot of Logs item in Monitoring menu":::
-Run queries to view the data. Several [sample queries](../azure-monitor/logs/example-queries.md) are provided, or run your own. For example, the following query retrieves the most recent 24 hours of data from the GatewayLogs table:
+Run queries to view the data. Several [sample queries](../azure-monitor/logs/queries.md) are provided, or run your own. For example, the following query retrieves the most recent 24 hours of data from the GatewayLogs table:
```kusto ApiManagementGatewayLogs
api-management How To Deploy Self Hosted Gateway Azure Arc https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/api-management/how-to-deploy-self-hosted-gateway-azure-arc.md
+
+ Title: Deploy an Azure API Management gateway on Azure Arc
+description: Enable Azure Arc to deploy your self-hosted Azure API Management gateway.
++++ Last updated : 05/25/2021++
+# Deploy an Azure API Management gateway on Azure Arc (preview)
+
+With the integration between Azure API Management and [Azure Arc on Kubernetes](../azure-arc/kubernetes/overview.md), you can deploy the API Management gateway component as an [extension in an Azure Arc enabled Kubernetes cluster](../azure-arc/kubernetes/extensions.md).
+
+Deploying the API Management gateway on an Arc-enabled Kubernetes cluster expands API Management support for hybrid and multi-cloud environments. Enable the deployment using a cluster extension to make managing and applying policies to your Arc-enabled cluster a consistent experience.
++
+> [!NOTE]
+> You can also deploy the self-hosted gateway [directly to Kubernetes](./how-to-deploy-self-hosted-gateway-azure-kubernetes-service.md).
+
+## Prerequisites
+
+* [Connect your Kubernetes cluster](../azure-arc/kubernetes/quickstart-connect-cluster.md) within [a supported Azure Arc region](../azure-arc/kubernetes/overview.md#supported-regions).
+* Install the `k8s-extension` Azure CLI extension:
+
+ ```azurecli
+ az extension add --name k8s-extension
+ ```
+ If you've already installed the `k8s-extension` module, update to the latest version:
+
+ ```azurecli
+ az extension update --name k8s-extension
+ ```
+* [Create an Azure API Management instance](./get-started-create-service-instance.md).
+* [Provision a gateway resource in your Azure API Management instance](./api-management-howto-provision-self-hosted-gateway.md).
+
+## Deploy the API Management gateway extension using Azure CLI
+
+1. In the Azure portal, navigate to your API Management instance.
+1. Select **Gateways** from the side navigation menu.
+1. Select and open your provisioned gateway resource from the list.
+1. In your provisioned gateway resource, click **Deployment** from the side navigation menu.
+1. Make note of the **Token** and **Configuration URL** values for the next step.
+1. In Azure CLI, deploy the gateway extension using the `az k8s-extension create` command. Fill in the `token` and `configuration URL` values.
+ * The following example uses the `service.Type='NodePort'` extension configuration. See more [available extension configurations](#available-extension-configurations).
+
+ ```azurecli
+ az k8s-extension create --cluster-type connectedClusters --cluster-name <cluster-name> \
+ --resource-group <rg-name> --name <extension-name> --extension-type Microsoft.ApiManagement.Gateway \
+ --scope namespace --target-namespace <namespace> \
+ --configuration-settings gateway.endpoint='<Configuration URL>' \
+ --configuration-protected-settings gateway.authKey='<token>' --release-train preview
+ ```
+
+ > [!TIP]
+ > `-protected-` flag for `authKey` is optional, but recommended.
+
+1. Verify deployment status using the following CLI command:
+ ```azurecli
+ az k8s-extension show --cluster-type connectedClusters --cluster-name <cluster-name> --resource-group <rg-name> --name <extension-name>
+ ```
+1. Navigate back to the **Gateways** list to verify the gateway status shows a green check mark with a node count. This status means the deployed self-hosted gateway pods:
+ * Are successfully communicating with the API Management service.
+ * Have a regular "heartbeat".
+
+## Deploy the API Management gateway extension using Azure portal
+
+1. In the Azure portal, navigate to your Azure Arc connected cluster.
+1. In the left menu, select **Extensions (preview)** > **+ Add** > **API Management gateway (preview)**.
+1. Select **Create**.
+1. In the **Install API Management gateway** window, configure the gateway extension:
+ * Select the subscription and resource group for your API Management instance.
+ * In **Gateway details**, select the **API Management instance** and **Gateway name**. Enter a **Namespace** scope for your extension and optionally a number of **Replicas**, if supported in your API Management service tier.
+ * In **Kubernetes configuration**, select the default configuration or a different configuration for your cluster. For options, see [available extension configurations](#available-extension-configurations).
+
+ :::image type="content" source="./media/how-to-deploy-self-hosted-gateway-azure-arc/deploy-gateway-extension-azure-arc.png" alt-text="Screenshot of deploying the extension in Azure portal":::
+
+1. On the **Monitoring** tab, optionally enable monitoring to upload metrics tracking requests to the gateway and backend. If enabled, select an existing **Log Analytics** workspace.
+1. Select **Review + install** and then **Install**.
+
+## Available extension configurations
+
+The following extension configurations are **required**.
+
+| Setting | Description |
+| - | -- |
+| `gateway.endpoint` | The gateway endpoint's Configuration URL. |
+| `gateway.authKey` | Token for access to the gateway. |
+| `service.Type` | Kubernetes service configuration for the gateway: `LoadBalancer`, `NodePort`, or `ClusterIP`. |
+
+### Log Analytics settings
+
+To enable monitoring of the self-hosted gateway, configure the following Log Analytics settings:
+
+| Setting | Description |
+| - | -- |
+| `monitoring.customResourceId` | Azure Resource Manager resource ID for the API Management instance. |
+| `monitoring.workspaceId` | Workspace ID of Log Analytics. |
+| `monitoring.ingestionKey` | Secret with ingestion key from Log Analytics. |
+
+> [!NOTE]
+> If you haven't enabled Log Analytics:
+> 1. Walk through the [Create a Log Analytics workspace](../azure-monitor/logs/quick-create-workspace.md) quickstart.
+> 1. Learn where to find the [Log Analytics agent settings](../azure-monitor/agents/log-analytics-agent.md).
+
+## Next Steps
+
+* To learn more about the self-hosted gateway, see [Azure API Management self-hosted gateway overview](self-hosted-gateway-overview.md).
+* Discover all [Azure Arc enabled Kubernetes extensions](../azure-arc/kubernetes/extensions.md).
+* Learn more about [Azure Arc enabled Kubernetes](../azure-arc/kubernetes/overview.md).
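Review bot: step 6 of the CLI section says "The following example uses the `service.Type='NodePort'` extension configuration", but the `az k8s-extension create` command that follows does not pass `service.Type` at all, while the table under "Available extension configurations" lists `service.Type` as required; either add `service.Type='NodePort'` to `--configuration-settings` in the example or document the default and mark the setting optional (the portal section's "default configuration" suggests a default exists). The TIP "`-protected-` flag for `authKey` is optional, but recommended" undersells the point: `gateway.authKey` is the token that authenticates the gateway to the API Management service, and values passed via `--configuration-settings` are stored as readable extension properties, so the token should always go through `--configuration-protected-settings`; say "required", and apply the same guidance to `monitoring.ingestionKey`, which the table itself describes as a secret. The NOTE at the top says you can deploy "directly to Kubernetes" but links to the AKS article (`how-to-deploy-self-hosted-gateway-azure-kubernetes-service.md`); link to `how-to-deploy-self-hosted-gateway-kubernetes.md`, as the sibling articles in this commit do. Minor: "## Next Steps" should be "## Next steps" to match the other API Management articles.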
api-management How To Deploy Self Hosted Gateway Azure Kubernetes Service https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/api-management/how-to-deploy-self-hosted-gateway-azure-kubernetes-service.md
editor: ''
Previously updated : 04/26/2020 Last updated : 05/25/2021 # Deploy to Azure Kubernetes Service
-This article provides the steps for deploying self-hosted gateway component of Azure API Management to [Azure Kubernetes Service](https://azure.microsoft.com/services/kubernetes-service/). For deploying self-hosted gateway to a Kubernetes cluster see this[document](how-to-deploy-self-hosted-gateway-kubernetes.md).
+This article provides the steps for deploying self-hosted gateway component of Azure API Management to [Azure Kubernetes Service](https://azure.microsoft.com/services/kubernetes-service/).
+
+> [!NOTE]
+> You can also deploy self-hosted gateway to an [Azure Arc enabled Kubernetes cluster](how-to-deploy-self-hosted-gateway-azure-arc.md) as a [cluster extension](../azure-arc/kubernetes/extensions.md).
## Prerequisites
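Review bot: the rewritten first paragraph removes the cross-reference to the generic Kubernetes article (`how-to-deploy-self-hosted-gateway-kubernetes.md`) and replaces it with the Arc note. Keep both: a reader who lands on the AKS page but is not on AKS now has a path to Arc but no longer a path to the plain Kubernetes instructions, and the updated Next steps list at the bottom of this file does not restore that link either.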
contosogateway NodePort 10.110.230.87 <none> 80:32504/TCP,443:3004
## Next steps
-* To learn more about the self-hosted gateway, see [Azure API Management self-hosted gateway overview](self-hosted-gateway-overview.md)
-* Learn more about [Azure Kubernetes Service](../aks/intro-kubernetes.md)
-* Learn [how to configure and persist logs in the cloud](how-to-configure-cloud-metrics-logs.md)
-* * Learn [how to configure and persist logs locally](how-to-configure-local-metrics-logs.md)
+* To learn more about the self-hosted gateway, see [Azure API Management self-hosted gateway overview](self-hosted-gateway-overview.md).
+* Learn [how to deploy API Management self-hosted gateway to Azure Arc enabled Kubernetes clusters](how-to-deploy-self-hosted-gateway-azure-arc.md).
+* Learn more about [Azure Kubernetes Service](../aks/intro-kubernetes.md).
+* Learn [how to configure and persist logs in the cloud](how-to-configure-cloud-metrics-logs.md).
+* Learn [how to configure and persist logs locally](how-to-configure-local-metrics-logs.md).
api-management How To Deploy Self Hosted Gateway Kubernetes https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/api-management/how-to-deploy-self-hosted-gateway-kubernetes.md
Previously updated : 04/23/2020 Last updated : 05/25/2021 # Deploy a self-hosted gateway to Kubernetes This article describes the steps for deploying the self-hosted gateway component of Azure API Management to a Kubernetes cluster.
+> [!NOTE]
+> You can also deploy self-hosted gateway to an [Azure Arc enabled Kubernetes cluster](how-to-deploy-self-hosted-gateway-azure-arc.md) as a [cluster extension](../azure-arc/kubernetes/extensions.md).
+ ## Prerequisites - Complete the following quickstart: [Create an Azure API Management instance](get-started-create-service-instance.md).
Consider [setting up local monitoring](how-to-configure-local-metrics-logs.md) t
## Next steps * To learn more about the self-hosted gateway, see [Self-hosted gateway overview](self-hosted-gateway-overview.md).
+* Learn [how to deploy API Management self-hosted gateway to Azure Arc enabled Kubernetes clusters](how-to-deploy-self-hosted-gateway-azure-arc.md).
api-management Self Hosted Gateway Overview https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/api-management/self-hosted-gateway-overview.md
editor: ''
Previously updated : 01/25/2021 Last updated : 05/25/2021
Deploying self-hosted gateways into the same environments where the backend API
## Packaging and features
-The self-hosted gateway is a containerized, functionally equivalent version of the managed gateway deployed to Azure as part of every API Management service. The self-hosted gateway is available as a Linux-based Docker [container](https://aka.ms/apim/sputnik/dhub) from the Microsoft Container Registry. It can be deployed to Docker, Kubernetes, or any other container orchestration solution running on a server cluster on premises, cloud infrastructure, or for evaluation and development purposes, on a personal computer.
+The self-hosted gateway is a containerized, functionally equivalent version of the managed gateway deployed to Azure as part of every API Management service. The self-hosted gateway is available as a Linux-based Docker [container](https://aka.ms/apim/sputnik/dhub) from the Microsoft Container Registry. It can be deployed to Docker, Kubernetes, or any other container orchestration solution running on a server cluster on premises, cloud infrastructure, or for evaluation and development purposes, on a personal computer. You can also deploy the self-hosted gateway as a cluster extension to an [Azure Arc enabled Kubernetes cluster](./how-to-deploy-self-hosted-gateway-azure-arc.md).
The following functionality found in the managed gateways is **not available** in the self-hosted gateways:
When connectivity is restored, each self-hosted gateway affected by the outage w
- [Read a whitepaper for additional background on this topic](https://aka.ms/hybrid-and-multi-cloud-api-management) - [Deploy self-hosted gateway to Docker](how-to-deploy-self-hosted-gateway-docker.md) - [Deploy self-hosted gateway to Kubernetes](how-to-deploy-self-hosted-gateway-kubernetes.md)
+- [Deploy self-hosted gateway to Azure Arc enabled Kubernetes cluster](how-to-deploy-self-hosted-gateway-azure-arc.md)
app-service App Service Authentication How To https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/app-service/app-service-authentication-how-to.md
The following steps will allow you to manually migrate the application to the V2
```azurecli # For Web Apps az webapp auth show -g <group_name> -n <site_name>-
- # For Azure Functions
- az functionapp auth show -g <group_name> -n <site_name>
``` In the resulting JSON payload, make note of the secret value used for each provider you have configured:
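Review bot: the two removed lines drop the `az functionapp auth show -g <group_name> -n <site_name>` variant, leaving only the Web Apps command under a "# For Web Apps" comment that now has no counterpart. If the lines were removed because `az functionapp auth show` does not return the provider secrets needed for the V2 migration, say how Function App users obtain them; otherwise restore the lines. The trailing `-` on `... -n <site_name>-` appears to be an artifact of a removed blank line rather than part of the command and should not survive into the rendered block.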
app-service App Service Key Vault References https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/app-service/app-service-key-vault-references.md
If a version is not specified in the reference, then the app will use the latest
Key Vault references can be used as values for [Application Settings](configure-common.md#configure-app-settings), allowing you to keep secrets in Key Vault instead of the site config. Application Settings are securely encrypted at rest, but if you need secret management capabilities, they should go into Key Vault.
-To use a Key Vault reference for an application setting, set the reference as the value of the setting. Your app can reference the secret through its key as normal. No code changes are required.
+To use a Key Vault reference for an [application setting](configure-common.md#add-or-edit), set the reference as the value of the setting. Your app can reference the secret through its key as normal. No code changes are required.
> [!TIP] > Most application settings using Key Vault references should be marked as slot settings, as you should have separate vaults for each environment.
app-service Configure Common https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/app-service/configure-common.md
To edit a setting, click the **Edit** button on the right side.
When finished, click **Update**. Don't forget to click **Save** back in the **Configuration** page. > [!NOTE]
-> In a default Linux container or a custom Linux container, any nested JSON key structure in the app setting name like `ApplicationInsights:InstrumentationKey` needs to be configured in App Service as `ApplicationInsights__InstrumentationKey` for the key name. In other words, any `:` should be replaced by `__` (double underscore).
+> In a default Linux app service or a custom Linux container, any nested JSON key structure in the app setting name like `ApplicationInsights:InstrumentationKey` needs to be configured in App Service as `ApplicationInsights__InstrumentationKey` for the key name. In other words, any `:` should be replaced by `__` (double underscore).
> ### Edit in bulk
app-service Configure Language Java https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/app-service/configure-language-java.md
To deploy .war files to Tomcat, use the `/api/wardeploy/` endpoint to POST your
To deploy .war files to JBoss, use the `/api/wardeploy/` endpoint to POST your archive file. For more information on this API, please see [this documentation](./deploy-zip.md#deploy-war-file).
-To deploy .ear files, [use FTP](deploy-ftp.md).
+To deploy .ear files, [use FTP](deploy-ftp.md). Your .ear application wil be deployed to the context root defined in your application's configuration. For example, if the context root of your app is `<context-root>myapp</context-root>`, then you can browse the site at the `/myapp` path: `http://my-app-name.azurewebsites.net/myapp`. If you want you web app to be served in the root path, ensure that your app sets the context root to the root path: `<context-root>/</context-root>`. For more information, see [Setting the context root of a web application](https://docs.jboss.org/jbossas/guides/webguide/r2/en/html/ch06.html).
::: zone-end
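Review bot: the added .ear sentence has two typos, `wil` should be `will` and `you web app` should be `your web app`. The sample URL `http://my-app-name.azurewebsites.net/myapp` uses plain `http://`; prefer `https://` so readers do not copy an unencrypted endpoint into their own docs or scripts.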
You can interact or debug the Java Key Tool by [opening an SSH connection](confi
## Configure APM platforms
-This section shows how to connect Java applications deployed on Azure App Service on Linux with the NewRelic and AppDynamics application performance monitoring (APM) platforms.
+This section shows how to connect Java applications deployed on Azure App Service with Azure Monitor application insights, NewRelic, and AppDynamics application performance monitoring (APM) platforms.
+
+### Configure Application Insights
+
+Azure Monitor application insights is a cloud native application monitoring service which enables customers to observe failures, bottlenecks, and usage patterns to improve application performance and reduce mean time to resolution (MTTR). With a few clicks or CLI commands, you can enable monitoring for your Node.js or Java apps, auto-collecting logs, metrics, and distributed traces, eliminating the need for including an SDK in your app.
+
+#### Azure Portal
+
+To enable Application Insights from the Azure Portal, go to **Application Insights** on the left-side menu and select **Turn on Application Insights**. By default, a new application insights resource of the same name as your Web App will be used. You can choose to use an existing application insights resource, or change the name. Click **Apply** at the bottom
+
+#### Azure CLI
+
+To enable via the Azure CLI, you will need to create an Application Insights resource and set a couple app settings on the Portal to connect Application Insights to your web app.
+
+1. Enable the Applications Insights extension
+
+ ```bash
+ az extension add -n application-insights
+ ```
+
+2. Create an Application Insights resource using the CLI command below. Replace the placeholders with your desired resource name and group.
+
+ ```bash
+ az monitor app-insights component create --app <resource-name> -g <resource-group> --location westus2 --kind web --application-type web
+ ```
+
+ Note the values for `connectionString` and `instrumentationKey`, you will need these values in the next step.
+
+ > To retrieve a list of other locations, run `az account list-locations`.
+
+
+3. Set the instrumentation key, connection string, and monitoring agent version as app settings on the web app. Replace `<instrumentationKey>` and `<connectionString>` with the values from the previous step.
+
+ ```bash
+ az webapp config appsettings set -n <webapp-name> -g <resource-group> --settings "APPINSIGHTS_INSTRUMENTATIONKEY=<instrumentationKey>" "APPLICATIONINSIGHTS_CONNECTION_STRING=<connectionString>" "ApplicationInsightsAgent_EXTENSION_VERSION=~3" "XDT_MicrosoftApplicationInsights_Mode=default" "XDT_MicrosoftApplicationInsights_Java=1"
+ ```
+
+
+3. Set the instrumentation key, connection string, and monitoring agent version as app settings on the web app. Replace `<instrumentationKey>` and `<connectionString>` with the values from the previous step.
+
+ ```bash
+ az webapp config appsettings set -n <webapp-name> -g <resource-group> --settings "APPINSIGHTS_INSTRUMENTATIONKEY=<instrumentationKey>" "APPLICATIONINSIGHTS_CONNECTION_STRING=<connectionString>" "ApplicationInsightsAgent_EXTENSION_VERSION=~3" "XDT_MicrosoftApplicationInsights_Mode=default"
+ ```
+ ### Configure New Relic
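Review bot: step 3 of the Azure CLI procedure is duplicated: two `az webapp config appsettings set` blocks, both numbered `3.`, differing only in that the first also sets `XDT_MicrosoftApplicationInsights_Java=1`. Keep a single block, and since this is the Java configuration article it should be the one that sets the Java flag. Smaller points: `Applications Insights extension` in step 1 should read `Application Insights`, `Click **Apply** at the bottom` is missing its full stop, and `### Configure New Relic` has picked up a leading space that will stop it rendering as a heading.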
To confirm that the datasource was added to the JBoss server, SSH into your weba
## Choosing a Java runtime version
-App Service allows users to choose the major version of the JVM, such as Java 8 or Java 11, as well as the minor version, such as 1.8.0_232 or 11.0.5. You can also choose to have the minor version automatically updated as new minor versions become available. In most cases, production sites should use pinned minor JVM versions. This will prevent unnanticipated outages during a minor version auto-update.
+App Service allows users to choose the major version of the JVM, such as Java 8 or Java 11, as well as the minor version, such as 1.8.0_232 or 11.0.5. You can also choose to have the minor version automatically updated as new minor versions become available. In most cases, production sites should use pinned minor JVM versions. This will prevent unnanticipated outages during a minor version auto-update. All Java web apps use 64-bit JVMs, this is not configurable.
If you choose to pin the minor version, you will need to periodically update the JVM minor version on the site. To ensure that your application runs on the newer minor version, create a staging slot and increment the minor version on the staging site. Once you have confirmed the application runs correctly on the new minor version, you can swap the staging and production slots.
-## JBoss EAP hardware options
+
+## JBoss EAP App Service Plans
+<a id="jboss-eap-hardware-options"></a>
-JBoss EAP is only available on the Premium and Isolated hardware options. Customers that created a JBoss EAP site on a Free, Shared, Basic, or Standard tier during the public preview should scale up to Premium or Isolated hardware tier to avoid unexpected behavior.
+JBoss EAP is only available on the Premium v3 and Isolated v2 App Service Plan types. Customers that created a JBoss EAP site on a different tier during the public preview should scale up to Premium or Isolated hardware tier to avoid unexpected behavior.
+ ## Java runtime statement of support
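Review bot: the edited JVM sentence keeps the existing typo `unnanticipated` (should be `unanticipated`), and the appended `All Java web apps use 64-bit JVMs, this is not configurable.` is a comma splice; split it into two sentences. In the JBoss EAP paragraph the first sentence now names `Premium v3 and Isolated v2` plan types while the second still says `Premium or Isolated hardware tier`; align the second with the specific plan types so readers scale to the right one. The `## Java runtime statement of support` heading has also gained a leading space.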
app-service Configure Ssl Bindings https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/app-service/configure-ssl-bindings.md
description: Secure HTTPS access to your custom domain by creating a TLS/SSL bin
tags: buy-ssl-certificates Previously updated : 04/30/2020 Last updated : 05/13/2021
To follow this how-to guide:
- [Add a private certificate to your app](configure-ssl-certificate.md) > [!NOTE]
-> The easiest way to add a private certificate is to [create a free App Service Managed Certificate](configure-ssl-certificate.md#create-a-free-managed-certificate-preview) (Preview).
+> The easiest way to add a private certificate is to [create a free App Service managed certificate](configure-ssl-certificate.md#create-a-free-managed-certificate).
[!INCLUDE [Prepare your web app](../../includes/app-service-ssl-prepare-app.md)]
If your app has no certificate for the selected custom domain, then you have two
- **Import App Service Certificate** - Follow the workflow at [Import an App Service certificate](configure-ssl-certificate.md#import-an-app-service-certificate), then select this option here. > [!NOTE]
-> You can also [Create a free certificate](configure-ssl-certificate.md#create-a-free-managed-certificate-preview) (Preview) or [Import a Key Vault certificate](configure-ssl-certificate.md#import-a-certificate-from-key-vault), but you must do it separately and then return to the **TLS/SSL Binding** dialog.
+> You can also [Create a free certificate](configure-ssl-certificate.md#create-a-free-managed-certificate) or [Import a Key Vault certificate](configure-ssl-certificate.md#import-a-certificate-from-key-vault), but you must do it separately and then return to the **TLS/SSL Binding** dialog.
### Create binding
app-service Configure Ssl Certificate https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/app-service/configure-ssl-certificate.md
description: Create a free certificate, import an App Service certificate, impor
tags: buy-ssl-certificates Previously updated : 03/02/2021 Last updated : 05/13/2021
The following table lists the options you have for adding certificates in App Se
|Option|Description| |-|-|
-| Create a free App Service Managed Certificate (Preview) | A private certificate that's free of charge and easy to use if you just need to secure your [custom domain](app-service-web-tutorial-custom-domain.md) in App Service. |
+| Create a free App Service managed certificate | A private certificate that's free of charge and easy to use if you just need to secure your [custom domain](app-service-web-tutorial-custom-domain.md) in App Service. |
| Purchase an App Service certificate | A private certificate that's managed by Azure. It combines the simplicity of automated certificate management and the flexibility of renewal and export options. | | Import a certificate from Key Vault | Useful if you use [Azure Key Vault](../key-vault/index.yml) to manage your [PKCS12 certificates](https://wikipedia.org/wiki/PKCS_12). See [Private certificate requirements](#private-certificate-requirements). | | Upload a private certificate | If you already have a private certificate from a third-party provider, you can upload it. See [Private certificate requirements](#private-certificate-requirements). |
The following table lists the options you have for adding certificates in App Se
## Private certificate requirements
-The [free App Service Managed Certificate](#create-a-free-managed-certificate-preview) and the [App Service certificate](#import-an-app-service-certificate) already satisfy the requirements of App Service. If you choose to upload or import a private certificate to App Service, your certificate must meet the following requirements:
+The [free App Service managed certificate](#create-a-free-managed-certificate) and the [App Service certificate](#import-an-app-service-certificate) already satisfy the requirements of App Service. If you choose to upload or import a private certificate to App Service, your certificate must meet the following requirements:
* Exported as a [password-protected PFX file](https://en.wikipedia.org/w/index.php?title=X.509&section=4#Certificate_filename_extensions), encrypted using triple DES. * Contains private key at least 2048 bits long
To secure a custom domain in a TLS binding, the certificate has additional requi
[!INCLUDE [Prepare your web app](../../includes/app-service-ssl-prepare-app.md)]
-## Create a free managed certificate (Preview)
+## Create a free managed certificate
> [!NOTE] > Before creating a free managed certificate, make sure you have [fulfilled the prerequisites](#prerequisites) for your app.
-The free App Service Managed Certificate is a turn-key solution for securing your custom DNS name in App Service. It's a fully functional TLS/SSL certificate that's managed by App Service and renewed automatically. The free certificate comes with the following limitations:
+The free App Service managed certificate is a turn-key solution for securing your custom DNS name in App Service. It's a fully functional TLS/SSL certificate that's managed by App Service and renewed automatically. The free certificate comes with the following limitations:
-- Does not support wildcard certificates and should not be used as a client certificate.
+- Does not support wildcard certificates.
+- Does not support usage as a client certificate by certificate thumbprint (removal of certificate thumbprint is planned).
- Is not exportable. - Is not supported on App Service Environment (ASE). - Is not supported with root domains that are integrated with Traffic Manager.
+- If a certificate is for a CNAME-mapped domain, the CNAME must be mapped directly to `<app-name>.azurewebsites.net`.
> [!NOTE] > The free certificate is issued by DigiCert. For some top-level domains, you must explicitly allow DigiCert as a certificate issuer by creating a [CAA domain record](https://wikipedia.org/wiki/DNS_Certification_Authority_Authorization) with the value: `0 issue digicert.com`.
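Review bot: the new limitation `Does not support usage as a client certificate by certificate thumbprint (removal of certificate thumbprint is planned)` is ambiguous: it is not clear whether thumbprint-based client-certificate use is unsupported today, or whether that restriction is what is planned to go away; state which. The CNAME bullet would help troubleshooting if it said what a reader sees when the CNAME points at an intermediate name instead of directly at `<app-name>.azurewebsites.net` (issuance fails?), since that is how the misconfiguration shows up.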
app-service Deploy Continuous Deployment https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/app-service/deploy-continuous-deployment.md
Choose the tab that corresponds to your selection for the steps.
1. If you're deploying from GitHub for the first time, click **Authorize** and follow the authorization prompts. If you want to deploy from a different user's repository, click **Change Account**.
-1. Once you authorize your Azure account with GitHub, select the **Organization**, **Repository**, and **Branch** to configure CI/CD for.
+1. Once you authorize your Azure account with GitHub, select the **Organization**, **Repository**, and **Branch** to configure CI/CD for.
+If you canΓÇÖt find an organization or repository, you may need to enable additional permissions on GitHub. For more information, see [Managing access to your organization's repositories](https://docs.github.com/organizations/managing-access-to-your-organizations-repositories)
1. When GitHub Actions is the chosen build provider, you can select the workflow file you want with the **Runtime stack** and **Version** dropdowns. Azure commits this workflow file into your selected GitHub repository to handle build and deploy tasks. To see the file before saving your changes, click **Preview file**.
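Review bot: the added line contains a mis-encoded apostrophe, `canΓÇÖt`, which is the UTF-8 right single quote read through a legacy code page; replace it with `can't` (or a correctly encoded `’`) and add the missing full stop after the link. The line also sits flush-left beneath a numbered item, so it will render outside the list unless it is indented to match.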
app-service Manage Create Arc Environment https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/app-service/manage-create-arc-environment.md
+
+ Title: 'Set up Azure Arc for App Service, Functions, and Logic Apps'
+description: For your Azure Arc enabled Kubernetes clusters, learn how to enable App Service apps, function apps, and logic apps.
+ Last updated : 05/03/2021+
+# Set up an Azure Arc enabled Kubernetes cluster to run App Service, Functions, and Logic Apps (Preview)
+
+If you have an [Azure Arc enabled Kubernetes cluster](../azure-arc/kubernetes/overview.md), you can use it to create an [App Service enabled custom location](overview-arc-integration.md) and deploy web apps, function apps, and logic apps to it.
+
+Azure Arc enabled Kubernetes lets you make your on-premises or cloud Kubernetes cluster visible to App Service, Functions, and Logic Apps in Azure. You can create an app and deploy to it just like another Azure region.
+
+## Prerequisites
+
+If you don't have an Azure account, [sign up today](https://azure.microsoft.com/free/?utm_source=campaign&utm_campaign=vscode-tutorial-app-service-extension&mktingSource=vscode-tutorial-app-service-extension) for a free account.
+
+<!-- ## Prerequisites
+
+- Create a Kubernetes cluster in a supported Kubernetes distribution and connect it to Azure Arc in a supported region. See [Public preview limitations](overview-arc-integration.md#public-preview-limitations).
+- [Install Azure CLI](https://docs.microsoft.com/cli/azure/install-azure-cli), or use the [Azure Cloud Shell](https://docs.microsoft.com/azure/cloud-shell/overview).
+- [Install kubectl](https://kubernetes.io/docs/tasks/tools/). It's also preinstalled in the Azure Cloud Shell.
+
+## Obtain cluster information
+
+Set the following environment variables based on your Kubernetes cluster deployment:
+
+```bash
+staticIp="<public-ip-address-of-the-kubernetes-cluster>"
+aksClusterGroupName="<name-resource-group-with-aks-cluster>"
+groupName="<name-of-resource-group-with-the-arc-connected-cluster>"
+clusterName="<name-of-arc-connected-cluster>"
+geomasterLocation="TODO: Why so many different locations for different resources? Shouldn't we just say create everything in the connected cluster's resource group and location?"
+``` -->
+
+## Add Azure CLI extensions
+
+Launch the Bash environment in [Azure Cloud Shell](../cloud-shell/quickstart.md).
+
+[![Launch Cloud Shell in a new window](../../includes/media/cloud-shell-try-it/hdi-launch-cloud-shell.png)](https://shell.azure.com)
+
+Because these CLI commands are not yet part of the core CLI set, add them with the following commands.
+
+```azurecli-interactive
+az extension add --upgrade --yes --name connectedk8s
+az extension add --upgrade --yes --name k8s-extension
+az extension add --upgrade --yes --name customlocation
+az provider register --namespace Microsoft.ExtendedLocation --wait
+az extension remove --name appservice-kube
+az extension add --yes --source "https://aka.ms/appsvc/appservice_kube-latest-py2.py3-none-any.whl"
+```
+
+## Create a connected cluster
+
+> [!NOTE]
+> As more Kubernetes distributions are validated for App Service Kubernetes environments, see [Quickstart: Connect an existing Kubernetes cluster to Azure Arc](../azure-arc/kubernetes/quickstart-connect-cluster.md) for general instructions on creating an Azure Arc enabled Kubernetes cluster.
+
+<!-- https://github.com/MicrosoftDocs/azure-docs-pr/pull/156618 -->
+
+Because App Service on Arc is currently validated only on [Azure Kubernetes Service](/azure/aks/), create an Azure Arc enabled cluster on Azure Kubernetes Service.
+
+1. Create a cluster in Azure Kubernetes Service with a public IP address. Replace `<group-name>` with the resource group name you want.
+
+ ```azurecli-interactive
+ aksClusterGroupName="<group-name>" # Name of resource group for the AKS cluster
+ aksName="${aksClusterGroupName}-aks" # Name of the AKS cluster
+ resourceLocation="eastus" # "eastus" or "westeurope"
+
+ az group create -g $aksClusterGroupName -l $resourceLocation
+ az aks create --resource-group $aksClusterGroupName --name $aksName --enable-aad --generate-ssh-keys
+ infra_rg=$(az aks show --resource-group $aksClusterGroupName --name $aksName --output tsv --query nodeResourceGroup)
+ az network public-ip create --resource-group $infra_rg --name MyPublicIP --sku STANDARD
+ staticIp=$(az network public-ip show --resource-group $infra_rg --name MyPublicIP --output tsv --query ipAddress)
+ ```
+
+2. Get the [kubeconfig](https://kubernetes.io/docs/concepts/configuration/organize-cluster-access-kubeconfig/) file and test your connection to the cluster. By default, the kubeconfig file is saved to `~/.kube/config`.
+
+ ```azurecli-interactive
+ az aks get-credentials --resource-group $aksClusterGroupName --name $aksName --admin
+
+ kubectl get ns
+ ```
+
+3. Create a resource group to contain your Azure Arc resources. Replace `<group-name>` with the resource group name you want.
+
+ ```azurecli-interactive
+ groupName="<group-name>" # Name of resource group for the connected cluster
+
+ az group create -g $groupName -l $resourceLocation
+ ```
+
+4. Connect the cluster you created to Azure Arc.
+
+ ```azurecli-interactive
+ clusterName="${groupName}-cluster" # Name of the connected cluster resource
+
+ az connectedk8s connect --resource-group $groupName --name $clusterName
+ ```
+
+5. Validate the connection with the following command. It should show the `provisioningState` property as `Succeeded`. If not, run the command again after a minute.
+
+ ```azurecli-interactive
+ az connectedk8s show --resource-group $groupName --name $clusterName
+ ```
+
+## Create a Log Analytics workspace
+
+While a [Log Analytic workspace](../azure-monitor/logs/quick-create-workspace.md) is not required to run App Service in Azure Arc, it's how developers can get application logs for their apps that are running in the Azure Arc enabled Kubernetes cluster.
+
+1. For simplicity, create the workspace now.
+
+ ```azurecli-interactive
+ workspaceName="$groupName-workspace" # Name of the Log Analytics workspace
+
+ az monitor log-analytics workspace create \
+ --resource-group $groupName \
+ --workspace-name $workspaceName
+ ```
+
+2. Run the following commands to get the encoded workspace ID and shared key for an existing Log Analytics workspace. You need them in the next step.
+
+ ```azurecli-interactive
+ logAnalyticsWorkspaceId=$(az monitor log-analytics workspace show \
+ --resource-group $groupName \
+ --workspace-name $workspaceName \
+ --query customerId \
+ --output tsv)
+ logAnalyticsWorkspaceIdEnc=$(printf %s $logAnalyticsWorkspaceId | base64) # Needed for the next step
+ logAnalyticsKey=$(az monitor log-analytics workspace get-shared-keys \
+ --resource-group $groupName \
+ --workspace-name $workspaceName \
+ --query primarySharedKey \
+ --output tsv)
+ logAnalyticsKeyEncWithSpace=$(printf %s $logAnalyticsKey | base64)
+ logAnalyticsKeyEnc=$(echo -n "${logAnalyticsKeyEncWithSpace//[[:space:]]/}") # Needed for the next step
+ ```
+
+## Install the App Service extension
+
+1. Set the following environment variables for the desired name of the [App Service extension](overview-arc-integration.md), the cluster namespace in which resources should be provisioned, and the name for the App Service Kubernetes environment. Choose a unique name for `<kube-environment-name>`, because it will be part of the domain name for app created in the App Service Kubernetes environment.
+
+ ```bash
+ extensionName="appservice-ext" # Name of the App Service extension
+ namespace="appservice-ns" # Namespace in your cluster to install the extension and provision resources
+ kubeEnvironmentName="<kube-environment-name>" # Name of the App Service Kubernetes environment resource
+ ```
+
+2. Install the App Service extension to your Azure Arc connected cluster, with Log Analytics enabled. Again, while Log Analytics is not required, you can't add it to the extension later, so it's easier to do it now.
+
+ ```azurecli-interactive
+ az k8s-extension create \
+ --resource-group $groupName \
+ --name $extensionName \
+ --cluster-type connectedClusters \
+ --cluster-name $clusterName \
+ --extension-type 'Microsoft.Web.Appservice' \
+ --release-train stable \
+ --auto-upgrade-minor-version true \
+ --scope cluster \
+ --release-namespace '${namespace}' \
+ --configuration-settings "Microsoft.CustomLocation.ServiceAccount=default" \
+ --configuration-settings "appsNamespace=${namespace}" \
+ --configuration-settings "clusterName=${kubeEnvironmentName}" \
+ --configuration-settings "loadBalancerIp=${staticIp}" \
+ --configuration-settings "keda.enabled=true" \
+ --configuration-settings "buildService.storageClassName=default" \
+ --configuration-settings "buildService.storageAccessMode=ReadWriteOnce" \
+ --configuration-settings "customConfigMap=${namespace}/kube-environment-config" \
+ --configuration-settings "envoy.annotations.service.beta.kubernetes.io/azure-load-balancer-resource-group=${aksClusterGroupName}" \
+ --configuration-settings "logProcessor.appLogs.destination=log-analytics" \
+ --configuration-protected-settings "logProcessor.appLogs.logAnalyticsConfig.customerId=${logAnalyticsWorkspaceIdEnc}" \
+ --configuration-protected-settings "logProcessor.appLogs.logAnalyticsConfig.sharedKey=${logAnalyticsKeyEnc}"
+ ```
+
+ > [!NOTE]
+ > To install the extension without Log Analytics integration, remove the last three `--configuration-settings` parameters from the command.
+ >
+
+ The following table describes the various `--configuration-settings` parameters when running the command:
+
+ | Parameter | Description |
+ | - | - |
+ | `Microsoft.CustomLocation.ServiceAccount` | The service account that should be created for the custom location that will be created. It is recommended that this be set to the value `default`. |
+ | `appsNamespace` | The namespace to provision the app definitions and pods. Must match that of the extension release namespace. |
+ | `clusterName` | The name of the App Service Kubernetes environment that will be created against this extension. |
+ | `loadBalancerIp` | The public IP of the Kubernetes cluster. App Service apps receive traffic on this IP address. Also informs default DNS mapping. |
+ | `keda.enabled` | Whether [KEDA](https://keda.sh/) should be installed on the Kubernetes cluster. Accepts `true` or `false`. |
+ | `buildService.storageClassName` | The [name of the storage class](https://kubernetes.io/docs/concepts/storage/persistent-volumes/#class) for the build service to store build artifacts. A value like `default` specifies a class named `default`, and not [any class that is marked as default](https://kubernetes.io/docs/tasks/administer-cluster/change-default-storage-class/). |
+ | `buildService.storageAccessMode` | The [access mode](https://kubernetes.io/docs/concepts/storage/persistent-volumes/#access-modes) to use with the named storage class above. Accepts `ReadWriteOnce` or `ReadWriteMany`. |
+ | `customConfigMap` | The name of the config map that will be set by the App Service Kubernetes environment. Currently, it must be `<namespace>/kube-environment-config`, replacing `<namespace>` with the value of `appsNamespace` above. |
+ | `envoy.annotations.service.beta.kubernetes.io/azure-load-balancer-resource-group` | The name of the resource group in which the Azure Kubernetes Service cluster resides. Valid and required only when the underlying cluster is Azure Kubernetes Service. |
+ | `logProcessor.appLogs.destination` | Optional. Accepts `log-analytics`. |
+ | `logProcessor.appLogs.logAnalyticsConfig.customerId` | Required only when `logProcessor.appLogs.destination` is set to `log-analytics`. The base64-encoded Log analytics workspace ID. This parameter should be configured as a protected setting. |
+ | `logProcessor.appLogs.logAnalyticsConfig.sharedKey` | Required only when `logProcessor.appLogs.destination` is set to `log-analytics`. The base64-encoded Log analytics workspace shared key. This parameter should be configured as a protected setting. |
+ | | |
+
+3. Save the `id` property of the App Service extension for later.
+
+ ```azurecli-interactive
+ extensionId=$(az k8s-extension show \
+ --cluster-type connectedClusters \
+ --cluster-name $clusterName \
+ --resource-group $groupName \
+ --name $extensionName \
+ --query id \
+ --output tsv)
+ ```
+
+4. Wait for the extension to fully install before proceeding. You can have your terminal session wait until this complete by running the following command:
+
+ ```azurecli-interactive
+ az resource wait --ids $extensionId --custom "properties.installState!='Pending'" --api-version "2020-07-01-preview"
+ ```
+
+You can use `kubectl` to see the pods that have been created in your Kubernetes cluster:
+
+```bash
+kubectl get pods -n ${namespace}
+```
+
+You can learn more about these pods and their role in the system from [Pods created by the App Service extension](overview-arc-integration.md#pods-created-by-the-app-service-extension).
+
+## Create a custom location
+
+The [custom location](../azure-arc/kubernetes/custom-locations.md) in Azure is used to assign the App Service Kubernetes environment.
+
+<!-- https://github.com/MicrosoftDocs/azure-docs-pr/pull/156618 -->
+
+1. Set the following environment variables for the desired name of the custom location and for the ID of the Azure Arc connected cluster.
+
+ ```bash
+ customLocationName="my-custom-location" # Name of the custom location
+
+ connectedClusterId=$(az connectedk8s show --resource-group $groupName --name $clusterName --query id --output tsv)
+ ```
+
+3. Create the custom location:
+
+ ```azurecli-interactive
+ az customlocation create \
+ --resource-group $groupName \
+ --name $customLocationName \
+ --host-resource-id $connectedClusterId \
+ --namespace ${namespace} \
+ --cluster-extension-ids $extensionId
+ ```
+
+ <!-- --kubeconfig ~/.kube/config # needed for non-Azure -->
+
+4. Validate that the custom location is successfully created with the following command. The output should show the `provisioningState` property as `Succeeded`. If not, run it again after a minute.
+
+ ```azurecli-interactive
+ az customlocation show \
+ --resource-group $groupName \
+ --name $customLocationName
+ ```
+
+5. Save the custom location ID for the next step.
+
+ ```azurecli-interactive
+ customLocationId=$(az customlocation show \
+ --resource-group $groupName \
+ --name $customLocationName \
+ --query id \
+ --output tsv)
+ ```
+
+## Create the App Service Kubernetes environment
+
+Before you can start creating apps on the custom location, you need an [App Service Kubernetes environment](overview-arc-integration.md#app-service-kubernetes-environment).
+
+1. Create the App Service Kubernetes environment:
+
+ ```azurecli-interactive
+ az appservice kube create \
+ --resource-group $groupName \
+ --name $kubeEnvironmentName \
+ --custom-location $customLocationId \
+ --static-ip "$staticIp"
+ ```
+
+2. Validate that the App Service Kubernetes environment is successfully created with the following command. The output should show the `provisioningState` property as `Succeeded`. If not, run it again after a minute.
+
+ ```azurecli-interactive
+ az appservice kube show \
+ --resource-group $groupName \
+ --name $kubeEnvironmentName
+ ```
+
+
+## Next steps
+
+- [Quickstart: Create a web app on Azure Arc](quickstart-arc.md)
+- [Create your first function on Azure Arc](../azure-functions/create-first-function-arc-cli.md)
+- [Create your first logic app on Azure Arc](../logic-apps/azure-arc-enabled-logic-apps-create-deploy-workflows.md)
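Review bot: in the `az k8s-extension create` command, `--release-namespace '${namespace}'` is single-quoted, so the shell passes the literal string `${namespace}` instead of `appservice-ns`; use double quotes as the neighbouring `--configuration-settings "appsNamespace=${namespace}"` line does, otherwise the release namespace and `appsNamespace` will not match, which the parameter table says they must. Further points in this file: the note `remove the last three --configuration-settings parameters` is inaccurate, since two of those three are `--configuration-protected-settings`; the commented-out `<!-- ## Prerequisites` block carries an internal `TODO: Why so many different locations...` remark and the actual prerequisites (Azure CLI, kubectl), while the published Prerequisites section only asks for an Azure account, so move those bullets out of the comment and delete the TODO before this ships; `az extension add --yes --source "https://aka.ms/appsvc/appservice_kube-latest-py2.py3-none-any.whl"` installs a wheel from a redirect URL with no version pin or checksum, unlike the three `--name` installs above it, and deserves a sentence on why (preview) and what readers should verify; `az aks get-credentials ... --admin` fetches cluster-admin credentials on a cluster that was just created with `--enable-aad`, so say why the admin context is needed here rather than an AAD-backed user; the custom-location list is numbered 1, 3, 4, 5 (no step 2); the parameter table ends with an empty `| | |` row; and minor wording: `Log Analytic workspace` should read `Log Analytics workspace`, `for app created` should read `for apps created`, and `wait until this complete` should read `completes`.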
app-service Networking Features https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/app-service/networking-features.md
There are two main deployment types for Azure App Service:
The features you use will depend on whether you're in the multitenant service or in an ASE.
+> [!NOTE]
+> Networking features are not available for [apps deployed in Azure Arc](overview-arc-integration.md).
+ ## Multitenant App Service networking features Azure App Service is a distributed system. The roles that handle incoming HTTP or HTTPS requests are called *front ends*. The roles that host the customer workload are called *workers*. All the roles in an App Service deployment exist in a multitenant network. Because there are many different customers in the same App Service scale unit, you can't connect the App Service network directly to your network.
app-service Overview Arc Integration https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/app-service/overview-arc-integration.md
+
+ Title: 'App Service on Azure Arc'
+description: An introduction to App Service integration with Azure Arc for Azure operators.
+ Last updated : 05/03/2021++
+# App Service, Functions, and Logic Apps on Azure Arc (Preview)
+
+You can run App Service, Functions, and Logic Apps an Azure Arc enabled Kubernetes cluster. The Kubernetes cluster can be on-premises or hosted in a third-party cloud. This approach lets app developers take advantage of the features of App Service. At the same time, it lets their IT administrators maintain corporate compliance by hosting the App Service apps on internal infrastructure. It also lets other IT operators safeguard their prior investments in other cloud providers by running App Service on existing Kubernetes clusters.
+
+> [!NOTE]
+> To learn how to set up your Kubernetes cluster for App Service, Functions, and Logic Apps, see [Create an App Service Kubernetes environment (Preview)](manage-create-arc-environment.md).
+
+In most cases, app developers need to know nothing more than how to deploy to the correct Azure region that represents the deployed Kubernetes environment. For operators who provide the environment and maintain the underlying Kubernetes infrastructure, you need to be aware of the following Azure resources:
+
+- The connected cluster, which is an Azure projection of your Kubernetes infrastructure. For more information, see [What is Azure Arc enabled Kubernetes?](../azure-arc/kubernetes/overview.md).
+- A cluster extension, which is a sub-resource of the connected cluster resource. The App Service extension [installs the required pods into your connected cluster](#pods-created-by-the-app-service-extension). For more information about cluster extensions, see [Cluster extensions on Azure Arc enabled Kubernetes](../azure-arc/kubernetes/conceptual-extensions.md).
+- A custom location, which bundles together a group of extensions and maps them to a namespace for created resources. For more information, see [Custom locations on top of Azure Arc enabled Kubernetes](../azure-arc/kubernetes/conceptual-custom-locations.md).
+- An App Service Kubernetes environment, which enables configuration common across apps but not related to cluster operations. Conceptually, it's deployed into the custom location resource, and app developers create apps into this environment. This is described in greater detail in [App Service Kubernetes environment](#app-service-kubernetes-environment).
+
+## Public preview limitations
+
+The following public preview limitations apply to App Service Kubernetes environments. They will be updated when additional distributions are validated and more regions are supported.
+
+| Limitation | Details |
+||-|
+| Supported Azure regions | East US, West Europe |
+| Validated Kubernetes distributions | Azure Kubernetes Service |
+| Feature: Networking | [Not available (rely on cluster networking)](#are-networking-features-supported) |
+| Feature: Managed identities | [Not available](#are-managed-identities-supported) |
+| Feature: Key vault references | Not available (depends on managed identities) |
+| Feature: Pull images from ACR with managed identity | Not available (depends on managed identities) |
+| Feature: In-portal editing for Functions and Logic Apps | Not available |
+| Feature: FTP publishing | Not available |
+| Logs | Log Analytics must be configured with cluster extension; not per-site |
+
+## Pods created by the App Service extension
+
+When the App Service extension is installed on the Arc-enabled Kubernetes cluster, you see several pods created in the release namespace that was specified. These pods enable your Kubernetes cluster to be an extension of the `Microsoft.Web` resource provider in Azure and support the management and operation of your apps. Optionally, you can choose to have the extension install [KEDA](https://keda.sh/) for event-driven scaling.
+ <!-- You can only have one installation of KEDA on the cluster. If you have one already, you must disable this behavior during installation of the cluster extension `TODO`. -->
+
+The following table describes the role of each pod that is created by default:
+
+| Pod | Description |
+||--|
+| `<extensionName>-k8se-app-controller` | The core operator pod that creates resources on the cluster and maintains the state of components. |
+| `<extensionName>-k8se-envoy` | A front-end proxy layer for all data-plane requests. It routes the inbound traffic to the correct apps. |
+| `<extensionName>-k8se-activator` | An alternative routing destination to help with apps that have scaled to zero while the system gets the first instance available. |
+| `<extensionName>-k8se-build-service` | Supports deployment operations and serves the [Advanced tools feature](resources-kudu.md). |
+| `<extensionName>-k8se-http-scaler` | Monitors inbound request volume in order to provide scaling information to [KEDA](https://keda.sh). |
+| `<extensionName>-k8se-img-cacher` | Pulls placeholder and app images into a local cache on the node. |
+| `<extensionName>-k8se-log-processor` | Gathers logs from apps and other components and sends them to Log Analytics. |
+| `placeholder-azure-functions-*` | Used to speed up cold starts for Azure Functions. |
+
+## App Service Kubernetes environment
+
+The App Service Kubernetes environment resource is required before apps may be created. It enables configuration common to apps in the custom location, such as the default DNS suffix.
+
+Only one Kubernetes environment resource may created in a custom location. In most cases, a developer who creates and deploys apps doesn't need to be directly aware of the resource. It can be directly inferred from the provided custom location ID. However, when defining Azure Resource Manager templates, any plan resource needs to reference the resource ID of the environment directly. The custom location values of the plan and the specified environment must match.
+
+## FAQ for App Service, Functions, and Logic Apps on Azure Arc (Preview)
+
+- [How much does it cost?](#how-much-does-it-cost)
+- [Are both Windows and Linux apps supported?](#are-both-windows-and-linux-apps-supported)
+- [Which built-in application stacks are supported?](#which-built-in-application-stacks-are-supported)
+- [Are all app deployment types supported?](#are-all-app-deployment-types-supported)
+- [Which App Service features are supported?](#which-app-service-features-are-supported)
+- [Are networking features supported?](#are-networking-features-supported)
+- [Are managed identities supported?](#are-managed-identities-supported)
+- [What logs are collected?](#what-logs-are-collected)
+
+### How much does it cost?
+
+App Service on Azure Arc is free during the public preview.
+
+### Are both Windows and Linux apps supported?
+
+Only Linux-based apps are supported, both code and custom containers. Windows apps are not supported.
+
+### Which built-in application stacks are supported?
+
+All built-in Linux stacks are supported.
+
+### Are all app deployment types supported?
+
+FTP deployment is not supported. Currently `az webapp up` is also not supported. Other deployment methods are supported, including Git, ZIP, CI/CD, Visual Studio, and Visual Studio Code.
+
+### Which App Service features are supported?
+
+During the preview period, certain App Service features are being validated. When they're supported, their left navigation options in the Azure portal will be activated. Features that are not yet supported remain grayed out.
+
+### Are networking features supported?
+
+No. Networking features such as hybrid connections, Virtual Network integration, or IP restrictions, are not supported. Networking should be handled directly in the networking rules in the Kubernetes cluster itself.
+
+### Are managed identities supported?
+
+No. Apps cannot be assigned managed identities when running in Azure Arc. If your app needs an identity for working with another Azure resource, consider using an [application service principal](../active-directory/develop/app-objects-and-service-principals.md#service-principal-object) instead.
+
+### What logs are collected?
+
+Logs for both system components and your applications are written to standard output. Both log types can be collected for analysis using standard Kubernetes tools. You can also configure the App Service cluster extension with a [Log Analytics workspace](../azure-monitor/logs/log-analytics-overview.md), and it will send all logs to that workspace.
+
+By default, logs from system components are sent to the Azure team. Application logs are not sent. You can prevent these logs from being transferred by setting `logProcessor.enabled=false` as an extension configuration setting. This will also disable forwarding of application to your Log Analytics workspace. Disabling the log processor may impact time needed for any support cases, and you will be asked to collect logs from standard output through some other means.
+
+## Next steps
+
+[Create an App Service Kubernetes environment (Preview)](manage-create-arc-environment.md)
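Review bot: the paragraph beginning "By default, logs from system components are sent to the Azure team" should state plainly that `logProcessor.enabled=false` is the only switch shown and that it turns off both the transfer to Microsoft and forwarding to the operator's own Log Analytics workspace, since an operator reviewing data egress from an on-premises cluster will look for a way to keep the second while disabling the first; the same sentence is also missing a word ("disable forwarding of application logs to your Log Analytics workspace"). In "Are managed identities supported?", the suggestion to use an application service principal instead should add that this means the app now holds a client secret or certificate that the operator has to store (for example in app settings) and rotate, which is exactly what managed identities avoid. The `<!-- You can only have one installation of KEDA ... TODO -->` comment under "Pods created by the App Service extension" is an unresolved note: either document how to skip the KEDA install when the cluster already has one, or remove the comment before merge. Wording: "Logic Apps an Azure Arc enabled Kubernetes cluster" is missing "on", and "Only one Kubernetes environment resource may created" is missing "be".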
app-service Overview Authentication Authorization https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/app-service/overview-authentication-authorization.md
For [Azure Functions](../azure-functions/functions-overview.md), `ClaimsPrincipa
For more information, see [Access user claims](app-service-authentication-how-to.md#access-user-claims).
-At this time, ASP.NET Core does not currently support populating the current user with the Authentication/Authorization feature. However, some [3rd party, open source middleware components](https://github.com/MaximRouiller/MaximeRouiller.Azure.AppService.EasyAuth) do exist to help fill this gap.
+For .NET Core, [Microsoft.Identity.Web](https://www.nuget.org/packages/Microsoft.Identity.Web/) supports populating the current user with the Authentication/Authorization feature. To learn more, you can read about it on the [Microsoft.Identity.Web wiki](https://github.com/AzureAD/microsoft-identity-web/wiki/1.2.0#integration-with-azure-app-services-authentication-of-web-apps-running-with-microsoftidentityweb), or see it demonstrated in [this tutorial for a web app accessing Microsoft Graph](/azure/app-service/scenario-secure-app-access-microsoft-graph-as-user?tabs=command-line#install-client-library-packages).
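Review bot: the Microsoft.Identity.Web link points at a version-pinned wiki page (`wiki/1.2.0#integration-with-azure-app-services-authentication-...`), which will go stale as the package moves on; link the unversioned wiki page for that topic instead. Otherwise replacing the third-party middleware reference with the supported package is the right change.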
#### Token store
app-service Overview Managed Identity https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/app-service/overview-managed-identity.md
This topic shows you how to create a managed identity for App Service and Azure
> [!Important] > Managed identities for App Service and Azure Functions won't behave as expected if your app is migrated across subscriptions/tenants. The app needs to obtain a new identity, which is done by disabling and re-enabling the feature. See [Removing an identity](#remove) below. Downstream resources also need to have access policies updated to use the new identity.
+> [!NOTE]
+> Managed identities are not available for [apps deployed in Azure Arc](overview-arc-integration.md).
+ [!INCLUDE [app-service-managed-identities](../../includes/app-service-managed-identities.md)] ## Add a system-assigned identity
app-service Quickstart Arc https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/app-service/quickstart-arc.md
+
+ Title: 'Quickstart: Create a web app on Azure Arc'
+description: Get started with App Service on Azure Arc deploying your first web app.
+ Last updated : 05/11/2021++
+# Create an App Service app on Azure Arc (Preview)
+
+In this quickstart, you create an [App Service app to an Azure Arc enabled Kubernetes cluster](overview-arc-integration.md) (Preview). This scenario supports Linux apps only, and you can use a built-in language stack or a custom container.
+
+## Prerequisites
+
+- [Set up your Azure Arc enabled Kubernetes to run App Service](manage-create-arc-environment.md).
++
+## 1. Create a resource group
+
+Run the following command.
+
+```azurecli-interactive
+az group create --name myResourceGroup --location eastus
+```
+
+<!-- ## 2. Create an App Service plan
+
+Run the following command and replace `<environment-name>` with the name of the App Service Kubernetes environment (see [Prerequisites](#prerequisites)).
+
+```azurecli-interactive
+az appservice plan create --resource-group myResourceGroup --name myAppServicePlan --custom-location <environment-name> --kube-sku K1
+```
+
+Currently does not work
+
+-->
+
+## 2. Get the custom location
+++
+## 3. Create an app
+
+The following example creates a Node.js app. Replace `<app-name>` with a name that's unique within your cluster (valid characters are `a-z`, `0-9`, and `-`). To see all supported runtimes, run [`az webapp list-runtimes --linux`](/cli/azure/webapp).
+
+```azurecli-interactive
+ az webapp create \
+ --resource-group myResourceGroup \
+ --name <app-name> \
+ --custom-location $customLocationId \
+ --runtime 'NODE|12-lts'
+```
+
+## 4. Deploy some code
+
+> [!NOTE]
+> `az webapp up` is not supported during the public preview.
+
+Get a sample Node.js app using Git and deploy it using [ZIP deploy](deploy-zip.md). Replace `<app-name>` with your web app name.
+
+```azurecli-interactive
+git clone https://github.com/Azure-Samples/nodejs-docs-hello-world
+cd nodejs-docs-hello-world
+zip -r package.zip .
+az webapp deployment source config-zip --resource-group myResourceGroup --name <app-name> --src package.zip
+```
+
+## 5. Get diagnostic logs using Log Analytics
+
+> [!NOTE]
+> To use Log Analytics, you should've previously enabled it when [installing the App Service extension](manage-create-arc-environment.md#install-the-app-service-extension). If you installed the extension without Log Analytics, skip this step.
+
+Navigate to the [Log Analytics workspace that's configured with your App Service extension](manage-create-arc-environment.md#install-the-app-service-extension), then click Logs in the left navigation. Run the following sample query to show logs over the past 72 hours. Replace `<app-name>` with your web app name.
+
+```kusto
+let StartTime = ago(72h);
+let EndTime = now();
+AppServiceConsoleLogs_CL
+| where TimeGenerated between (StartTime .. EndTime)
+| where AppName_s =~ "<app-name>"
+```
+
+The application logs for all the apps hosted in your Kubernetes cluster are logged to the Log Analytics workspace in the custom log table named `AppServiceConsoleLogs_CL`.
+
+**Log_s** contains application logs for a given App Service and **AppName_s** contains the App Service app name. In addition to logs you write via your application code, the Log_s column also contains logs on container startup, shutdown, and Function Apps.
+
+You can learn more about log queries in [getting started with Kusto](../azure-monitor/logs/get-started-queries.md).
+
+## (Optional) Deploy a custom container
+
+To create a custom container app, run [az webapp create](/cli/azure/webapp#az_webapp_create) with `--deployment-container-image-name`. For a private repository, add `--docker-registry-server-user` and `--docker-registry-server-password`.
+
+For example, try:
+
+```azurecli-interactive
+az webapp create
+ --resource-group myResourceGroup \
+ --name <app-name> \
+ --custom-location $customLocationId \
+ --deployment-container-image-name mcr.microsoft.com/appsvc/node:12-lts
+```
+
+<!-- `TODO: currently gets an error but the app is successfully created: "Error occurred in request., RetryError: HTTPSConnectionPool(host='management.azure.com', port=443): Max retries exceeded with url: /subscriptions/62f3ac8c-ca8d-407b-abd8-04c5496b2221/resourceGroups/myResourceGroup/providers/Microsoft.Web/sites/cephalin-arctest4/config/appsettings?api-version=2020-12-01 (Caused by ResponseError('too many 500 error responses',))"` -->
+
+To update the image after the app is create, see [Change the Docker image of a custom container](configure-custom-container.md?pivots=container-linux#change-the-docker-image-of-a-custom-container)
+
+## Next steps
+
+- [Configure an ASP.NET Core app](configure-language-dotnetcore.md?pivots=platform-linux)
+- [Configure a Node.js app](configure-language-nodejs.md?pivots=platform-linux)
+- [Configure a PHP app](configure-language-php.md?pivots=platform-linux)
+- [Configure a Linux Python app](configure-language-python.md)
+- [Configure a Java app](configure-language-java.md?pivots=platform-linux)
+- [Configure a Linux Ruby app](configure-language-ruby.md)
+- [Configure a custom container](configure-custom-container.md?pivots=container-linux)
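Review bot: the `<!-- TODO: currently gets an error but the app is successfully created ... -->` comment after the custom-container block embeds a subscription ID and a personal test app name from the author's run; HTML comments are still committed to the public repo, so drop the comment (and track the 500s in an issue) or at least strip those identifiers before merge. The custom-container `az webapp create` block is missing the line-continuation `\` after `az webapp create`, so in a shell the command runs with no arguments and the following lines are executed on their own; compare the block in step 3, which has it. Section "## 2. Get the custom location" has nothing between its heading and "## 3. Create an app" in this hunk, yet step 3 relies on `$customLocationId`; confirm whatever sets that variable actually renders. The commented-out "Create an App Service plan" section ending in "Currently does not work" belongs in an issue, not in the shipped source. In step 4, `zip -r package.zip .` runs inside the freshly cloned repo, so the package will include the `.git` directory; excluding it keeps the deployment small. Typo: "after the app is create" should read "created".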
app-service Tutorial Java Spring Cosmosdb https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/app-service/tutorial-java-spring-cosmosdb.md
The name of Cosmos DB must use only lower case letters. Note down the `documentE
4. Get your Azure Cosmos DB key to connect to the app. Keep the `primaryMasterKey`, `documentEndpoint` nearby as you'll need them in the next step. ```azurecli
- az cosmosdb list-keys -g <your-azure-group-name> -n <your-azure-COSMOSDB-name>
+ az cosmosdb keys list -g <your-azure-group-name> -n <your-azure-COSMOSDB-name>
``` ## Configure the TODO app properties
Open the `pom.xml` file in the `initial/spring-boot-todo` directory and add the
<resourceGroup>${RESOURCEGROUP_NAME}</resourceGroup> <appName>${WEBAPP_NAME}</appName> <region>${REGION}</region>-
+ <pricingTier>P1V2</princingTier>
<!-- Java Runtime Stack for Web App on Linux--> <runtime> <os>linux</os>
- <javaVersion>jre8</javaVersion>
- <webContainer>jre8</webContainer>
+ <javaVersion>Java 8</javaVersion>
+ <webContainer>Java SE</webContainer>
</runtime> <deployment> <resources>
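Review bot: the added `<pricingTier>P1V2</princingTier>` line has a mismatched closing tag (`princingTier`), which makes the pom.xml malformed and will stop Maven from parsing it at all; the closing tag must be `</pricingTier>`. The `javaVersion`/`webContainer` update to `Java 8` / `Java SE` is fine.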
az appservice plan update --number-of-workers 2 \
## Clean up resources
-If you don't need these resources for another tutorial (see [Next steps](#next)), you can delete them by running the following command in the Cloud Shell: 
-  
+If you don't need these resources for another tutorial (see [Next steps](#next)), you can delete them by running the following command in the Cloud Shell:
```azurecli
-az group delete --name <your-azure-group-name>
+az group delete --name <your-azure-group-name> --yes
``` <a name="next"></a>
application-gateway Self Signed Certificates https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/application-gateway/self-signed-certificates.md
Create your root CA certificate using OpenSSL.
### Create the root key
-1. Sign in to your computer where OpenSSL is installed and run the following command. This creates a password protected key.
+1. Sign in to your computer where OpenSSL is installed and run the following command. This creates an encrypted key.
``` openssl ecparam -out contoso.key -name prime256v1 -genkey ```
-1. At the prompt, type a strong password. For example, at least nine characters, using upper case, lower case, numbers, and symbols.
-
+
### Create a Root Certificate and self-sign it 1. Use the following commands to generate the csr and the certificate. ``` openssl req -new -sha256 -key contoso.key -out contoso.csr-
+ ```
+
+ ```
openssl x509 -req -sha256 -days 365 -in contoso.csr -signkey contoso.key -out contoso.crt ``` The previous commands create the root certificate. You'll use this to sign your server certificate.
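Review bot: the changed step text "This creates an encrypted key" is still inaccurate: `openssl ecparam -out contoso.key -name prime256v1 -genkey` writes an unencrypted EC private key to disk, which is precisely why the "type a strong password" step had to be removed. Either say "This creates a private key" or keep the protection by adding a follow-up step such as `openssl ec -in contoso.key -aes256 -out contoso.key` with a note that the passphrase will then be requested by the later `req` and `x509` commands. Also, the `openssl req` line ends in a stray `-` after `contoso.csr`, and the two signing commands are now split across two fences where a single fence would do.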
applied-ai-services Applied Ai Services Customer Spotlight Use Cases https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/applied-ai-services/applied-ai-services-customer-spotlight-use-cases.md
+
+ Title: Customer spotlight on use cases
+
+description: Customer spotlight on use cases
++++ Last updated : 05/13/2021+++
+# Customer spotlight on use cases
+
+Customers are already using Applied AI Services to add AI horsepower to their business scenarios.
+
+| Partner | Description | Customer story |
+||-|-|
+| <center>![Progressive_Logo](./media/logo-progressive-02.png) | **Progressive helps customers make smarter insurance decisions with Bot Service and Cognitive Search.** <br>"One of the great things about Bot Service is that, out of the box, we could use it to quickly put together the basic framework for our bot." *-Matt White, Marketing Manager, Personal Lines Acquisition Experience, Progressive Insurance* | [Read the story](https://customers.microsoft.com/story/789698-progressive-insurance-cognitive-services-insurance) |
+| <center>![Wix Logo](./media/wix-logo-01.png) | **WIX deploys smart search across 150 million websites with Cognitive Search** <br> ΓÇ£We really benefitted from choosing Azure Cognitive Search because we could go to market faster than we had with other products. We donΓÇÖt have to manage infrastructure, and our developers can spend time on higher-value tasks.ΓÇ¥*-Giedrius Gra┼╛evi─ìius: Project Manager for Search, Wix* | [Read the story](https://customers.microsoft.com/story/764974-wix-partner-professional-services-azure-cognitive-search) |
+| <center>![Chevron logo](./media/chevron-01.png) | **Chevron uses Form Recognizer to extract volumes of data from unstructured reports**<br>ΓÇ£We only have a finite amount of time to extract data, and oftentimes the data thatΓÇÖs left behind is valuable. With this new technology, we're able to extract everything and then decide what we can use to improve our performance.ΓÇ¥*-Diane Cillis, Engineering Technologist, Chevron Canada* | [Read the story](https://customers.microsoft.com/story/chevron-mining-oil-gas-azure-cognitive-services) |
++
+## See also
+* [What are Applied AI Services?](what-are-applied-ai-services.md)
+* [Why use Applied AI Services?](why-applied-ai-services.md)
+
+ΓÇïΓÇï
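Review bot: the `<center>` tags opened in each row's first cell are never closed, which is invalid inside a Markdown table and should simply be removed. The file also carries an encoding problem: curly quotes and apostrophes appear as `ΓÇ£`, `ΓÇ¥` and `ΓÇÖ`, the Wix contact's surname is mangled to `Gra┼╛evi─ìius`, and the last added line consists only of zero-width characters (`ΓÇïΓÇï`); re-save the file as UTF-8, restore the name from the linked customer story, and delete the trailing line.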
applied-ai-services What Are Applied Ai Services https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/applied-ai-services/what-are-applied-ai-services.md
+
+ Title: What are Azure Applied AI Services?
+
+description: Applied AI Services description.
+keywords: applied ai services, artifical intelligence, applied ai, ai services, cognitive search, applied ai features
+++++ Last updated : 05/04/2021+++
+# What are Azure Applied AI Services?
+
+Azure Applied AI Services are high-level services focused on empowering developers to quickly unlock the value of data by applying AI into their key business scenarios. Built on top of the AI APIs of Azure Cognitive Services, Azure Applied AI Services are optimized for critical tasks ranging from monitoring and diagnosing metric anomalies, mining knowledge from documents, enhancing the customer experience through transcription analysis, boosting literacy in the classroom, document understanding and more. Previously, companies would have to orchestrate multiple AI skills, add business logic, and create a UI to go from development to deployment for their scenario ΓÇô all of which would consume time, expertise, and resources ΓÇô these ΓÇ£scenario specificΓÇ¥ services provide developers these benefits ΓÇ£out of the boxΓÇ¥.ΓÇï
+
+## Azure Form Recognizer
+
+Enabling organizations in all industries to consume information hidden within documents to increase productivity, automate business process and generate knowledge and insights. Azure Form Recognizer is a service that lets you build automated data processing software using machine learning technology. Identify and extract text, key/value pairs, selection marks, tables, and structure from your documents. The service outputs structured data that includes the relationships in the original file, bounding boxes, confidence and more. You quickly get accurate results that are tailored to your specific content without heavy manual intervention or extensive data science expertise. Use Form Recognizer to automate data entry in your applications and enrich your documents' search capabilities. Azure Form Recognizer is built using OCR, Text Analytics and Custom Text from Azure Cognitive Services.
+
+Form Recognizer is composed of custom document processing models, prebuilt models for invoices, receipts, IDs and business cards, and the layout model.
+
+[Learn more about Azure Form Recognizer](../cognitive-services/form-recognizer/index.yml)ΓÇïΓÇï
+
+## Azure Metrics Advisor
+
+Protecting organizationΓÇÖs growth by enabling them to make the right decision based on intelligence from metrics of businesses, services and physical assets. Azure Metrics Advisor uses AI to perform data monitoring and anomaly detection in time series data. The service automates the process of applying models to your data, and provides a set of APIs and a web-based workspace for data ingestion, anomaly detection, and diagnostics - without needing to know machine learning. Developers can build AIOps, predicative maintenance, and business monitoring applications on top of the service. Azure Metrics Advisor is built using Anomaly Detector from Azure Cognitive Services.ΓÇï
+
+[Learn more about Azure Metrics Advisor](../cognitive-services/metrics-advisor/index.yml)
+
+## Azure Cognitive Search
+
+Unlock valuable information lying latent in all your content in order to perform an action or make decisions. Azure Cognitive Search is the only cloud search service with built-in AI capabilities that enrich all types of information to help you identify and explore relevant content at scale. Use cognitive skills for vision, language, and speech, or use custom machine learning models to uncover insights from all types of content. Azure Cognitive Search also offers semantic search capability, which uses advanced machine learning techniques to understand user intent and contextually rank the most relevant search results. Spend more time innovating and less time maintaining a complex cloud search solution. Azure Cognitive Search is built using Computer Vision and Text Analytics from Azure Cognitive Services.
+
+[Learn more about Azure Cognitive Search](../search/index.yml)ΓÇïΓÇï
+
+## Azure Immersive Reader
+
+Enhance reading comprehension and achievement with AI. Azure Immersive Reader is an inclusively designed tool that implements proven techniques to improve reading comprehension for new readers, language learners, and people with learning differences such as dyslexia. With the Immersive Reader client library, you can leverage the same technology used in Microsoft Word and Microsoft OneNote to improve your web applications. Azure Immersive Reader is built using Translation and Text to Speech from Azure Cognitive Services.
+
+[Learn more about Azure Immersive Reader](../cognitive-services/immersive-reader/index.yml)
+
+## Azure Bot Service
+
+Enable rapid creation of customizable, sophisticated, conversational experiences with pre-built conversational components enabling business value right out of the box. Azure Bot Service Composer is an open-source visual authoring canvas for developers and multidisciplinary teams to build bots. Composer integrates language understanding services such as LUIS and QnA Maker and allows sophisticated composition of bot replies using language generation. Azure Bot Service is built using Speech/Telephony, LUIS, and QnA Maker from Azure Cognitive Services.
+
+[Learn more about Azure Bot Service](https://docs.microsoft.com/composer/)ΓÇï
+
+## Azure Video Analyzer
+
+Enabling businesses to build automated apps powered by video intelligence without being a video or AI expert. Azure Video Analyzer is a service for building AI-based video solutions and applications. You can generate real-time business insights from video streams, processing data near the source and applying the AI of your choice. Record videos of interest on the edge or in the cloud and combine them with other data to power your business decisions. Azure Video Analyzer is built using Spatial Analysis from Azure Cognitive Services. Azure Video Analyzer for Media is built using Face, Speech, Translation, Text analytics, Custom vision, and textual content moderation from Azure Cognitive Services.
+
+[Learn more about Azure Video Analytics](https://aka.ms/video-analyzer-hub)ΓÇïΓÇï
+
+## Certifications and compliance
+
+Applied AI Services has been awarded certifications such as CSA STAR Certification, FedRAMP Moderate, and HIPAA BAA. You can [download](https://aka.ms/applied-ai-download-certifications "download") certifications for your own audits and security reviews.
+
+To understand privacy and data management, go to the [Trust Center](https://servicetrust.microsoft.com/ "Trust Center").
+
+## Support
+
+Applied AI Services provides several support options to help you move forward with creating intelligent applications. Applied AI Services also has a strong community of developers that can help answer your specific questions. For a full list of options available to you, see:
+
+- [Submit Feedback on UserVoice](https://aka.ms/AppliedAIUserVoice)
+- [Ask Questions on Microsoft Q&A](https://aka.ms/AppliedAIMSFTQandA)
+- [Troubleshoot on StackOverflow](https://aka.ms/AppliedAIStackOverflow)
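Review bot: the same encoding problem as the spotlight page runs through this file: dashes and quotes appear as `ΓÇô`, `ΓÇ£`, `ΓÇ¥`, `ΓÇÖ`, and several lines end in zero-width characters (`ΓÇï`) after the "Learn more" links and the first paragraph; re-save as UTF-8 and strip the stray characters. Spelling: `artifical` in the keywords metadata, and "predicative maintenance" in the Metrics Advisor section should be "predictive". The Video Analyzer section's link text says "Learn more about Azure Video Analytics" while the heading says "Azure Video Analyzer"; make them agree. The Bot Service link uses an absolute `https://docs.microsoft.com/composer/` URL where the sibling sections use relative paths.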
applied-ai-services Why Applied Ai Services https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/applied-ai-services/why-applied-ai-services.md
+
+ Title: Why Azure Applied AI Services?
+
+description: Why Applied AI Services description.
+++++ Last updated : 05/05/2021+++
+# Why Azure Applied AI Services?
+
+Azure Applied AI Services reduces the time developers need to modernize business processes from months to days. These services help you accelerate time to value for specific business scenarios through a combination of Azure Cognitive Services, task-specific AI, and business logic. ΓÇï
+
+Each Azure Applied AI service addresses a common need and generates new opportunities across organizations such as analyzing conversations for improved customer experiences, automating document processing for operational productivity, understanding the root cause of anomalies for protecting your organizationΓÇÖs growth, and extracting insights from content ranging from documents to videos.
+
+By building on top of the AI models from Azure Cognitive Services as well as providing task-specific AI models and built-in business logic, Azure Applied AI Services enable developers to quickly deploy common scenarios versus building from scratch.
+
+## Benefits ΓÇïΓÇï
+- Modernize business process ΓÇô Use task-specific AI to solve your scenario
+- Accelerate development ΓÇô Go live with your AI solutions quickly
+- Run responsibly anywhere ΓÇô Enterprise-grade responsible and secure services from the cloud to the edge
+
+
+## What is the difference between Applied AI Services and Cognitive Services?
+
+Both Applied AI Services and Cognitive Services are designed to help developers create intelligent apps. Cognitive Services provides general purpose AI services that serve as the core engine for Applied AI Services.
+
+Applied AI Services builds on top of Cognitive Services while also adding task-specific AI and business logic to optimize for specific use cases so that developers spend less time designing solutions or setting up pipelines.
+
+If there isnΓÇÖt an Applied AI Service available to meet a specific use case, developers can also build their own solutions from scratch, using Cognitive Services as building blocks.
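Review bot: the `## Benefits` heading carries trailing zero-width characters (`ΓÇïΓÇï`), each benefit bullet uses a mis-encoded dash (`ΓÇô`), and `isnΓÇÖt` / `organizationΓÇÖs` show the same apostrophe corruption; this file needs the same UTF-8 re-save as the other two Applied AI pages in this update.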
automation Automation Hrw Run Runbooks https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/automation/automation-hrw-run-runbooks.md
Title: Run Azure Automation runbooks on a Hybrid Runbook Worker
description: This article describes how to run runbooks on machines in your local datacenter or other cloud provider with the Hybrid Runbook Worker. Previously updated : 03/10/2021 Last updated : 05/24/2021
To help troubleshoot issues with your runbooks running on a hybrid runbook worke
* If your runbooks aren't completing successfully, review the troubleshooting guide for [runbook execution failures](troubleshoot/hybrid-runbook-worker.md#runbook-execution-fails). * For more information on PowerShell, including language reference and learning modules, see [PowerShell Docs](/powershell/scripting/overview).
+* Learn about [using Azure Policy to manage runbook execution](enforce-job-execution-hybrid-worker.md) with Hybrid Runbook Workers.
* For a PowerShell cmdlet reference, see [Az.Automation](/powershell/module/az.automation).
automation Enforce Job Execution Hybrid Worker https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/automation/enforce-job-execution-hybrid-worker.md
+
+ Title: Enforce job execution on Azure Automation Hybrid Runbook Worker
+description: This article tells how to use a custom Azure Policy definition to enforce job execution on an Azure Automation Hybrid Runbook Worker.
++ Last updated : 05/24/2021+++
+# Use Azure Policy to enforce job execution on Hybrid Runbook Worker
+
+Starting a runbook on a Hybrid Runbook Worker uses a **Run on** option that allows you to specify the name of a Hybrid Runbook Worker group when initiating from the Azure portal, with the Azure PowerShell, or REST API. When a group is specified, one of the workers in that group retrieves and runs the runbook. If your runbook does not specify this option, Azure Automation runs the runbook in the Azure sandbox.
+
+Anyone in your organization who is a member of the [Automation Job Operator](automation-role-based-access-control.md#automation-job-operator) or higher can create runbook jobs. To manage runbook execution targeting a Hybrid Runbook Worker group in your Automation account, you can use [Azure Policy](../governance/policy/overview.md). This helps to enforce organizational standards and ensure your automation jobs are controlled and managed by those designated, and anyone cannot execute a runbook on an Azure sandbox, only on Hybrid Runbook workers.
+
+A custom Azure Policy definition is included in this article to help you control these activities using the following Automation REST API operations. Specifically:
+
+* [Create job](/rest/api/automation/job/create)
+* [Create job schedule](/rest/api/automation/jobschedule/create)
+* [Create webhook](/rest/api/automation/webhook/createorupdate)
+
+This policy is based on the `runOn` property. The policy validates the value of the property, which should contain the name of an existing Hybrid Runbook Worker group. If the value is null, it is interpreted as the create request for the job, job schedule, or webhook is intended for the Azure sandbox, and the request is denied.
+
+## Permissions required
+
+You need to be a member of the [Owner](../role-based-access-control/built-in-roles.md#owner) role at the subscription-level for permission to Azure Policy resources.
+
+## Create and assign the policy definition
+
+Here we compose the policy rule and then assign it to either a management group or subscription, and optionally specify a resource group in the subscription. If you aren't yet familiar with the policy language, reference [policy definition structure](../governance/policy/concepts/definition-structure.md) for how to structure the policy definition.
+
+1. Use the following JSON snippet to create a JSON file with the name AuditAutomationHRWJobExecution.json.
+
+ ```json
+ {
+ "properties": {
+ "displayName": "Enforce job execution on Automation Hybrid Runbook Worker",
+ "description": "Enforce job execution on Hybrid Runbook Workers in your Automation account.",
+ "mode": "all",
+ "parameters": {
+ "effectType": {
+ "type": "string",
+ "defaultValue": "Deny",
+ "allowedValues": [
+ "Deny",
+ "Disabled"
+ ],
+ "metadata": {
+ "displayName": "Effect",
+ "description": "Enable or disable execution of the policy"
+ }
+ }
+ },
+ "policyRule": {
+ "if": {
+ "anyOf": [
+ {
+ "allOf": [
+ {
+ "field": "type",
+ "equals": "Microsoft.Automation/automationAccounts/jobs"
+ },
+ {
+ "value": "[length(field('Microsoft.Automation/automationAccounts/jobs/runOn'))]",
+ "less": 1
+ }
+ ]
+ },
+ {
+ "allOf": [
+ {
+ "field": "type",
+ "equals": "Microsoft.Automation/automationAccounts/webhooks"
+ },
+ {
+ "value": "[length(field('Microsoft.Automation/automationAccounts/webhooks/runOn'))]",
+ "less": 1
+ }
+ ]
+ },
+ {
+ "allOf": [
+ {
+ "field": "type",
+ "equals": "Microsoft.Automation/automationAccounts/jobSchedules"
+ },
+ {
+ "value": "[length(field('Microsoft.Automation/automationAccounts/jobSchedules/runOn'))]",
+ "less": 1
+ }
+ ]
+ }
+ ]
+ },
+ "then": {
+ "effect": "[parameters('effectType')]"
+ }
+ }
+ }
+ }
+ ```
+
+2. Run the following Azure PowerShell or Azure CLI command to create a policy definition using the AuditAutomationHRWJobExecution.json file.
+
+ # [Azure CLI](#tab/azure-cli)
+
+ ```azurecli
+ az policy definition create --name 'audit-enforce-jobs-on-automation-hybrid-runbook-workers' --display-name 'Audit Enforce Jobs on Automation Hybrid Runbook Workers' --description 'This policy enforces job execution on Automation account user Hybrid Runbook Workers.' --rules 'AuditAutomationHRWJobExecution.json' --mode All
+ ```
+
+ The command creates a policy definition named **Audit Enforce Jobs on Automation Hybrid Runbook Workers**. For more information about other parameters that you can use, see [az policy definition create](/cli/azure/policy/definition#az_policy_definition_create).
+
+ When called without location parameters, `az policy definition create` defaults to saving the policy definition in the selected subscription of the sessions context. To save the definition to a different location, use the following parameters:
+
+ * **subscription** - Save to a different subscription. Requires a *GUID* value for the subscription ID or a *string* value for the subscription name.
+ * **management-group** - Save to a management group. Requires a *string* value.
+
+ # [PowerShell](#tab/azure-powershell)
+
+ ```azurepowershell
+ New-AzPolicyDefinition -Name 'audit-enforce-jobs-on-automation-hybrid-runbook-workers' -DisplayName 'Audit Enforce Jobs on Automation Hybrid Runbook Workers' -Policy 'AuditAutomationHRWJobExecution.json'
+ ```
+
+ The command creates a policy definition named **Audit Enforce Jobs on Automation Hybrid Runbook Workers**. For more information about other parameters that you can use, see [New-AzPolicyDefinition](/powershell/module/az.resources/new-azpolicydefinition).
+
+ When called without location parameters, `New-AzPolicyDefinition` defaults to saving the policy definition in the selected subscription of the sessions context. To save the definition to a different location, use the following parameters:
+
+ * **SubscriptionId** - Save to a different subscription. Requires a *GUID* value.
+ * **ManagementGroupName** - Save to a management group. Requires a *string* value.
+
+
+
+3. After you create your policy definition, you can create a policy assignment by running the following commands:
+
+ # [Azure CLI](#tab/azure-cli)
+
+ ```azurecli
+ az policy assignment create --name '<name>' --scope '<scope>' --policy '<policy definition ID>'
+ ```
+
+ The **scope** parameter on `az policy assignment create` works with management group,
+ subscription, resource group, or a single resource. The parameter uses a full resource path. The
+ pattern for **scope** for each container is as follows. Replace `{rName}`, `{rgName}`, `{subId}`,
+ and `{mgName}` with your resource name, resource group name, subscription ID, and management
+ group name, respectively. `{rType}` would be replaced with the **resource type** of the resource,
+ such as `Microsoft.Compute/virtualMachines` for a VM.
+
+ - Resource - `/subscriptions/{subID}/resourceGroups/{rgName}/providers/{rType}/{rName}`
+ - Resource group - `/subscriptions/{subID}/resourceGroups/{rgName}`
+ - Subscription - `/subscriptions/{subID}`
+ - Management group - `/providers/Microsoft.Management/managementGroups/{mgName}`
+
+ You can get the Azure Policy Definition ID by using PowerShell with the following command:
+
+ ```azurecli
+ az policy definition show --name 'Audit Enforce Jobs on Automation Hybrid Runbook Workers'
+ ```
+
+ The policy definition ID for the policy definition that you created should resemble the following
+ example:
+
+ ```output
+ "/subscription/<subscriptionId>/providers/Microsoft.Authorization/policyDefinitions/Audit Enforce Jobs on Automation Hybrid Runbook Workers"
+ ```
+
+ # [PowerShell](#tab/azure-powershell)
+
+ ```azurepowershell
+ $rgName = Get-AzResourceGroup -Name 'ContosoRG'
+ $Policy = Get-AzPolicyDefinition -Name 'audit-enforce-jobs-on-automation-hybrid-runbook-workers'
+ New-AzPolicyAssignment -Name 'audit-enforce-jobs-on-automation-hybrid-runbook-workers' -PolicyDefinition $Policy -Scope $rg.ResourceId
+ ```
+
+ Replace _ContosoRG_ with the name of your intended resource group.
+
+ The **Scope** parameter on `New-AzPolicyAssignment` works with management group, subscription,
+ resource group, or a single resource. The parameter uses a full resource path, which the
+ **ResourceId** property on `Get-AzResourceGroup` returns. The pattern for **Scope** for each
+ container is as follows. Replace `{rName}`, `{rgName}`, `{subId}`, and `{mgName}` with your
+ resource name, resource group name, subscription ID, and management group name, respectively.
+ `{rType}` would be replaced with the **resource type** of the resource, such as
+ `Microsoft.Compute/virtualMachines` for a VM.
+
+ - Resource - `/subscriptions/{subID}/resourceGroups/{rgName}/providers/{rType}/{rName}`
+ - Resource group - `/subscriptions/{subId}/resourceGroups/{rgName}`
+ - Subscription - `/subscriptions/{subId}`
+ - Management group - `/providers/Microsoft.Management/managementGroups/{mgName}`
+
+
+
+4. Sign in to the [Azure portal](https://portal.azure.com).
+5. Launch the Azure Policy service in the Azure portal by selecting **All services**, then searching for and selecting **Policy**.
+6. Select **Compliance** in the left side of the page. Then locate the policy assignment you created.
+
+ :::image type="content" source="./media/enforce-job-execution-hybrid-worker/azure-policy-dashboard-policy-status.png" alt-text="Screenshot of Azure Policy dashboard.":::
+
+When one of the Automation REST operations are executed without reference to a Hybrid Runbook Worker in the request body, a 403 response code is returned with an error similar to the following example indicating the operation attempted execution on an Azure sandbox:
+
+```rest
+{
+ "error": {
+ "code": "RequestDisallowedByPolicy",
+ "target": "Start_VMS",
+ "message": "Resource 'Start_VMS' was disallowed by policy. Policy identifiers: '[{\"policyAssignment\":{\"name\":\"Enforce Jobs on Automation Hybrid Runbook Workers\",\"id\":\"/subscriptions/75475e1e-9643-4f3d-859e-055f4c31b458/resourceGroups/MAIC-RG/providers/Microsoft.Authorization/policyAssignments/fd5e2cb3842d4eefbc857917\"},\"policyDefinition\":{\"name\":\"Enforce Jobs on Automation Hybrid Runbook Workers\",\"id\":\"/subscriptions/75475e1e-9643-4f3d-859e-055f4c31b458/providers/Microsoft.Authorization/policyDefinitions/4fdffd35-fd9f-458e-9779-94fe33401bfc\"}}]'.",
+ "additionalInfo": [
+ {
+ "type": "PolicyViolation",
+ "info": {
+ "policyDefinitionDisplayName": "Enforce Jobs on Automation Hybrid Runbook Workers",
+ "evaluationDetails": {
+ "evaluatedExpressions": [
+ {
+ "result": "True",
+ "expressionKind": "Field",
+ "expression": "type",
+ "path": "type",
+ "expressionValue": "Microsoft.Automation/automationAccounts/jobs",
+ "targetValue": "Microsoft.Automation/automationAccounts/jobs",
+ "operator": "Equals"
+ },
+ {
+ "result": "True",
+ "expressionKind": "Value",
+ "expression": "[length(field('Microsoft.Automation/automationAccounts/jobs/runOn'))]",
+ "expressionValue": 0,
+ "targetValue": 1,
+ "operator": "Less"
+ }
+ ]
+ },
+ "policyDefinitionId": "/subscriptions/75475e1e-9643-4f3d-859e-055f4c31b458/providers/Microsoft.Authorization/policyDefinitions/4fdffd35-fd9f-458e-9779-94fe33401bfc",
+ "policyDefinitionName": "4fdffd35-fd9f-458e-9779-94fe33401bfc",
+ "policyDefinitionEffect": "Deny",
+ "policyAssignmentId": "/subscriptions/75475e1e-9643-4f3d-859e-055f4c31b458/resourceGroups/MAIC-RG/providers/Microsoft.Authorization/policyAssignments/fd5e2cb3842d4eefbc857917",
+ "policyAssignmentName": "fd5e2cb3842d4eefbc857917",
+ "policyAssignmentDisplayName": "Enforce Jobs on Automation Hybrid Runbook Workers",
+ "policyAssignmentScope": "/subscriptions/75475e1e-9643-4f3d-859e-055f4c31b458/resourceGroups/MAIC-RG",
+ "policyAssignmentParameters": {}
+ }
+ }
+ ]
+ }
+}
+```
+
+The attempted operation is also logged in the Automation account's Activity Log, similar to the following example.
++
+## Next steps
+
+To work with runbooks, see [Manage runbooks in Azure Automation](manage-runbooks.md).
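Review bot: the PowerShell assignment example stores the resource group in `$rgName` but passes `$rg.ResourceId` to `-Scope`, so `$rg` is undefined and the assignment is created with an empty scope; make the names agree, e.g. `$rg = Get-AzResourceGroup -Name 'ContosoRG'`. A few more points in the same hunk. The introduction says the policy validates that `runOn` "should contain the name of an existing Hybrid Runbook Worker group", but the rule only evaluates `[length(field('...runOn'))]` against `"less": 1`, so any non-empty string passes, including a group that does not exist; the text should say the policy denies create requests whose `runOn` is empty or missing, and nothing more. The lookup `az policy definition show --name 'Audit Enforce Jobs on Automation Hybrid Runbook Workers'` passes the display name, while the definition was created with the name `audit-enforce-jobs-on-automation-hybrid-runbook-workers`; `--name` takes the definition name, and the sentence introducing this command says "by using PowerShell" although it is an Azure CLI command. The sample definition ID begins `/subscription/<subscriptionId>/` and should be `/subscriptions/`, and the scope placeholders are spelled both `{subID}` and `{subId}` across the two lists. The CLI create command passes the rule file but no `--params`, while the rule references `[parameters('effectType')]`; confirm the parameters block is read from the file, otherwise supply it explicitly. Finally, "The attempted operation is also logged in the Automation account's Activity Log, similar to the following example." is followed by nothing; either add the example or drop the sentence.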
automation Desired State Configuration https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/automation/troubleshoot/desired-state-configuration.md
This error is normally caused by a firewall, the machine being behind a proxy se
Verify that your machine has access to the proper endpoints for DSC and try again. For a list of ports and addresses needed, see [Network planning](../automation-dsc-overview.md#network-planning).
-## <a name="unauthorized"><a/>Scenario: Status reports return the response code Unauthorized
+## <a name="unauthorized"></a>Scenario: Status reports return the response code Unauthorized
### Issue
automation Enable From Template https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/automation/update-management/enable-from-template.md
You can use an [Azure Resource Manager template](../../azure-resource-manager/te
* Adds sample Automation runbooks to the account. * Enables the Update Management feature.
-The template does not automate enabling Update Management on one or more Azure or non-Azure VMs.
- If you already have a Log Analytics workspace and Automation account deployed in a supported region in your subscription, they are not linked. Using this template successfully creates the link and deploys Update Management. >[!NOTE]
azure-app-configuration Enable Dynamic Configuration Aspnet Core https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/azure-app-configuration/enable-dynamic-configuration-aspnet-core.md
# Tutorial: Use dynamic configuration in an ASP.NET Core app
-ASP.NET Core has a pluggable configuration system that can read configuration data from a variety of sources. It can handle changes dynamically without causing an application to restart. ASP.NET Core supports the binding of configuration settings to strongly typed .NET classes. It injects them into your code by using the various `IOptions<T>` patterns. One of these patterns, specifically `IOptionsSnapshot<T>`, automatically reloads the application's configuration when the underlying data changes. You can inject `IOptionsSnapshot<T>` into controllers in your application to access the most recent configuration stored in Azure App Configuration.
-
-You also can set up the App Configuration ASP.NET Core client library to refresh a set of configuration settings dynamically using a middleware. The configuration settings get updated with the configuration store each time as long as the web app receives requests.
-
-App Configuration automatically caches each setting to avoid too many calls to the configuration store. The refresh operation waits until the cached value of a setting expires to update that setting, even when its value changes in the configuration store. The default cache expiration time is 30 seconds. You can override this expiration time, if necessary.
+ASP.NET Core has a pluggable configuration system that can read configuration data from a variety of sources. It can handle changes dynamically without causing an application to restart. ASP.NET Core supports the binding of configuration settings to strongly typed .NET classes. It injects them into your code by using `IOptionsSnapshot<T>`, which automatically reloads the application's configuration when the underlying data changes.
This tutorial shows how you can implement dynamic configuration updates in your code. It builds on the web app introduced in the quickstarts. Before you continue, finish [Create an ASP.NET Core app with App Configuration](./quickstart-aspnet-core-app.md) first.
Before you continue, finish [Create an ASP.NET Core app with App Configuration](
## Add a sentinel key
-A *sentinel key* is a special key used to signal when configuration has changed. Your app monitors the sentinel key for changes. When a change is detected, you refresh all configuration values. This approach reduces the overall number of requests made by your app to App Configuration, compared to monitoring all keys for changes.
+A *sentinel key* is a special key that you update after you complete the change of all other keys. Your application monitors the sentinel key. When a change is detected, your application refreshes all configuration values. This approach helps to ensure the consistency of configuration in your application and reduces the overall number of requests made to App Configuration, compared to monitoring all keys for changes.
1. In the Azure portal, select **Configuration Explorer > Create > Key-value**. 1. For **Key**, enter *TestApp:Settings:Sentinel*. For **Value**, enter 1. Leave **Label** and **Content type** blank. 1. Select **Apply**. > [!NOTE]
-> If you aren't using a sentinel key, you need to manually register every key you want to watch.
+> If you aren't using a sentinel key, you need to manually register every key you want to monitor.
## Reload data from App Configuration
A *sentinel key* is a special key used to signal when configuration has changed.
```
- The `ConfigureRefresh` method is used to specify the settings used to update the configuration data with the App Configuration store when a refresh operation is triggered. The `refreshAll` parameter to the `Register` method indicates that all configuration values should be refreshed if the sentinel key changes.
-
- Also, the `SetCacheExpiration` method overrides the default cache expiration time of 30 seconds, specifying a time of 5 minutes instead. This reduces the number of requests made to App Configuration.
+ In the `ConfigureRefresh` method, you register keys within your App Configuration store that you want to monitor for changes. The `refreshAll` parameter to the `Register` method indicates that all configuration values should be refreshed if the registered key changes. The `SetCacheExpiration` method specifies the minimum time that must elapse before a new request is made to App Configuration to check for any configuration changes. In this example, you override the default expiration time of 30 seconds specifying a time of 5 minutes instead. This reduces the potential number of requests made to your App Configuration store.
> [!NOTE]
- > For testing purposes, you may want to lower the cache expiration time.
+ > For testing purposes, you may want to lower the cache refresh expiration time.
- To actually trigger a refresh operation, you'll need to configure a refresh middleware for the application to refresh the configuration data when any change occurs. You'll see how to do this in a later step.
+ To actually trigger a configuration refresh, you'll use the App Configuration middleware. You'll see how to do this in a later step.
-2. Add a *Settings.cs* file in the Controllers directory that defines and implements a new `Settings` class. Replace the namespace with the name of your project.
+1. Add a *Settings.cs* file in the Controllers directory that defines and implements a new `Settings` class. Replace the namespace with the name of your project.
```csharp namespace TestAppConfig
A *sentinel key* is a special key used to signal when configuration has changed.
} ```
-3. Open *Startup.cs*, and use `IServiceCollection.Configure<T>` in the `ConfigureServices` method to bind configuration data to the `Settings` class.
+1. Open *Startup.cs*, and update the `ConfigureServices` method. Call `Configure<Settings>` to bind configuration data to the `Settings` class. Call `AddAzureAppConfiguration` to add App Configuration components to the service collection of your application.
#### [.NET 5.x](#tab/core5x)
A *sentinel key* is a special key used to signal when configuration has changed.
} ```
- > [!Tip]
- > To learn more about the options pattern when reading configuration values, see [Options Patterns in ASP.NET Core](/aspnet/core/fundamentals/configuration/options).
-
-4. Update the `Configure` method, adding the `UseAzureAppConfiguration` middleware to allow the configuration settings registered for refresh to be updated while the ASP.NET Core web app continues to receive requests.
+1. Update the `Configure` method, and add a call to `UseAzureAppConfiguration`. It enables your application to use the App Configuration middleware to handle the configuration updates for you automatically.
#### [.NET 5.x](#tab/core5x)
A *sentinel key* is a special key used to signal when configuration has changed.
```
- The middleware uses the refresh configuration specified in the `AddAzureAppConfiguration` method in `Program.cs` to trigger a refresh for each request received by the ASP.NET Core web app. For each request, a refresh operation is triggered and the client library checks if the cached value for the registered configuration setting has expired. If it's expired, it's refreshed.
- > [!NOTE]
- > To ensure the configuration is refreshed, add the middleware as early as appropriate to your request pipeline so it will not be short-circuited by another middleware in your application.
+ > The App Configuration middleware monitors the sentinel key or any other keys you registered for refreshing in the `ConfigureRefresh` call in the previous step. The middleware is triggered upon every incoming request to your application. However, the middleware will only send requests to check the value in App Configuration when the cache expiration time you set has passed. When a change is detected, it will either update all the configuration if the sentinel key is used or update the registered keys' values only.
+ > - If a request to App Configuration for change detection fails, your application will continue to use the cached configuration. Another check will be made when the configured cache expiration time has passed again, and there are new incoming requests to your application.
+ > - The configuration refresh happens asynchronously to the processing of your application incoming requests. It will not block or slow down the incoming request that triggered the refresh. The request that triggered the refresh may not get the updated configuration values, but subsequent requests will do.
+ > - To ensure the middleware is triggered, call `app.UseAzureAppConfiguration()` as early as appropriate in your request pipeline so another middleware will not short-circuit it in your application.
## Use the latest configuration data
A *sentinel key* is a special key used to signal when configuration has changed.
2. Update the `HomeController` class to receive `Settings` through dependency injection, and make use of its values.
- #### [.NET 5.x](#tab/core5x)
+ #### [.NET 5.x](#tab/core5x)
-```csharp
+ ```csharp
public class HomeController : Controller { private readonly Settings _settings;
A *sentinel key* is a special key used to signal when configuration has changed.
// ... }
-```
-#### [.NET Core 3.x](#tab/core3x)
+ ```
+ #### [.NET Core 3.x](#tab/core3x)
-```csharp
+ ```csharp
public class HomeController : Controller { private readonly Settings _settings;
A *sentinel key* is a special key used to signal when configuration has changed.
// ... }
-```
-#### [.NET Core 2.x](#tab/core2x)
+ ```
+ #### [.NET Core 2.x](#tab/core2x)
-```csharp
+ ```csharp
public class HomeController : Controller { private readonly Settings _settings;
A *sentinel key* is a special key used to signal when configuration has changed.
return View(); } }
-```
---
+ ```
+
+ > [!Tip]
+ > To learn more about the options pattern when reading configuration values, see [Options Patterns in ASP.NET Core](/aspnet/core/fundamentals/configuration/options).
3. Open *Index.cshtml* in the Views > Home directory, and replace its content with the following script:
A *sentinel key* is a special key used to signal when configuration has changed.
1. Sign in to the [Azure portal](https://portal.azure.com). Select **All resources**, and select the App Configuration store instance that you created in the quickstart.
-1. Select **Configuration Explorer**, and update the values of the following keys:
+1. Select **Configuration Explorer**, and update the values of the following keys. Remember to update the sentinel key at last.
| Key | Value | |||
A *sentinel key* is a special key used to signal when configuration has changed.
| TestApp:Settings:Message | Data from Azure App Configuration - now with live updates! | | TestApp:Settings:Sentinel | 2 |
-1. Refresh the browser page to see the new configuration settings. You may need to refresh more than once for the changes to be reflected, or change your automatic refresh rate to less than 5 minutes.
+1. Refresh the browser page to see the new configuration settings. You may need to refresh more than once for the changes to be reflected, or change your cache expiration time to less than 5 minutes.
![Launching updated quickstart app locally](./media/quickstarts/aspnet-core-app-launch-local-after.png)
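Review bot: the rewritten block beginning "> The App Configuration middleware monitors the sentinel key" lost its `> [!NOTE]` header when the old note was removed, so it now renders as a plain blockquote instead of a callout; restore the header line above it. Two grammar fixes in the same hunk: "but subsequent requests will do" should read "but subsequent requests will", and "Remember to update the sentinel key at last" should read "Remember to update the sentinel key last". Since the sentinel-key paragraph now explains that the sentinel must be updated after all other keys, the step list under "Update configuration" could say why (any request that lands between the other updates and the sentinel update still sees a consistent, older snapshot), which the added bullets imply but do not state.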
azure-app-configuration Howto Disable Access Key Authentication https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/azure-app-configuration/howto-disable-access-key-authentication.md
+
+ Title: Disable access key authentication for an Azure App Configuration instance (preview)
+
+description: Learn how to disable access key authentication for an Azure App Configuration instance (preview)
++++ Last updated : 5/14/2021++
+# Disable access key authentication for an Azure App Configuration instance (preview)
+
+Every request to an Azure App Configuration resource must be authenticated. By default, requests can be authenticated with either Azure Active Directory (Azure AD) credentials, or by using an access key. Of these two types of authentication schemes, Azure AD provides superior security and ease of use over access keys, and is recommended by Microsoft. To require clients to use Azure AD to authenticate requests, you can disable the usage of access keys for an Azure App Configuration resource.
+
+When you disable access key authentication for an Azure App Configuration resource, any existing access keys for that resource are deleted. Any subsequent requests to the resource using the previously existing access keys will be rejected. Only requests that are authenticated using Azure AD will succeed. For more information about using Azure AD, see [Authorize access to Azure App Configuration using Azure Active Directory](./concept-enable-rbac.md).
+
+## Disable access key authentication
+
+Disabling access key authentication will delete all access keys. If any running applications are using access keys for authentication they will begin to fail once access key authentication is disabled. Enabling access key authentication again will generate a new set of access keys and any applications attempting to use the old access keys will still fail.
+
+> [!WARNING]
+> If any clients are currently accessing data in your Azure App Configuration resource with access keys, then Microsoft recommends that you migrate those clients to [Azure AD](./concept-enable-rbac.md) before disabling access key authentication.
+> Additionally, it is recommended to read the [limitations](#limitations) section below to verify the limitations won't affect the intended usage of the resource.
+
+# [Azure portal](#tab/portal)
+
+To disallow access key authentication for an Azure App Configuration resource in the Azure portal, follow these steps:
+
+1. Navigate to your Azure App Configuration resource in the Azure portal.
+2. Locate the **Access keys** setting under **Settings**.
+
+ :::image type="content" border="true" source="./media/access-keys-blade.png" alt-text="Screenshot showing how to access an Azure App Configuration resources access key blade":::
+
+3. Set the **Enable access keys** toggle to **Disabled**.
+
+ :::image type="content" border="true" source="./media/disable-access-keys.png" alt-text="Screenshot showing how to disable access key authentication for Azure App Configuration":::
+
+# [Azure CLI](#tab/azure-cli)
+
+The capability to disable access key authentication using the Azure CLI is in development.
+++
+### Verify that access key authentication is disabled
+
+To verify that access key authentication is no longer permitted, a request can be made to list the access keys for the Azure App Configuration resource. If access key authentication is disabled there will be no access keys and the list operation will return an empty list.
+
+# [Azure portal](#tab/portal)
+
+To verify access key authentication is disabled for an Azure App Configuration resource in the Azure portal, follow these steps:
+
+1. Navigate to your Azure App Configuration resource in the Azure portal.
+2. Locate the **Access keys** setting under **Settings**.
+
+ :::image type="content" border="true" source="./media/access-keys-blade.png" alt-text="Screenshot showing how to access an Azure App Configuration resources access key blade":::
+
+3. Verify there are no access keys displayed and **Enable access keys** is toggled to **Disabled**.
+
+ :::image type="content" border="true" source="./media/access-keys-disabled-portal.png" alt-text="Screenshot showing access keys being disabled for an Azure App Configuration resource":::
+
+# [Azure CLI](#tab/azure-cli)
+
+To verify access key authentication is disabled for an Azure App Configuration resource in the Azure portal, use the following command. The command will list the access keys for an Azure App Configuration resource and if access key authentication is disabled the list will be empty.
+
+```azurecli-interactive
+az appconfig credential list \
+ --name <app-configuration-name> \
+ --resource-group <resource-group>
+```
+
+If access key authentication is disabled then an empty list will be returned.
+
+```
+C:\Users\User>az appconfig credential list -g <resource-group> -n <app-configuration-name>
+[]
+```
+++
+## Permissions for allowing or disallowing access key authentication
+
+To modify the state of access key authentication for an Azure App Configuration resource, a user must have permissions to create and manage Azure App Configuration resources. Azure role-based access control (Azure RBAC) roles that provide these permissions include the **Microsoft.AppConfiguration/configurationStores/write** or **Microsoft.AppConfiguration/configurationStores/\*** action. Built-in roles with this action include:
+
+- The Azure Resource Manager [Owner](../role-based-access-control/built-in-roles.md#owner) role
+- The Azure Resource Manager [Contributor](../role-based-access-control/built-in-roles.md#contributor) role
+
+These roles do not provide access to data in an Azure App Configuration resource via Azure Active Directory (Azure AD). However, they include the **Microsoft.AppConfiguration/configurationStores/listKeys/action** action permission, which grants access to the resource's access keys. With this permission, a user can use the access keys to access all the data in the resource.
+
+Role assignments must be scoped to the level of the Azure App Configuration resource or higher to permit a user to allow or disallow access key authentication for the resource. For more information about role scope, see [Understand scope for Azure RBAC](../role-based-access-control/scope-overview.md).
+
+Be careful to restrict assignment of these roles only to those who require the ability to create an App Configuration resource or update its properties. Use the principle of least privilege to ensure that users have the fewest permissions that they need to accomplish their tasks. For more information about managing access with Azure RBAC, see [Best practices for Azure RBAC](../role-based-access-control/best-practices.md).
+
+> [!NOTE]
+> The classic subscription administrator roles Service Administrator and Co-Administrator include the equivalent of the Azure Resource Manager [Owner](../role-based-access-control/built-in-roles.md#owner) role. The **Owner** role includes all actions, so a user with one of these administrative roles can also create and manage App Configuration resources. For more information, see [Classic subscription administrator roles, Azure roles, and Azure AD administrator roles](../role-based-access-control/rbac-and-directory-admin-roles.md#classic-subscription-administrator-roles).
+
+## Limitations
+
+The capability to disable access key authentication is available as a preview. The following limitations are currently in place.
+
+### ARM template access
+
+When access key authentication is disabled, the capability to read/write key-values in an [ARM template](./quickstart-resource-manager.md) will be disabled as well. This is because access to the Microsoft.AppConfiguration/configurationStores/keyValues resource used in ARM templates requires an Azure Resource Manager role, such as contributor or owner. When access key authentication is disabled, access to the resource requires one of the Azure App Configuration [data plane roles](concept-enable-rbac.md), therefore ARM template access is rejected.
+
+## Next steps
+
+- [Use customer-managed keys to encrypt your App Configuration data](concept-customer-managed-keys.md)
+- [Using private endpoints for Azure App Configuration](concept-private-endpoint.md)
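Review bot: In the "ARM template access" paragraph, `contributor or owner` should be written as the built-in role names (`Contributor`, `Owner`) to match the **Owner** reference in the NOTE above, and "read/write" reads better as "read and write". The closing sentence is also a run-on; suggest "When access key authentication is disabled, access to the resource requires one of the Azure App Configuration [data plane roles](concept-enable-rbac.md), so ARM template access is rejected." Separately, the least-privilege paragraph says "assignment of these roles" without naming them; since the Limitations anchor is linked from the quickstart, a reader can land here without having seen the role list, so name the roles explicitly.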
azure-app-configuration Quickstart Resource Manager https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/azure-app-configuration/quickstart-resource-manager.md
Two Azure resources are defined in the template:
> az appconfig update -g MyResourceGroup -n MyAppConfiguration --enable-public-network true > ```
+> [!NOTE]
+> There is a limitation where key-value data access inside an ARM template is disabled if access key authentication is disabled. See [disable access key authentication](./howto-disable-access-key-authentication.md#limitations) for more details.
+ ## Deploy the template Select the following image to sign in to Azure and open a template. The template creates an App Configuration store with two key-values inside.
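Review bot: The added NOTE's phrasing "There is a limitation where ... is disabled if ... is disabled" is indirect; suggest "When access key authentication is disabled for the store, key-value data access inside an ARM template is disabled as well." In the last added line, the `## Deploy the template` heading runs into the following sentence on the same line; give the heading its own line with a blank line before and after so it renders as a heading.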
azure-arc Conceptual Custom Locations https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/azure-arc/kubernetes/conceptual-custom-locations.md
Title: "Custom Locations - Azure Arc enabled Kubernetes" Previously updated : 04/05/2021 Last updated : 05/25/2021
azure-arc Custom Locations https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/azure-arc/kubernetes/custom-locations.md
Title: "Custom locations on Azure Arc enabled Kubernetes"
+ Title: "Create and manage custom locations on Azure Arc enabled Kubernetes"
Previously updated : 04/05/2021 Last updated : 05/25/2021
description: "Use custom locations to deploy Azure PaaS services on Azure Arc enabled Kubernetes clusters"
-# Custom locations on Azure Arc enabled Kubernetes
+# Create and manage custom locations on Azure Arc enabled Kubernetes
As an Azure location extension, *Custom Locations* provides a way for tenant administrators to use their Azure Arc enabled Kubernetes clusters as target locations for deploying Azure services instances. Azure resources examples include Azure Arc enabled SQL Managed Instance and Azure Arc enabled PostgreSQL Hyperscale. Similar to Azure locations, end users within the tenant with access to Custom Locations can deploy resources there using their company's private compute.
+In this article, you learn how to:
+> [!div class="checklist"]
+> * Enable custom locations on your Azure Arc enabled Kubernetes cluster.
+> * Deploy the Azure service cluster extension of the Azure service instance on your cluster.
+> * Create a custom location on your Azure Arc enabled Kubernetes cluster.
+ A conceptual overview of this feature is available in [Custom locations - Azure Arc enabled Kubernetes](conceptual-custom-locations.md) article. [!INCLUDE [preview features note](./includes/preview/preview-callout.md)]
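Review bot: The second checklist item, "Deploy the Azure service cluster extension of the Azure service instance on your cluster", is hard to parse, and the same phrase reappears as the first step under "Create custom location"; the wording being removed there ("Deploy the cluster extension of the Azure service whose instance you eventually want on top of the custom location") was clearer. Suggest "Deploy the cluster extension for the Azure service you want to run on the custom location." in both places. Also, the "A conceptual overview ..." sentence and the `[!INCLUDE ...]` directive share one line; the include needs to sit on its own line to be expanded.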
A conceptual overview of this feature is available in [Custom locations - Azure
- [Install or upgrade Azure CLI](/cli/azure/install-azure-cli) to version >= 2.16.0. -- `connectedk8s` (version >= 1.1.0), `k8s-extension` (version >= 0.2.0), and `customlocation` (version >= 0.1.0) Azure CLI extensions. Install these Azure CLI extensions by running the following commands:
+- Install the following Azure CLI extensions:
+ - `connectedk8s` (version 1.1.0 or later)
+ - `k8s-extension` (version 0.2.0 or later)
+ - `customlocation` (version 0.1.0 or later)
```azurecli az extension add --name connectedk8s
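Review bot: Converting the extension prerequisite into a bulleted list drops the sentence that introduced the code block ("Install these Azure CLI extensions by running the following commands:"), so the `azurecli` fence that follows the three sub-items now appears with no lead-in. Keep a short introductory line before the fence, for example as a final sub-item: "Install them by running:".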
A conceptual overview of this feature is available in [Custom locations - Azure
az extension add --name customlocation ```
- If the `connectedk8s`, `k8s-extension` and `customlocation` extensions are already installed, you can update them to the latest version using the following command:
+ If you've previously installed the `connectedk8s`, `k8s-extension`, and `customlocation` extensions, update to the latest version using the following command:
```azurecli az extension update --name connectedk8s
A conceptual overview of this feature is available in [Custom locations - Azure
az extension update --name customlocation ``` -- Provider registration is complete for `Microsoft.ExtendedLocation`.
+- Verify completed provider registration for `Microsoft.ExtendedLocation`.
1. Enter the following commands: ```azurecli
A conceptual overview of this feature is available in [Custom locations - Azure
az provider show -n Microsoft.ExtendedLocation -o table ```
+- Verify you have an existing [Azure Arc enabled Kubernetes connected cluster](quickstart-connect-cluster.md).
+ - [Upgrade your agents](agent-upgrade.md#manually-upgrade-agents) to version 1.1.0 or later.
+ >[!NOTE] >**Supported regions for custom locations:** >* East US
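Review bot: Moving the "connect a cluster" and "upgrade agents to 1.1.0 or later" requirements up into the prerequisites (they are deleted from the "Create custom location" steps below) is the right call, but the supported-regions callout that follows has `>[!NOTE]`, the bold lead-in and the `* East US` bullet all on one line; each needs its own `>`-prefixed line or the callout will not render as a list. Since the region list restricts where custom locations can be enabled at all, consider making it a top-level prerequisite rather than a sub-item of the connected-cluster bullet.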
az connectedk8s enable-features -n <clusterName> -g <resourceGroupName> --featur
## Create custom location
-1. Create an Azure Arc enabled Kubernetes cluster.
- - If you haven't connected a cluster yet, use our [quickstart](quickstart-connect-cluster.md).
- - [Upgrade your agents](agent-upgrade.md#manually-upgrade-agents) to version >= 1.1.0.
+1. Deploy the Azure service cluster extension of the Azure service instance you eventually want on your cluster:
-1. Deploy the cluster extension of the Azure service whose instance you eventually want on top of the custom location:
+ * Azure Arc enabled Data Services
+
+ ```azurecli
+ az k8s-extension create --name <extensionInstanceName> --extension-type microsoft.arcdataservices --cluster-type connectedClusters -c <clusterName> -g <resourceGroupName> --scope cluster --release-namespace arc --config Microsoft.CustomLocation.ServiceAccount=sa-bootstrapper
+ ```
+ > [!NOTE]
+ > Outbound proxy without authentication and outbound proxy with basic authentication are supported by the Arc enabled Data Services cluster extension. Outbound proxy that expects trusted certificates is currently not supported.
- ```azurecli
- az k8s-extension create --name <extensionInstanceName> --extension-type microsoft.arcdataservices --cluster-type connectedClusters -c <clusterName> -g <resourceGroupName> --scope cluster --release-namespace arc --config Microsoft.CustomLocation.ServiceAccount=sa-bootstrapper
- ```
- > [!NOTE]
- > Outbound proxy without authentication and outbound proxy with basic authentication are supported by the Arc enabled Data Services cluster extension. Outbound proxy that expects trusted certificates is currently not supported.
+ * [Azure App Service on Azure Arc](../../app-service/overview-arc-integration.md)
+
+ ```azurecli
+ az k8s-extension create --name <extensionInstanceName> --extension-type 'Microsoft.Web.Appservice' --cluster-type connectedClusters -c <clusterName> -g <resourceGroupName> --scope cluster --release-namespace appservice-ns --configuration-settings "Microsoft.CustomLocation.ServiceAccount=default" --configuration-settings "appsNamespace=appservice-ns"
+ ```
+
+ * [Event Grid on Kubernetes](/azure/event-grid/kubernetes/overview)
+
+ ```azurecli
+ az k8s-extension create --name <extensionInstanceName> --extension-type Microsoft.EventGrid --cluster-type connectedClusters -c <clusterName> -g <resourceGroupName> --scope cluster --release-namespace eventgrid-ext --configuration-protected-settings-file protected-settings-extension.json --configuration-settings-file settings-extension.json
+ ```
1. Get the Azure Resource Manager identifier of the Azure Arc enabled Kubernetes cluster, referenced in later steps as `connectedClusterId`:
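Review bot: The three `az k8s-extension create` commands pass extension configuration inconsistently: the Data Services command uses `--config Microsoft.CustomLocation.ServiceAccount=sa-bootstrapper` while the App Service and Event Grid commands use `--configuration-settings`; settle on one form so readers copying between them do not trip over the parameter name. The Event Grid command also references `protected-settings-extension.json` and `settings-extension.json` without saying what they contain or where they come from; because `--configuration-protected-settings-file` is the channel for values treated as secrets, add a sentence (or a link into the Event Grid doc) describing the expected contents and that the protected file should be kept out of source control. Finally, App Service is bound to the `default` service account while Data Services gets a dedicated `sa-bootstrapper`; a sentence on why the two differ would help, since that account is the one named in `Microsoft.CustomLocation.ServiceAccount`.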
az connectedk8s enable-features -n <clusterName> -g <resourceGroupName> --featur
## Next steps
-> [!div class="nextstepaction"]
-> Securely connect to the cluster using [Cluster Connect](cluster-connect.md)
+- Securely connect to the cluster using [Cluster Connect](cluster-connect.md).
+- Continue with [Azure App Service on Azure Arc](../../app-service/overview-arc-integration.md) for end-to-end instructions on installing extensions, creating custom locations, and creating the App Service Kubernetes environment.
+- Create an Event Grid topic and an event subscription for [Event Grid on Kubernetes](/azure/event-grid/kubernetes/overview).
+- Learn more about currently available [Azure Arc enabled Kubernetes extensions](extensions.md#currently-available-extensions).
+
azure-arc Extensions https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/azure-arc/kubernetes/extensions.md
Title: "Azure Arc enabled Kubernetes cluster extensions" Previously updated : 04/05/2021 Last updated : 05/25/2021 description: "Deploy and manage lifecycle of extensions on Azure Arc enabled Kubernetes"
-# Kubernetes cluster extensions
+# Deploy and manage Azure Arc enabled Kubernetes cluster extensions
The Kubernetes extensions feature enables the following on Azure Arc enabled Kubernetes clusters: * Azure Resource Manager-based deployment of cluster extension. * Lifecycle management of extension Helm charts.
+In this article, you learn:
+> [!div class="checklist"]
+> * Current available Azure Arc enabled Kubernetes cluster extensions.
+> * How to create extension instances.
+> * Required and optional parameters.
+> * How to view, list, update, and delete extension instances.
+ A conceptual overview of this feature is available in [Cluster extensions - Azure Arc enabled Kubernetes](conceptual-extensions.md) article. [!INCLUDE [preview features note](./includes/preview/preview-callout.md)]
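Review bot: In the checklist, "Current available Azure Arc enabled Kubernetes cluster extensions" should read "Currently available ...". The "A conceptual overview ..." sentence and the `[!INCLUDE ...]` directive also share one line here; put the include on its own line so it expands.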
A conceptual overview of this feature is available in [Cluster extensions - Azur
| | -- | | [Azure Monitor](../../azure-monitor/containers/container-insights-enable-arc-enabled-clusters.md?toc=/azure/azure-arc/kubernetes/toc.json) | Provides visibility into the performance of workloads deployed on the Kubernetes cluster. Collects memory and CPU utilization metrics from controllers, nodes, and containers. | | [Azure Defender](../../security-center/defender-for-kubernetes-azure-arc.md?toc=/azure/azure-arc/kubernetes/toc.json) | Gathers information related to security like audit log data from the Kubernetes cluster. Provides recommendations and threat alerts based on gathered data. |
+| [Azure Arc enabled Open Service Mesh](tutorial-arc-enabled-open-service-mesh.md) | Deploys Open Service Mesh on the cluster and enables capabilities like mTLS security, fine grained access control, traffic shifting, monitoring with Azure Monitor or with open source add-ons of Prometheus and Grafana, tracing with Jaeger, integration with external certification management solution. |
+| [Azure Arc enabled Data Services](../../azure-arc/kubernetes/custom-locations.md#create-custom-location) | Makes it possible for you to run Azure data services on-prem, at the edge, and in public clouds using Kubernetes and the infrastructure of your choice. |
+| [Azure App Service on Azure Arc](../../app-service/overview-arc-integration.md) | Allows you to provision an App Service Kubernetes environment on top of Azure Arc enabled Kubernetes clusters. |
+| [Event Grid on Kubernetes](/azure/event-grid/kubernetes/overview) | Create and manage event grid resources such as topics and event subscriptions on top of Azure Arc enabled Kubernetes clusters. |
+| [Azure API Management on Azure Arc](/azure/api-management/how-to-deploy-self-hosted-gateway-azure-arc) | Deploy and manage API Management gateway on Azure Arc enabled Kubernetes clusters. |
## Usage of cluster extensions
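Review bot: The Open Service Mesh row's description is a single run-on list; "fine grained" should be hyphenated ("fine-grained"), and "integration with external certification management solution" almost certainly means "integration with external certificate management solutions" (OSM manages mTLS certificates, not certifications). Suggest splitting the sentence: "Deploys Open Service Mesh on the cluster and enables mTLS, fine-grained access control, and traffic shifting. Supports monitoring with Azure Monitor or with the open-source Prometheus and Grafana add-ons, tracing with Jaeger, and integration with external certificate management solutions."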
az k8s-extension create --name azuremonitor-containers --extension-type Microso
> [!NOTE] > * The service is unable to retain sensitive information for more than 48 hours. If Azure Arc enabled Kubernetes agents don't have network connectivity for more than 48 hours and cannot determine whether to create an extension on the cluster, then the extension transitions to `Failed` state. Once in `Failed` state, you will need to run `k8s-extension create` again to create a fresh extension Azure resource.
-> * * Azure Monitor for containers is a singleton extension (only one required per cluster). You'll need to clean up any previous Helm chart installations of Azure Monitor for containers (without extensions) before installing the same via extensions. Follow the instructions for [deleting the Helm chart before running `az k8s-extension create`](../../azure-monitor/containers/container-insights-optout-hybrid.md).
+> * Azure Monitor for containers is a singleton extension (only one required per cluster). You'll need to clean up any previous Helm chart installations of Azure Monitor for containers (without extensions) before installing the same via extensions. Follow the instructions for [deleting the Helm chart before running `az k8s-extension create`](../../azure-monitor/containers/container-insights-optout-hybrid.md).
**Required parameters**
az k8s-extension delete --name azuremonitor-containers --cluster-name <clusterNa
>[!NOTE] > The Azure resource representing this extension gets deleted immediately. The Helm release on the cluster associated with this extension is only deleted when the agents running on the Kubernetes cluster have network connectivity and can reach out to Azure services again to fetch the desired state. - ## Next steps Learn more about the cluster extensions currently available for Azure Arc enabled Kubernetes:+ > [!div class="nextstepaction"] > [Azure Monitor](../../azure-monitor/containers/container-insights-enable-arc-enabled-clusters.md?toc=/azure/azure-arc/kubernetes/toc.json)
-> [Azure Defender](../../security-center/defender-for-kubernetes-azure-arc.md?toc=/azure/azure-arc/kubernetes/toc.json)
+> [Azure Defender](../../security-center/defender-for-kubernetes-azure-arc.md?toc=/azure/azure-arc/kubernetes/toc.json)
+> [Azure Arc enabled Open Service Mesh](tutorial-arc-enabled-open-service-mesh.md)
+>
+> [!div class="nextstepaction"]
+> [Azure Defender](../../security-center/defender-for-kubernetes-azure-arc.md?toc=/azure/azure-arc/kubernetes/toc.json)
+>
+> [!div class="nextstepaction"]
+> [Azure App Service on Azure Arc](../../app-service/overview-arc-integration.md)
+>
+> [!div class="nextstepaction"]
+> [Event Grid on Kubernetes](/azure/event-grid/kubernetes/overview)
+>
+> [!div class="nextstepaction"]
+> [Azure API Management on Azure Arc](/azure/api-management/how-to-deploy-self-hosted-gateway-azure-arc)
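Review bot: The Azure Defender link now appears twice in "Next steps": once inside the first `nextstepaction` div (together with Azure Monitor and Open Service Mesh) and again as its own `nextstepaction` div a few lines later. Drop one of them, and for consistency give each link its own `[!div class="nextstepaction"]` block, as is done for App Service, Event Grid and API Management.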
azure-arc Overview https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/azure-arc/kubernetes/overview.md
Title: "Overview of Azure Arc enabled Kubernetes"
# Previously updated : 03/03/2021 Last updated : 05/25/2021
Azure Arc enabled Kubernetes supports the following scenarios:
* Apply policies using Azure Policy for Kubernetes.
+* Create [custom locations](./custom-locations.md) as target locations for deploying Azure Arc enabled Data Services, [App Services on Azure Arc](../../app-service/overview-arc-integration.md) (including web, function, and logic apps) and [Event Grid on Kubernetes](/azure/event-grid/kubernetes/overview).
+ [!INCLUDE [azure-lighthouse-supported-service](../../../includes/azure-lighthouse-supported-service.md)] ## Supported regions
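Review bot: The new scenario bullet calls the feature "App Services on Azure Arc", whereas the custom-locations and extensions articles in this same change call it "Azure App Service on Azure Arc"; align on one name. The `[!INCLUDE ...]` directive and the `## Supported regions` heading also share one line in the last added line; each needs its own line to render.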
azure-arc Quickstart Connect Cluster https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/azure-arc/kubernetes/quickstart-connect-cluster.md
- Title: 'Quickstart: Connect an existing Kubernetes cluster to Azure Arc'
-description: "In this quickstart, learn how to connect an Azure Arc enabled Kubernetes cluster."
---- Previously updated : 03/03/2021-
-keywords: "Kubernetes, Arc, Azure, cluster"
--
-# Quickstart: Connect an existing Kubernetes cluster to Azure Arc
-
-In this quickstart, we'll reap the benefits of Azure Arc enabled Kubernetes and connect an existing Kubernetes cluster to Azure Arc. For a conceptual take on connecting clusters to Azure Arc, see the [Azure Arc enabled Kubernetes Agent Architecture article](./conceptual-agent-architecture.md).
---
-* An up-and-running Kubernetes cluster. If you don't have one, you can create a cluster using one of these options:
- * [Kubernetes in Docker (KIND)](https://kind.sigs.k8s.io/)
- * Create a Kubernetes cluster using Docker for [Mac](https://docs.docker.com/docker-for-mac/#kubernetes) or [Windows](https://docs.docker.com/docker-for-windows/#kubernetes)
- * Self-managed Kubernetes cluster using [Cluster API](https://cluster-api.sigs.k8s.io/user/quick-start.html)
- * If you want to connect a OpenShift cluster to Azure Arc, you need to execute the following command just once on your cluster before running `az connectedk8s connect`:
-
- ```console
- oc adm policy add-scc-to-user privileged system:serviceaccount:azure-arc:azure-arc-kube-aad-proxy-sa
- ```
-
- >[!NOTE]
- > The cluster needs to have at least one node of operating system and architecture type `linux/amd64`. Clusters with only `linux/arm64` nodes aren't yet supported.
-
-* A `kubeconfig` file and context pointing to your cluster.
-* 'Read' and 'Write' permissions on the Azure Arc enabled Kubernetes resource type (`Microsoft.Kubernetes/connectedClusters`).
-
-* Install the [latest release of Helm 3](https://helm.sh/docs/intro/install).
-
-* [Install or upgrade Azure CLI](/cli/azure/install-azure-cli) to version >= 2.16.0
-* Install the `connectedk8s` Azure CLI extension of version >= 1.0.0:
-
- ```azurecli
- az extension add --name connectedk8s
- ```
-
->[!TIP]
-> If the `connectedk8s` extension is already installed, update it to the latest version using the following command - `az extension update --name connectedk8s`
-
->[!NOTE]
->The list of regions supported by Azure Arc enabled Kubernetes can be found [here](https://azure.microsoft.com/global-infrastructure/services/?products=azure-arc).
-
->[!NOTE]
-> If you want to use custom locations on the cluster, then use East US or West Europe regions for connecting your cluster as custom locations is only available in these regions as of now. All other Azure Arc enabled Kubernetes features are available in all regions listed above.
-
-## Meet network requirements
-
->[!IMPORTANT]
->Azure Arc agents require the following protocols/ports/outbound URLs to function:
->* TCP on port 443: `https://:443`
->* TCP on port 9418: `git://:9418`
-
-| Endpoint (DNS) | Description |
-| -- | - |
-| `https://management.azure.com` | Required for the agent to connect to Azure and register the cluster. |
-| `https://<region>.dp.kubernetesconfiguration.azure.com` | Data plane endpoint for the agent to push status and fetch configuration information. |
-| `https://login.microsoftonline.com` | Required to fetch and update Azure Resource Manager tokens. |
-| `https://mcr.microsoft.com` | Required to pull container images for Azure Arc agents. |
-| `https://eus.his.arc.azure.com`, `https://weu.his.arc.azure.com`, `https://wcus.his.arc.azure.com`, `https://scus.his.arc.azure.com`, `https://sea.his.arc.azure.com`, `https://uks.his.arc.azure.com`, `https://wus2.his.arc.azure.com`, `https://ae.his.arc.azure.com`, `https://eus2.his.arc.azure.com`, `https://ne.his.arc.azure.com` | Required to pull system-assigned Managed Service Identity (MSI) certificates. |
-
-## Register providers for Azure Arc enabled Kubernetes
-
-1. Enter the following commands:
- ```azurecli
- az provider register --namespace Microsoft.Kubernetes
- az provider register --namespace Microsoft.KubernetesConfiguration
- az provider register --namespace Microsoft.ExtendedLocation
- ```
-2. Monitor the registration process. Registration may take up to 10 minutes.
- ```azurecli
- az provider show -n Microsoft.Kubernetes -o table
- az provider show -n Microsoft.KubernetesConfiguration -o table
- az provider show -n Microsoft.ExtendedLocation -o table
- ```
-
-## Create a resource group
-
-Create a resource group:
-
-```console
-az group create --name AzureArcTest -l EastUS -o table
-```
-
-```output
-Location Name
--
-eastus AzureArcTest
-```
-
-## Connect an existing Kubernetes cluster
-
-1. Connect your Kubernetes cluster to Azure Arc using the following command:
- ```console
- az connectedk8s connect --name AzureArcTest1 --resource-group AzureArcTest
- ```
-
- ```output
- Helm release deployment succeeded
-
- {
- "aadProfile": {
- "clientAppId": "",
- "serverAppId": "",
- "tenantId": ""
- },
- "agentPublicKeyCertificate": "xxxxxxxxxxxxxxxxxxx",
- "agentVersion": null,
- "connectivityStatus": "Connecting",
- "distribution": "gke",
- "id": "/subscriptions/xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx/resourceGroups/AzureArcTest/providers/Microsoft.Kubernetes/connectedClusters/AzureArcTest1",
- "identity": {
- "principalId": "xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx",
- "tenantId": "xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx",
- "type": "SystemAssigned"
- },
- "infrastructure": "gcp",
- "kubernetesVersion": null,
- "lastConnectivityTime": null,
- "location": "eastus",
- "managedIdentityCertificateExpirationTime": null,
- "name": "AzureArcTest1",
- "offering": null,
- "provisioningState": "Succeeded",
- "resourceGroup": "AzureArcTest",
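Review bot: This hunk removes the quickstart's prerequisites, the network requirements table, the provider registration steps and the connect walkthrough, yet the custom-locations change in this same update adds a link to `quickstart-connect-cluster.md` ("Verify you have an existing Azure Arc enabled Kubernetes connected cluster"); confirm the file is being rewritten or renamed rather than deleted, or that link breaks. If the content is being relocated, make sure the outbound endpoint table and the OpenShift step (`oc adm policy add-scc-to-user privileged ...` for the `azure-arc-kube-aad-proxy-sa` service account) survive with their explanations, since granting the `privileged` SCC is a decision cluster operators need the rationale for, and the endpoint list is what they will use to scope egress rules.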