Commit 34ce7e0

authored
Merge pull request #115279 from MicrosoftDocs/release-build-mm-b2x-docs
Release build mm b2x docs
2 parents ef40bbf + f9969df commit 34ce7e0

36 files changed

+646
-85
lines changed

articles/active-directory/b2b/add-users-administrator.md

Lines changed: 1 addition & 1 deletion
Original file line numberDiff line numberDiff line change
@@ -7,7 +7,7 @@ services: active-directory
77
ms.service: active-directory
88
ms.subservice: B2B
99
ms.topic: conceptual
10-
ms.date: 05/11/2020
10+
ms.date: 05/19/2020
1111

1212
ms.author: mimart
1313
author: msmimart

articles/active-directory/b2b/auditing-and-reporting.md

Lines changed: 1 addition & 1 deletion
@@ -20,7 +20,7 @@ ms.collection: M365-identity-device-management
2020
With guest users, you have auditing capabilities similar to with member users.
2121

2222
## Access reviews
23-
You can use access reviews to periodically verify whether guest users still need access to your resources. The **Access reviews** feature is available in **Azure Active Directory** under **Organizational Relationships** > **Access reviews** (or **External Identities** > **Access reviews** ). You can also search for "access reviews" from **All services** in the Azure portal. To learn how to use access reviews, see [Manage guest access with Azure AD access reviews](../governance/manage-guest-access-with-access-reviews.md).
23+
You can use access reviews to periodically verify whether guest users still need access to your resources. The **Access reviews** feature is available in **Azure Active Directory** under **External Identities** > **Access reviews**. You can also search for "access reviews" from **All services** in the Azure portal. To learn how to use access reviews, see [Manage guest access with Azure AD access reviews](../governance/manage-guest-access-with-access-reviews.md).
2424

2525
## Audit logs
2626

Lines changed: 27 additions & 21 deletions
@@ -1,13 +1,13 @@
11
---
22

3-
title: Compare B2B collaboration and B2C - Azure Active Directory | Microsoft Docs
4-
description: What is the difference between Azure Active Directory B2B collaboration and Azure AD B2C?
3+
title: Compare External Identities - Azure Active Directory | Microsoft Docs
4+
description: Azure AD External Identities allow people outside your organization to access your apps and resources using their own identity. Compare solutions for External Identities, including Azure Active Directory B2B collaboration and Azure AD B2C.
55

66
services: active-directory
77
ms.service: active-directory
88
ms.subservice: B2B
99
ms.topic: overview
10-
ms.date: 07/22/2019
10+
ms.date: 05/19/2020
1111

1212
ms.author: mimart
1313
author: msmimart
@@ -17,31 +17,37 @@ ms.reviewer: elisolMS
1717
ms.collection: M365-identity-device-management
1818
---
1919

20-
# Compare B2B collaboration and B2C in Azure Active Directory
20+
# Compare solutions for External Identities in Azure Active Directory
2121

22-
Both Azure Active Directory (Azure AD) B2B collaboration and Azure AD B2C allow you to work with external users in Azure AD. But how do they compare?
22+
With External Identities in Azure AD, you can allow people outside your organization to access your apps and resources, while letting them sign in using whatever identity they prefer. Your partners, distributors, suppliers, vendors, and other guest users can "bring their own identities." Whether they're part of Azure AD or another IT-managed system, or have an unmanaged social identity like Google or Facebook, they can use their own credentials to sign in. The identity provider manages the external user’s identity, and you manage access to your apps with Azure AD to keep your resources protected.
2323

24-
**Azure AD B2B** is for businesses that want to securely share files and resources with external users so they can collaborate. An Azure admin sets up B2B in the Azure portal, and Azure AD takes care of federation between your business and your external partner. Users sign in to the shared resources using a simple invitation and redemption process with their work or school account, or any email account.
25-
26-
**Azure AD B2C** is primarily for businesses and developers that create customer-facing apps. With Azure AD B2C, developers can use Azure AD as the full-featured identity system for their application, while letting customers sign in with an identity they already have established (like Facebook or Gmail).
24+
## External Identities scenarios
2725

28-
The table below gives a detailed comparison.
26+
Azure AD External Identities focuses less on a user's relationship to your organization and more on the way an individual wants to sign in to your apps and resources. Within this framework, Azure AD supports a variety of scenarios from business-to-business (B2B) collaboration to app development for customers and consumers (business-to-consumer, or B2C).
2927

28+
- **Share apps with external users (B2B collaboration)**. Invite external users into your own tenant as "guest" users that you can assign permissions to (for authorization) while allowing them to use their existing credentials (for authentication). Users sign in to the shared resources using a simple invitation and redemption process with their work account, school account, or any email account. And now with the availability of Self-service sign-up user flows (Preview), you can also provide a sign-in experience for your external users through the application you want to share. You can configure user flow settings to control how the user signs up for the application and that allows them to use their work account, school account, or any social identity (like Google or Facebook) they want to use. For more information, see the [Azure AD B2B documentation](index.yml).
3029

31-
B2B collaboration capabilities | Azure AD B2C stand-alone offering
32-
-------- | --------
33-
Intended for: Organizations that want to be able to authenticate users from a partner organization, regardless of identity provider. | Intended for: Inviting customers of your mobile and web apps, whether individuals, institutional or organizational customers into your Azure AD.
34-
Identities supported: Employees with work or school accounts, partners with work or school accounts, or any email address. Soon to support direct federation. | Identities supported: Consumer users with local application accounts (any email address or user name) or any supported social identity with direct federation.
35-
External users are managed in the same directory as employees, but annotated specially. They can be managed the same way as employees, they can be added to the same groups, and so on | External users are managed in the application directory. They're managed separately from the organization’s employee and partner directory (if any).
36-
Single sign-on (SSO) to all Azure AD-connected apps is supported. For example, you can provide access to Office 365 or on-premises apps, and to other SaaS apps such as Salesforce or Workday. | SSO to customer owned apps within the Azure AD B2C tenants is supported. SSO to Office 365 or to other Microsoft SaaS apps is not supported.
37-
Partner lifecycle: Managed by the host/inviting organization. | Customer lifecycle: Self-serve or managed by the application.
38-
Security policy and compliance: Managed by the host/inviting organization (for example, with [Conditional Access policies](https://docs.microsoft.com/azure/active-directory/b2b/conditional-access)). | Security policy and compliance: Managed by the application.
39-
Branding: Host/inviting organization’s brand is used. | Branding: Managed by application. Typically tends to be product branded, with the organization fading into the background.
40-
More info: [Blog post](https://blogs.technet.microsoft.com/enterprisemobility/2017/02/01/azure-ad-b2b-new-updates-make-cross-business-collab-easy/), [Documentation](what-is-b2b.md) | More info: [Product page](https://azure.microsoft.com/services/active-directory-b2c/), [Documentation](https://docs.microsoft.com/azure/active-directory-b2c/)
30+
- **Develop apps intended for other Azure AD tenants (single-tenant or multi-tenant)**. When developing applications for Azure AD, you can target users from a single organization (single tenant), or users from any organization that already has an Azure AD tenant (called multi-tenant applications). These multi-tenant applications are registered once by yourself in your own Azure AD, but can then be used by any Azure AD user from any organization without any additional work on your part.
4131

32+
- **Develop white-labeled apps for consumers and customers (Azure AD B2C)**. If you're a business or developer creating customer-facing apps, you can scale to consumers, customers, or citizens by using an Azure AD B2C. Developers can use Azure AD as the full-featured identity system for their application, while letting customers sign in with an identity they already have established (like Facebook or Gmail). With Azure AD B2C, you can completely customize and control how customers sign up, sign in, and manage their profiles when using your applications. For more information, see the [Azure AD B2C documentation](https://docs.microsoft.com/azure/active-directory-b2c/).
33+
34+
The table below gives a detailed comparison of the various scenarios you can enable with Azure AD External Identities.
35+
36+
| Multi-tenant applications | External user collaboration (B2B) | Apps for consumers or customers (B2C) |
37+
| ---- | --- | --- |
38+
| Primary scenario: Enterprise Software-as-a-Service (SaaS) | Primary scenario: Collaboration using Microsoft applications (Office 365, Teams, ...) or your own collaboration software. | Primary scenario: Transactional applications using custom developed applications. |
39+
| Intended for: Organizations that want to provide software to many enterprise customers. | Intended for: Organizations that want to be able to authenticate users from a partner organization, regardless of identity provider. | Intended for: Inviting customers of your mobile and web apps, whether individuals, institutional or organizational customers into an Azure AD directory separate from your own organization's directory. |
40+
| Identities supported: Employees with Azure AD accounts. | Identities supported: Employees with work or school accounts, partners with work or school accounts, or any email address. Soon to support direct federation. | Identities supported: Consumer users with local application accounts (any email address or user name) or any supported social identity with direct federation. |
41+
| External users are managed in their own directory, isolated from the directory where the application was registered. | External users are managed in the same directory as employees, but annotated specially. They can be managed the same way as employees, they can be added to the same groups, and so on. | External users are managed in the application directory. They're managed separately from the organization's employee and partner directory (if any). |
42+
| Single sign-on: SSO to all Azure AD-connected apps is supported. | Single sign-on: SSO to all Azure AD-connected apps is supported. For example, you can provide access to Office 365 or on-premises apps, and to other SaaS apps such as Salesforce or Workday. | Single sign-on: SSO to customer owned apps within the Azure AD B2C tenants is supported. SSO to Office 365 or to other Microsoft SaaS apps is not supported. |
43+
| Customer lifecycle: Managed by the user's home organization. | Partner lifecycle: Managed by the host/inviting organization. | Customer lifecycle: Self-serve or managed by the application. |
44+
| Security policy and compliance: Managed by the host/inviting organization (for example, with [Conditional Access policies](https://docs.microsoft.com/azure/active-directory/b2b/conditional-access)). | Security policy and compliance: Managed by the host/inviting organization (for example, with [Conditional Access policies](https://docs.microsoft.com/azure/active-directory/b2b/conditional-access)). | Security policy and compliance: Managed by the application. |
45+
| Branding: Host/inviting organization's brand is used. | Branding: Host/inviting organization's brand is used. | Branding: Managed by application. Typically tends to be product branded, with the organization fading into the background. |
46+
| More info: [Manage identity in multi-tenant applications](https://docs.microsoft.com/azure/architecture/multitenant-identity/), [How-to Guide](https://docs.microsoft.com/azure/active-directory/develop/howto-convert-app-to-be-multi-tenant) | More info: [Blog post](https://blogs.technet.microsoft.com/enterprisemobility/2017/02/01/azure-ad-b2b-new-updates-make-cross-business-collab-easy/), [Documentation](what-is-b2b.md) | More info: [Product page](https://azure.microsoft.com/services/active-directory-b2c/), [Documentation](https://docs.microsoft.com/azure/active-directory-b2c/) |
47+
48+
Secure and manage customers and partners beyond your organizational boundaries with Azure AD External Identities.
4249

4350
### Next steps
4451

4552
- [What is Azure AD B2B collaboration?](what-is-b2b.md)
46-
- [B2B collaboration user properties](user-properties.md)
47-
53+
- [About Azure AD B2C](https://docs.microsoft.com/azure/active-directory-b2c/overview)
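
Review bot: In the new comparison table, the **Multi-tenant applications** column repeats the B2B wording for two rows ("Security policy and compliance: Managed by the host/inviting organization" and "Branding: Host/inviting organization's brand is used"), yet the same column says external users are "managed in their own directory" and the lifecycle is "Managed by the user's home organization", with no invitation involved. Please state explicitly which party owns Conditional Access and branding for multi-tenant apps, since readers will use this table to decide where access policy is enforced. Two smaller points in the same hunk: the B2B column still says "Soon to support direct federation" although direct-federation.md, touched in this commit, already documents configuring it, and the B2C bullet reads "by using an Azure AD B2C" (drop "an"). The removal of the user-properties.md link from **Next steps** looks unrelated to the rename; confirm it is intended.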

articles/active-directory/b2b/delegate-invitations.md

Lines changed: 1 addition & 1 deletion
@@ -35,7 +35,7 @@ By default, all users, including guests, can invite guest users.
3535

3636
1. Sign in to the [Azure portal](https://portal.azure.com) as a tenant administrator.
3737
2. Select **Azure Active Directory**.
38-
3. Select **Organizational Relationships** > **Settings** (or select **External Identities** > **External collaboration settings**).
38+
3. Select **External Identities** > **External collaboration settings**.
3939
6. On the **External collaboration settings** page, choose the policies you want to enable.
4040

4141
![External collaboration settings](./media/delegate-invitations/control-who-to-invite.png)
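
Review bot: The procedure around the changed step is numbered 1, 2, 3, 6 in the source; since step 3 is being edited anyway, renumber "6. On the **External collaboration settings** page, choose the policies you want to enable." to 4 so the list reads sequentially. The section opens with "By default, all users, including guests, can invite guest users", so it is worth keeping these steps easy to follow for admins who want to restrict that default.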

articles/active-directory/b2b/direct-federation.md

Lines changed: 3 additions & 3 deletions
@@ -143,7 +143,7 @@ Next, you'll configure federation with the identity provider configured in step
143143
### To configure direct federation in the Azure AD portal
144144

145145
1. Go to the [Azure portal](https://portal.azure.com/). In the left pane, select **Azure Active Directory**.
146-
2. Select **Organizational Relationships** > **All identity providers** (or **External Identities** > **All identity providers**).
146+
2. Select **External Identities** > **All identity providers**.
147147
3. Select , and then select **New SAML/WS-Fed IdP**.
148148

149149
![Screenshot showing button for adding a new SAML or WS-Fed IdP](media/direct-federation/new-saml-wsfed-idp.png)
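
Review bot: Step 3, directly below the changed line, reads "Select , and then select **New SAML/WS-Fed IdP**" with nothing after the first "Select". While this procedure is open, name the control the reader is meant to select first, or reduce the step to "Select **New SAML/WS-Fed IdP**".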
@@ -191,7 +191,7 @@ Now test your direct federation setup by inviting a new B2B guest user. For deta
191191
## How do I edit a direct federation relationship?
192192

193193
1. Go to the [Azure portal](https://portal.azure.com/). In the left pane, select **Azure Active Directory**.
194-
2. Select **Organizational Relationships** (or **External Identities**).
194+
2. Select **External Identities**.
195195
3. Select **All identity providers**
196196
4. Under **SAML/WS-Fed identity providers**, select the provider.
197197
5. In the identity provider details pane, update the values.
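
Review bot: Steps 2 and 3 of the edit procedure could use the single path form that the configure procedure now uses ("Select **External Identities** > **All identity providers**"), which keeps the three procedures in this file consistent after the rename. Step 3 here is also missing its closing period, unlike the same step in the removal procedure.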
@@ -203,7 +203,7 @@ You can remove your direct federation setup. If you do, direct federation guest
203203
To remove direct federation with an identity provider in the Azure AD portal:
204204

205205
1. Go to the [Azure portal](https://portal.azure.com/). In the left pane, select **Azure Active Directory**.
206-
2. Select **Organizational Relationships** (or **External Identities**).
206+
2. Select **External Identities**.
207207
3. Select **All identity providers**.
208208
4. Select the identity provider, and then select **Delete**.
209209
5. Select **Yes** to confirm deletion.
Lines changed: 69 additions & 0 deletions
@@ -0,0 +1,69 @@
1+
---
2+
3+
title: Add Facebook as an identity provider - Azure AD
4+
description: Federate with Facebook to enable external users (guests) to sign in to your Azure AD apps with their own Facebook accounts.
5+
6+
services: active-directory
7+
ms.service: active-directory
8+
ms.subservice: B2B
9+
ms.topic: conceptual
10+
ms.date: 05/19/2020
11+
12+
ms.author: mimart
13+
author: msmimart
14+
manager: celestedg
15+
ms.reviewer: mal
16+
ms.custom: "it-pro, seo-update-azuread-jan"
17+
ms.collection: M365-identity-device-management
18+
---
19+
20+
# Add Facebook as an identity provider for External Identities
21+
22+
You can add Facebook to your self-service sign-up user flows (Preview) so that users can sign in to your applications using their own Facebook accounts. To allow users to sign in using Facebook, you'll first need to [enable self-service sign-up](self-service-sign-up-user-flow.md) for your tenant. After you add Facebook as an identity provider, set up a user flow for the application and select Facebook as one of the sign-in options.
23+
24+
## Create an app in the Facebook developers console
25+
26+
To use a Facebook account as an [identity provider](identity-providers.md), you need to create an application in the Facebook developers console. If you don't already have a Facebook account, you can sign up at [https://www.facebook.com/](https://www.facebook.com).
27+
28+
> [!NOTE]
29+
> Use the following URLs in the steps 9 and 16 below.
30+
> - For **Site URL** enter `https://login.microsoftonline.com`.
31+
> - For **Valid OAuth redirect URIs**, enter `https://login.microsoftonline.com/te/<tenant-id>/oauth2/authresp`. You can find your `<tenant-ID>` in the Azure Active Directory Overview blade.
32+
33+
34+
1. Sign in to [Facebook for developers](https://developers.facebook.com/) with your Facebook account credentials.
35+
2. If you have not already done so, you need to register as a Facebook developer. To do this, select **Get Started** on the upper-right corner of the page, accept Facebook's policies, and complete the registration steps.
36+
3. Select **My Apps** and then **Create App**.
37+
4. Enter a **Display Name** and a valid **Contact Email**.
38+
5. Select **Create App ID**. This may require you to accept Facebook platform policies and complete an online security check.
39+
6. Select **Settings** > **Basic**.
40+
7. Choose a **Category**, for example Business and Pages. This value is required by Facebook, but not used for Azure AD.
41+
8. At the bottom of the page, select **Add Platform**, and then select **Website**.
42+
9. In **Site URL**, enter the appropriate URL (noted above).
43+
10. In **Privacy Policy URL**, enter the URL for the page where you maintain privacy information for your application, for example `http://www.contoso.com`.
44+
11. Select **Save Changes**.
45+
12. At the top of the page, copy the value of **App ID**.
46+
13. Select **Show** and copy the value of **App Secret**. You use both of them to configure Facebook as an identity provider in your tenant. **App Secret** is an important security credential.
47+
14. Select the plus sign next to **PRODUCTS**, and then select **Set up** under **Facebook Login**.
48+
15. Under **Facebook Login**, select **Settings**.
49+
16. In **Valid OAuth redirect URIs**, enter the appropriate URL (noted above).
50+
17. Select **Save Changes** at the bottom of the page.
51+
18. To make your Facebook application available to Azure AD, select the Status selector at the top right of the page and turn it **On** to make the Application public, and then select **Switch Mode**. At this point the Status should change from **Development** to **Live**.
52+
53+
## Configure a Facebook account as an identity provider
54+
55+
1. Sign in to the [Azure portal](https://portal.azure.com) as the global administrator of your Azure AD tenant.
56+
2. Under **Azure services**, select **Azure Active Directory**.
57+
3. In the left menu, select **External Identities**.
58+
4. Select **All identity providers**, then select **Facebook**.
59+
5. For the **Client ID**, enter the **App ID** of the Facebook application that you created earlier.
60+
6. For the **Client secret**, enter the **App Secret** that you recorded.
61+
62+
![Screenshot showing the Add social identity provider page](media/facebook-federation/add-social-identity-provider-page.png)
63+
64+
7. Select **Save**.
65+
66+
## Next steps
67+
68+
- [Invite external users for collaboration](add-users-administrator.md)
69+
- [Add self-service sign-up to an app](self-service-sign-up-user-flow.md)
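
Review bot: Step 13 of the Facebook console procedure says "**App Secret** is an important security credential" but gives the reader no handling guidance, even though the value is copied out of one portal and pasted into another in step 6 of the Azure procedure. Suggest adding a sentence telling admins not to store the secret in source control, tickets or chat, and to reset it in the Facebook console if it is exposed. In the NOTE block the redirect URI uses `<tenant-id>` while the following sentence refers to `<tenant-ID>`; use one spelling so readers do not think these are two different values. The Privacy Policy URL example in step 10 uses `http://www.contoso.com`; an `https://` example would match the other URLs in the article.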
