Merge pull request #179946 from MicrosoftDocs/master

11/15 AM Publish

Author: huypub

.github/workflows/stale.yml

@@ -20,7 +20,7 @@ jobs:
         exempt-pr-labels: keep-open
         operations-per-run: 1200
         ascending: true
-        start-date: '2021-08-10'
+        start-date: '2021-07-29'
         stale-pr-message: >
           This pull request has been inactive for at least 14 days.
           If you are finished with your changes, don't forget to sign off. See the [contributor guide](https://review.docs.microsoft.com/help/contribute/contribute-how-to-write-pull-request-automation) for instructions.

articles/active-directory/develop/custom-rbac-for-developers.md

@@ -9,7 +9,7 @@ ms.service: active-directory
 ms.subservice: develop
 ms.topic: conceptual
 ms.workload: identity 
-ms.date: 06/28/2021
+ms.date: 11/15/2021
 ms.custom: template-concept
 ms.author: cchiedo
 ms.reviewer: john.garland, maggie.marxen, ian.bennett, marsma
@@ -19,11 +19,7 @@ ms.reviewer: john.garland, maggie.marxen, ian.bennett, marsma
 
 # Role-based access control for application developers
 
-Role-based access control (RBAC) allows certain users or groups to have specific permissions regarding which resources they have access to, what they can do with those resources, and who manages which resources. This article explains application-specific role-based access control.
-
-> [!NOTE]
-> Application role-based access control differs from [Azure role-based access control](../../role-based-access-control/overview.md) and [Azure AD role-based access control](../roles/custom-overview.md#understand-azure-ad-role-based-access-control). Azure custom roles and built-in roles are both part of Azure RBAC, which helps you manage Azure resources. Azure AD RBAC allows you to manage Azure AD resources.
-
+Role-based access control (RBAC) allows certain users or groups to have specific permissions regarding which resources they have access to, what they can do with those resources, and who manages which resources. Application role-based access control differs from [Azure role-based access control](../../role-based-access-control/overview.md) and [Azure AD role-based access control](../roles/custom-overview.md#understand-azure-ad-role-based-access-control). Azure custom roles and built-in roles are both part of Azure RBAC, which helps you manage Azure resources. Azure AD RBAC allows you to manage Azure AD resources. This article explains application-specific role-based access control.
 
 
 ## What are roles?
@@ -62,8 +58,7 @@ App roles and groups both store information about user assignments in the Azure
 
 Using custom storage allows developers extra customization and control over how to assign roles to users and how to represent them. However, the extra flexibility also introduces more responsibility. For example, there's no mechanism currently available to include this information in tokens returned from Azure AD. If developers maintain role information in a custom data store, they'll need to have the apps retrieve the roles. This is typically done using extensibility points defined in the middleware available to the platform that is being used to develop the application. Furthermore, developers are responsible for properly securing the custom data store.
 
-> [!NOTE]
-> Using [Azure AD B2C Custom policies](../../active-directory-b2c/custom-policy-overview.md) it is possible to interact with custom data stores and to include custom claims within a token.
+Using [Azure AD B2C Custom policies](../../active-directory-b2c/custom-policy-overview.md) it is possible to interact with custom data stores and to include custom claims within a token.
 
 ## Choosing an approach
 
@@ -79,13 +74,10 @@ Although either app roles or groups can be used for authorization, key differenc
 |**Role values are static between Azure AD tenants**|Yes  |No |Depends on the implementation.|
 |**Role values can be used in multiple applications**|No. Unless role configuration is duplicated in each app registration.|Yes |Yes |
 |**Information stored within directory**|Yes  |Yes |No |
-|**Information is delivered via tokens**|Yes (roles claim)  |Yes* (groups claim) |No. Retrieved at runtime via custom code. |
+|**Information is delivered via tokens**|Yes (roles claim)  |Yes (In the case of an overage, *groups claims* may need to be retrieved at runtime) |No. Retrieved at runtime via custom code. |
 |**Lifetime**|Lives in app registration in directory. Removed when the app registration is removed.|Lives in directory. Remain intact even if the app registration is removed. |Lives in custom data store. Not tied to app registration.|
 
 
-> [!NOTE]
-> Yes* - In the case of an overage, *groups claims* may need to be retrieved at runtime.
-
 ## Next steps
 
 - [How to add app roles to your application and receive them in the token](./howto-add-app-roles-in-azure-ad-apps.md).

articles/active-directory/devices/hybrid-azuread-join-managed-domains.md

@@ -128,6 +128,14 @@ If some of your domain-joined devices are Windows down-level devices, you must:
 - Configure seamless SSO
 - Install Microsoft Workplace Join for Windows down-level computers
 
+Windows down-level devices are devices with older operating systems. The following are Windows down-level devices:
+
+- Windows 7
+- Windows 8.1
+- Windows Server 2008 R2
+- Windows Server 2012
+- Windows Server 2012 R2
+
 > [!NOTE]
 > Windows 7 support ended on January 14, 2020. For more information, see [Windows 7 support ended](https://support.microsoft.com/help/4057281/windows-7-support-ended-on-january-14-2020).
 

articles/active-directory/saas-apps/bic-cloud-design-provisioning-tutorial.md

@@ -0,0 +1,149 @@
+---
+title: 'Tutorial: Configure BIC Cloud Design for automatic user provisioning with Azure Active Directory | Microsoft Docs'
+description: Learn how to automatically provision and de-provision user accounts from Azure AD to BIC Cloud Design.
+services: active-directory
+documentationcenter: ''
+author: twimmers
+writer: Thwimmer
+manager: beatrizd
+
+ms.assetid: 1aace746-6f6d-4ac4-ad2c-7ba65bb86a72
+ms.service: active-directory
+ms.subservice: saas-app-tutorial
+ms.workload: identity
+ms.tgt_pltfrm: na
+ms.devlang: na
+ms.topic: article
+ms.date: 11/15/2021
+ms.author: Thwimmer
+---
+
+# Tutorial: Configure BIC Cloud Design for automatic user provisioning
+
+This tutorial describes the steps you need to perform in both BIC Cloud Design and Azure Active Directory (Azure AD) to configure automatic user provisioning. When configured, Azure AD automatically provisions and de-provisions users and groups to [BIC Cloud Design](https://www.gbtec.de/) using the Azure AD Provisioning service. For important details on what this service does, how it works, and frequently asked questions, see [Automate user provisioning and deprovisioning to SaaS applications with Azure Active Directory](../app-provisioning/user-provisioning.md). 
+
+
+## Capabilities supported
+> [!div class="checklist"]
+> * Create users in BIC Cloud Design.
+> * Remove users in BIC Cloud Design when they do not require access anymore.
+> * Keep user attributes synchronized between Azure AD and BIC Cloud Design.
+> * Provision groups and group memberships in BIC Cloud Design.
+> * [Single sign-on](bic-cloud-design-tutorial.md) to BIC Cloud Design.
+
+## Prerequisites
+
+The scenario outlined in this tutorial assumes that you already have the following prerequisites:
+
+* [An Azure AD tenant](../develop/quickstart-create-new-tenant.md). 
+* A user account in Azure AD with [permission](../roles/permissions-reference.md) to configure provisioning (for example, Application Administrator, Cloud Application administrator, Application Owner, or Global Administrator). 
+
+
+## Step 1. Plan your provisioning deployment
+1. Learn about [how the provisioning service works](../app-provisioning/user-provisioning.md).
+1. Determine who will be in [scope for provisioning](../app-provisioning/define-conditional-rules-for-provisioning-user-accounts.md).
+1. Determine what data to [map between Azure AD and BIC Cloud Design](../app-provisioning/customize-application-attributes.md). 
+
+## Step 2. Configure BIC Cloud Design to support provisioning with Azure AD
+
+To configure BIC Cloud Design to support provisioning with Azure AD - please write an email to [BIC Cloud Design support team](mailto:[email protected]).
+
+## Step 3. Add Contoso from the Azure AD application gallery
+
+Add BIC Cloud Design from the Azure AD application gallery to start managing provisioning to BIC Cloud Design. If you have previously setup BIC Cloud Design for SSO, you can use the same application. However it is recommended that you create a separate app when testing out the integration initially. Learn more about adding an application from the gallery [here](../manage-apps/add-application-portal.md). 
+
+## Step 4. Define who will be in scope for provisioning 
+
+The Azure AD provisioning service allows you to scope who will be provisioned based on assignment to the application and or based on attributes of the user / group. If you choose to scope who will be provisioned to your app based on assignment, you can use the following [steps](../manage-apps/assign-user-or-group-access-portal.md) to assign users and groups to the application. If you choose to scope who will be provisioned based solely on attributes of the user or group, you can use a scoping filter as described [here](../app-provisioning/define-conditional-rules-for-provisioning-user-accounts.md). 
+
+* When assigning users and groups to BIC Cloud Design, you must select a role other than **Default Access**. Users with the Default Access role are excluded from provisioning and will be marked as not effectively entitled in the provisioning logs. If the only role available on the application is the default access role, you can [update the application manifest](../develop/howto-add-app-roles-in-azure-ad-apps.md) to add more roles. 
+
+* Start small. Test with a small set of users and groups before rolling out to everyone. When scope for provisioning is set to assigned users and groups, you can control this by assigning one or two users or groups to the app. When scope is set to all users and groups, you can specify an [attribute based scoping filter](../app-provisioning/define-conditional-rules-for-provisioning-user-accounts.md). 
+
+
+## Step 5. Configure automatic user provisioning to BIC Cloud Design 
+
+This section guides you through the steps to configure the Azure AD provisioning service to create, update, and disable users and/or groups in BIC Cloud Design based on user and/or group assignments in Azure AD.
+
+### To configure automatic user provisioning for BIC Cloud Design in Azure AD:
+
+1. Sign in to the [Azure portal](https://portal.azure.com). Select **Enterprise Applications**, then select **All applications**.
+
+	![Enterprise applications blade](common/enterprise-applications.png)
+
+1. In the applications list, select **BIC Cloud Design**.
+
+	![The Contoso link in the Applications list](common/all-applications.png)
+
+1. Select the **Provisioning** tab.
+
+	![Provisioning tab](common/provisioning.png)
+
+1. Set the **Provisioning Mode** to **Automatic**.
+
+	![Provisioning tab automatic](common/provisioning-automatic.png)
+
+1. Under the **Admin Credentials** section, input your BIC Cloud Design Tenant URL and Secret Token. Click **Test Connection** to ensure Azure AD can connect to BIC Cloud Design. If the connection fails, ensure your BIC Cloud Design account has Admin permissions and try again.
+
+ 	![Token](common/provisioning-testconnection-tenanturltoken.png)
+
+1. In the **Notification Email** field, enter the email address of a person or group who should receive the provisioning error notifications and select the **Send an email notification when a failure occurs** check box.
+
+	![Notification Email](common/provisioning-notification-email.png)
+
+1. Select **Save**.
+
+1. Under the **Mappings** section, select **Synchronize Azure Active Directory Users to BIC Cloud Design**.
+
+1. Review the user attributes that are synchronized from Azure AD to BIC Cloud Design in the **Attribute-Mapping** section. The attributes selected as **Matching** properties are used to match the user accounts in BIC Cloud Design for update operations. If you choose to change the [matching target attribute](../app-provisioning/customize-application-attributes.md), you will need to ensure that the BIC Cloud Design API supports filtering users based on that attribute. Select the **Save** button to commit any changes.
+
+   |Attribute|Type|Supported for filtering|Required by Real Links|
+   |---|---|---|---|
+    |userName|String|✓|✓
+    |emails[type eq "work"].value|String|✓|✓
+    |active|Boolean||✓
+    |roles[primary eq "True"].value|String||✓
+    |displayName|String||✓
+    |urn:ietf:params:scim:schemas:extension:enterprise:2.0:User:organization|String||✓
+
+1. Under the **Mappings** section, select **Synchronize Azure Active Directory Groups to BIC Cloud Design**.
+
+1. Review the group attributes that are synchronized from Azure AD to BIC Cloud Design in the **Attribute-Mapping** section. The attributes selected as **Matching** properties are used to match the groups in BIC Cloud Design for update operations. Select the **Save** button to commit any changes.
+
+   |Attribute|Type|Supported for filtering|Required by Real Links|
+   |---|---|---|---|
+      |displayName|String|✓|✓
+      |externalId|String||✓
+      |members|Reference|
+
+1. To configure scoping filters, refer to the following instructions provided in the [Scoping filter tutorial](../app-provisioning/define-conditional-rules-for-provisioning-user-accounts.md).
+
+1. To enable the Azure AD provisioning service for BIC Cloud Design, change the **Provisioning Status** to **On** in the **Settings** section.
+
+	![Provisioning Status Toggled On](common/provisioning-toggle-on.png)
+
+1. Define the users and/or groups that you would like to provision to BIC Cloud Design by choosing the desired values in **Scope** in the **Settings** section.
+
+	![Provisioning Scope](common/provisioning-scope.png)
+
+1. When you are ready to provision, click **Save**.
+
+	![Saving Provisioning Configuration](common/provisioning-configuration-save.png)
+
+This operation starts the initial synchronization cycle of all users and groups defined in **Scope** in the **Settings** section. The initial cycle takes longer to perform than subsequent cycles, which occur approximately every 40 minutes as long as the Azure AD provisioning service is running. 
+
+## Step 6. Monitor your deployment
+Once you've configured provisioning, use the following resources to monitor your deployment:
+
+* Use the [provisioning logs](../reports-monitoring/concept-provisioning-logs.md) to determine which users have been provisioned successfully or unsuccessfully
+* Check the [progress bar](../app-provisioning/application-provisioning-when-will-provisioning-finish-specific-user.md) to see the status of the provisioning cycle and how close it is to completion
+* If the provisioning configuration seems to be in an unhealthy state, the application will go into quarantine. Learn more about quarantine states [here](../app-provisioning/application-provisioning-quarantine-status.md).  
+
+## More resources
+
+* [Managing user account provisioning for Enterprise Apps](../app-provisioning/configure-automatic-user-provisioning-portal.md)
+* [What is application access and single sign-on with Azure Active Directory?](../manage-apps/what-is-single-sign-on.md)
+
+## Next steps
+
+* [Learn how to review logs and get reports on provisioning activity](../app-provisioning/check-status-user-account-provisioning.md)