Merge pull request #170061 from MicrosoftDocs/master

8/23 PM Publish

Author: huypub

.github/workflows/stale.yml

@@ -20,7 +20,7 @@ jobs:
         exempt-pr-labels: keep-open
         operations-per-run: 700
         ascending: true
-        start-date: '2020-12-17'
+        start-date: '2021-04-06'
         stale-pr-message: >
           This pull request has been inactive for at least 14 days.
           If you are finished with your changes, don't forget to sign off. See the [contributor guide](https://review.docs.microsoft.com/help/contribute/contribute-how-to-write-pull-request-automation) for instructions.

articles/active-directory-b2c/partner-akamai.md

@@ -18,6 +18,9 @@ ms.subservice: B2C
 
 In this sample tutorial, learn how to enable [Akamai Web Application Firewall (WAF)](https://www.akamai.com/us/en/resources/web-application-firewall.jsp) solution for Azure Active Directory (AD) B2C tenant using custom domains. Akamai WAF helps organization protect their web applications from malicious attacks that aim to exploit vulnerabilities such as SQL injection and Cross site scripting.
 
+>[!NOTE]
+>This feature is in public preview.
+
 Benefits of using Akamai WAF solution:
 
 - An edge platform that allows traffic management to your services.
@@ -104,4 +107,4 @@ Check the following to ensure all traffic to Azure AD B2C is now going through t
 
 - [Configure a custom domain in Azure AD B2C](./custom-domain.md?pivots=b2c-user-flow)
 
-- [Get started with custom policies in Azure AD B2C](./tutorial-create-user-flows.md?pivots=b2c-custom-policy&tabs=applications)
+- [Get started with custom policies in Azure AD B2C](./tutorial-create-user-flows.md?pivots=b2c-custom-policy&tabs=applications)

articles/active-directory-b2c/partner-azure-web-application-firewall.md

@@ -18,6 +18,9 @@ ms.subservice: B2C
 
 In this sample tutorial, learn how to enable [Azure Web Application Firewall (WAF)](https://azure.microsoft.com/services/web-application-firewall/#overview) solution for Azure Active Directory (AD) B2C tenant with custom domain. Azure WAF provides centralized protection of your web applications from common exploits and vulnerabilities.
 
+>[!NOTE]
+>This feature is in public preview.
+
 ## Prerequisites
 
 To get started, you'll need:

articles/active-directory-b2c/partner-cloudflare.md

@@ -18,6 +18,9 @@ ms.subservice: B2C
 
 In this sample tutorial, learn how to enable [Cloudflare Web Application Firewall (WAF)](https://www.cloudflare.com/waf/) solution for Azure Active Directory (AD) B2C tenant with custom domain. Cloudflare WAF helps organization protect against malicious attacks that aim to exploit vulnerabilities such as SQLi, and XSS.
 
+>[!NOTE]
+>This feature is in public preview.
+
 ## Prerequisites
 
 To get started, you'll need:

articles/active-directory/app-provisioning/media/on-premises-application-provisioning-architecture/ecma-2.png

@@ -38,13 +38,67 @@ There are three primary components to provisioning users into an on-premises app
 
 You don't need to open inbound connections to the corporate network. The provisioning agents only use outbound connections to the provisioning service, which means there's no need to open firewall ports for incoming connections. You also don't need a perimeter (DMZ) network because all connections are outbound and take place over a secure channel.
 
+## ECMA Connector Host architecture
+The ECMA Connector Host has several areas it uses to achieve on-premises provisioning.  The diagram below is a conceptual drawing that presents these individual areas.  The table below describes the areas in more detail.
+
+[![ECMA connector host](.\media\on-premises-application-provisioning-architecture\ecma-2.png)](.\media\on-premises-application-provisioning-architecture\ecma-2.png#lightbox)
+
+
+
+|Area|Description|
+|-----|-----|
+|Endpoints|Responsible for communication and data-transfer with the Azure AD provisioning service|
+|In-memory cache|Used to store the data imported from the on-premises data source|
+|Autosync|Provides asynchronous data synchronization between the ECMA Connector Host and the on-premises data source|
+|Business logic|Used to coordinate all of the ECMA Connector Host activities.  The Autosync time is configurable in the ECMA host. This is in the properties page.|
+
+### About anchor attributes and distinguished names
+The following information is provided to better explain the anchor attributes and the distinguished names, particularly used by the genericSQL connector.
+
+The anchor attribute is a unique attribute of an object type that does not change and represents that object in the ECMA Connector Host in-memory cache.
+
+The distinguished name (DN) is a name that uniquely identifies an object by indicating its current location in the directory hierarchy.  Or in the case of SQL, in the partition. The name is formed by concatenating the anchor attribute a the root of the directory partition. 
+
+When we think of traditional DNs in a traditional format, for say, Active Directory or LDAP, we think of something similar to:
+
+  CN=Lola Jacobson,CN=Users,DC=contoso,DC=com
+
+However, for a data source such as SQL, which is flat, not hierarchical, the DN needs to be either already present in one of the table or created from the information we provide to the ECMA Connector Host.  
+
+This can be achieved by checking **Autogenerated** in the checkbox when configuring the genericSQL connector. When you choose DN to be autogenerated, the ECMA host will generate a DN in an LDAP format: CN=<anchorvalue>,OBJECT=<type>. This also assumes that DN is Anchor is **unchecked** in the Connectivity page. 
+ 
+ [![DN is Anchor unchecked](.\media\on-premises-application-provisioning-architecture\user-2.png)](.\media\on-premises-application-provisioning-architecture\user-2.png#lightbox)
+
+The genericSQL connector expects the DN to be populated using an LDAP format.  The Generic SQL connector is using the LDAP style with the component name "OBJECT=". This allows it to use partitions (each object type is a partition).
+
+Since ECMA Connector Host currently only supports the USER object type, the OBJECT=<type> will be OBJECT=USER.  So the DN for a user with an anchorvalue of ljacobson would be:
+
+  CN=ljacobson,OBJECT=USER
+
+
+### User creation workflow
+
+1.  The Azure AD provisioning service queries the ECMA Connector Host to see if the user exists.  It uses the **matching attribute** as the filter.  This attribute is defined in the Azure AD portal under Enterprise applications -> On-premises provisioning -> provisioning -> attribute matching.  It is denoted by the 1 for matching precedence.
+You can define one or more matching attribute(s) and prioritize them based on the precedence.  Should you want to change the matching attribute you can also do so.
+ [![Matching attribute](.\media\on-premises-application-provisioning-architecture\match-1.png)](.\media\on-premises-application-provisioning-architecture\match-1.png#lightbox)
+
+2.  ECMA Connector Host receives the GET request and queries its internal cache to see if the user exists and has based imported.  This is done using the **query attribute**. The query attribute is defined in the object types page.  
+ [![Query attribute](.\media\on-premises-application-provisioning-architecture\match-2.png)](.\media\on-premises-application-provisioning-architecture\match-2.png#lightbox)
+
+
+3. If the user does not exist, Azure AD will make a POST request to create the user.  The ECMA Connector Host will respond back to Azure AD with the HTTP 201 and provide an ID for the user. This ID is derived from the anchor value defined in the object types page. This anchor will be used by Azure AD to query the ECMA Connector Host for future and subsequent requests. 
+4. If a change happens to the user in Azure AD, then Azure AD will make a GET request to retrieve the user using the anchor from the previous step, rather than the matching attribute in step 1. This allows, for example, the UPN to change without breaking the link between the user in Azuer AD and in the app.  
+
+
 ## Agent best practices
 - Ensure the auto Azure AD Connect Provisioning Agent Auto Update service is running. It's enabled by default when you install the agent. Auto-update is required for Microsoft to support your deployment.
 - Avoid all forms of inline inspection on outbound TLS communications between agents and Azure. This type of inline inspection causes degradation to the communication flow.
 - The agent must communicate with both Azure and your application, so the placement of the agent affects the latency of those two connections. You can minimize the latency of the end-to-end traffic by optimizing each network connection. Each connection can be optimized by:
   - Reducing the distance between the two ends of the hop.
   - Choosing the right network to traverse. For example, traversing a private network rather than the public internet might be faster because of dedicated links.
 
+
+
 ## Provisioning agent questions
 Some common questions are answered here.
 
@@ -55,8 +109,8 @@ For the latest GA version of the provisioning agent, see [Azure AD connect provi
 ### How do I know the version of my provisioning agent?
 
  1. Sign in to the Windows server where the provisioning agent is installed.
- 1. Go to **Control Panel** > **Uninstall or Change a Program**.
- 1. Look for the version that corresponds to the entry for **Microsoft Azure AD Connect Provisioning Agent**.
+ 2. Go to **Control Panel** > **Uninstall or Change a Program**.
+ 3. Look for the version that corresponds to the entry for **Microsoft Azure AD Connect Provisioning Agent**.
 
 ### Does Microsoft automatically push provisioning agent updates?
 
@@ -86,14 +140,17 @@ The provisioning agent supports use of outbound proxy. You can configure it by e
 You can also check whether all the required ports are open.
 
 ### How do I uninstall the provisioning agent?
-1. Sign in to the Windows server where the provisioning agent is installed.
-1. Go to **Control Panel** > **Uninstall or Change a Program**.
-1. Uninstall the following programs:
+ 1. Sign in to the Windows server where the provisioning agent is installed.
+ 2. Go to **Control Panel** > **Uninstall or Change a Program**.
+ 3. Uninstall the following programs:
      - Microsoft Azure AD Connect Provisioning Agent
      - Microsoft Azure AD Connect Agent Updater
      - Microsoft Azure AD Connect Provisioning Agent Package
 
 
+
+
+
 ## Next steps
 
 - [App provisioning](user-provisioning.md)