Commit 3caceef

Merge branch 'master' into adls-keys
2 parents 420bf6f + d83fd0e commit 3caceef

1,431 files changed

+19906
-22930
lines changed

.openpublishing.redirection.json

Lines changed: 375 additions & 5 deletions
Large diffs are not rendered by default.

articles/active-directory-b2c/best-practices.md

Lines changed: 2 additions & 2 deletions
@@ -39,7 +39,7 @@ Define your application and service architecture, inventory current systems, and
3939
| Create a migration plan |Planning ahead can make migration go more smoothly. Learn more about [user migration](user-migration.md).|
4040
| Usability vs. security | Your solution must strike the right balance between application usability and your organization's acceptable level of risk. |
4141
| Move on-premises dependencies to the cloud | To help ensure a resilient solution, consider moving existing application dependencies to the cloud. |
42-
| Migrate existing apps to b2clogin.com | The deprecation of login.microsoftonline.com went into effect for all Azure AD B2C tenants on 04 December 2020. [Learn more](b2clogin.md). |
42+
| Migrate existing apps to b2clogin.com | The deprecation of login.microsoftonline.com will go into effect for all Azure AD B2C tenants on 04 December 2020. [Learn more](b2clogin.md). |
4343

4444
## Implementation
4545

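Review bot: On the changed b2clogin.com row (new line 42), the future tense "will go into effect ... on 04 December 2020" makes the sentence wrong once that date passes, and the removed line shows the same row has already been written in the past tense. Suggest date-neutral wording such as "login.microsoftonline.com is deprecated for all Azure AD B2C tenants effective 04 December 2020" so the row does not need another edit after the cutover.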
@@ -88,4 +88,4 @@ Stay up to date with the state of the service and find support options.
8888
|--|--|
8989
| [Service updates](https://azure.microsoft.com/updates/?product=active-directory-b2c) | Stay up to date with Azure AD B2C product updates and announcements. |
9090
| [Microsoft Support](support-options.md) | File a support request for Azure AD B2C technical issues. Billing and subscription management support is provided at no cost. |
91-
| [Azure status](https://status.azure.com/status) | View the current health status of all Azure services. |
91+
| [Azure status](https://status.azure.com/status) | View the current health status of all Azure services. |

articles/active-directory-b2c/code-samples.md

Lines changed: 6 additions & 0 deletions
@@ -43,3 +43,9 @@ The following tables provide links to samples for applications including iOS, An
4343
| Sample | Description |
4444
|--------| ----------- |
4545
| [javascript-msal-singlepageapp](https://github.com/Azure-Samples/active-directory-b2c-javascript-msal-singlepageapp) | A single page application (SPA) calling a Web API. Authentication is done with Azure AD B2C by using MSAL.js. |
46+
47+
## SAML test application
48+
49+
| Sample | Description |
50+
|--------| ----------- |
51+
| [saml-sp-tester](https://github.com/azure-ad-b2c/saml-sp-tester/tree/master/source-code) | SAML test application to test Azure AD B2C configured to act as SAML identity provider. |
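Review bot: The new saml-sp-tester row (new line 51) links to `tree/master/source-code` in the `azure-ad-b2c` GitHub organization, while the sample row above it points at `Azure-Samples`; a branch-and-folder link breaks as soon as the repository is reorganized. Suggest linking to the repository root or a stable path, and saying in the description who maintains the sample, since readers will point it at a tenant configured as a SAML identity provider.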

articles/active-directory/app-provisioning/application-provisioning-quarantine-status.md

Lines changed: 9 additions & 3 deletions
@@ -13,7 +13,7 @@ ms.workload: identity
1313
ms.tgt_pltfrm: na
1414
ms.devlang: na
1515
ms.topic: conceptual
16-
ms.date: 10/03/2019
16+
ms.date: 04/28/2020
1717
ms.author: mimart
1818
ms.reviewer: arvinh
1919

@@ -30,7 +30,7 @@ While in quarantine, the frequency of incremental cycles is gradually reduced to
3030

3131
There are three ways to check whether an application is in quarantine:
3232

33-
- In the Azure portal, navigate to **Azure Active Directory** > **Enterprise applications** > <*application name*> > **Provisioning** and scroll to the progress bar at the bottom.
33+
- In the Azure portal, navigate to **Azure Active Directory** > **Enterprise applications** > <*application name*> > **Provisioning** and review the progress bar for a quarantine message.
3434

3535
![Provisioning status bar showing quarantine status](./media/application-provisioning-quarantine-status/progress-bar-quarantined.png)
3636

@@ -48,7 +48,13 @@ There are three ways to check whether an application is in quarantine:
4848

4949
## Why is my application in quarantine?
5050

51-
A Microsoft Graph request to get the status of the provisioning job shows the following reason for quarantine:
51+
|Description|Recommended Action|
52+
|---|---|
53+
|**SCIM Compliance issue:** An HTTP/404 Not Found response was returned rather than the expected HTTP/200 OK response. In this case the Azure AD provisioning service has made a request to the target application and received an unexpected response.|Check the admin credentials section to see if the application requires specifying the tenant URL and ensure that the URL is correct. If you don't see an issue, please contact the application developer to ensure that their service is SCIM-compliant. https://tools.ietf.org/html/rfc7644#section-3.4.2 |
54+
|**Invalid credentials:** When attempting to authorize access to the target application we received a response from the target application that indicates the credentials provided are invalid.|Please navigate to the admin credentials section of the provisioning configuration UI and authorize access again with valid credentials. If the application is in the gallery, review the application configuration tutorial for any additional steps required.|
55+
|**Duplicate roles:** Roles imported from certain applications like Salesforce and Zendesk must be unique. |Navigate to the application [manifest](https://docs.microsoft.com/azure/active-directory/develop/reference-app-manifest) in the Azure portal and remove the duplicate role.|
56+
57+
A Microsoft Graph request to get the status of the provisioning job shows the following reason for quarantine:
5258

5359
- `EncounteredQuarantineException` indicates that invalid credentials were provided. The provisioning service is unable to establish a connection between the source system and the target system.
5460

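Review bot: In the table added under "Why is my application in quarantine?" (new lines 51-55), the SCIM compliance row ends with a bare RFC URL and never says which request returned the 404. The link targets RFC 7644 section 3.4.2, which covers resource queries, so the row should say that a query with no matching resources is expected to return HTTP 200 with an empty list, and the URL should become a named link. The "Invalid credentials" row also overlaps with the `EncounteredQuarantineException` bullet that follows; cross-reference the two so a reader can go from the Graph value to the recommended action. The table also needs a one-sentence lead-in, since it now sits directly under the heading.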
articles/active-directory/app-provisioning/customize-application-attributes.md

Lines changed: 5 additions & 3 deletions
@@ -69,7 +69,7 @@ Along with this property, attribute-mappings also support the following attribut
6969
- **Target attribute** – The user attribute in the target system (example: ServiceNow).
7070
- **Default value if null (optional)** - The value that will be passed to the target system if the source attribute is null. This value will only be provisioned when a user is created. The "default value when null" will not be provisioned when updating an existing user. If, for example, you want to provision all existing users in the target system with a particular Job Title (when it is null in the source system), you can use the following [expression](../app-provisioning/functions-for-customizing-application-data.md): Switch(IsPresent([jobTitle]), "DefaultValue", "True", [jobTitle]). Make sure to replace the "Default Value" with what you would like to provision when null in the source system.
7171
- **Match objects using this attribute** – Whether this mapping should be used to uniquely identify users between the source and target systems. It's typically set on the userPrincipalName or mail attribute in Azure AD, which is typically mapped to a username field in a target application.
72-
- **Matching precedence** – Multiple matching attributes can be set. When there are multiple, they're evaluated in the order defined by this field. As soon as a match is found, no further matching attributes are evaluated.
72+
- **Matching precedence** – Multiple matching attributes can be set. When there are multiple, they're evaluated in the order defined by this field. As soon as a match is found, no further matching attributes are evaluated. While you can set as many matching attributes as you would like, consider whether the attributes you are using as matching attributes are truly unique and need to be matching attributes. Generally customers have 1 or 2 matching attributes in their configuration.
7373
- **Apply this mapping**
7474
- **Always** – Apply this mapping on both user creation and update actions.
7575
- **Only during creation** - Apply this mapping only on user creation actions.
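Review bot: The text added to the **Matching precedence** bullet (new line 72) asks readers to consider whether their matching attributes are "truly unique" but does not say what happens when they are not. Suggest one sentence on the consequence (which target object is matched when more than one carries the same value), and write "one or two" rather than "1 or 2".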
@@ -312,8 +312,10 @@ Selecting this option will effectively force a resynchronization of all users wh
312312
- Updating attribute-mappings has an impact on the performance of a synchronization cycle. An update to the attribute-mapping configuration requires all managed objects to be reevaluated.
313313
- A recommended best practice is to keep the number of consecutive changes to your attribute-mappings at a minimum.
314314
- Adding a photo attribute to be provisioned to an app is not supported today as you cannot specify the format to sync the photo. You can request the feature on [User Voice](https://feedback.azure.com/forums/169401-azure-active-directory)
315-
- The attribute IsSoftDeleted is often part of the default mappings for an application. IsSoftdeleted can be true in one of four scenarios (the user is out of scope due to being unassigned from the application, the user is out of scope due to not meeting a scoping filter, the user has been soft deleted in Azure AD, or the property AccountEnabled is set to false on the user).
316-
- The Azure AD provisioning service does not support provisioning null values
315+
- The attribute IsSoftDeleted is often part of the default mappings for an application. IsSoftdeleted can be true in one of four scenarios (the user is out of scope due to being unassigned from the application, the user is out of scope due to not meeting a scoping filter, the user has been soft deleted in Azure AD, or the property AccountEnabled is set to false on the user). It is not recommended to remove the IsSoftDeleted attribute from your attribute mappings.
316+
- The Azure AD provisioning service does not support provisioning null values.
317+
- They primary key, typically "ID", should not be included as a target attribute in your attribute mappings.
318+
- The role attribute typically needs to be mapped using an expression, rather than a direct mapping. See section above for more details on role mapping.
317319

318320
## Next steps
319321

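Review bot: New line 317 has a typo: "They primary key" should read "The primary key". On new line 315 the added advice not to remove IsSoftDeleted gives no reason; one clause on what stops working would make it actionable, and the bullet still mixes the spellings "IsSoftDeleted" and "IsSoftdeleted". On new line 318, "See section above" should link to the role-mapping section by name.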
articles/active-directory/app-provisioning/scim-graph-scenarios.md

Lines changed: 14 additions & 16 deletions
@@ -1,45 +1,43 @@
11
---
2-
title: Using SCIM, the Microsoft Graph, and the Azure AD provisioning service to provision users and enrich your application with the data it needs | Microsoft Docs
2+
title: Use SCIM, Microsoft Graph, and Azure AD to provision users and enrich apps with data
33
description: Using SCIM and the Microsoft Graph together to provision users and enrich your application with the data it needs .
44
services: active-directory
5-
documentationcenter: ''
65
author: msmimart
76
manager: CelesteDG
8-
9-
ms.assetid:
107
ms.service: active-directory
118
ms.subservice: app-provisioning
129
ms.workload: identity
13-
ms.tgt_pltfrm: na
14-
ms.devlang: na
1510
ms.topic: conceptual
16-
ms.date: 04/06/2020
11+
ms.date: 04/26/2020
1712
ms.author: mimart
1813
ms.reviewer: arvinh
1914

20-
ms.collection: M365-identity-device-management
2115
---
2216

2317

2418
# Using SCIM and Microsoft Graph together to provision users and enrich your application with the data it needs
2519

26-
**Target audience:** This document is targeted towards developers building applications integrated with Azure AD. For others looking to integrate an existing application such as Zoom, ServiceNow, and DropBox you can skip this and review the application specific [tutorials](https://docs.microsoft.com/azure/active-directory/saas-apps/tutorial-list).
20+
**Target audience:** This article is targeted towards developers building applications to be integrated with Azure Active Directory (Azure AD). If you're looking to use applications already integrated with Azure AD, such as Zoom, ServiceNow, and DropBox, you can skip this article and review the application specific [tutorials](https://docs.microsoft.com/azure/active-directory/saas-apps/tutorial-list) or review [how the provisioning service works](https://docs.microsoft.com/azure/active-directory/app-provisioning/how-provisioning-works).
2721

2822
**Common scenarios**
2923

24+
Azure AD provides an out of the box service for provisioning and an extensible platform to build your applications on. The decision tree outlines how a developer would use [SCIM](https://aka.ms/scimoverview) and the [Microsoft Graph](https://docs.microsoft.com/graph/overview) to automate provisioning.
25+
3026
> [!div class="checklist"]
3127
> * Automatically create users in my application
3228
> * Automatically remove users from my application when they shouldn't have access anymore
3329
> * Integrate my application with multiple identity providers for provisioning
34-
> * Enrich my application with data from Microsoft services such as Sharepoint, Outlook, and Office.
30+
> * Enrich my application with data from Microsoft services such as Teams, Outlook, and Office.
3531
> * Automatically create, update, and delete users and groups in Azure AD and Active Directory
3632
3733
![SCIM Graph decision tree](./media/user-provisioning/scim-graph.png)
3834

3935
## Scenario 1: Automatically create users in my app
40-
Today, IT admins manually create user accounts in my application each time someone needs access or periodically upload CSV files. The process is time consuming for customers and slows down adoption of my application. All I need is basic [user](https://docs.microsoft.com/graph/api/resources/user?view=graph-rest-1.0) information such as name, email, and userPrincipalName to create a user. Furthermore, my customers use various IdPs and I don't have the resources to maintain a sync engine and custom integrations with each IdP.
36+
Today, IT admins provision users by manually creating user accounts or periodically uploading CSV files into my application. The process is time consuming for customers and slows down adoption of my application. All I need is basic user information such as name, email, and userPrincipalName to create a user.
4137

42-
**Recommendation**: Support a SCIM compliant [/Users](https://aka.ms/scimreferencecode) endpoint. Your customers will be able to easily use this endpoint to integrate with the Azure AD provisioning service and automatically create user accounts when they need access. You can build the endpoint once and it will be compatible with all IdPs, without having to maintain a sync engine. Check out the example request below for how a user would be created.
38+
**Recommendation**:
39+
* If your customers use various IdPs and you do not want to maintain a sync engine to integrate with each, support a SCIM compliant [/Users](https://aka.ms/scimreferencecode) endpoint. Your customers will be able to easily use this endpoint to integrate with the Azure AD provisioning service and automatically create user accounts when they need access. You can build the endpoint once and it will be compatible with all IdPs. Check out the example request below for how a user would be created using SCIM.
40+
* If you require user data found on the user object in Azure AD and other data from across Microsoft, consider building a SCIM endpoint for user provisioning and calling into the Microsoft Graph to get the rest of the data.
4341

4442
```json
4543
POST /Users
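Review bot: The paragraph added at new line 24 refers to "The decision tree" before the checklist, but the image it describes sits after the list at new line 33; move the sentence next to the image or name the figure explicitly. In the front matter, the unchanged `description` still has a stray space before the period ("needs .") and could be fixed in the same pass that shortens `title`. The Scenario 1 rewrite also drops the link to the Graph `user` resource that the removed paragraph carried, so the second recommendation bullet (new line 40) now mentions "the user object in Azure AD" with nothing to follow.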
@@ -93,21 +91,21 @@ My application relies on groups for access to various resources, and customers w
9391

9492
**Recommendation:** Support a SCIM compliant /Groups [endpoint](https://aka.ms/scimreferencecode). The Azure AD provisioning service will take care of creating groups and managing membership updates in your application.
9593

96-
## Scenario 4: Enrich my app with data from Microsoft services such as Teams, Outlook, and OneDrive.
94+
## Scenario 4: Enrich my app with data from Microsoft services such as Teams, Outlook, and OneDrive
9795
My application is built into Microsoft Teams and relies on message data. In addition, we store files for users in OneDrive. How can I enrich my application with the data from these services and across Microsoft?
9896

9997
**Recommendation:** The [Microsoft Graph](https://docs.microsoft.com/graph/) is your entry point to access Microsoft data. Each workload exposes APIs with the data that you need. The Microsoft graph can be used along with [SCIM provisioning](https://docs.microsoft.com/azure/active-directory/app-provisioning/use-scim-to-provision-users-and-groups) for the scenarios above. You can use SCIM to provision basic user attributes into your application while calling into graph to get any other data that you need.
10098

101-
## Scenario 5: Track changes in Microsoft services such as Teams, Outlook, and Azure AD.
99+
## Scenario 5: Track changes in Microsoft services such as Teams, Outlook, and Azure AD
102100
I need to be able to track changes to Teams and Outlook messages and react to them in real time. How can I get these changes pushed to my application?
103101

104-
**Recommendation:** The Microsoft Graph provides [change notifications](https://docs.microsoft.com/graph/webhooks) and change tracking for various resources. Note the following limitations of change notifications:
102+
**Recommendation:** The Microsoft Graph provides [change notifications](https://docs.microsoft.com/graph/webhooks) and [change tracking](https://docs.microsoft.com/graph/delta-query-overview) for various resources. Note the following limitations of change notifications:
105103
- If an event receiver acknowledges an event, but fails to act on it for any reason, the event may be lost
106104
- If an event receiver acknowledges an event, but fails to act on it for any reason, the event may be lost
107105
- Change notifications don't always contain the [resource data](https://docs.microsoft.com/graph/webhooks-with-resource-data)
108106
For the reasons above, developers often use change notifications along with change tracking for synchronization scenarios.
109107

110-
## Scenario 6: Provision users and groups in Azure AD.
108+
## Scenario 6: Provision users and groups in Azure AD
111109
My application creates information about a user that customers need in Azure AD. This could be an HR application than manages hiring, a communications app that creates phone numbers for users, or some other app that generates data that would be valuable in Azure AD. How do I populate the user record in Azure AD with that data?
112110

113111
**Recommendation** The Microsoft graph exposes /Users and /Groups endpoints that you can integrate with today to provision users into Azure AD. Please note that Azure Active Directory doesn't support writing those users back into Active Directory.
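Review bot: In the change-notification limitations list (new lines 103 and 104), the bullet "If an event receiver acknowledges an event, but fails to act on it for any reason, the event may be lost" appears twice and this change leaves both in place; one of them was presumably meant to state a different limitation. While the headings in this hunk are being cleaned up, "**Recommendation**" under Scenario 6 is missing its colon, and "an HR application than manages hiring" should read "that manages".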

articles/active-directory/app-provisioning/use-scim-to-provision-users-and-groups.md

Lines changed: 1 addition & 1 deletion
@@ -813,7 +813,7 @@ Requests from Azure Active Directory include an OAuth 2.0 bearer token. Any serv
813813

814814
In the token, the issuer is identified by an iss claim, like `"iss":"https://sts.windows.net/cbb1a5ac-f33b-45fa-9bf5-f37db0fed422/"`. In this example, the base address of the claim value, `https://sts.windows.net`, identifies Azure Active Directory as the issuer, while the relative address segment, _cbb1a5ac-f33b-45fa-9bf5-f37db0fed422_, is a unique identifier of the Azure Active Directory tenant for which the token was issued.
815815

816-
The audience for the token will be the application template ID for the application in the gallery, each of the applications registered in a single tenant may receive the same `iss` claim with SCIM requests. The application template ID for each application in the gallery varies, please contact [[email protected]](mailto:[email protected]) for questions around the application template ID for a gallery application. The application template ID for all custom apps is _8adf8e6e-67b2-4cf2-a259-e3dc5476c621_.
816+
The audience for the token will be the application template ID for the application in the gallery, each of the applications registered in a single tenant may receive the same `iss` claim with SCIM requests. The application template ID for all custom apps is _8adf8e6e-67b2-4cf2-a259-e3dc5476c621_. The token generated by the Azure AD provisioning service should only be used for testing. It should not be used in production environments.
817817

818818
In the sample code, requests are authenticated using the Microsoft.AspNetCore.Authentication.JwtBearer package. The following code enforces that requests to any of the service’s endpoints are authenticated using the bearer token issued by Azure Active Directory for a specified tenant:
819819

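Review bot: The two sentences added at new line 816 ("The token generated by the Azure AD provisioning service should only be used for testing. It should not be used in production environments.") do not say which token they mean. The hunk's own context states that requests from Azure Active Directory include an OAuth 2.0 bearer token, and the next paragraph describes validating it, so as written the note reads as if that request token were test-only. Name the token, where it is generated, and what should be used in production instead. The change also removes the only pointer for finding a gallery app's application template ID, which is the value the receiving service checks as the audience, and the first sentence is still a comma splice ("in the gallery, each of the applications").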
articles/active-directory/authentication/active-directory-certificate-based-authentication-ios.md

Lines changed: 1 addition & 0 deletions
@@ -32,6 +32,7 @@ This article details the requirements and the supported scenarios for configurin
3232
| Azure Information Protection app |![Check mark signifying support for this application][1] |
3333
| Intune Company Portal |![Check mark signifying support for this application][1] |
3434
| Microsoft Teams |![Check mark signifying support for this application][1] |
35+
| Office (mobile) |![Check mark signifying support for this application][1] |
3536
| OneNote |![Check mark signifying support for this application][1] |
3637
| OneDrive |![Check mark signifying support for this application][1] |
3738
| Outlook |![Check mark signifying support for this application][1] |
