Merge pull request #152070 from MicrosoftDocs/master

3/25 AM Publish

Author: huypub

articles/active-directory-b2c/identity-provider-apple-id.md

@@ -192,7 +192,7 @@ You can define an Apple ID as a claims provider by adding it to the **ClaimsProv
             <Item Key="response_types">code</Item>
             <Item Key="external_user_identity_claim_id">sub</Item>
             <Item Key="response_mode">form_post</Item>
-            <Item Key="ReadBodyClaimsOnIdpRedirect">user.firstName user.lastName user.email</Item>
+            <Item Key="ReadBodyClaimsOnIdpRedirect">user.name.firstName user.name.lastName user.email</Item>
             <Item Key="client_id">You Apple ID</Item>
             <Item Key="UsePolicyInRedirectUri">false</Item>
           </Metadata>

articles/active-directory/manage-apps/my-apps-deployment-plan.md

@@ -69,31 +69,19 @@ Administrators can configure:
 
 ## Plan consent configuration
 
-There are two types of consent: user consent and consent for apps accessing data.
-
-![Screen shot of consent configuration](./media/my-apps-deployment-plan/my-apps-consent.png)
-
 ### User consent for applications 
 
-Users or administrators must consent to any application’s terms of use and privacy policies. You must decide if users or only administrators can consent to applications. **We recommend that if your business rules allow, you use administrator consent to maintain control of the applications in your tenant**.
-
-To use administrator consent, you must be a global administrator of the organization, and the applications must be either:
-
-* Registered in your organization.
+Before a user can sign in to an application and the application can access your organization's data, a user or an admin must grant the application permissions. You can configure whether user consent is allowed, and under which conditions. **Microsoft recommends you only allow user consent for applications from verified publishers.**
 
-* Registered in another Azure AD organization and previously consented to by at least one user.
-
-If you want to allow users to consent, you must decide if you want them to consent to any app, or only under specific circumstances.
-
-For more information, see [Configure the way end users consent to an application in Azure Active Directory.](../manage-apps/configure-user-consent.md)
+For more information, see [Configure how end-users consent to applications](../manage-apps/configure-user-consent.md)
 
 ### Group owner consent for apps accessing data
 
-Determine if owners of the Azure AD security groups or M365 groups are able to consent to applications to access data for the groups they own. You can disallow, allow all group owners, or allow only a subset of group owners.
+Group and team owners can authorize applications, such as applications published by third-party vendors, to access your organization's data associated with a group. See [Resource-specific consent in Microsoft Teams](https://docs.microsoft.com/microsoftteams/resource-specific-consent) to learn more. 
 
-For more information, see [Configure group consent permissions](../manage-apps/configure-user-consent-groups.md).
+You can configure whether you'd like to allow or disable this feature.
 
-Then, configure your [User and group owner consent settings](https://portal.azure.com/) in the Azure portal.
+For more information, see [Configure group consent permissions](../manage-apps/configure-user-consent-groups.md).
 
 ### Plan communications
 

articles/active-directory/saas-apps/olfeo-saas-provisioning-tutorial.md

@@ -0,0 +1,159 @@
+---
+title: 'Tutorial: Configure Olfeo SAAS for automatic user provisioning with Azure Active Directory | Microsoft Docs'
+description: Learn how to automatically provision and de-provision user accounts from Azure AD to Olfeo SAAS.
+services: active-directory
+documentationcenter: ''
+author: Zhchia
+writer: Zhchia
+manager: beatrizd
+
+ms.assetid: 5f6b0320-dfe7-451c-8cd8-6ba7f2e40434
+ms.service: active-directory
+ms.subservice: saas-app-tutorial
+ms.workload: identity
+ms.tgt_pltfrm: na
+ms.devlang: na
+ms.topic: article
+ms.date: 02/26/2021
+ms.author: Zhchia
+---
+
+# Tutorial: Configure Olfeo SAAS for automatic user provisioning
+
+This tutorial describes the steps you need to do in both Olfeo SAAS and Azure Active Directory (Azure AD) to configure automatic user provisioning. When configured, Azure AD automatically provisions and de-provisions users and groups to [Olfeo SAAS](https://www.olfeo.com) using the Azure AD Provisioning service. For important details on what this service does, how it works, and frequently asked questions, see [Automate user provisioning and deprovisioning to SaaS applications with Azure Active Directory](../manage-apps/user-provisioning.md). 
+
+
+## Capabilities Supported
+> [!div class="checklist"]
+> * Create users in Olfeo SAAS
+> * Remove users in Olfeo SAAS when they do not require access anymore
+> * Keep user attributes synchronized between Azure AD and Olfeo SAAS
+> * Provision groups and group memberships in Olfeo SAAS
+> * [Single sign-on](olfeo-saas-tutorial.md) to Olfeo SAAS (recommended)
+
+## Prerequisites
+
+The scenario outlined in this tutorial assumes that you already have the following prerequisites:
+
+* [An Azure AD tenant](../develop/quickstart-create-new-tenant.md) 
+* A user account in Azure AD with [permission](../roles/permissions-reference.md) to configure provisioning (for example, Application Administrator, Cloud Application administrator, Application Owner, or Global Administrator). 
+* A [Olfeo SAAS tenant](https://www.olfeo.com/).
+* A user account in Olfeo SAAS with Admin permissions.
+
+## Step 1. Plan your provisioning deployment
+
+1. Learn about [how the provisioning service works](../app-provisioning/user-provisioning.md).
+1. Determine who will be in [scope for provisioning](../app-provisioning/define-conditional-rules-for-provisioning-user-accounts.md).
+1. Determine what data to [map between Azure AD and Olfeo SAAS](../app-provisioning/customize-application-attributes.md).
+
+## Step 2. Configure Olfeo SAAS to support provisioning with Azure AD
+
+1. Login to Olfeo SAAS admin console. 
+1. Navigate to **Configuration > Annuaires**.
+1. Create a new directory and then name it.
+1. Select **Azure** provider and then click on **Cr�er** to save the new directory. 
+1. Navigate to the **Synchronisation** tab to see the **Tenant URL** and the **Jeton secret**. These values will be copied and pasted in the **Tenant URL** and **Secret Token** fields in the Provisioning tab of your Olfeo SAAS application in the Azure portal.
+
+## Step 3. Add Olfeo SAAS from the Azure AD application gallery
+
+Add Olfeo SAAS from the Azure AD application gallery to start managing provisioning to Olfeo SAAS. If you have previously setup Olfeo SAAS for SSO, you can use the same application. However it's recommended that you create a separate app when testing out the integration initially. Learn more about adding an application from the gallery [here](../manage-apps/add-gallery-app.md). 
+
+## Step 4. Define who will be in scope for provisioning 
+
+The Azure AD provisioning service allows you to scope who will be provisioned based on assignment to the application and or based on attributes of the user / group. If you choose to scope who will be provisioned to your app based on assignment, you can use the following [steps](../manage-apps/assign-user-or-group-access-portal.md) to assign users and groups to the application. If you choose to scope who will be provisioned based solely on attributes of the user or group, you can use a scoping filter as described [here](../app-provisioning/define-conditional-rules-for-provisioning-user-accounts.md). 
+
+* When assigning users and groups to Olfeo SAAS, you must select a role other than **Default Access**. Users with the Default Access role are excluded from provisioning and will be marked as not effectively entitled in the provisioning logs. If the only role available on the application is the default access role, you can [update the application manifest](../develop/howto-add-app-roles-in-azure-ad-apps.md) to add more roles. 
+
+* Start small. Test with a small set of users and groups before rolling out to everyone. When scope for provisioning is set to assigned users and groups, you can control this by assigning one or two users or groups to the app. When scope is set to all users and groups, you can specify an [attribute based scoping filter](../app-provisioning/define-conditional-rules-for-provisioning-user-accounts.md). 
+
+
+## Step 5. Configure automatic user provisioning to Olfeo SAAS 
+
+This section guides you through the steps to configure the Azure AD provisioning service to create, update, and disable users and groups in Olfeo SAAS app based on user and group assignments in Azure AD.
+
+### To configure automatic user provisioning for Olfeo SAAS in Azure AD:
+
+1. Sign in to the [Azure portal](https://portal.azure.com). Select **Enterprise Applications**, then select **All applications**.
+
+	![Enterprise applications blade](common/enterprise-applications.png)
+
+1. In the applications list, select **Olfeo SAAS**.
+
+	![The Olfeo SAAS link in the Applications list](common/all-applications.png)
+
+1. Select the **Provisioning** tab.
+
+	![Provisioning tab](common/provisioning.png)
+
+1.  Set the **Provisioning Mode** to **Automatic**.
+
+	![Provisioning tab automatic](common/provisioning-automatic.png)
+
+1. In the **Admin Credentials** section, enter your Olfeo SAAS **Tenant URL** and **Secret token** information. Select **Test Connection** to ensure that Azure AD can connect to Olfeo SAAS. If the connection fails, ensure that your Olfeo SAAS account has admin permissions and try again.
+
+ 	![Token](common/provisioning-testconnection-tenanturltoken.png)
+
+1. In the **Notification Email** field, enter the email address of a person or group who should receive the provisioning error notifications. Select the **Send an email notification when a failure occurs** check box.
+
+	![Notification Email](common/provisioning-notification-email.png)
+
+1. Select **Save**.
+
+1. In the **Mappings** section, select **Synchronize Azure Active Directory Users to Olfeo SAAS**.
+
+1. Review the user attributes that are synchronized from Azure AD to Olfeo SAAS in the **Attribute Mapping** section. The attributes selected as **Matching** properties are used to match the user accounts in Olfeo SAAS for update operations. If you change the [matching target attribute](../app-provisioning/customize-application-attributes.md), you'll need to ensure that the Olfeo SAAS API supports filtering users based on that attribute. Select **Save** to commit any changes.
+
+   |Attribute|Type|Supported for filtering|
+   |---|---|---|
+   |userName|String|✓|
+   |displayName|String|
+   |active|Boolean|
+   |emails[type eq "work"].value|String|
+   |preferredLanguage|String|
+   |name.givenName|String|
+   |name.familyName|String|
+   |name.formatted|String|
+   |externalId|String|  
+
+1. Under the **Mappings** section, select **Synchronize Azure Active Directory Groups to Olfeo SAAS**.
+
+1. Review the group attributes that are synchronized from Azure AD to Olfeo SAAS in the **Attribute-Mapping** section. The attributes selected as **Matching** properties are used to match the groups in Olfeo SAAS for update operations. Select the **Save** button to commit any changes.
+
+      |Attribute|Type|Supported for filtering|
+      |---|---|---|
+      |displayName|String|✓|
+      |externalId|String|
+      |members|Reference|
+
+1. To configure scoping filters, see the instructions provided in the [Scoping filter tutorial](../app-provisioning/define-conditional-rules-for-provisioning-user-accounts.md).
+
+1. To enable the Azure AD provisioning service for Olfeo SAAS, change **Provisioning Status** to **On** in the **Settings** section.
+
+	![Provisioning Status Toggled On](common/provisioning-toggle-on.png)
+
+1. Define the users or groups that you want to provision to Olfeo SAAS by selecting the desired values in **Scope** in the **Settings** section.
+
+	![Provisioning Scope](common/provisioning-scope.png)
+
+1. When you're ready to provision, select **Save**.
+
+	![Saving Provisioning Configuration](common/provisioning-configuration-save.png)
+
+This operation starts the initial synchronization cycle of all users and groups defined in **Scope** in the **Settings** section. The initial cycle takes longer to do than next cycles, which occur about every 40 minutes as long as the Azure AD provisioning service is running.
+
+## Step 6. Monitor your deployment
+
+After you've configured provisioning, use the following resources to monitor your deployment:
+
+* Use the [provisioning logs](../reports-monitoring/concept-provisioning-logs.md) to determine which users were provisioned successfully or unsuccessfully.
+* Check the [progress bar](../app-provisioning/application-provisioning-when-will-provisioning-finish-specific-user.md) to see the status of the provisioning cycle and how close it's to completion.
+* If the provisioning configuration seems to be in an unhealthy state, the application will go into quarantine. To learn more about quarantine states, see [Application provisioning status of quarantine](../app-provisioning/application-provisioning-quarantine-status.md).
+
+## More resources
+
+* [Managing user account provisioning for enterprise apps](../app-provisioning/configure-automatic-user-provisioning-portal.md)
+* [What is application access and single sign-on with Azure Active Directory?](../manage-apps/what-is-single-sign-on.md)
+
+## Next steps
+
+* [Learn how to review logs and get reports on provisioning activity](../app-provisioning/check-status-user-account-provisioning.md)

articles/active-directory/saas-apps/toc.yml

@@ -2277,6 +2277,8 @@
         href: netsuite-provisioning-tutorial.md
       - name: OfficeSpace Software
         href: officespace-software-provisioning-tutorial.md
+      - name: Olfeo SAAS
+        href: olfeo-saas-provisioning-tutorial.md
       - name: OpenText Directory Services
         href: open-text-directory-services-provisioning-tutorial.md
       - name: Oracle Cloud Infrastructure Console

articles/aks/kubernetes-walkthrough-portal.md

@@ -136,55 +136,80 @@ Two Kubernetes Services are also created:
           app: azure-vote-back
       template:
         metadata:
-          name: azure-vote-back
-        spec:
-          ports:
-          - port: 6379
-          selector:
+          labels:
             app: azure-vote-back
-        ---
-        apiVersion: apps/v1
-        kind: Deployment
-        metadata:
-          name: azure-vote-front
         spec:
-          replicas: 1
-          selector:
-            matchLabels:
-              app: azure-vote-front
-          template:
-            metadata:
-              labels:
-                app: azure-vote-front
-            spec:
-              nodeSelector:
-                "beta.kubernetes.io/os": linux
-              containers:
-              - name: azure-vote-front
-                image: mcr.microsoft.com/azuredocs/azure-vote-front:v1
-                resources:
-                  requests:
-                    cpu: 100m
-                    memory: 128Mi
-                  limits:
-                    cpu: 250m
-                    memory: 256Mi
-                ports:
-                - containerPort: 80
-                env:
-                - name: REDIS
-                  value: "azure-vote-back"
-        ---
-        apiVersion: v1
-        kind: Service
+          nodeSelector:
+            "beta.kubernetes.io/os": linux
+          containers:
+          - name: azure-vote-back
+            image: mcr.microsoft.com/oss/bitnami/redis:6.0.8
+            env:
+            - name: ALLOW_EMPTY_PASSWORD
+              value: "yes"
+            resources:
+              requests:
+                cpu: 100m
+                memory: 128Mi
+              limits:
+                cpu: 250m
+                memory: 256Mi
+            ports:
+            - containerPort: 6379
+              name: redis
+    ---
+    apiVersion: v1
+    kind: Service
+    metadata:
+      name: azure-vote-back
+    spec:
+      ports:
+      - port: 6379
+      selector:
+        app: azure-vote-back
+    ---
+    apiVersion: apps/v1
+    kind: Deployment
+    metadata:
+      name: azure-vote-front
+    spec:
+      replicas: 1
+      selector:
+        matchLabels:
+          app: azure-vote-front
+      template:
         metadata:
-          name: azure-vote-front
-        spec:
-          type: LoadBalancer
-          ports:
-          - port: 80
-          selector:
+          labels:
             app: azure-vote-front
+        spec:
+          nodeSelector:
+            "beta.kubernetes.io/os": linux
+          containers:
+          - name: azure-vote-front
+            image: mcr.microsoft.com/azuredocs/azure-vote-front:v1
+            resources:
+              requests:
+                cpu: 100m
+                memory: 128Mi
+              limits:
+                cpu: 250m
+                memory: 256Mi
+            ports:
+            - containerPort: 80
+            env:
+            - name: REDIS
+              value: "azure-vote-back"
+    ---
+    apiVersion: v1
+    kind: Service
+    metadata:
+      name: azure-vote-front
+    spec:
+      type: LoadBalancer
+      ports:
+      - port: 80
+      selector:
+        app: azure-vote-front
     ```
 
 1. Deploy the application using the `kubectl apply` command and specify the name of your YAML manifest:

articles/aks/use-pod-security-policies.md

@@ -16,7 +16,7 @@ ms.date: 02/12/2021
 > It is highly recommended to begin testing scenarios with Azure Policy for AKS, which offers built-in policies to secure pods and built-in initiatives which map to pod security policies. To migrate from pod security policy, you need to take the following actions on a cluster.
 > 
 > 1. [Disable pod security policy](#clean-up-resources) on the cluster
-> 1. Enable the [Azure Policy Add-on][kubernetes-policy-reference]
+> 1. Enable the [Azure Policy Add-on][azure-policy-add-on]
 > 1. Enable the desired Azure policies from [available built-in policies][policy-samples]
 > 1. Review [behavior changes between pod security policy and Azure Policy](#behavior-changes-between-pod-security-policy-and-azure-policy)
 
@@ -457,7 +457,6 @@ For more information about limiting pod network traffic, see [Secure traffic bet
 [kubectl-logs]: https://kubernetes.io/docs/reference/generated/kubectl/kubectl-commands#logs
 [terms-of-use]: https://azure.microsoft.com/support/legal/preview-supplemental-terms/
 [kubernetes-policy-reference]: https://kubernetes.io/docs/concepts/policy/pod-security-policy/#policy-reference
-
 <!-- LINKS - internal -->
 [aks-quickstart-cli]: kubernetes-walkthrough.md
 [aks-quickstart-portal]: kubernetes-walkthrough-portal.md
@@ -474,3 +473,4 @@ For more information about limiting pod network traffic, see [Secure traffic bet
 [az-extension-add]: /cli/azure/extension#az-extension-add
 [az-extension-update]: /cli/azure/extension#az-extension-update
 [policy-samples]: ./policy-reference.md#microsoftcontainerservice
+[azure-policy-add-on]: ../governance/policy/concepts/policy-for-kubernetes.md

articles/automation/shared-resources/schedules.md

@@ -118,7 +118,7 @@ New-AzAutomationSchedule -AutomationAccountName "TestAzureAuto" -Name "1st, 15th
 
 ## Create a schedule with a Resource Manager template
 
-In this example, we use an Automation Resource Manager (ARM) template that creates a new job schedule. For general information about this template to manage Automation job schedules, see [Microsoft.Automation automationAccounts/jobSchedules template reference](/templates/microsoft.automation/automationaccounts/jobschedules#quickstart-templates).
+In this example, we use an Automation Resource Manager (ARM) template that creates a new job schedule. For general information about this template to manage Automation job schedules, see [Microsoft.Automation automationAccounts/jobSchedules template reference](/azure/templates/microsoft.automation/2015-10-31/automationaccounts/jobschedules#quickstart-templates).
 
 Copy this template file into a text editor: