Merging changes synced from https://github.com/MicrosoftDocs/azure-docs-pr (branch live)

Author: Banani-Rath

articles/active-directory/develop/access-tokens.md

@@ -9,7 +9,7 @@ ms.service: active-directory
 ms.subservice: develop
 ms.workload: identity
 ms.topic: conceptual
-ms.date: 3/2/2020
+ms.date: 3/27/2020
 ms.author: ryanwi
 ms.reviewer: hirsin
 ms.custom: aaddev, identityplatformtop40, fasttrack-edit
@@ -256,7 +256,7 @@ Refresh tokens can be revoked by the server due to a change in credentials, or d
 | User does SSPR | Revoked | Revoked | Stays alive | Stays alive | Stays alive |
 | Admin resets password | Revoked | Revoked | Stays alive | Stays alive | Stays alive |
 | User revokes their refresh tokens [via PowerShell](https://docs.microsoft.com/powershell/module/azuread/revoke-azureadsignedinuserallrefreshtoken) | Revoked | Revoked | Revoked | Revoked | Revoked |
-| Admin revokes all refresh tokens for the tenant [via PowerShell](https://docs.microsoft.com/powershell/module/azuread/revoke-azureaduserallrefreshtoken) | Revoked | Revoked |Revoked | Revoked | Revoked |
+| Admin revokes all refresh tokens for a user [via PowerShell](https://docs.microsoft.com/powershell/module/azuread/revoke-azureaduserallrefreshtoken) | Revoked | Revoked |Revoked | Revoked | Revoked |
 | Single sign-out ([v1.0](../azuread-dev/v1-protocols-openid-connect-code.md#single-sign-out), [v2.0](v2-protocols-oidc.md#single-sign-out) ) on web | Revoked | Stays alive | Revoked | Stays alive | Stays alive |
 
 > [!NOTE]

articles/active-directory/develop/reference-app-manifest.md

@@ -88,6 +88,9 @@ This risk detection type considers past sign-in locations (IP, Latitude / Longit
 
 Identity Protection detects sign-ins from unfamiliar locations also for basic authentication / legacy protocols. Because these protocols do not have modern familiar features such as client id, there is not enough telemetry to reduce false positives. To reduce the number of detected risk detections, you should move to modern authentication.   
 
+> [!NOTE]
+> If the login username and password do not match, the sign-in will fail and the risk detection does not occur. Sign-in from unfamiliar location risk detections only are triggered on succesful logins.
+
 ### Sign-ins from infected devices
 
 This risk detection type identifies sign-ins from devices infected with malware, that are known to actively communicate with a bot server. This is determined by correlating IP addresses of the user’s device against IP addresses that were in contact with a bot server. 

articles/active-directory/reports-monitoring/concept-risk-events.md

@@ -12,9 +12,8 @@ ms.service: active-directory
 ms.subservice: saas-app-tutorial
 ms.workload: identity
 ms.tgt_pltfrm: na
-ms.devlang: na
 ms.topic: tutorial
-ms.date: 10/24/2019
+ms.date: 03/27/2020
 ms.author: jeedes
 
 ms.collection: M365-identity-device-management
@@ -27,7 +26,7 @@ In this tutorial, you'll learn how to integrate Atlassian Cloud with Azure Activ
 * Enable your users to be automatically signed-in to Atlassian Cloud with their Azure AD accounts.
 * Manage your accounts in one central location - the Azure portal.
 
-To learn more about SaaS app integration with Azure AD, see [What is application access and single sign-on with Azure Active Directory](https://docs.microsoft.com/azure/active-directory/active-directory-appssoaccess-whatis).
+To learn more about SaaS app integration with Azure AD, see [What is application access and single sign-on with Azure Active Directory](https://docs.microsoft.com/azure/active-directory/manage-apps/what-is-single-sign-on).
 
 ## Prerequisites
 
@@ -43,7 +42,7 @@ In this tutorial, you configure and test Azure AD SSO in a test environment.
 
 * Atlassian Cloud supports **SP and IDP** initiated SSO
 * Atlassian Cloud supports [Automatic user provisioning and deprovisioning](atlassian-cloud-provisioning-tutorial.md)
-
+* Once you configure Atlassian Cloud you can enforce session control, which protect exfiltration and infiltration of your organization’s sensitive data in real-time. Session control extend from Conditional Access. [Learn how to enforce session control with Microsoft Cloud App Security](https://docs.microsoft.com/cloud-app-security/proxy-deployment-any-app).
 ## Adding Atlassian Cloud from the gallery
 
 To configure the integration of Atlassian Cloud into Azure AD, you need to add Atlassian Cloud from the gallery to your list of managed SaaS apps.
@@ -91,7 +90,7 @@ Follow these steps to enable Azure AD SSO in the Azure portal.
     `https://<instancename>.atlassian.net`
 
     > [!NOTE]
-    > The preceding values are not real. Update these values with the actual identifier and reply URL. You will get these real values from the **Atlassian Cloud SAML Configuration** screen which is explained later in the **Configure Atlassian Cloud Single Sign-On** of tutorial.
+    > The preceding values are not real. Update these values with the actual identifier and reply URL. You will get these real values from the **Atlassian Cloud SAML Configuration** screen which is explained later at step 7 of **Configure Atlassian Cloud SSO** in the tutorial.
 
 1. Click **Set additional URLs** and perform the following step if you wish to configure the application in **SP** initiated mode:
 
@@ -221,8 +220,12 @@ When you select the Atlassian Cloud tile in the Access Panel, you should be auto
 
 - [List of Tutorials on How to Integrate SaaS Apps with Azure Active Directory](https://docs.microsoft.com/azure/active-directory/active-directory-saas-tutorial-list)
 
-- [What is application access and single sign-on with Azure Active Directory?](https://docs.microsoft.com/azure/active-directory/active-directory-appssoaccess-whatis)
+- [What is application access and single sign-on with Azure Active Directory?](https://docs.microsoft.com/azure/active-directory/manage-apps/what-is-single-sign-on)
 
 - [What is conditional access in Azure Active Directory?](https://docs.microsoft.com/azure/active-directory/conditional-access/overview)
 
 - [Try Atlassian Cloud with Azure AD](https://aad.portal.azure.com/)
+
+- [What is session control in Microsoft Cloud App Security?](https://docs.microsoft.com/cloud-app-security/proxy-intro-aad)
+
+- [How to protect Atlassian Cloud with advanced visibility and controls](https://docs.microsoft.com/cloud-app-security/proxy-intro-aad)

articles/active-directory/saas-apps/atlassian-cloud-tutorial.md

@@ -0,0 +1,205 @@
+---
+title: 'Tutorial: Azure Active Directory single sign-on (SSO) integration with Cisco AnyConnect | Microsoft Docs'
+description: Learn how to configure single sign-on between Azure Active Directory and Cisco AnyConnect.
+services: active-directory
+documentationCenter: na
+author: jeevansd
+manager: mtillman
+ms.reviewer: barbkess
+
+ms.assetid: 46f327d0-21fb-4914-be71-9e444f247ebe
+ms.service: active-directory
+ms.subservice: saas-app-tutorial
+ms.workload: identity
+ms.tgt_pltfrm: na
+ms.topic: tutorial
+ms.date: 03/26/2020
+ms.author: jeedes
+
+ms.collection: M365-identity-device-management
+---
+
+# Tutorial: Azure Active Directory single sign-on (SSO) integration with Cisco AnyConnect
+
+In this tutorial, you'll learn how to integrate Cisco AnyConnect with Azure Active Directory (Azure AD). When you integrate Cisco AnyConnect with Azure AD, you can:
+
+* Control in Azure AD who has access to Cisco AnyConnect.
+* Enable your users to be automatically signed-in to Cisco AnyConnect with their Azure AD accounts.
+* Manage your accounts in one central location - the Azure portal.
+
+To learn more about SaaS app integration with Azure AD, see [What is application access and single sign-on with Azure Active Directory](https://docs.microsoft.com/azure/active-directory/manage-apps/what-is-single-sign-on).
+
+## Prerequisites
+
+To get started, you need the following items:
+
+* An Azure AD subscription. If you don't have a subscription, you can get a [free account](https://azure.microsoft.com/free/).
+* Cisco AnyConnect single sign-on (SSO) enabled subscription.
+
+## Scenario description
+
+In this tutorial, you configure and test Azure AD SSO in a test environment.
+
+* Cisco AnyConnect supports **IDP** initiated SSO
+* Once you configure Cisco AnyConnect you can enforce session control, which protect exfiltration and infiltration of your organization’s sensitive data in real-time. Session control extend from Conditional Access. [Learn how to enforce session control with Microsoft Cloud App Security](https://docs.microsoft.com/cloud-app-security/proxy-deployment-any-app).
+
+## Adding Cisco AnyConnect from the gallery
+
+To configure the integration of Cisco AnyConnect into Azure AD, you need to add Cisco AnyConnect from the gallery to your list of managed SaaS apps.
+
+1. Sign in to the [Azure portal](https://portal.azure.com) using either a work or school account, or a personal Microsoft account.
+1. On the left navigation pane, select the **Azure Active Directory** service.
+1. Navigate to **Enterprise Applications** and then select **All Applications**.
+1. To add new application, select **New application**.
+1. In the **Add from the gallery** section, type **Cisco AnyConnect** in the search box.
+1. Select **Cisco AnyConnect** from results panel and then add the app. Wait a few seconds while the app is added to your tenant.
+
+## Configure and test Azure AD single sign-on for Cisco AnyConnect
+
+Configure and test Azure AD SSO with Cisco AnyConnect using a test user called **B.Simon**. For SSO to work, you need to establish a link relationship between an Azure AD user and the related user in Cisco AnyConnect.
+
+To configure and test Azure AD SSO with Cisco AnyConnect, complete the following building blocks:
+
+1. **[Configure Azure AD SSO](#configure-azure-ad-sso)** - to enable your users to use this feature.
+    1. **[Create an Azure AD test user](#create-an-azure-ad-test-user)** - to test Azure AD single sign-on with B.Simon.
+    1. **[Assign the Azure AD test user](#assign-the-azure-ad-test-user)** - to enable B.Simon to use Azure AD single sign-on.
+1. **[Configure Cisco AnyConnect SSO](#configure-cisco-anyconnect-sso)** - to configure the single sign-on settings on application side.
+    1. **[Create Cisco AnyConnect test user](#create-cisco-anyconnect-test-user)** - to have a counterpart of B.Simon in Cisco AnyConnect that is linked to the Azure AD representation of user.
+1. **[Test SSO](#test-sso)** - to verify whether the configuration works.
+
+## Configure Azure AD SSO
+
+Follow these steps to enable Azure AD SSO in the Azure portal.
+
+1. In the [Azure portal](https://portal.azure.com/), on the **Cisco AnyConnect** application integration page, find the **Manage** section and select **single sign-on**.
+1. On the **Select a single sign-on method** page, select **SAML**.
+1. On the **Set up single sign-on with SAML** page, click the edit/pen icon for **Basic SAML Configuration** to edit the settings.
+
+   ![Edit Basic SAML Configuration](common/edit-urls.png)
+
+1. On the **Set up single sign-on with SAML** page, enter the values for the following fields:
+
+    a. In the **Identifier** text box, type a URL using the following pattern:
+    `< YOUR CISCO ANYCONNECT VPN VALUE >`
+
+    b. In the **Reply URL** text box, type a URL using the following pattern:
+    `< YOUR CISCO ANYCONNECT VPN VALUE >`
+
+    > [!NOTE]
+	> These values are not real. Update these values with the actual Identifier and Reply URL. Contact [Cisco AnyConnect Client support team](https://www.cisco.com/c/en/us/support/index.html) to get these values. You can also refer to the patterns shown in the **Basic SAML Configuration** section in the Azure portal.
+
+1. On the **Set up single sign-on with SAML** page, in the **SAML Signing Certificate** section,  find **Certificate (Base64)** and select **Download** to download the certificate file and save it on your computer.
+
+	![The Certificate download link](common/certificatebase64.png)
+
+1. On the **Set up Cisco AnyConnect** section, copy the appropriate URL(s) based on your requirement.
+
+	![Copy configuration URLs](common/copy-configuration-urls.png)
+
+### Create an Azure AD test user
+
+In this section, you'll create a test user in the Azure portal called B.Simon.
+
+1. From the left pane in the Azure portal, select **Azure Active Directory**, select **Users**, and then select **All users**.
+1. Select **New user** at the top of the screen.
+1. In the **User** properties, follow these steps:
+   1. In the **Name** field, enter `B.Simon`.  
+   1. In the **User name** field, enter the [email protected]. For example, `[email protected]`.
+   1. Select the **Show password** check box, and then write down the value that's displayed in the **Password** box.
+   1. Click **Create**.
+
+### Assign the Azure AD test user
+
+In this section, you'll enable B.Simon to use Azure single sign-on by granting access to Cisco AnyConnect.
+
+1. In the Azure portal, select **Enterprise Applications**, and then select **All applications**.
+1. In the applications list, select **Cisco AnyConnect**.
+1. In the app's overview page, find the **Manage** section and select **Users and groups**.
+
+   ![The "Users and groups" link](common/users-groups-blade.png)
+
+1. Select **Add user**, then select **Users and groups** in the **Add Assignment** dialog.
+
+	![The Add User link](common/add-assign-user.png)
+
+1. In the **Users and groups** dialog, select **B.Simon** from the Users list, then click the **Select** button at the bottom of the screen.
+1. If you're expecting any role value in the SAML assertion, in the **Select Role** dialog, select the appropriate role for the user from the list and then click the **Select** button at the bottom of the screen.
+1. In the **Add Assignment** dialog, click the **Assign** button.
+
+## Configure Cisco AnyConnect SSO
+
+1. You are going to do this on the CLI first, you might come back through and do an ASDM walk-through at another time.
+
+1. Connect to your VPN Appliance, you are going to be using an ASA running 9.8 code train, and your VPN clients will be 4.6+.
+
+1. First you will create a Trustpoint and import our SAML cert.
+
+   ```
+    config t
+
+    crypto ca trustpoint AzureAD-AC-SAML
+      revocation-check none
+      no id-usage
+      enrollment terminal
+      no ca-check
+    crypto ca authenticate AzureAD-AC-SAML
+    -----BEGIN CERTIFICATE-----
+    …
+    PEM Certificate Text from download goes here
+    …
+    -----END CERTIFICATE-----
+    quit
+   ```
+
+1. The following commands will provision your SAML IdP.
+
+   ```
+    webvpn
+    saml idp https://sts.windows.net/xxxxxxxxxxxxx/ (This is your Azure AD Identifier from the Set up Cisco AnyConnect section in the Azure portal)
+    url sign-in https://login.microsoftonline.com/xxxxxxxxxxxxxxxxxxxxxx/saml2 (This is your Login URL from the Set up Cisco AnyConnect section in the Azure portal)
+    url sign-out https://login.microsoftonline.com/common/wsfederation?wa=wsignout1.0 (This is Logout URL from the Set up Cisco AnyConnect section in the Azure portal)
+    trustpoint idp AzureAD-AC-SAML
+    trustpoint sp (Trustpoint for SAML Requests - you can use your existing external cert here)
+    no force re-authentication
+    no signature
+    base-url https://my.asa.com
+    ```
+
+1. Now you can apply SAML Authentication to a VPN Tunnel Configuration.
+
+    ```
+    tunnel-group AC-SAML webvpn-attributes
+      saml identity-provider https://sts.windows.net/xxxxxxxxxxxxx/
+      authentication saml
+    end
+
+    write mem
+    ```
+
+    > [!NOTE]
+    > There is a feature with the SAML IdP configuration - If you make changes to the IdP config you need to remove the saml identity-provider config from your Tunnel Group and re-apply it for the changes to become effective.
+
+### Create Cisco AnyConnect test user
+
+In this section, you create a user called Britta Simon in Cisco AnyConnect. Work with [Cisco AnyConnect support team](https://www.cisco.com/c/en/us/support/index.html) to add the users in the Cisco AnyConnect platform. Users must be created and activated before you use single sign-on.
+
+## Test SSO 
+
+In this section, you test your Azure AD single sign-on configuration using the Access Panel.
+
+When you click the Cisco AnyConnect tile in the Access Panel, you should be automatically signed in to the Cisco AnyConnect for which you set up SSO. For more information about the Access Panel, see [Introduction to the Access Panel](https://docs.microsoft.com/azure/active-directory/active-directory-saas-access-panel-introduction).
+
+## Additional resources
+
+- [ List of Tutorials on How to Integrate SaaS Apps with Azure Active Directory ](https://docs.microsoft.com/azure/active-directory/active-directory-saas-tutorial-list)
+
+- [What is application access and single sign-on with Azure Active Directory? ](https://docs.microsoft.com/azure/active-directory/active-directory-appssoaccess-whatis)
+
+- [What is conditional access in Azure Active Directory?](https://docs.microsoft.com/azure/active-directory/conditional-access/overview)
+
+- [Try Cisco AnyConnect with Azure AD](https://aad.portal.azure.com/)
+
+- [What is session control in Microsoft Cloud App Security?](https://docs.microsoft.com/cloud-app-security/proxy-intro-aad)
+
+- [How to protect Cisco AnyConnect with advanced visibility and controls](https://docs.microsoft.com/cloud-app-security/proxy-intro-aad)
+