Merge pull request #243858 from MicrosoftDocs/main

Publish to live, Tuesday 4 AM PST, 7/4

Author: ttorble

articles/active-directory/manage-apps/debug-saml-sso-issues.md

@@ -9,13 +9,13 @@ ms.service: active-directory
 ms.subservice: app-mgmt
 ms.topic: troubleshooting
 ms.workload: identity
-ms.date: 05/27/2022
+ms.date: 06/15/2023
 ms.custom: enterprise-apps
 ---
 
 # Debug SAML-based single sign-on to applications
 
-Learn how to find and fix [single sign-on](what-is-single-sign-on.md) issues for applications in Azure Active Directory (Azure AD) that use SAML-based single sign-on.
+In this article, you learn how to find and fix [single sign-on](what-is-single-sign-on.md) issues for applications in Azure Active Directory (Azure AD) that use SAML-based single sign-on.
 
 ## Before you begin
 
@@ -33,10 +33,10 @@ To download and install the My Apps Secure Sign-in Extension, use one of the fol
 To test SAML-based single sign-on between Azure AD and a target application:
 
 1. Sign in to the [Azure portal](https://portal.azure.com) as a global administrator or other administrator that is authorized to manage applications.
-1. In the left blade, select **Azure Active Directory**, and then select **Enterprise applications**.
-1. From the list of enterprise applications, select the application for which you want to test single sign-on, and then from the options on the left select **Single sign-on**.
+1. In the left navigation pane, select **Azure Active Directory**, and then select **Enterprise applications**.
+1. From the list of enterprise applications, select the application for which you want to test single sign-on, and then from the options on the left, select **Single sign-on**.
 1. To open the SAML-based single sign-on testing experience, go to **Test single sign-on** (step 5). If the **Test** button is greyed out, you need to fill out and save the required attributes first in the **Basic SAML Configuration** section.
-1. In the **Test single sign-on** blade, use your corporate credentials to sign in to the target application. You can sign in as the current user or as a different user. If you sign in as a different user, a prompt will ask you to authenticate.
+1. In the **Test single sign-on** page, use your corporate credentials to sign in to the target application. You can sign in as the current user or as a different user. If you sign in as a different user, a prompt asks you to authenticate.
 
     ![Screenshot showing the test SAML SSO page](./media/debug-saml-sso-issues/test-single-sign-on.png)
 
@@ -54,10 +54,10 @@ To debug this error, you need the error message and the SAML request. The My App
 
 ### To resolve the sign-in error with the My Apps Secure Sign-in Extension installed
 
-1. When an error occurs, the extension redirects you back to the Azure AD **Test single sign-on** blade.
-1. On the **Test single sign-on** blade, select **Download the SAML request**.
+1. When an error occurs, the extension redirects you back to the Azure AD **Test single sign-on** page.
+1. On the **Test single sign-on** page, select **Download the SAML request**.
 1. You should see specific resolution guidance based on the error and the values in the SAML request.
-1. You'll see a **Fix it** button to automatically update the configuration in Azure AD to resolve the issue. If you don't see this button, then the sign-in issue isn't due to a misconfiguration on Azure AD.
+1. You see a **Fix it** button to automatically update the configuration in Azure AD to resolve the issue. If you don't see this button, then the sign-in issue isn't due to a misconfiguration on Azure AD.
 
 If no resolution is provided for the sign-in error, we suggest that you use the feedback textbox to inform us.
 
@@ -66,7 +66,7 @@ If no resolution is provided for the sign-in error, we suggest that you use the
 1. Copy the error message at the bottom right corner of the page. The error message includes:
     - A CorrelationID and Timestamp. These values are important when you create a support case with Microsoft because they help the engineers to identify your problem and provide an accurate resolution to your issue.
     - A statement identifying the root cause of the problem.
-1. Go back to Azure AD and find the **Test single sign-on** blade.
+1. Go back to Azure AD and find the **Test single sign-on** page.
 1. In the text box above **Get resolution guidance**, paste the error message.
 1. Select **Get resolution guidance** to display steps for resolving the issue. The guidance might require information from the SAML request or SAML response. If you're not using the  My Apps Secure Sign-in Extension, you might need a tool such as [Fiddler](https://www.telerik.com/fiddler) to retrieve the SAML request and response.
 1. Verify that the destination in the SAML request corresponds to the SAML Single Sign-on Service URL obtained from Azure AD.
@@ -75,13 +75,13 @@ If no resolution is provided for the sign-in error, we suggest that you use the
 
 ## Resolve a sign-in error on the application page
 
-You might sign in successfully and then see an error on the application's page. This occurs when Azure AD issued a token to the application, but the application doesn't accept the response.
+You might sign in successfully and then see an error on the application's page. This error occurs when Azure AD issued a token to the application, but the application doesn't accept the response.
 
 To resolve the error, follow these steps, or watch this [short video about how to use Azure AD to troubleshoot SAML SSO](https://www.youtube.com/watch?v=poQCJK0WPUk&list=PLLasX02E8BPBm1xNMRdvP6GtA6otQUqp0&index=8):
 
 1. If the application is in the Azure AD Gallery, verify that you've followed all the steps for integrating the application with Azure AD. To find the integration instructions for your application, see the [list of SaaS application integration tutorials](../saas-apps/tutorial-list.md).
 1. Retrieve the SAML response.
-    - If the My Apps Secure Sign-in extension is installed, from the **Test single sign-on** blade, select **download the SAML response**.
+    - If the My Apps Secure Sign-in extension is installed, from the **Test single sign-on** page, select **download the SAML response**.
     - If the extension isn't installed, use a tool such as [Fiddler](https://www.telerik.com/fiddler) to retrieve the SAML response.
 1. Notice these elements in the SAML response token:
    - User unique identifier of NameID value and format
@@ -95,4 +95,4 @@ To resolve the error, follow these steps, or watch this [short video about how t
 
 ## Next steps
 
-Now that single sign-on is working to your application, you could [Automate user provisioning and de-provisioning to SaaS applications](../app-provisioning/user-provisioning.md) or [get started with Conditional Access](../conditional-access/app-based-conditional-access.md).
+Now that single sign-on is working to your application, you could [Automate user provisioning and deprovisioning to SaaS applications](../app-provisioning/user-provisioning.md) or [get started with Conditional Access](../conditional-access/app-based-conditional-access.md).

articles/active-directory/manage-apps/howto-saml-token-encryption.md

@@ -8,7 +8,7 @@ ms.service: active-directory
 ms.subservice: app-mgmt
 ms.workload: identity
 ms.topic: conceptual
-ms.date: 07/21/2022
+ms.date: 06/15/2023
 ms.author: jomondi
 ms.reviewer: alamaral
 ms.collection: M365-identity-device-management
@@ -42,8 +42,8 @@ To configure enterprise application's SAML token encryption, follow these steps:
 
     Create an asymmetric key pair to use for encryption. Or, if the application supplies a public key to use for encryption, follow the application's instructions to download the X.509 certificate.
 
-    The public key should be stored in an X.509 certificate file in .cer format.
-
+    The public key should be stored in an X.509 certificate file in .cer format. You can copy the contents of the certificate file to a text editor and save it as a .cer file. The certificate file should contain only the public key and not the private key.
+    
     If the application uses a key that you create for your instance, follow the instructions provided by your application for installing the private key that the application will use to decrypt tokens from your Azure AD tenant.
 
 1. Add the certificate to the application configuration in Azure AD.
@@ -54,7 +54,9 @@ You can add the public cert to your application configuration within the Azure p
 
 1. Go to the [Azure portal](https://portal.azure.com).
 
-1. Go to the **Azure Active Directory > Enterprise applications** blade and then select the application that you wish to configure token encryption for.
+1. Search for and select the **Azure Active Directory**.
+
+1. Select **Enterprise applications** blade and then select the application that you wish to configure token encryption for.
 
 1. On the application's page, select **Token encryption**.
 
@@ -101,8 +103,6 @@ To configure token encryption, follow these steps:
 
 1. In the application's page, select **Manifest** to edit the [application manifest](../develop/reference-app-manifest.md).
 
-1. Set the value for the `tokenEncryptionKeyId` attribute.
-
     The following example shows an application manifest configured with two encryption certificates, and with the second selected as the active one using the tokenEncryptionKeyId.
 
     ```json
@@ -172,7 +172,7 @@ To configure token encryption, follow these steps:
     }  
     ```
 
-# [PowerShell](#tab/azure-powershell)
+# [Azure AD PowerShell](#tab/azuread-powershell)
 
 1. Use the latest Azure AD PowerShell module to connect to your tenant.
 
@@ -190,7 +190,29 @@ To configure token encryption, follow these steps:
     $app.TokenEncryptionKeyId
     ```
 
+# [Microsoft Graph PowerShell](#tab/msgraph-powershell)
 
+1. Use the Microsoft Graph PowerShell module to connect to your tenant.
+
+1. Set the token encryption settings using the **[Update-MgApplication](/powershell/module/microsoft.graph.applications/update-mgapplication?view=graph-powershell-1.0&preserve-view=true)** command.
+
+    ```powershell
+
+    Update-MgApplication -ApplicationId <ApplicationObjectId> -KeyCredentials "<KeyCredentialsObject>"  -TokenEncryptionKeyId <keyID>
+
+    ```
+
+1. Read the token encryption settings using the following commands.
+
+    ```powershell
+
+    $app=Get-MgApplication -ApplicationId <ApplicationObjectId>
+
+    $app.KeyCredentials
+
+    $app.TokenEncryptionKeyId
+
+    ```
 # [Microsoft Graph](#tab/microsoft-graph)
 
 1. Update the application's `keyCredentials` with an X.509 certificate for encryption. The following example shows a Microsoft Graph JSON payload with a collection of key credentials associated with the application.
@@ -221,7 +243,6 @@ To configure token encryption, follow these steps:
 
 ---
 
-
 ## Next steps
 
 * Find out [How Azure AD uses the SAML protocol](../develop/active-directory-saml-protocol-reference.md)

articles/active-directory/manage-apps/whats-new-docs.md

@@ -1,7 +1,7 @@
 ---
 title: "What's new in Azure Active Directory application management"
 description: "New and updated documentation for the Azure Active Directory application management."
-ms.date: 06/06/2023
+ms.date: 07/04/2023
 ms.service: active-directory
 ms.subservice: app-mgmt
 ms.topic: reference
@@ -15,6 +15,21 @@ manager: CelesteDG
 
 Welcome to what's new in Azure Active Directory (Azure AD) application management documentation. This article lists new docs that have been added and those that have had significant updates in the last three months. To learn what's new with the application management service, see [What's new in Azure AD](../fundamentals/whats-new.md).
 
+## June 2023
+
+### Updated articles
+
+- [Manage consent to applications and evaluate consent requests](manage-consent-requests.md)
+- [Plan application migration to Azure Active Directory](migrate-adfs-apps-phases-overview.md)
+- [Tutorial: Configure Secure Hybrid Access with Azure Active Directory and Silverfort](silverfort-integration.md)
+- [Tutorial: Migrate your applications from Okta to Azure Active Directory](migrate-applications-from-okta.md)
+- [Tutorial: Configure Datawiza to enable Azure Active Directory Multi-Factor Authentication and single sign-on to Oracle JD Edwards](datawiza-sso-oracle-jde.md)
+- [Tutorial: Configure Datawiza to enable Azure Active Directory Multi-Factor Authentication and single sign-on to Oracle PeopleSoft](datawiza-sso-oracle-peoplesoft.md)
+- [Tutorial: Configure Cloudflare with Azure Active Directory for secure hybrid access](cloudflare-integration.md)
+- [Configure Datawiza for Azure AD Multi-Factor Authentication and single sign-on to Oracle EBS](datawiza-sso-mfa-oracle-ebs.md)
+- [Tutorial: Configure F5 BIG-IP Access Policy Manager for Kerberos authentication](f5-big-ip-kerberos-advanced.md)
+- [Tutorial: Configure F5 BIG-IP Easy Button for Kerberos single sign-on](f5-big-ip-kerberos-easy-button.md)
+
 ## May 2023
 
 ### New articles
@@ -48,18 +63,3 @@ Welcome to what's new in Azure Active Directory (Azure AD) application managemen
 - [Configure F5 BIG-IP Access Policy Manager for form-based SSO](f5-big-ip-forms-advanced.md)
 - [Tutorial: Configure F5 BIG-IP Easy Button for SSO to Oracle EBS](f5-big-ip-oracle-enterprise-business-suite-easy-button.md)
 - [Tutorial: Configure F5 BIG-IP Access Policy Manager for header-based single sign-on](f5-big-ip-header-advanced.md)
-## March 2023
-
-### Updated articles
-
-- [Move application authentication to Azure Active Directory](migrate-adfs-apps-to-azure.md)
-- [Quickstart: Create and assign a user account](add-application-portal-assign-users.md)
-- [Configure sign-in behavior using Home Realm Discovery](configure-authentication-for-federated-users-portal.md)
-- [Disable auto-acceleration sign-in](prevent-domain-hints-with-home-realm-discovery.md)
-- [Review permissions granted to enterprise applications](manage-application-permissions.md)
-- [Migrate application authentication to Azure Active Directory](migrate-application-authentication-to-azure-active-directory.md)
-- [Configure permission classifications](configure-permission-classifications.md)
-- [Restrict access to a tenant](tenant-restrictions.md)
-- [Tutorial: Migrate Okta sign-on policies to Azure Active Directory Conditional Access](migrate-okta-sign-on-policies-to-azure-active-directory-conditional-access.md)
-- [Delete an enterprise application](delete-application-portal.md)
-- [Restore an enterprise application in Azure AD](restore-application.md)