MicrosoftDocs
diff --git a/‎.openpublishing.redirection.json
Lines changed: 26 additions & 531 deletions b/‎.openpublishing.redirection.json
Lines changed: 26 additions & 531 deletions
diff --git a/‎articles/active-directory-domain-services/faqs.md
Lines changed: 4 additions & 0 deletions b/‎articles/active-directory-domain-services/faqs.md
Lines changed: 4 additions & 0 deletions
diff --git a/‎articles/active-directory/b2b/direct-federation.md
Lines changed: 4 additions & 1 deletion b/‎articles/active-directory/b2b/direct-federation.md
Lines changed: 4 additions & 1 deletion
diff --git a/‎articles/active-directory/conditional-access/service-dependencies.md
Lines changed: 3 additions & 0 deletions b/‎articles/active-directory/conditional-access/service-dependencies.md
Lines changed: 3 additions & 0 deletions
diff --git a/‎articles/active-directory/develop/registration-config-how-to.md
Lines changed: 13 additions & 14 deletions b/‎articles/active-directory/develop/registration-config-how-to.md
Lines changed: 13 additions & 14 deletions
diff --git a/‎articles/active-directory/fundamentals/customize-branding.md
Lines changed: 4 additions & 4 deletions b/‎articles/active-directory/fundamentals/customize-branding.md
Lines changed: 4 additions & 4 deletions
diff --git a/‎articles/active-directory/saas-apps/change-process-management-tutorial.md
Lines changed: 155 additions & 0 deletions b/‎articles/active-directory/saas-apps/change-process-management-tutorial.md
Lines changed: 155 additions & 0 deletions
@@ -87,6 +87,7 @@ Yes. Each Azure AD Domain Services managed domain includes two domain controller
 * [Can I modify or add DNS records in my managed domain?](#can-i-modify-or-add-dns-records-in-my-managed-domain)
 * [What is the password lifetime policy on a managed domain?](#what-is-the-password-lifetime-policy-on-a-managed-domain)
 * [Does Azure AD Domain Services provide AD account lockout protection?](#does-azure-ad-domain-services-provide-ad-account-lockout-protection)
+* [Can I configure Distributed File System (DFS) and replication within Azure AD Domain Services?](#can-i-configure-distributed-file-system-and-replication-within-azure-ad-domain-services)
 
 ### Can I connect to the domain controller for my managed domain using Remote Desktop?
 No. You don't have permissions to connect to domain controllers for the managed domain using Remote Desktop. Members of the *AAD DC Administrators* group can administer the managed domain using AD administration tools such as the Active Directory Administration Center (ADAC) or AD PowerShell. These tools are installed using the *Remote Server Administration Tools* feature on a Windows server joined to the managed domain. For more information, see [Create a management VM to configure and administer an Azure AD Domain Services managed domain](tutorial-create-management-vm.md).
@@ -115,6 +116,9 @@ The default password lifetime on an Azure AD Domain Services managed domain is 9
 ### Does Azure AD Domain Services provide AD account lockout protection?
 Yes. Five invalid password attempts within 2 minutes on the managed domain cause a user account to be locked out for 30 minutes. After 30 minutes, the user account is automatically unlocked. Invalid password attempts on the managed domain don't lock out the user account in Azure AD. The user account is locked out only within your Azure AD Domain Services managed domain. For more information, see [Password and account lockout policies on managed domains](password-policy.md).
 
+### Can I configure Distributed File System and replication within Azure AD Domain Services?
+No. Distributed File System (DFS) and replication aren't available when using Azure AD Domain Services.
+
 ## Billing and availability
 
 * [Is Azure AD Domain Services a paid service?](#is-azure-ad-domain-services-a-paid-service)
 
@@ -6,7 +6,7 @@ services: active-directory
 ms.service: active-directory
 ms.subservice: B2B
 ms.topic: conceptual
-ms.date: 02/27/2019
+ms.date: 05/07/2020
 
 ms.author: mimart
 author: msmimart
@@ -47,10 +47,13 @@ The domain you want to federate with must ***not*** be DNS-verified in Azure AD.
 
 ### Authentication URL
 Direct federation is only allowed for policies where the authentication URL’s domain matches the target domain, or where the authentication URL is one of these allowed identity providers (this list is subject to change):
+
 -	accounts.google.com
 -	pingidentity.com
 -	login.pingone.com
 -	okta.com
+-	oktapreview.com
+-	okta-emea.com
 -	my.salesforce.com
 -	federation.exostar.com
 -	federation.exostartest.com
 
@@ -22,6 +22,9 @@ With Conditional Access policies, you can specify access requirements to website
 
 When you access a site or service directly, the impact of a related policy is typically easy to assess. For example, if you have a policy that requires multi-factor authentication (MFA) for SharePoint Online configured, MFA is enforced for each sign-in to the SharePoint web portal. However, it is not always straight-forward to assess the impact of a policy because there are cloud apps with dependencies to other cloud apps. For example, Microsoft Teams can provide access to resources in SharePoint Online. So, when you access Microsoft Teams in our current scenario, you are also subject to the SharePoint MFA policy. 
 
+> [!TIP]
+> Using the [Office 365 (preview)](concept-conditional-access-cloud-apps.md#office-365-preview) app will target all Office apps to avoid issues with service dependencies in the Office stack.
+
 ## Policy enforcement 
 
 If you have a service dependency configured, the policy may be applied using early-bound or late-bound enforcement. 
 
@@ -1,6 +1,7 @@
 ---
-title: Configure endpoints
-description: How to find the authentication endpoints for a custom application you are developing or registering with Azure AD.
+title: Get the endpoints for an Azure AD app registration
+titleSuffix: Microsoft identity platform
+description: How to find the authentication endpoints for a custom application you're developing or registering with Azure AD.
 services: active-directory
 author: rwike77
 manager: CelesteDG
@@ -10,26 +11,24 @@ ms.subservice: develop
 ms.custom: aaddev 
 ms.workload: identity
 ms.topic: conceptual
-ms.date: 07/15/2019
+ms.date: 05/07/2020
 ms.author: ryanwi
-
 ---
 
-# How to configure endpoints
+# How to discover endpoints
 
 You can find the authentication endpoints for your application in the [Azure portal](https://portal.azure.com).
 
--   Navigate to the [Azure portal](https://portal.azure.com).
-
--   From the left navigation pane, click **Azure Active Directory**.
-
--   Click **App Registrations** and choose **Endpoints**.
+1. Sign in to the [Azure portal](https://portal.azure.com).
+1. Select **Azure Active Directory**.
+1. Under **Manage**, select **App registrations**, and then select **Endpoints** in the top menu.
 
--   This open up the **Endpoints** page, which list all the authentication endpoints for your tenant.
-
--   Use the endpoint specific to the authentication protocol you are using, in conjunction with the application ID to craft the authentication request specific to your application.
+    The **Endpoints** page is displayed, showing the authentication endpoints for your tenant.
+    
+    Use the endpoint that matches the authentication protocol you're using in conjunction with the **Application (client) ID** to craft the authentication request specific to your application.
 
 **National clouds** (for example Azure AD China, Germany, and US Government) have their own app registration portal and Azure AD authentication endpoints. Learn more in the [National clouds overview](authentication-national-cloud.md).
 
 ## Next steps
-[Azure Active Directory developer's guide](https://docs.microsoft.com/azure/active-directory/develop/active-directory-developers-guide)
+
+For more information about endpoints in the different Azure environments, see the [National clouds overview](authentication-national-cloud.md).
@@ -9,7 +9,7 @@ ms.service: active-directory
 ms.workload: identity
 ms.subservice: fundamentals
 ms.topic: conceptual
-ms.date: 09/18/2018
+ms.date: 05/07/2020
 ms.author: ajburnle
 ms.reviewer: kexia
 ms.custom: "it-pro, seodec18, fasttrack-edit"
@@ -48,17 +48,17 @@ Your custom branding won't immediately appear when your users go to sites such a
 
         - **Language.** The language is automatically set as your default and can't be changed.
 
-        - **Sign-in page background image.** Select a .png or .jpg image file to appear as the background for your sign-in pages. 
+        - **Sign-in page background image.** Select a .png or .jpg image file to appear as the background for your sign-in pages. The image will be anchored to the center of the browser, and will scale to the size of the viewable space. You can't select an image larger than 1920x1080 pixels in size or that has a file size more than 300 KB.
 
-            The image can't be larger than 1920x1080 pixels in size and must have a file size of less than 300 KB.
+            It's recommended to use images without a strong subject focus, e.g., an opaque white box appears in the center of the screen, and could cover any part of the image depending on the dimensions of the viewable space.
 
         - **Banner logo.** Select a .png or .jpg version of your logo to appear on the sign-in page after the user enters a username and on the **My Apps** portal page.
 
             The image can't be taller than 60 pixels or wider than 280 pixels. We recommend using a transparent image since the background might not match your logo background. We also recommend not adding padding around the image or it might make your logo look small.
 
         - **Username hint.** Type the hint text that appears to users if they forget their username. This text must be Unicode, without links or code, and can't exceed 64 characters. If guests sign in to your app, we suggest not adding this hint.
 
-        - **Sign-in page text.** Type the text that appears on the bottom of the sign-in page. You can use this text to communicate additional information, such as the phone number to your help desk or a legal statement. This text must be Unicode and not exceed 256 characters. We also suggest not including links or HTML tags.
+        - **Sign-in page text.** Type the text that appears on the bottom of the sign-in page. You can use this text to communicate additional information, such as the phone number to your help desk or a legal statement. This text must be Unicode and not exceed 256 characters.
 
     - **Advanced settings**
 
 
@@ -0,0 +1,155 @@
+---
+title: 'Tutorial: Azure Active Directory single sign-on (SSO) integration with Change Process Management | Microsoft Docs'
+description: Learn how to configure single sign-on between Azure Active Directory and Change Process Management.
+services: active-directory
+documentationCenter: na
+author: jeevansd
+manager: mtillman
+ms.reviewer: barbkess
+
+ms.assetid: d1215e3d-44f6-477d-9d94-bec0c9ebdbb0
+ms.service: active-directory
+ms.subservice: saas-app-tutorial
+ms.workload: identity
+ms.tgt_pltfrm: na
+ms.topic: tutorial
+ms.date: 05/07/2020
+ms.author: jeedes
+
+ms.collection: M365-identity-device-management
+---
+
+# Tutorial: Azure Active Directory single sign-on (SSO) integration with Change Process Management
+
+In this tutorial, you'll learn how to integrate Change Process Management with Azure Active Directory (Azure AD). When you integrate Change Process Management with Azure AD, you can:
+
+* Control in Azure AD who has access to Change Process Management.
+* Enable your users to be automatically signed-in to Change Process Management with their Azure AD accounts.
+* Manage your accounts in one central location - the Azure portal.
+
+To learn more about SaaS app integration with Azure AD, see [What is application access and single sign-on with Azure Active Directory](https://docs.microsoft.com/azure/active-directory/manage-apps/what-is-single-sign-on).
+
+## Prerequisites
+
+To get started, you need the following items:
+
+* An Azure AD subscription. If you don't have a subscription, you can get a [free account](https://azure.microsoft.com/free/).
+* Change Process Management single sign-on (SSO) enabled subscription.
+
+## Scenario description
+
+In this tutorial, you configure and test Azure AD SSO in a test environment.
+
+* Change Process Management supports **IDP** initiated SSO
+* Once you configure Change Process Management you can enforce session control, which protect exfiltration and infiltration of your organization’s sensitive data in real-time. Session control extend from Conditional Access. [Learn how to enforce session control with Microsoft Cloud App Security](https://docs.microsoft.com/cloud-app-security/proxy-deployment-any-app).
+
+## Adding Change Process Management from the gallery
+
+To configure the integration of Change Process Management into Azure AD, you need to add Change Process Management from the gallery to your list of managed SaaS apps.
+
+1. Sign in to the [Azure portal](https://portal.azure.com) using either a work or school account, or a personal Microsoft account.
+1. On the left navigation pane, select the **Azure Active Directory** service.
+1. Navigate to **Enterprise Applications** and then select **All Applications**.
+1. To add new application, select **New application**.
+1. In the **Add from the gallery** section, type **Change Process Management** in the search box.
+1. Select **Change Process Management** from results panel and then add the app. Wait a few seconds while the app is added to your tenant.
+
+## Configure and test Azure AD single sign-on for Change Process Management
+
+Configure and test Azure AD SSO with Change Process Management using a test user called **B.Simon**. For SSO to work, you need to establish a link relationship between an Azure AD user and the related user in Change Process Management.
+
+To configure and test Azure AD SSO with Change Process Management, complete the following building blocks:
+
+1. **[Configure Azure AD SSO](#configure-azure-ad-sso)** - to enable your users to use this feature.
+    1. **[Create an Azure AD test user](#create-an-azure-ad-test-user)** - to test Azure AD single sign-on with B.Simon.
+    1. **[Assign the Azure AD test user](#assign-the-azure-ad-test-user)** - to enable B.Simon to use Azure AD single sign-on.
+1. **[Configure Change Process Management SSO](#configure-change-process-management-sso)** - to configure the single sign-on settings on application side.
+    1. **[Create Change Process Management test user](#create-change-process-management-test-user)** - to have a counterpart of B.Simon in Change Process Management that is linked to the Azure AD representation of user.
+1. **[Test SSO](#test-sso)** - to verify whether the configuration works.
+
+## Configure Azure AD SSO
+
+Follow these steps to enable Azure AD SSO in the Azure portal.
+
+1. In the [Azure portal](https://portal.azure.com/), on the **Change Process Management** application integration page, find the **Manage** section and select **single sign-on**.
+1. On the **Select a single sign-on method** page, select **SAML**.
+1. On the **Set up single sign-on with SAML** page, click the edit/pen icon for **Basic SAML Configuration** to edit the settings.
+
+   ![Edit Basic SAML Configuration](common/edit-urls.png)
+
+1. On the **Set up single sign-on with SAML** page, enter the values for the following fields:
+
+    a. In the **Identifier** text box, type a URL using the following pattern:
+    `https://<hostname>:8443/`
+
+    b. In the **Reply URL** text box, type a URL using the following pattern:
+    `https://<hostname>:8443/changepilot/saml/sso`
+
+	> [!NOTE]
+	> These values are not real. Update these values with the actual Identifier and Reply URL. Contact [Change Process Management Client support team](mailto:[email protected]) to get these values. You can also refer to the patterns shown in the **Basic SAML Configuration** section in the Azure portal.
+
+1. On the **Set up single sign-on with SAML** page, in the **SAML Signing Certificate** section,  find **Certificate (Base64)** and select **Download** to download the certificate and save it on your computer.
+
+	![The Certificate download link](common/certificatebase64.png)
+
+1. On the **Set up Change Process Management** section, copy the appropriate URL(s) based on your requirement.
+
+	![Copy configuration URLs](common/copy-configuration-urls.png)
+
+### Create an Azure AD test user
+
+In this section, you'll create a test user in the Azure portal called B.Simon.
+
+1. From the left pane in the Azure portal, select **Azure Active Directory**, select **Users**, and then select **All users**.
+1. Select **New user** at the top of the screen.
+1. In the **User** properties, follow these steps:
+   1. In the **Name** field, enter `B.Simon`.  
+   1. In the **User name** field, enter the [email protected]. For example, `[email protected]`.
+   1. Select the **Show password** check box, and then write down the value that's displayed in the **Password** box.
+   1. Click **Create**.
+
+### Assign the Azure AD test user
+
+In this section, you'll enable B.Simon to use Azure single sign-on by granting access to Change Process Management.
+
+1. In the Azure portal, select **Enterprise Applications**, and then select **All applications**.
+1. In the applications list, select **Change Process Management**.
+1. In the app's overview page, find the **Manage** section and select **Users and groups**.
+
+   ![The "Users and groups" link](common/users-groups-blade.png)
+
+1. Select **Add user**, then select **Users and groups** in the **Add Assignment** dialog.
+
+	![The Add User link](common/add-assign-user.png)
+
+1. In the **Users and groups** dialog, select **B.Simon** from the Users list, then click the **Select** button at the bottom of the screen.
+1. If you're expecting any role value in the SAML assertion, in the **Select Role** dialog, select the appropriate role for the user from the list and then click the **Select** button at the bottom of the screen.
+1. In the **Add Assignment** dialog, click the **Assign** button.
+
+## Configure Change Process Management SSO
+
+To configure single sign-on on **Change Process Management** side, you need to send the downloaded **Certificate (Base64)** and appropriate copied URLs from Azure portal to [Change Process Management support team](mailto:[email protected]). They set this setting to have the SAML SSO connection set properly on both sides.
+
+### Create Change Process Management test user
+
+In this section, you create a user called Britta Simon in Change Process Management. Work with [Change Process Management support team](mailto:[email protected]) to add the users in the Change Process Management platform. Users must be created and activated before you use single sign-on.
+
+## Test SSO 
+
+In this section, you test your Azure AD single sign-on configuration using the Access Panel.
+
+When you click the Change Process Management tile in the Access Panel, you should be automatically signed in to the Change Process Management for which you set up SSO. For more information about the Access Panel, see [Introduction to the Access Panel](https://docs.microsoft.com/azure/active-directory/active-directory-saas-access-panel-introduction).
+
+## Additional resources
+
+- [ List of Tutorials on How to Integrate SaaS Apps with Azure Active Directory ](https://docs.microsoft.com/azure/active-directory/active-directory-saas-tutorial-list)
+
+- [What is application access and single sign-on with Azure Active Directory? ](https://docs.microsoft.com/azure/active-directory/active-directory-appssoaccess-whatis)
+
+- [What is conditional access in Azure Active Directory?](https://docs.microsoft.com/azure/active-directory/conditional-access/overview)
+
+- [Try Change Process Management with Azure AD](https://aad.portal.azure.com/)
+
+- [What is session control in Microsoft Cloud App Security?](https://docs.microsoft.com/cloud-app-security/proxy-intro-aad)
+
+- [How to protect Change Process Management with advanced visibility and controls](https://docs.microsoft.com/cloud-app-security/proxy-intro-aad)