Commit 4f7dce5

Merge pull request #90571 from MicrosoftDocs/master
10/03 Publishing
2 parents f2d9d51 + 05fb3d4 commit 4f7dce5
118 files changed

+1475
-1237
lines changed

.openpublishing.redirection.json

Lines changed: 25 additions & 0 deletions
@@ -14630,6 +14630,31 @@
1463014630
"redirect_url": "/azure/cognitive-services/Bing-Custom-Search/language-support",
1463114631
"redirect_document_id": true
1463214632
},
14633+
{
14634+
"source_path": "articles/cognitive-services/Bing-Web-Search/paging-webpages.md",
14635+
"redirect_url": "/azure/cognitive-services/Bing-Web-Search/paging-search-results",
14636+
"redirect_document_id": true
14637+
},
14638+
{
14639+
"source_path": "articles/cognitive-services/Bing-Custom-Search/page-webpages.md",
14640+
"redirect_url": "/azure/cognitive-services/Bing-Web-Search/paging-search-results",
14641+
"redirect_document_id": false
14642+
},
14643+
{
14644+
"source_path": "articles/cognitive-services/Bing-News-Search/paging-news.md",
14645+
"redirect_url": "/azure/cognitive-services/Bing-Web-Search/paging-search-results",
14646+
"redirect_document_id": false
14647+
},
14648+
{
14649+
"source_path": "articles/cognitive-services/Bing-Video-Search/paging-videos.md",
14650+
"redirect_url": "/azure/cognitive-services/Bing-Web-Search/paging-search-results",
14651+
"redirect_document_id": false
14652+
},
14653+
{
14654+
"source_path": "articles/cognitive-services/Bing-Image-Search/paging-images.md",
14655+
"redirect_url": "/azure/cognitive-services/Bing-Web-Search/paging-search-results",
14656+
"redirect_document_id": false
14657+
},
1463314658
{
1463414659
"source_path": "articles/cognitive-services/Bing-Spell-Check/bing-spell-check-supported-languages.md",
1463514660
"redirect_url": "/azure/cognitive-services/bing-spell-check/language-support",
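Review bot: five of the six new entries redirect to the same target, `/azure/cognitive-services/Bing-Web-Search/paging-search-results`, and only the Bing-Web-Search entry carries `"redirect_document_id": true`. That split is correct, since a document id can be transferred from only one source, but this hunk shows no corresponding deletion of the five `source_path` files (`paging-webpages.md`, `page-webpages.md`, `paging-news.md`, `paging-videos.md`, `paging-images.md`); confirm they are removed elsewhere in the commit, otherwise the redirect entries point at pages that still exist.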

articles/active-directory/develop/active-directory-saml-claims-customization.md

Lines changed: 15 additions & 1 deletion
@@ -14,7 +14,7 @@ ms.workload: identity
1414
ms.tgt_pltfrm: na
1515
ms.devlang: na
1616
ms.topic: conceptual
17-
ms.date: 04/03/2019
17+
ms.date: 10/01/2019
1818
ms.author: ryanwi
1919
ms.reviewer: luleon, paulgarn, jeedes
2020
ms.custom: aaddev
@@ -80,6 +80,20 @@ Select the desired source for the `NameIdentifier` (or NameID) claim. You can se
8080

8181
For more info, see [Table 3: Valid ID values per source](active-directory-claims-mapping.md#table-3-valid-id-values-per-source).
8282

83+
You can also assign any constant (static) value to any claims which you define in Azure AD. Please follow the below steps to assign a constant value:
84+
85+
1. In the [Azure portal](https://portal.azure.com/), on the **User Attributes & Claims** section, click on the **Edit** icon to edit the claims.
86+
87+
1. Click on the required claim which you want to modify.
88+
89+
1. Enter the constant value in the **Source attribute** as per your organization and click **Save**.
90+
91+
![Open the User Attributes & Claims section in the Azure portal](./media/active-directory-saml-claims-customization/organization-attribute.png)
92+
93+
1. The constant value will be displayed as below.
94+
95+
![Open the User Attributes & Claims section in the Azure portal](./media/active-directory-saml-claims-customization/edit-attributes-claims.png)
96+
8397
### Special claims - Transformations
8498

8599
You can also use the claims transformations functions.
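Review bot: both screenshots in the new steps carry the same alt text, "Open the User Attributes & Claims section in the Azure portal", although the second image shows the saved constant value; give the second image alt text that describes what it shows (for example "Constant value displayed in the Source attribute of the claim"). Minor wording in the same block: "any claims which you define" should be "any claim that you define", and "Please follow the below steps to assign a constant value:" reads better as "To assign a constant value:". The `1.` markers on every item are fine, since Markdown renders them as 1 to 4.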

articles/active-directory/governance/perform-access-review.md

Lines changed: 0 additions & 6 deletions
@@ -23,12 +23,6 @@ Azure Active Directory (Azure AD) simplifies how enterprises manage access to gr
2323

2424
This article describes how a designated reviewer performs an access review for members of a group or users with access to an application.
2525

26-
## Prerequisites
27-
28-
- Azure AD Premium P2
29-
30-
For more information, see [Which users must have licenses?](access-reviews-overview.md#which-users-must-have-licenses).
31-
3226
## Open the access review
3327

3428
The first step to perform an access review is to find and open the access review.
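Review bot: this hunk removes the only statement of the Azure AD Premium P2 licensing requirement from the article without a replacement. If the requirement still applies, keep at least the link to [Which users must have licenses?](access-reviews-overview.md#which-users-must-have-licenses) in the introduction or a Next steps section, otherwise a reviewer who cannot open an access review in their tenant loses the pointer to why.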
Lines changed: 71 additions & 0 deletions
@@ -0,0 +1,71 @@
1+
---
2+
title: Application Provisioning status of Quarantine | Microsoft Docs
3+
description: When you've configured an application for automatic user provisioning, learn what a provisioning status of Quarantine means and how to clear it.
4+
services: active-directory
5+
documentationcenter: ''
6+
author: msmimart
7+
manager: CelesteDG
8+
9+
ms.assetid:
10+
ms.service: active-directory
11+
ms.subservice: app-mgmt
12+
ms.workload: identity
13+
ms.tgt_pltfrm: na
14+
ms.devlang: na
15+
ms.topic: conceptual
16+
ms.date: 10/03/2019
17+
ms.author: mimart
18+
ms.reviewer: arvinh
19+
20+
ms.collection: M365-identity-device-management
21+
---
22+
23+
# Application provisioning in quarantine status
24+
25+
The Azure AD provisioning service monitors the health of your configuration and places unhealthy apps in a "quarantine" state. If most or all of the calls made against the target system consistently fail because of an error, for example invalid admin credentials, the provisioning job is marked as in quarantine.
26+
27+
While in quarantine, the frequency of incremental cycles is gradually reduced to once per day. The provisioning job is removed from quarantine after all errors are fixed and the next sync cycle starts. If the provisioning job stays in quarantine for more than four weeks, the provisioning job is disabled (stops running).
28+
29+
## How do I know if my application is in quarantine?
30+
31+
There are three ways to check whether an application is in quarantine:
32+
33+
- In the Azure portal, navigate to **Azure Active Directory** > **Enterprise applications** > <*application name*> > **Provisioning** and scroll to the progress bar at the bottom.
34+
35+
![Provisioning status bar showing quarantine status](media/application-provisioning-quarantine-status/progress-bar-quarantined.png)
36+
37+
- Use the Microsoft Graph request [Get synchronizationJob](https://docs.microsoft.com/graph/api/synchronization-synchronizationjob-get?view=graph-rest-beta&tabs=http) to programmatically get the status of the provisioning job:
38+
39+
`GET https://graph.microsoft.com/beta/servicePrincipals/{id}/synchronization/jobs/{jobId}/`
40+
41+
- Check your email. When an application is placed in quarantine, a one-time notification email is sent. If the quarantine reason changes, an updated email is sent showing the new reason for quarantine. If you don't see an email:
42+
43+
- Make sure you have specified a valid **Notification Email** in the provisioning configuration for the application.
44+
- Make sure there is no spam filtering on the notification email inbox.
45+
- Make sure you have not unsubscribed from emails.
46+
47+
## Why is my application in quarantine?
48+
49+
A Microsoft Graph request to get the status of the provisioning job shows the following reason for quarantine:
50+
51+
- `EncounteredQuarantineException` indicates that invalid credentials were provided. The provisioning service is unable to establish a connection between the source system and the target system.
52+
53+
- `EncounteredEscrowProportionThreshold` indicates that provisioning exceeded the escrow threshold. This condition occurs when more than 60% of provisioning events failed.
54+
55+
- `QuarantineOnDemand` means that we've detected an issue with your application and have manually set it to quarantine.
56+
57+
## How do I get my application out of quarantine?
58+
59+
First, resolve the issue that caused the application to be placed in quarantine.
60+
61+
- Check the application's provisioning settings to make sure you've [entered valid Admin Credentials](configure-automatic-user-provisioning-portal.md#configuring-automatic-user-account-provisioning). Azure AD must be able to establish a trust with the target application. Ensure that you have entered valid credentials and your account has the necessary permissions.
62+
63+
- Review the [provisioning logs](https://docs.microsoft.com/azure/active-directory/reports-monitoring/concept-provisioning-logs) to further investigate what errors are causing quarantine and address the error. Access the provisioning logs in the Azure portal by going to **Azure Active Directory** > **Enterprise Apps** > **Provisioning logs (preview)** in the **Activity** section.
64+
65+
After you've resolved the issue, restart the provisioning job. Certain changes to the application's provisioning settings, such as attribute mappings or scoping filters, will automatically restart provisioning for you. The progress bar on the application's **Provisioning** page indicates when provisioning last started. If you need to restart the provisioning job manually, use one of the following methods:
66+
67+
- Use the Azure portal to restart the provisioning job. On the application's **Provisioning** page under **Settings**, select **Clear state and restart synchronization** and set **Provisioning Status** to **On**. This action fully restarts the provisioning service, which can take some time. A full initial cycle will run again, which clears escrows, removes the app from quarantine, and clears any watermarks.
68+
69+
- Use Microsoft Graph to [restart the provisioning job](https://docs.microsoft.com/en-us/graph/api/synchronization-synchronizationjob-restart?view=graph-rest-beta&tabs=http). You'll have full control over what you restart. You can choose to clear escrows (to restart the escrow counter that accrues toward quarantine status), clear quarantine (to remove the application from quarantine), or clear watermarks. Use the following request:
70+
71+
`POST /servicePrincipals/{id}/synchronization/jobs/{jobId}/restart`
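Review bot: the two Graph requests are written inconsistently. The status call gives the full `https://graph.microsoft.com/beta/servicePrincipals/{id}/synchronization/jobs/{jobId}/` URL with a trailing slash, while the restart call gives only the path `POST /servicePrincipals/{id}/synchronization/jobs/{jobId}/restart`; use the same form for both (both endpoints are documented under the `beta` prefix in the linked pages) and drop the trailing slash. In "Why is my application in quarantine?", "shows the following reason for quarantine" introduces three possible values, so it should read "shows one of the following reasons". One link uses `https://docs.microsoft.com/en-us/graph/...` while the other Graph link omits the locale segment; remove `en-us`. The `EncounteredQuarantineException` bullet states flatly that "invalid credentials were provided", while the introduction gives invalid admin credentials only as an example of a consistently failing call; say whether other connection failures to the target system also surface under this code, since an admin reading the code will otherwise only rotate credentials.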
Lines changed: 164 additions & 0 deletions
@@ -0,0 +1,164 @@
1+
---
2+
title: Azure AD Application Proxy frequently asked questions | Microsoft Docs
3+
description: Learn answers to frequently asked questions (FAQ) about using Azure AD Application Proxy to publish internal, on-premises applications to remote users.
4+
services: active-directory
5+
documentationcenter: ''
6+
author: msmimart
7+
manager: CelesteDG
8+
9+
ms.assetid:
10+
ms.service: active-directory
11+
ms.subservice: app-mgmt
12+
ms.workload: identity
13+
ms.tgt_pltfrm: na
14+
ms.devlang: na
15+
ms.topic: conceptual
16+
ms.date: 10/03/2019
17+
ms.author: mimart
18+
ms.reviewer: japere
19+
---
20+
21+
# Active Directory (Azure AD) Application Proxy frequently asked questions
22+
23+
This page answers frequently asked questions about Azure Active Directory (Azure AD) Application Proxy.
24+
25+
## Enabling Azure AD Application Proxy
26+
27+
### What license is required to use Azure AD Application Proxy?
28+
29+
To use Azure AD Application Proxy, you must have an Azure AD Premium P1 or P2 license. For more information about licensing, see [Azure Active Directory Pricing](https://azure.microsoft.com/pricing/details/active-directory/)
30+
31+
### Why is the "Enable Application Proxy button grayed out?
32+
33+
Make sure you have at least an Azure AD Premium P1 or P2 license and an Azure AD Application Proxy Connector installed. After you successfully install your first connector, the Azure AD Application Proxy service will be enabled automatically.
34+
35+
## Connector configuration
36+
37+
### Can Application Proxy Connector services run in a different user context than the default?
38+
39+
No, this scenario isn't supported. The default settings are:
40+
41+
- Microsoft AAD Application Proxy Connector - WAPCSvc - Network Service
42+
- Microsoft AAD Application Proxy Connector Updater - WAPCUpdaterSvc - NT Authority\System
43+
44+
### My back-end application is hosted on multiple web servers and requires user session persistence (stickiness). How can I achieve session persistence? 
45+
46+
For recommendations, see [High availability and load balancing of your Application Proxy connectors and applications](application-proxy-high-availability-load-balancing.md).
47+
48+
### Can I place a forward proxy device between the connector server(s) and the back-end Application server?
49+
50+
No, this scenario isn't supported. Only the connector and update services can be configured to use a forward proxy for outbound traffic to Azure. See [Work with existing on-premises proxy servers](https://docs.microsoft.com/azure/active-directory/manage-apps/application-proxy-configure-connectors-with-proxy-servers)
51+
52+
### Is SSL termination (SSL/HHTPS inspection or acceleration) on traffic from the connector servers to Azure supported?
53+
54+
The Application Proxy Connector performs certificate-based authentication to Azure. SSL Termination (SSL/HHTPS inspection or acceleration) breaks this authentication method and isn't supported. Traffic from the connector to Azure must bypass any devices that are performing SSL Termination.
55+
56+
### Should I create a dedicated account to register the connector with Azure AD Application Proxy?
57+
58+
There's no reason to. Any global admin or application administrator account will work. The credentials entered during installation aren't used after the registration process. Instead, a certificate is issued to the connector, which is used for authentication from that point on.
59+
60+
### How can I monitor the performance of the Azure AD Application Proxy connector?
61+
62+
There are Performance Monitor counters that are installed along with the connector. To view them:
63+
64+
1. Select **Start**, type "Perfmon", and press ENTER.
65+
2. Select **Performance Monitor** and click the green **+** icon.
66+
3. Add the **Microsoft AAD Application Proxy Connector** counters you want to monitor.
67+
68+
### Does the Azure AD Application Proxy connector have to be on the same subnet as the resource?
69+
70+
The connector isn't required to be on the same subnet. However, it needs name resolution (DNS, hosts file) to the resource and the necessary network connectivity (routing to the resource, ports open on the resource, etc.). For recommendations, see [Network topology considerations when using Azure Active Directory Application Proxy](application-proxy-network-topology.md).
71+
72+
## Application configuration
73+
74+
### What is the length of the default and "long" back-end timeout? Can the timeout be extended?
75+
76+
The default length is 85 seconds. The "long" setting is 180 seconds. The timeout limit can't be extended.
77+
78+
### How do I change the landing page my application loads?
79+
80+
From the Application Registrations page, you can change the homepage URL to the desired external URL of the landing page. The specified page will load when the application is launched from My Apps or the Office 365 Portal. For configuration steps, see [Set a custom home page for published apps by using Azure AD Application Proxy](https://docs.microsoft.com/azure/active-directory/manage-apps/application-proxy-configure-custom-home-page)
81+
82+
### Can only IIS-based applications be published? What about web applications running on non-Windows web servers? Does the connector have to be installed on a server with IIS installed?
83+
84+
No, there's no IIS requirement for applications that are published. You can publish web applications running on servers other than Windows Server. However, you might not be able to use pre-authentication with a non-Windows Server, depending on if the web server supports Negotiate (Kerberos authentication). IIS isn't required on the server where the connector is installed.
85+
86+
## Integrated Windows Authentication
87+
88+
### When should I use the PrincipalsAllowedToDelegateToAccount method when setting up Kerberos Constrained Delegation (KCD)?
89+
90+
The PrincipalsAllowedToDelegateToAccount method is used when connector servers are in a different domain from the web application service account. It requires the use of Resource-based Constrained Delegation.
91+
If the connector servers and the web application service account are in the same domain, you can use Active Directory Users and Computers to configure the delegation settings on each of the connector machine accounts, allowing them to delegate to the target SPN.
92+
93+
If the connector servers and the web application service account are in different domains, Resource-based delegation is used. The delegation permissions are configured on the target web server and web application service account. This method of Constrained Delegation is relatively new. The method was introduced in Windows Server 2012, which supports cross-domain delegation by allowing the resource (web service) owner to control which machine and service accounts can delegate to it. There's no UI to assist with this configuration, so you'll need to use PowerShell.
94+
For more information, see the whitepaper [Understanding Kerberos Constrained Delegation with Application Proxy](http://aka.ms/kcdpaper).
95+
96+
## Pass-through authentication
97+
98+
### Can I use Conditional Access Policies for applications published with pass-through authentication?
99+
100+
Conditional Access Policies are only enforced for successfully pre-authenticated users in Azure AD. Pass-through authentication doesn’t trigger Azure AD authentication, so Conditional Access Policies can't be enforced. With pass-through authentication, MFA policies must be implemented on the on-premises server, if possible, or by enabling pre-authentication with Azure AD Application Proxy.
101+
102+
### Can I publish a web application with client certificate authentication requirement?
103+
104+
No, this scenario isn't supported because Application Proxy will terminate TLS traffic.
105+
106+
## Remote Desktop Gateway publishing
107+
108+
### How can I publish Remote Desktop Gateway over Azure AD Application Proxy?
109+
110+
Refer to [Publish Remote Desktop with Azure AD Application Proxy](application-proxy-integrate-with-remote-desktop-services.md).
111+
112+
### Can I use Kerberos Constrained Delegation in the Remote Desktop Gateway publishing scenario?
113+
114+
No, this scenario isn't supported.
115+
116+
### My users don't use Internet Explorer 11 and the pre-authentication scenario doesn’t work for them. Is this expected?
117+
118+
Yes, it’s expected. The pre-authentication scenario requires an ActiveX control, which isn't supported in third-party browsers.
119+
120+
### Is the Remote Desktop Web Client supported?
121+
122+
No, this scenario isn't currently supported. Follow our [UserVoice](https://aka.ms/aadapuservoice) feedback forum for updates on this feature.
123+
124+
### After I configured the pre-authentication scenario, I realized that the user has to authenticate twice: first on the Azure AD sign-in form, and then on the RDWeb sign-in form. Is this expected? How can I reduce this to one sign-in?
125+
126+
Yes, it's expected. If the user’s computer is Azure AD joined, the user signs in to Azure AD automatically. The user needs to provide their credentials only on the RDWeb sign-in form.
127+
128+
## SharePoint publishing
129+
130+
### How can I publish SharePoint over Azure AD Application Proxy?
131+
132+
Refer to [Enable remote access to SharePoint with Azure AD Application Proxy](application-proxy-integrate-with-sharepoint-server.md).
133+
134+
## Active Directory Federation Services (AD FS) publishing
135+
136+
### Can I use Azure AD Application Proxy as AD FS proxy (like Web Application Proxy)?
137+
138+
No. Azure AD Application Proxy is designed to work with Azure AD and doesn’t fulfill the requirements to act as an AD FS proxy.
139+
140+
## WebSocket
141+
142+
### Does WebSocket support work for applications other than QlikSense?
143+
144+
Currently, WebSocket protocol support is still in public preview and it may not work for other applications. Some customers have had mixed success using WebSocket protocol with other applications. If you test such scenarios, we would love to hear your results. Please send us your feedback at [email protected].
145+
146+
## Link translation
147+
148+
### Does using Link translation affect performance?
149+
150+
Yes. Link translation affects performance. The Application Proxy service scans the application for hardcoded links and replaces them with their respective, published external URLs before presenting them to the user.
151+
152+
For best performance, we recommend using identical internal and external URLs by configuring [custom domains](https://docs.microsoft.com/azure/active-directory/manage-apps/application-proxy-configure-custom-domain). If using custom domains isn't possible, you can improve link translation performance by using the My Apps Secure Sign in Extension or Microsoft Edge Browser on mobile. See [Redirect hardcoded links for apps published with Azure AD Application Proxy](application-proxy-configure-hard-coded-link-translation.md).
153+
154+
## Wildcards
155+
156+
### How do I use wildcards to publish two applications with the same custom domain name but with different protocols, one for HTTP and one for HTTPS?
157+
158+
This scenario isn't supported directly. Your options for this scenario are:
159+
160+
1. Publish both the HTTP and HTTPS URLs as separate applications with a wildcard, but give each of them a different custom domain. This configuration will work since they have different external URLS.
161+
162+
2. Publish the HTTPS URL through a wildcard application. Publish the HTTP applications separately using these Application Proxy PowerShell cmdlets:
163+
- [Application Proxy Application Management](https://docs.microsoft.com/powershell/module/azuread/?view=azureadps-2.0#application_proxy_application_management)
164+
- [Application Proxy Connector Management](https://docs.microsoft.com/powershell/module/azuread/?view=azureadps-2.0#application_proxy_connector_management)
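Review bot: "SSL/HHTPS inspection" is misspelled in both the heading and the answer of the SSL termination question (should be HTTPS), the heading "Why is the "Enable Application Proxy button grayed out?" is missing its closing quotation mark, and the H1 "Active Directory (Azure AD) Application Proxy frequently asked questions" drops "Azure" from the product name. The feedback address in the WebSocket answer appears as "[email protected]", which is not a usable address; put the real alias back. The licensing, forward proxy and landing page answers end with a link and no terminating period. On substance, the SSL termination answer would be clearer if it said why the break matters: the connector authenticates to Azure with the certificate issued at registration (as the dedicated-account answer states), so a device that terminates TLS in the middle cannot present that certificate and the connection fails rather than being inspected. Likewise the pass-through answer should make explicit that enabling pre-authentication is the option that restores Conditional Access and MFA enforcement in Azure AD, rather than listing it as an afterthought after "if possible".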