Merge pull request #225171 from MicrosoftDocs/main

Merge main to live, 4 AM

Author: v-ccolin

.openpublishing.redirection.healthcare-apis.json

@@ -586,7 +586,11 @@
         "redirect_document_id": false
     },
     {   "source_path_from_root": "/articles/healthcare-apis/iot/iot-data-flow.md",
-        "redirect_url": "/azure/healthcare-apis/iot/data-flow",
+        "redirect_url": "/azure/healthcare-apis/iot/understand-service",
+        "redirect_document_id": false
+    },
+    {   "source_path_from_root": "/articles/healthcare-apis/iot/data-flow.md",
+        "redirect_url": "/azure/healthcare-apis/iot/understand-service",
         "redirect_document_id": false
     },
     {   "source_path_from_root": "/articles/healthcare-apis/iot/how-to-use-device-mappings.md",

articles/active-directory-b2c/TOC.yml

@@ -541,6 +541,8 @@
           href: partner-datawiza.md
         - name: F5
           href: partner-f5.md
+        - name: Grit 
+          href: partner-grit-app-proxy.md
         - name: Ping Identity
           href: partner-ping-identity.md
         - name: Strata
@@ -572,6 +574,8 @@
         items:
         - name: Grit IEF editor 
           href: partner-grit-editor.md
+        - name: Grit biometric authentication
+          href: partner-grit-authentication.md
   # Automate
   - name: Automate 
     items:

articles/active-directory-b2c/media/partner-grit-app-proxy/grit-app-proxy-architecture.png

@@ -9,7 +9,7 @@ manager: CelesteDG
 ms.service: active-directory
 ms.workload: identity
 ms.topic: how-to
-ms.date: 09/14/2022
+ms.date: 1/25/2023
 ms.author: kengaderdus
 ms.subservice: B2C
 ---
@@ -79,6 +79,7 @@ Microsoft partners with the following ISVs to provide secure hybrid access to on
 | ![Screenshot of an Akamai logo.](./media/partner-gallery/akamai-logo.png) | [Akamai](./partner-akamai-secure-hybrid-access.md) provides a Zero Trust Network Access (ZTNA) solution that enables secure remote access to modern and legacy applications that reside in private datacenters.  |
 | ![Screenshot of a Datawiza logo](./media/partner-gallery/datawiza-logo.png) | [Datawiza](./partner-datawiza.md) enables SSO and granular access control for your applications and extends Azure AD B2C to protect on-premises legacy applications.  |
 | ![Screenshot of a F5 logo](./media/partner-gallery/f5-logo.png) | [F5](./partner-f5.md) enables legacy applications to securely expose to the internet through BIG-IP security combined with Azure AD B2C pre-authentication, Conditional Access (CA) and SSO.  |
+| ![Screenshot of a Grit logo](./media/partner-gallery/grit-logo.png) | [Grit's app proxy](./partner-grit-app-proxy.md) enables migrating a legacy application using header-based authentication to Azure AD B2C with no application code change. |
 | ![Screenshot of a Ping logo](./media/partner-gallery/ping-logo.png) | [Ping Identity](./partner-ping-identity.md) enables secure hybrid access to on-premises legacy applications across multiple clouds. |
 | ![Screenshot of a strata logo](./media/partner-gallery/strata-logo.png) | [Strata](./partner-strata.md) provides secure hybrid access to on-premises applications by enforcing consistent access policies, keeping identities in sync, and making it simple to transition applications from legacy identity systems to standards-based authentication and access control provided by Azure AD B2C. |
 | ![Screenshot of a zscaler logo](./media/partner-gallery/zscaler-logo.png) | [Zscaler](./partner-zscaler.md) delivers policy-based, secure access to private applications and assets without the cost, hassle, or security risks of a VPN. |
@@ -110,6 +111,7 @@ Microsoft partners with the following ISVs for tools that can help with implemen
 | ISV partner | Description and integration walkthroughs |
 |:-------------------------|:--------------|
 | ![Screenshot of a grit ief editor logo.](./media/partner-gallery/grit-logo.png) | [Grit Visual Identity Experience Framework Editor](./partner-grit-editor.md) provides a low code/no code experience for developers to create sophisticated authentication user journeys. The tool comes with integrated debugger and templates for the most used scenarios.|
+| ![Screenshot of a grit biometric authentication logo.](./media/partner-gallery/grit-logo.png) | [Grit biometric authentication](./partner-grit-authentication.md) provides users the option to sign in using finger print, face ID or [Windows Hello](https://support.microsoft.com/windows/learn-about-windows-hello-and-set-it-up-dae28983-8242-bb2a-d3d1-87c9d265a5f0) for enhanced security. 
 
 ## Additional information
 

articles/active-directory-b2c/media/partner-grit-app-proxy/proxy-configuration.png

@@ -0,0 +1,129 @@
+---
+title: Migrate applications to Azure AD B2C with Grit's app proxy 
+titleSuffix: Azure AD B2C
+description: Learn how Grit's app proxy can migrate your applications to Azure AD B2C with no code change
+services: active-directory-b2c
+author: gargi-sinha
+manager: martinco
+ms.service: active-directory
+ms.workload: identity
+ms.topic: how-to
+ms.date: 1/25/2023
+ms.author: gasinh
+ms.reviewer: kengaderdus
+ms.subservice: B2C 
+---
+
+# Migrate applications using header-based authentication to Azure Active Directory B2C with Grit's app proxy
+
+In this sample tutorial, learn how to migrate a legacy application using header-based authentication to Azure Active Directory B2C (Azure AD B2C) with [Grit's app proxy](https://www.gritiam.com/appProxy.html).
+
+Benefits of using Grit's app proxy are as follows:
+
+- No application code change and easy deployment resulting in faster ROI
+
+- Enables users to use modern authentication experiences such as Multi-Factor authentication, biometrics, and password-less resulting in enhanced security.
+
+- Significant savings on the license cost of the legacy authentication solution
+
+## Prerequisites
+
+To get started, you'll need:
+
+- License to Grit’s app proxy. Contact [Grit support](mailto:[email protected]) for license details. For this tutorial, you don't need a license.
+
+- An Azure subscription. If you don't have one, get a [free account](https://azure.microsoft.com/free/).
+
+- An [Azure AD B2C tenant](tutorial-create-tenant.md) that is linked to your Azure subscription.
+
+## Scenario description
+
+Grit integration includes the following components:
+
+- **Azure AD B2C**: The authorization server to verify user credentials - Authenticated users access on-premises applications using a local account stored in the Azure AD B2C directory.
+
+- **Grit app proxy**: The service that passes identity to applications through HTTP headers.
+
+- **Web application**: The legacy application to which user requests access.
+
+The following architecture diagram shows the implementation.
+
+   ![Screenshot shows the architecture diagram of the implementation.](./media/partner-grit-app-proxy/grit-app-proxy-architecture.png)
+
+1. The user requests access to an on-premises application.
+
+2. Grit app proxy receives the request through [Azure Web Application Firewall (WAF)](https://azure.microsoft.com/products/web-application-firewall/) and sends it to the application.
+
+3. Grit app proxy checks user authentication state. With no session token, or an invalid token, the user goes to Azure AD B2C for authentication.
+
+4. Azure AD B2C sends the user request to the endpoint specified during Grit app proxy registration in the Azure AD B2C tenant.
+
+4. Grit app proxy evaluates access policies and calculates attribute values in HTTP headers forwarded to the application. Grit app proxy sets the header values and sends the request to the application.
+
+5. The user is authenticated with access granted/denied to the application.
+
+## Onboard with Grit app proxy
+
+Contact [Grit support](mailto:[email protected]) for details to get onboarded.
+
+### Configure Grit's app proxy solution with Azure AD B2C
+
+For this tutorial, Grit already has a backend application and an Azure AD B2C policy. This tutorial will be about configuring the proxy to access the backend application.
+
+You can use the UX to configure each page of the backend application for security. You can configure the type of auth required by each page and the header values needed.
+
+If the users need to be denied permission to certain pages based on group membership or some other criteria, it's handled by the auth user journey.
+
+1. Navigate to https://proxyeditor.z13.web.core.windows.net/.
+
+2. Once the dropdown appears, select the dropdown, and select **Create New**.
+
+3. Enter a name for the page that contains only letters and numbers.
+
+4. Enter **B2C_1A_SIGNUP_SIGNIN** into the B2C Policy box.
+
+5. Select **GET** at the HTTP method.
+
+6. Enter 'https://anj-grit-legacy-backend.azurewebsites.net/Home/Page' into the endpoint field and that would be the endpoint to your legacy application.
+
+   >[!NOTE]
+   >This demo is publicly available, values you enter will be visible to public. Don't configure a secure application with this demo.
+
+   ![Screenshot shows the proxy configuration UI.](./media/partner-grit-app-proxy/proxy-configuration.png)
+
+7. Select **ADD HEADER**.
+
+8. Enter **x-iss** in the destination header field to configure the valid HTTP header that must be sent to the application.
+
+9. Enter **given_name** into the Value field that is the name of a claim in the B2C policy. The value of the claim will be passed into the header.
+
+10. Select **Token** as the source.
+
+11. Select **SAVE SETTINGS**.
+
+12. Select the link in the popup. It will take you to a sign-in page. Select the sign-up link and enter the required information. Once you complete the sign-up process, you'll be redirected to the legacy application. The application displays the name you provided in the **Given name** field during sign-up.
+
+## Test the flow
+
+1. Navigate to the on-premises application URL.
+
+2. The Grit app proxy redirects to the page you configured in your user flow.
+From the list, select the IdP.
+
+3. At the prompt, enter your credentials. If necessary, include an Azure AD Multi-Factor authentication (MFA) token.
+
+4. You're redirected to Azure AD B2C, which forwards the application request to the Grit's app proxy redirect URI.
+
+5. The Grit's app proxy evaluates policies, calculates headers, and sends the user to the upstream application.
+
+6. The requested application appears.
+
+## Additional resources
+
+- [Grit app proxy documentation](https://www.gritiam.com/appProxy.html)
+
+- [Configure the Grit IAM B2B2C solution with Azure AD B2C](partner-grit-iam.md)
+
+- [Edit Azure AD B2C Identity Experience Framework (IEF) XML with Grit Visual IEF Editor](partner-grit-editor.md)
+
+- [Configure Grit biometric authentication with Azure AD B2C](partner-grit-authentication.md)

articles/active-directory-b2c/partner-gallery.md

@@ -0,0 +1,99 @@
+---
+title: Configure Grit's biometric authentication with Azure Active Directory B2C
+titleSuffix: Azure AD B2C
+description: Learn how Grit's biometric authentication with Azure AD B2C secures your account
+services: active-directory-b2c
+author: gargi-sinha
+manager: martinco
+ms.service: active-directory
+ms.workload: identity
+ms.topic: how-to
+ms.date: 1/25/2023
+ms.author: gasinh
+ms.reviewer: kengaderdus
+ms.subservice: B2C 
+---
+
+# Configure Grit's biometric authentication with Azure Active Directory B2C
+
+In this sample tutorial, learn how to integrate [Grit's](https://www.gritiam.com) Biometric authentication with Azure Active Directory B2C (Azure AD B2C). Biometric authentication provides  users the option to sign in using finger print, face ID or [Windows Hello](https://support.microsoft.com/windows/learn-about-windows-hello-and-set-it-up-dae28983-8242-bb2a-d3d1-87c9d265a5f0). It works both on desktop and mobile applications, provided the device is capable of doing biometric authentication.
+
+Biometric authentication has the following benefits:
+
+1. For users who sign in infrequently or forget passwords often resulting in frequent password resets, biometric authentication reduces friction.
+
+2. Compared to Multi-factor authentication (MFA), biometric authentication is cheaper and more secure.
+
+3. Improved security prevents phishing attack for high valued customers.
+
+4. Adds an additional layer of authentication before the user performs a high value operation like credit card transaction.
+
+## Prerequisites
+
+To get started, you'll need:
+
+- License to [Grit's Visual IEF builder](https://www.gritiefedit.com/). Contact [Grit support](mailto:[email protected]) for licensing details. For this tutorial you don't need a license.
+
+- An Azure subscription. If you don't have one, get a [free account](https://azure.microsoft.com/free/).
+
+- An [Azure AD B2C tenant](tutorial-create-tenant.md) that is linked to your Azure subscription.
+
+## Scenario description
+
+In this tutorial, we'll cover the following scenario:
+
+The end user creates an account with username and password (and MFA if needed). If their device supports biometric, they're enrolled in biometrics, and their account is linked to the biometric authentication of the device. Any future logins in that device, unless the user chooses not to, will happen through biometrics.
+
+The user can link multiple devices to the same account. User will have to sign in through their email/password (and MFA if needed), they'll then be presented with an option to link a new device.
+
+For example, user has an account with Contoso. User accesses the account from the computer at work that supports Windows Hello. User also accesses the account from the home computer that doesn't support Windows Hello and an Android phone.
+
+1. After logging in with the work computer, user will be presented with an option to enroll in Windows Hello. If user chooses to do so, any future logins will happen through Windows Hello.
+
+1. After logging in with the home computer, user won't be prompted to enroll in biometrics as the device doesn't support biometrics.
+
+1. After logging in with the Android phone, user will be asked to enroll in biometrics. Any future logins will happen through biometrics.
+
+Using Grit's visual flow chart multiple other scenarios can be implemented. Contact [Grit support](mailto:[email protected]) to discuss your scenarios.
+
+## Onboard with Grit's biometric authentication
+
+Contact [Grit support](mailto:[email protected]) for details to get onboarded.
+
+### Configure Grit's biometric authentication with Azure AD B2C
+
+1. Navigate to <https://www.gritiefedit.com> and enter your email if you're asked for it.
+
+1. Press cancel in the quick start wizard.
+
+1. In the pop-up, select **Customize User Journey**. Under Bio Metric, select the checkbox for **Enable Biometric**.
+
+1. Scroll down and select **Generate template**, a flow chart appears.
+
+1. From the left menu, select **Run Flowcharts** > **Deploy flow charts**.
+
+1. If your device supports Windows Hello or biometric authenticator,
+    select **Test Authentication Journey Builder** link, otherwise send
+    the link to a device that supports biometric authentication.
+
+1. A web page will open on a new tab. Under **Sign in with your social account**, select **createNewAccount**.
+
+1. Go through the steps to create an account. When asked for **Setup Biometric Device sign in**, select **yes**.
+
+1. Steps to perform the biometric depends on the device you are in.
+
+1. A page appears that displays the token. Open the provided link.
+
+1. This time the sign-in will happen through biometrics.
+
+Repeat the same steps for another device. No need to sign up again, use the credentials created to sign in.
+
+## Additional resources
+
+- [Grit documentation](https://app.archbee.com/public/PREVIEW-ddjwV0RI2eVfcBOylxFGI/PREVIEW-bjH2arQd1Kn4le6z_zH84)
+
+- [Configure the Grit IAM B2B2C solution with Azure AD B2C](partner-grit-iam.md)
+
+- [Edit Azure AD B2C Identity Experience Framework (IEF) XML with Grit Visual IEF Editor](partner-grit-editor.md)
+
+- [Migrate legacy apps to Azure AD B2C with Grit's app proxy](partner-grit-app-proxy.md)

articles/active-directory-b2c/partner-grit-app-proxy.md

@@ -23,7 +23,8 @@ Adding missing attributes needed for an application will start in either on-prem
 
 First, identify which users in your Azure AD tenant will need access to the application and therefore are going to be in scope of being provisioned into the application.
 
-If any of those users originate in on-premises Active Directory, then you must sync the attributes with the users from Active Directory to Azure AD. You will need to perform the following tasks before configuring provisioning to your application.
+>[!NOTE]
+> For users in on-premises Active Directory, you must sync the users to Azure AD. You can sync users and attributes using [Azure AD Connect](../hybrid/whatis-azure-ad-connect.md) or [Azure AD Connect cloud sync](../cloud-sync/what-is-cloud-sync.md). Both of these solutions automatically synchronizes certain attributes to Azure AD, but not all attributes. Furthermore, some attributes (such as SAMAccountName) that are synchronized by default might not be exposed using the Graph API. In these cases, you can [use the Azure AD Connect directory extension feature to synchronize the attribute to Azure AD](#create-an-extension-attribute-using-azure-ad-connect) or [use Azure AD Connect cloud sync](#create-an-extension-attribute-using-cloud-sync). That way, the attribute will be visible to the Graph API and the Azure AD provisioning service.
 
   1. Check with the on-premises Active Directory domain admins whether the required attributes are part of the AD DS schema, and if they are not, extend the AD DS schema in the domains where those users have accounts.
   1. Configure [Azure AD Connect](../hybrid/whatis-azure-ad-connect.md) or Azure AD Connect cloud sync to synchronize the users with their extension attribute from Active Directory to Azure AD.   Azure AD Connect automatically synchronizes certain attributes to Azure AD, but not all attributes. Furthermore, some attributes (such as `sAMAccountName`) that are synchronized by default might not be exposed using the Graph API. In these cases, you can [use the Azure AD Connect directory extension feature to synchronize the attribute to Azure AD](#create-an-extension-attribute-using-azure-ad-connect). That way, the attribute will be visible to the Graph API and the Azure AD provisioning service.
@@ -113,6 +114,24 @@ Set-AzureADUserExtension -objectid 0ccf8df6-62f1-4175-9e55-73da9e742690 -Extensi
 Get-AzureADUser -ObjectId 0ccf8df6-62f1-4175-9e55-73da9e742690 | Select -ExpandProperty ExtensionProperty
 
 ```
+## Create an extension attribute using cloud sync
+Cloud sync will automatically discover your extensions in on-premises Active Directory when you go to add a new mapping.  Use the steps below to auto-discover these attributes and set up a corresponding mapping to Azure AD.
+
+1. Sign-in to the Azure portal with a hybrid administrator account
+2. Select Azure AD Connect
+3. Select **Manage Azure AD cloud sync**
+4. Select the configuration you wish to add the extension attribute and mapping
+5. Under **Manage attributes** select **click to edit mappings**
+6. Click **Add attribute mapping**.  The attributes will automatically be discovered.
+7. The new attributes will be available in the drop-down under **source attribute**.  
+8. Fill in the type of mapping you want and click **Apply**.
+   [![Custom attribute mapping](media/user-provisioning-sync-attributes-for-mapping/schema-1.png)](media/user-provisioning-sync-attributes-for-mapping/schema-1.png#lightbox)
+
+For more information, see [Cloud Sync Custom Attribute Mapping](../cloud-sync/custom-attribute-mapping.md)
+
+
+
+
 
 ## Create an extension attribute using Azure AD Connect