MicrosoftDocs
diff --git a/‎articles/active-directory/conditional-access/concept-conditional-access-session.md
Lines changed: 4 additions & 4 deletions b/‎articles/active-directory/conditional-access/concept-conditional-access-session.md
Lines changed: 4 additions & 4 deletions
diff --git a/‎articles/active-directory/devices/hybrid-azuread-join-managed-domains.md
Lines changed: 2 additions & 2 deletions b/‎articles/active-directory/devices/hybrid-azuread-join-managed-domains.md
Lines changed: 2 additions & 2 deletions
diff --git a/‎articles/active-directory/external-identities/hybrid-cloud-to-on-premises.md
Lines changed: 5 additions & 13 deletions b/‎articles/active-directory/external-identities/hybrid-cloud-to-on-premises.md
Lines changed: 5 additions & 13 deletions
diff --git a/‎articles/active-directory/saas-apps/appaegis-isolation-access-cloud-provisioning-tutorial.md
Lines changed: 145 additions & 0 deletions b/‎articles/active-directory/saas-apps/appaegis-isolation-access-cloud-provisioning-tutorial.md
Lines changed: 145 additions & 0 deletions
diff --git a/‎articles/active-directory/saas-apps/toc.yml
Lines changed: 2 additions & 0 deletions b/‎articles/active-directory/saas-apps/toc.yml
Lines changed: 2 additions & 0 deletions
diff --git a/‎articles/aks/csi-secrets-store-driver.md
Lines changed: 1 addition & 1 deletion b/‎articles/aks/csi-secrets-store-driver.md
Lines changed: 1 addition & 1 deletion
diff --git a/‎articles/azure-resource-manager/bicep/file.md
Lines changed: 1 addition & 1 deletion b/‎articles/azure-resource-manager/bicep/file.md
Lines changed: 1 addition & 1 deletion
@@ -73,10 +73,10 @@ For more information, see the article [Configure authentication session manageme
 
 [Continuous access evaluation](concept-continuous-access-evaluation.md) is auto enabled as part of an organization's Conditional Access policies. For organizations who wish to disable or strictly enforce continuous access evaluation, this configuration is now an option within the session control within Conditional Access. Continuous access evaluation policies can be scoped to all users or specific users and groups. Admins can make the following selections while creating a new policy or while editing an existing Conditional Access policy.
 
-- **Disable** is accomplished when **All cloud apps** are selected, no conditions are selected, and **Disable** is selected under **Session** > **Customize continuous access evaluation** in a Conditional Access policy.
-- **Strict enforcement** means that any critical event and policy will be enforced in real time. All CAE-capable services always get CAE tokens, whatever the client or user might ask for or do. There are two scenarios where CAE won't come into play when strict enforcement mode is turned on:
-   - Non-CAE capable clients shouldn't get a regular token for CAE-capable services.
-   - Reject when IP seen by resource provider isn't in the allowed range.
+- **Disable** only work when **All cloud apps** are selected, no conditions are selected, and **Disable** is selected under **Session** > **Customize continuous access evaluation** in a Conditional Access policy. You can choose to disable all users or specific users and groups.
+- **Strict enforcement** can be used to further strengthen the security benefits from CAE. It will make sure that any critical event and policy will be enforced in real time.  There are two additional scenarios where CAE will enforce when strict enforcement mode is turned on:
+   - Non-CAE capable clients will not be allowed to access CAE-capable services.
+   - Access will be rejected when client's IP address seen by resource provider isn't in the Conditional Access's allowed range.
 
 > [!NOTE] 
 > You should only enable strict enforcement after you ensure that all the client applications support CAE and you have included all your IP addresses seen by Azure AD and the resource providers, like Exchange online and Azure Resource Mananger, in your location policy under Conditional Access. Otherwise, users in your tenants could be blocked.
 
@@ -73,7 +73,7 @@ Hybrid Azure AD join requires devices to have access to the following Microsoft
 - `https://autologon.microsoftazuread-sso.com` (If you use or plan to use seamless SSO)
 
 > [!WARNING]
-> If your organization uses proxy servers that intercept SSL traffic for scenarios like data loss prevention or Azure AD tenant restrictions, ensure that traffic to `https://device.login.microsoftonline.com` and `https://enterpriseregistration.windows.net`is excluded from TLS break-and-inspect. Failure to exclude these URLs may cause interference with client certificate authentication, cause issues with device registration, and device-based Conditional Access.
+> If your organization uses proxy servers that intercept SSL traffic for scenarios like data loss prevention or Azure AD tenant restrictions, ensure that traffic to these URLs are excluded from TLS break-and-inspect. Failure to exclude these URLs may cause interference with client certificate authentication, cause issues with device registration, and device-based Conditional Access.
 
 If your organization requires access to the internet via an outbound proxy, you can use [implementing Web Proxy Auto-Discovery (WPAD)](/previous-versions/tn-archive/cc995261(v=technet.10)) to enable Windows 10 computers for device registration with Azure AD. To address issues configuring and managing WPAD, see [Troubleshooting Automatic Detection](/previous-versions/tn-archive/cc302643(v=technet.10)). In Windows 10 devices prior to 1709 update, WPAD is the only available option to configure a proxy to work with Hybrid Azure AD join. 
 
@@ -224,4 +224,4 @@ If you experience issues completing hybrid Azure AD join for domain-joined Windo
 
 Advance to the next article to learn how to manage device identities by using the Azure portal.
 > [!div class="nextstepaction"]
-> [Manage device identities](device-management-azure-portal.md)
+> [Manage device identities](device-management-azure-portal.md)
@@ -6,7 +6,7 @@ services: active-directory
 ms.service: active-directory
 ms.subservice: B2B
 ms.topic: how-to
-ms.date: 10/30/2020
+ms.date: 11/05/2021
 
 ms.author: mimart
 author: msmimart
@@ -44,10 +44,10 @@ To provide B2B users access to on-premises applications that are secured with in
    > [!NOTE]
    > When you configure the Azure AD Application Proxy, ensure that **Delegated Logon Identity** is set to **User principal name** (default) in the single sign-on configuration for integrated Windows authentication (IWA).
 
-   For the B2B user scenario, there are two methods available that you can use to create the guest user objects that are required for authorization in the on-premises directory:
+   For the B2B user scenario, there are two methods you can use to create the guest user objects that are required for authorization in the on-premises directory:
 
-   - Microsoft Identity Manager (MIM) and the MIM management agent for Microsoft Graph. 
-   - [A PowerShell script](#create-b2b-guest-user-objects-through-a-script-preview). Using the script is a more lightweight solution that does not require MIM. 
+   - Microsoft Identity Manager (MIM) and the MIM management agent for Microsoft Graph.
+   - A PowerShell script, which is a more lightweight solution that does not require MIM.
 
 The following diagram provides a high-level overview of how Azure AD Application Proxy and the generation of the B2B user object in the on-premises directory work together to grant B2B users access to your on-premises IWA and KCD apps. The numbered steps are described in detail below the diagram.
 
@@ -72,20 +72,12 @@ You can manage the on-premises B2B user objects through lifecycle management pol
 
 For information about how to use MIM 2016 Service Pack 1 and the MIM management agent for Microsoft Graph to create the guest user objects in the on-premises directory, see [Azure AD business-to-business (B2B) collaboration with Microsoft Identity Manager (MIM) 2016 SP1 with Azure Application Proxy](/microsoft-identity-manager/microsoft-identity-manager-2016-graph-b2b-scenario).
 
-### Create B2B guest user objects through a script (Preview)
-
-There’s a PowerShell sample script available that you can use as a starting point to create the guest user objects in your on-premises Active Directory.
-
-You can download the script and the Readme file from [Connectors for Microsoft Identity Manager 2016 and Forefront Identity Manager 2010 R2](https://www.microsoft.com/download/details.aspx?id=51495). In the download package, choose the **Script and Readme to pull Azure AD B2B users on-prem.zip** file.
-
-Before you use the script, make sure that you review the prerequisites and important considerations in the associated Readme file. Also, understand that the script is made available only as a sample. Your development team or a partner must customize and review the script before you run it.
-
 ## License considerations
 
 Make sure that you have the correct Client Access Licenses (CALs) for external guest users who access on-premises apps. For more information, see the "External Connectors" section of [Client Access Licenses and Management Licenses](https://www.microsoft.com/licensing/product-licensing/client-access-license.aspx). Consult your Microsoft representative or local reseller regarding your specific licensing needs.
 
 ## Next steps
 
-- [Azure Active Directory B2B collaboration for hybrid organizations](hybrid-organizations.md)
+- See also [Azure Active Directory B2B collaboration for hybrid organizations](hybrid-organizations.md)
 
 - For an overview of Azure AD Connect, see [Integrate your on-premises directories with Azure Active Directory](../hybrid/whatis-hybrid-identity.md).
@@ -0,0 +1,145 @@
+---
+title: 'Tutorial: Configure Appaegis Isolation Access Cloud for automatic user provisioning with Azure Active Directory | Microsoft Docs'
+description: Learn how to automatically provision and de-provision user accounts from Azure AD to Appaegis Isolation Access Cloud.
+services: active-directory
+author: twimmers
+writer: twimmers
+manager: beatrizd
+ms.assetid: c845e98a-6fcd-4285-94b7-a72a2175ca7e
+ms.service: active-directory
+ms.subservice: saas-app-tutorial
+ms.workload: identity
+ms.topic: tutorial
+ms.date: 10/29/2021
+ms.author: thwimmer
+---
+
+# Tutorial: Configure Appaegis Isolation Access Cloud for automatic user provisioning
+
+This tutorial describes the steps you need to do in both Appaegis Isolation Access Cloud and Azure Active Directory (Azure AD) to configure automatic user provisioning. When configured, Azure AD automatically provisions and de-provisions users and groups to [Appaegis Isolation Access Cloud](https://www.appaegis.com) using the Azure AD Provisioning service. For important details on what this service does, how it works, and frequently asked questions, see [Automate user provisioning and deprovisioning to SaaS applications with Azure Active Directory](../app-provisioning/user-provisioning.md). 
+
+
+## Supported capabilities
+> [!div class="checklist"]
+> * Create users in Appaegis Isolation Access Cloud
+> * Remove users in Appaegis Isolation Access Cloud when they do not require access anymore
+> * Keep user attributes synchronized between Azure AD and Appaegis Isolation Access Cloud
+> * [Single sign-on](appaegis-isolation-access-cloud-tutorial.md) to Appaegis Isolation Access Cloud (recommended)
+
+## Prerequisites
+
+The scenario outlined in this tutorial assumes that you already have the following prerequisites:
+
+* [An Azure AD tenant](../develop/quickstart-create-new-tenant.md) 
+* A user account in Azure AD with [permission](../roles/permissions-reference.md) to configure provisioning (for example, Application Administrator, Cloud Application administrator, Application Owner, or Global Administrator).
+* An [Appaegis Cloud](https://www.appaegis.com) account with Professional level of subscription. 
+* An Appaegis Cloud user account with **Global Admin** permissions.
+
+
+## Step 1. Plan your provisioning deployment
+1. Learn about [how the provisioning service works](../app-provisioning/user-provisioning.md).
+2. Determine who will be in [scope for provisioning](../app-provisioning/define-conditional-rules-for-provisioning-user-accounts.md).
+3. Determine what data to [map between Azure AD and Appaegis Isolation Access Cloud](../app-provisioning/customize-application-attributes.md).
+
+## Step 2. Configure Appaegis Isolation Access Cloud to support provisioning with Azure AD
+
+1. Enabled [SSO](appaegis-isolation-access-cloud-tutorial.md) with Appaegis Cloud.
+2. When at the **Identity Provider Details** page (the page lists ACS URL and Entity ID), you'll find the SCIM URL and SCIM Token.
+
+## Step 3. Add Appaegis Isolation Access Cloud from the Azure AD application gallery
+
+Add Appaegis Isolation Access Cloud from the Azure AD application gallery to start managing provisioning to Appaegis Isolation Access Cloud. If you have previously setup Appaegis Isolation Access Cloud for SSO, you can use the same application. However it's recommended that you create a separate app when testing out the integration initially. Learn more about adding an application from the gallery [here](../manage-apps/add-application-portal.md). 
+
+## Step 4. Define who will be in scope for provisioning 
+
+The Azure AD provisioning service allows you to scope who will be provisioned based on assignment to the application and or based on attributes of the user / group. If you choose to scope who will be provisioned to your app based on assignment, you can use the following [steps](../manage-apps/assign-user-or-group-access-portal.md) to assign users and groups to the application. If you choose to scope who will be provisioned based solely on attributes of the user or group, you can use a scoping filter as described [here](../app-provisioning/define-conditional-rules-for-provisioning-user-accounts.md). 
+
+* When assigning users and groups to Appaegis Isolation Access Cloud, you must select a role other than **Default Access**. Users with the Default Access role are excluded from provisioning and will be marked as not effectively entitled in the provisioning logs. If the only role available on the application is the default access role, you can [update the application manifest](../develop/howto-add-app-roles-in-azure-ad-apps.md) to add more roles. 
+
+* Start small. Test with a small set of users and groups before rolling out to everyone. When scope for provisioning is set to assigned users and groups, you can control it by assigning one or two users or groups to the app. When scope is set to all users and groups, you can specify an [attribute based scoping filter](../app-provisioning/define-conditional-rules-for-provisioning-user-accounts.md). 
+
+
+## Step 5. Configure automatic user provisioning to Appaegis Isolation Access Cloud 
+
+This section guides you through the steps to configure the Azure AD provisioning service to create, update, and disable users or groups in TestApp based on user and/or group assignments in Azure AD.
+
+### To configure automatic user provisioning for Appaegis Isolation Access Cloud in Azure AD:
+
+1. Sign in to the [Azure portal](https://portal.azure.com). Select **Enterprise Applications**, then select **All applications**.
+
+	![Enterprise applications blade](common/enterprise-applications.png)
+
+2. In the applications list, select **Appaegis Isolation Access Cloud**.
+
+	![The Appaegis Isolation Access Cloud link in the Applications list](common/all-applications.png)
+
+3. Select the **Provisioning** tab.
+
+	![Provision tab](common/provisioning.png)
+
+4. Set the **Provisioning Mode** to **Automatic**.
+
+	![Provisioning tab](common/provisioning-automatic.png)
+
+5. Under the **Admin Credentials** section, input your Appaegis Isolation Access Cloud Tenant URL and Secret Token. Click **Test Connection** to ensure Azure AD can connect to Appaegis Isolation Access Cloud. If the connection fails, ensure your Appaegis Isolation Access Cloud account has Admin permissions and try again.
+
+ 	![Token](common/provisioning-testconnection-tenanturltoken.png)
+
+6. In the **Notification Email** field, enter the email address of a person or group who should receive the provisioning error notifications and select the **Send an email notification when a failure occurs** check box.
+
+	![Notification Email](common/provisioning-notification-email.png)
+
+7. Select **Save**.
+
+8. Under the **Mappings** section, select **Synchronize Azure Active Directory Users to Appaegis Isolation Access Cloud**.
+
+9. Review the user attributes that are synchronized from Azure AD to Appaegis Isolation Access Cloud in the **Attribute-Mapping** section. The attributes selected as **Matching** properties are used to match the user accounts in Appaegis Isolation Access Cloud for update operations. If you choose to change the [matching target attribute](../app-provisioning/customize-application-attributes.md), you'll need to ensure that the Appaegis Isolation Access Cloud API supports filtering users based on that attribute. Select the **Save** button to commit any changes.
+
+    |Attribute|Type|Supported for filtering|
+    |---|---|---|
+    |userName|String|&check;
+    |active|Boolean|
+    |displayName|String|
+    |name.givenName|String|
+    |name.familyName|String|
+
+10. Under the **Mappings** section, select **Synchronize Azure Active Directory Groups to Contoso**.
+
+11. Review the group attributes that are synchronized from Azure AD to Contoso in the **Attribute-Mapping** section. The attributes selected as **Matching** properties are used to match the groups in Contoso for update operations. Select the **Save** button to commit any changes.
+
+      |Attribute|Type|Supported for filtering|
+      |---|---|---|
+      |displayName|String|&check;
+      |members|Reference|
+
+12. To configure scoping filters, refer to the following instructions provided in the [Scoping filter tutorial](../app-provisioning/define-conditional-rules-for-provisioning-user-accounts.md).
+
+13. To enable the Azure AD provisioning service for Appaegis Isolation Access Cloud, change the **Provisioning Status** to **On** in the **Settings** section.
+
+	![Provisioning Status Toggled On](common/provisioning-toggle-on.png)
+
+14. Define the users and/or groups that you would like to provision to Appaegis Isolation Access Cloud by choosing the desired values in **Scope** in the **Settings** section.
+
+	![Provisioning Scope](common/provisioning-scope.png)
+
+15. When you are ready to provision, click **Save**.
+
+	![Saving Provisioning Configuration](common/provisioning-configuration-save.png)
+
+This operation starts the initial synchronization cycle of all users and groups defined in **Scope** in the **Settings** section. The initial cycle takes longer to perform than subsequent cycles, which occur approximately every 40 minutes as long as the Azure AD provisioning service is running. 
+
+## Step 6. Monitor your deployment
+Once you've configured provisioning, use the following resources to monitor your deployment:
+
+1. Use the [provisioning logs](../reports-monitoring/concept-provisioning-logs.md) to determine which users have been provisioned successfully or unsuccessfully
+2. Check the [progress bar](../app-provisioning/application-provisioning-when-will-provisioning-finish-specific-user.md) to see the status of the provisioning cycle and how close it is to completion
+3. If the provisioning configuration seems to be in an unhealthy state, the application will go into quarantine. Learn more about quarantine states [here](../app-provisioning/application-provisioning-quarantine-status.md).
+
+## More resources
+
+* [Managing user account provisioning for Enterprise Apps](../app-provisioning/configure-automatic-user-provisioning-portal.md)
+* [What is application access and single sign-on with Azure Active Directory?](../manage-apps/what-is-single-sign-on.md)
+
+## Next steps
+
+* [Learn how to review logs and get reports on provisioning activity](../app-provisioning/check-status-user-account-provisioning.md)
@@ -2385,6 +2385,8 @@
         href: alertmedia-provisioning-tutorial.md
       - name: Amazon Web Services (AWS) - Role Provisioning
         href: amazon-web-service-tutorial.md#configure-azure-ad-sso
+      - name: Appaegis Isolation Access Cloud
+        href: appaegis-isolation-access-cloud-provisioning-tutorial.md  
       - name: Asana
         href: asana-provisioning-tutorial.md
       - name: askSpoke
 
@@ -116,7 +116,7 @@ The Secrets Store CSI Driver allows for the following methods to access an Azure
 - [Azure Active Directory pod identity][aad-pod-identity]
 - User or System-assigned managed identity
 
-Follow the steps to [provide an identity to access Azure Key Vault][csi-secrets-store-identity-access.md] for your chosen method.
+Follow the steps to [provide an identity to access Azure Key Vault][identity-access-methods] for your chosen method.
 
 ## Validate the secrets
 
 
@@ -235,7 +235,7 @@ resource sa 'Microsoft.Storage/storageAccounts@2019-06-01' = if (newOrExisting =
 }
 ```
 
-To [deploy more than one instance](https://github.com/Azure/bicep/blob/main/docs/spec/loops.md) of a resource type, add a `for` expression. The expression can iterate over members of an array.
+To [deploy more than one instance](loops.md) of a resource type, add a `for` expression. The expression can iterate over members of an array.
 
 ```bicep
 resource sa 'Microsoft.Storage/storageAccounts@2019-06-01' = [for storageName in storageAccounts: {
Original file line number	Diff line number	Diff line change
`@@ -235,7 +235,7 @@ resource sa 'Microsoft.Storage/storageAccounts@2019-06-01' = if (newOrExisting =`
`235`	`235`	`}`
`236`	`236`	```
`237`	`237`
`238`		-To [deploy more than one instance](https://github.com/Azure/bicep/blob/main/docs/spec/loops.md) of a resource type, add a `for` expression. The expression can iterate over members of an array.
	`238`	+To [deploy more than one instance](loops.md) of a resource type, add a `for` expression. The expression can iterate over members of an array.
`239`	`239`
`240`	`240`	```bicep
`241`	`241`	`resource sa 'Microsoft.Storage/storageAccounts@2019-06-01' = [for storageName in storageAccounts: {`