Commit 5b33e01

committed
Merge branch 'master' of https://github.com/MicrosoftDocs/azure-docs-pr into sdg-notebooks
2 parents cb5ab66 + 0f13565 commit 5b33e01

2,080 files changed

+23735
-37786
lines changed

.openpublishing.publish.config.json

Lines changed: 5 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -499,6 +499,11 @@
499499
"path_to_root": "azure-cosmosdb-java-v4-getting-started",
500500
"url": "https://github.com/Azure-Samples/azure-cosmos-java-getting-started",
501501
"branch": "master"
502+
},
503+
{
504+
"path_to_root": "azure-storage-snippets",
505+
"url": "https://github.com/azure-samples/AzureStorageSnippets",
506+
"branch": "master"
502507
}
503508
],
504509
"branch_target_mapping": {
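Review bot: the new `azure-storage-snippets` dependency (lines 503-506) pins `"branch": "master"` rather than a tag or commit, so every docs build pulls whatever is on that branch at build time; if the publishing config allows it, pin a release or commit instead. Also the org name is written lower-case (`azure-samples/AzureStorageSnippets`) while the entry directly above uses `Azure-Samples`; GitHub resolves either, but keep the casing consistent across the file.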

.openpublishing.redirection.json

Lines changed: 628 additions & 3 deletions
Large diffs are not rendered by default.

articles/active-directory-b2c/best-practices.md

Lines changed: 2 additions & 2 deletions
@@ -39,7 +39,7 @@ Define your application and service architecture, inventory current systems, and
3939
| Create a migration plan |Planning ahead can make migration go more smoothly. Learn more about [user migration](user-migration.md).|
4040
| Usability vs. security | Your solution must strike the right balance between application usability and your organization's acceptable level of risk. |
4141
| Move on-premises dependencies to the cloud | To help ensure a resilient solution, consider moving existing application dependencies to the cloud. |
42-
| Migrate existing apps to b2clogin.com | The deprecation of login.microsoftonline.com went into effect for all Azure AD B2C tenants on 04 December 2020. [Learn more](b2clogin.md). |
42+
| Migrate existing apps to b2clogin.com | The deprecation of login.microsoftonline.com will go into effect for all Azure AD B2C tenants on 04 December 2020. [Learn more](b2clogin.md). |
4343

4444
## Implementation
4545

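Review bot: line 42 changes "went into effect" to "will go into effect" for the 04 December 2020 deprecation of login.microsoftonline.com. That reads correctly now but goes stale the day after the date passes; either phrase it so it survives the date ("login.microsoftonline.com is deprecated for all Azure AD B2C tenants as of 04 December 2020") or file a follow-up to flip the tense back.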
@@ -88,4 +88,4 @@ Stay up to date with the state of the service and find support options.
8888
|--|--|
8989
| [Service updates](https://azure.microsoft.com/updates/?product=active-directory-b2c) | Stay up to date with Azure AD B2C product updates and announcements. |
9090
| [Microsoft Support](support-options.md) | File a support request for Azure AD B2C technical issues. Billing and subscription management support is provided at no cost. |
91-
| [Azure status](https://status.azure.com/status) | View the current health status of all Azure services. |
91+
| [Azure status](https://status.azure.com/status) | View the current health status of all Azure services. |
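Review bot: lines 91- and 91+ are identical in the rendered diff, so the only change in this hunk is the line ending or trailing newline at end of file. Nothing to review in content; just confirm the editor isn't silently changing EOL style across the repository.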

articles/active-directory-b2c/code-samples.md

Lines changed: 6 additions & 0 deletions
@@ -43,3 +43,9 @@ The following tables provide links to samples for applications including iOS, An
4343
| Sample | Description |
4444
|--------| ----------- |
4545
| [javascript-msal-singlepageapp](https://github.com/Azure-Samples/active-directory-b2c-javascript-msal-singlepageapp) | A single page application (SPA) calling a Web API. Authentication is done with Azure AD B2C by using MSAL.js. |
46+
47+
## SAML test application
48+
49+
| Sample | Description |
50+
|--------| ----------- |
51+
| [saml-sp-tester](https://github.com/azure-ad-b2c/saml-sp-tester/tree/master/source-code) | SAML test application to test Azure AD B2C configured to act as SAML identity provider. |
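Review bot: the description on line 51 is missing an article and repeats "test": "SAML test application to test Azure AD B2C configured to act as SAML identity provider". Suggest "A SAML service provider (SP) test application for validating an Azure AD B2C tenant configured as a SAML identity provider." The link targets `tree/master/source-code`, a moving branch; pointing at a tagged release would keep the doc stable as the sample changes. Lines 46+ and 48+ also both add blank lines; one blank line before the new heading is enough.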

articles/active-directory-domain-services/secure-remote-vm-access.md

Lines changed: 1 addition & 0 deletions
@@ -57,6 +57,7 @@ The RD environment deployment contains a number of steps. The existing RD deploy
5757

5858
1. Sign in to VMs created for the RD environment with an account that's part of the *Azure AD DC Administrators* group, such as *contosoadmin*.
5959
1. To create and configure RDS, use the existing [Remote Desktop environment deployment guide][deploy-remote-desktop]. Distribute the RD server components across your Azure VMs as desired.
60+
* Specific to Azure AD DS - when you configure RD licensing, set it to **Per Device** mode, not **Per User** as noted in the deployment guide.
6061
1. If you want to provide access using a web browser, [set up the Remote Desktop web client for your users][rd-web-client].
6162

6263
With RD deployed into the Azure AD DS managed domain, you can manage and use the service as you would with an on-premises AD DS domain.
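Review bot: the new sub-bullet at line 60 sits between items 2 and 3 of a numbered list, and the rendered view drops indentation, so verify it is indented under step 2 (leading spaces before `*`); otherwise the numbered list restarts at 1 after it. The wording "set it to **Per Device** mode, not **Per User** as noted in the deployment guide" is ambiguous about what the guide says; suggest "For Azure AD DS, configure RD licensing in **Per Device** mode. Don't use the **Per User** mode shown in the deployment guide."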

articles/active-directory/app-provisioning/customize-application-attributes.md

Lines changed: 5 additions & 3 deletions
@@ -69,7 +69,7 @@ Along with this property, attribute-mappings also support the following attribut
6969
- **Target attribute** – The user attribute in the target system (example: ServiceNow).
7070
- **Default value if null (optional)** - The value that will be passed to the target system if the source attribute is null. This value will only be provisioned when a user is created. The "default value when null" will not be provisioned when updating an existing user. If, for example, you want to provision all existing users in the target system with a particular Job Title (when it is null in the source system), you can use the following [expression](../app-provisioning/functions-for-customizing-application-data.md): Switch(IsPresent([jobTitle]), "DefaultValue", "True", [jobTitle]). Make sure to replace the "Default Value" with what you would like to provision when null in the source system.
7171
- **Match objects using this attribute** – Whether this mapping should be used to uniquely identify users between the source and target systems. It's typically set on the userPrincipalName or mail attribute in Azure AD, which is typically mapped to a username field in a target application.
72-
- **Matching precedence** – Multiple matching attributes can be set. When there are multiple, they're evaluated in the order defined by this field. As soon as a match is found, no further matching attributes are evaluated.
72+
- **Matching precedence** – Multiple matching attributes can be set. When there are multiple, they're evaluated in the order defined by this field. As soon as a match is found, no further matching attributes are evaluated. While you can set as many matching attributes as you would like, consider whether the attributes you are using as matching attributes are truly unique and need to be matching attributes. Generally customers have 1 or 2 matching attributes in their configuration.
7373
- **Apply this mapping**
7474
- **Always** – Apply this mapping on both user creation and update actions.
7575
- **Only during creation** - Apply this mapping only on user creation actions.
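Review bot: the added guidance on line 72 tells readers to check that matching attributes are "truly unique" but not what goes wrong when they aren't; since line 71 defines these attributes as what uniquely identifies a user between source and target, state the consequence plainly (a non-unique match can tie more than one source user to the same target account). Also "Generally customers have 1 or 2 matching attributes in their configuration" reads better as "Most configurations need only one or two matching attributes."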
@@ -312,8 +312,10 @@ Selecting this option will effectively force a resynchronization of all users wh
312312
- Updating attribute-mappings has an impact on the performance of a synchronization cycle. An update to the attribute-mapping configuration requires all managed objects to be reevaluated.
313313
- A recommended best practice is to keep the number of consecutive changes to your attribute-mappings at a minimum.
314314
- Adding a photo attribute to be provisioned to an app is not supported today as you cannot specify the format to sync the photo. You can request the feature on [User Voice](https://feedback.azure.com/forums/169401-azure-active-directory)
315-
- The attribute IsSoftDeleted is often part of the default mappings for an application. IsSoftdeleted can be true in one of four scenarios (the user is out of scope due to being unassigned from the application, the user is out of scope due to not meeting a scoping filter, the user has been soft deleted in Azure AD, or the property AccountEnabled is set to false on the user).
316-
- The Azure AD provisioning service does not support provisioning null values
315+
- The attribute IsSoftDeleted is often part of the default mappings for an application. IsSoftdeleted can be true in one of four scenarios (the user is out of scope due to being unassigned from the application, the user is out of scope due to not meeting a scoping filter, the user has been soft deleted in Azure AD, or the property AccountEnabled is set to false on the user). It is not recommended to remove the IsSoftDeleted attribute from your attribute mappings.
316+
- The Azure AD provisioning service does not support provisioning null values.
317+
- They primary key, typically "ID", should not be included as a target attribute in your attribute mappings.
318+
- The role attribute typically needs to be mapped using an expression, rather than a direct mapping. See section above for more details on role mapping.
317319

318320
## Next steps
319321

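Review bot: typo on line 317: "They primary key" should be "The primary key". Line 318's "See section above for more details on role mapping" is a dangling cross-reference; link the section by its heading anchor. Line 315: "It is not recommended to remove the IsSoftDeleted attribute" is passive and soft; the docs' usual imperative ("Don't remove the IsSoftDeleted attribute from your attribute mappings") is clearer.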
articles/active-directory/app-provisioning/functions-for-customizing-application-data.md

Lines changed: 5 additions & 5 deletions
@@ -519,11 +519,11 @@ SelectUniqueValue(uniqueValueRule1, uniqueValueRule2, uniqueValueRule3, …)
519519
**Description:**<br>
520520
Requires a minimum of two arguments, which are unique value generation rules defined using expressions. The function evaluates each rule and then checks the value generated for uniqueness in the target app/directory. The first unique value found will be the one returned. If all of the values already exist in the target, the entry will get escrowed and the reason gets logged in the audit logs. There is no upper bound to the number of arguments that can be provided.
521521

522-
> [!NOTE]
523-
> - This is a top-level function, it cannot be nested.
524-
> - This function cannot be applied to attributes that have a matching precedence.
525-
> - This function is only meant to be used for entry creations. When using it with an attribute, set the **Apply Mapping** property to **Only during object creation**.
526-
> - This function is currently only supported for "Workday to Active Directory User Provisioning". It cannot be used with other provisioning applications.
522+
523+
- This is a top-level function, it cannot be nested.
524+
- This function cannot be applied to attributes that have a matching precedence.
525+
- This function is only meant to be used for entry creations. When using it with an attribute, set the **Apply Mapping** property to **Only during object creation**.
526+
- This function is currently only supported for "Workday to Active Directory User Provisioning". It cannot be used with other provisioning applications.
527527

528528

529529
**Parameters:**<br>
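Review bot: lines 522-526 replace the `> [!NOTE]` callout with a plain bullet list, which buries exactly the constraints readers need before using SelectUniqueValue (top-level only, not on matching-precedence attributes, creation-only, Workday-to-AD only). If the callout rendered badly, keep the note and fix the markup rather than dropping it. Line 522+ adds an empty line on top of the existing blank line 521, leaving a double blank before the list. Minor: "This is a top-level function, it cannot be nested" is a comma splice; use a semicolon or "and".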
Lines changed: 126 additions & 0 deletions
@@ -0,0 +1,126 @@
1+
---
2+
title: Using SCIM, the Microsoft Graph, and the Azure AD provisioning service to provision users and enrich your application with the data it needs | Microsoft Docs
3+
description: Using SCIM and the Microsoft Graph together to provision users and enrich your application with the data it needs .
4+
services: active-directory
5+
documentationcenter: ''
6+
author: msmimart
7+
manager: CelesteDG
8+
9+
ms.assetid:
10+
ms.service: active-directory
11+
ms.subservice: app-provisioning
12+
ms.workload: identity
13+
ms.tgt_pltfrm: na
14+
ms.devlang: na
15+
ms.topic: conceptual
16+
ms.date: 04/23/2020
17+
ms.author: mimart
18+
ms.reviewer: arvinh
19+
20+
ms.collection: M365-identity-device-management
21+
---
22+
23+
24+
# Using SCIM and Microsoft Graph together to provision users and enrich your application with the data it needs
25+
26+
**Target audience:** This document is targeted towards developers building applications to be integrated with Azure AD. For others looking to use applications already integrated with Azure AD, such as Zoom, ServiceNow, and DropBox, you can skip this and review the application specific [tutorials](https://docs.microsoft.com/azure/active-directory/saas-apps/tutorial-list) or review [how the provisioning service works](https://docs.microsoft.com/azure/active-directory/app-provisioning/how-provisioning-works).
27+
28+
**Common scenarios**
29+
30+
Azure AD provides an out of the box service for provisioning and an extensible platform to build your applications on. The decision tree outlines how a developer would use [SCIM](https://aka.ms/scimoverview) and the [Microsoft Graph](https://docs.microsoft.com/graph/overview) to automate provisioning.
31+
32+
> [!div class="checklist"]
33+
> * Automatically create users in my application
34+
> * Automatically remove users from my application when they shouldn't have access anymore
35+
> * Integrate my application with multiple identity providers for provisioning
36+
> * Enrich my application with data from Microsoft services such as Teams, Outlook, and Office.
37+
> * Automatically create, update, and delete users and groups in Azure AD and Active Directory
38+
39+
![SCIM Graph decision tree](./media/user-provisioning/scim-graph.png)
40+
41+
## Scenario 1: Automatically create users in my app
42+
Today, IT admins provision users by manually creating user accounts or periodically uploading CSV files into my application. The process is time consuming for customers and slows down adoption of my application. All I need is basic user information such as name, email, and userPrincipalName to create a user.
43+
44+
**Recommendation**:
45+
* If your customers use various IdPs and you do not want to maintain a sync engine to integrate with each, support a SCIM compliant [/Users](https://aka.ms/scimreferencecode) endpoint. Your customers will be able to easily use this endpoint to integrate with the Azure AD provisioning service and automatically create user accounts when they need access. You can build the endpoint once and it will be compatible with all IdPs. Check out the example request below for how a user would be created using SCIM.
46+
* If you require user data found on the user object in Azure AD and other data from across Microsoft, consider building a SCIM endpoint for user provisioning and calling into the Microsoft Graph to get the rest of the data.
47+
48+
49+
```json
50+
POST /Users
51+
{
52+
"schemas": [
53+
"urn:ietf:params:scim:schemas:core:2.0:User",
54+
"urn:ietf:params:scim:schemas:extension:enterprise:2.0:User"],
55+
"externalId": "0a21f0f2-8d2a-4f8e-bf98-7363c4aed4ef",
56+
"userName": "BillG",
57+
"active": true,
58+
"meta": {
59+
"resourceType": "User"
60+
},
61+
"name": {
62+
"formatted": "Bill Gates",
63+
"familyName": "Gates",
64+
"givenName": "Bill"
65+
},
66+
"roles": []
67+
}
68+
```
69+
70+
## Scenario 2: Automatically remove users from my app
71+
The customers using my application are security focused and have governance requirements to remove accounts when employees don't need them anymore. How can I automate deprovisioning from my application?
72+
73+
**Recommendation:** Support a SCIM compliant /Users endpoint. The Azure AD provisioning service will send requests to disable and delete when the user shouldn't have access anymore. We recommend supporting both disabling and deleting users. See the examples below for what a disable and delete request look like.
74+
75+
Disable user
76+
```json
77+
PATCH /Users/5171a35d82074e068ce2 HTTP/1.1
78+
{
79+
"Operations": [
80+
{
81+
"op": "Replace",
82+
"path": "active",
83+
"value": false
84+
}
85+
],
86+
"schemas": [
87+
"urn:ietf:params:scim:api:messages:2.0:PatchOp"
88+
]
89+
}
90+
```
91+
Delete user
92+
```json
93+
DELETE /Users/5171a35d82074e068ce2 HTTP/1.1
94+
```
95+
96+
## Scenario 3: Automate managing group memberships in my app
97+
My application relies on groups for access to various resources, and customers want to reuse the groups that they have in Azure AD. How can I import groups from Azure AD and keep them updated as the memberships change?
98+
99+
**Recommendation:** Support a SCIM compliant /Groups [endpoint](https://aka.ms/scimreferencecode). The Azure AD provisioning service will take care of creating groups and managing membership updates in your application.
100+
101+
## Scenario 4: Enrich my app with data from Microsoft services such as Teams, Outlook, and OneDrive
102+
My application is built into Microsoft Teams and relies on message data. In addition, we store files for users in OneDrive. How can I enrich my application with the data from these services and across Microsoft?
103+
104+
**Recommendation:** The [Microsoft Graph](https://docs.microsoft.com/graph/) is your entry point to access Microsoft data. Each workload exposes APIs with the data that you need. The Microsoft graph can be used along with [SCIM provisioning](https://docs.microsoft.com/azure/active-directory/app-provisioning/use-scim-to-provision-users-and-groups) for the scenarios above. You can use SCIM to provision basic user attributes into your application while calling into graph to get any other data that you need.
105+
106+
## Scenario 5: Track changes in Microsoft services such as Teams, Outlook, and Azure AD
107+
I need to be able to track changes to Teams and Outlook messages and react to them in real time. How can I get these changes pushed to my application?
108+
109+
**Recommendation:** The Microsoft Graph provides [change notifications](https://docs.microsoft.com/graph/webhooks) and [change tracking](https://docs.microsoft.com/graph/delta-query-overview) for various resources. Note the following limitations of change notifications:
110+
- If an event receiver acknowledges an event, but fails to act on it for any reason, the event may be lost
111+
- If an event receiver acknowledges an event, but fails to act on it for any reason, the event may be lost
112+
- Change notifications don't always contain the [resource data](https://docs.microsoft.com/graph/webhooks-with-resource-data)
113+
For the reasons above, developers often use change notifications along with change tracking for synchronization scenarios.
114+
115+
## Scenario 6: Provision users and groups in Azure AD
116+
My application creates information about a user that customers need in Azure AD. This could be an HR application than manages hiring, a communications app that creates phone numbers for users, or some other app that generates data that would be valuable in Azure AD. How do I populate the user record in Azure AD with that data?
117+
118+
**Recommendation** The Microsoft graph exposes /Users and /Groups endpoints that you can integrate with today to provision users into Azure AD. Please note that Azure Active Directory doesn't support writing those users back into Active Directory.
119+
120+
> [!NOTE]
121+
> Microsoft has a provisioning service that pulls in data from HR applications such as Workday and SuccessFactors. These integrations are built and managed by Microsoft. For onboarding a new HR application to our service, you can request it on [UserVoice](https://feedback.azure.com/forums/374982-azure-active-directory-application-requests).
122+
123+
## Related articles
124+
125+
- [Review the synchronization Microsoft Graph documentation](https://docs.microsoft.com/graph/api/resources/synchronization-overview?view=graph-rest-beta)
126+
- [Integrating a custom SCIM app with Azure AD](use-scim-to-provision-users-and-groups.md)
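Review bot: lines 110 and 111 are the same bullet ("If an event receiver acknowledges an event, but fails to act on it for any reason, the event may be lost") repeated; drop one. Line 116: "an HR application than manages hiring" should be "that manages". Line 118: "**Recommendation**" is missing the colon the other scenarios use. In the disable example on line 81, `"op": "Replace"` is capitalized, while RFC 7644 section 3.5.2 defines the PatchOp operation values as lowercase `add`, `remove` and `replace`; either lowercase it or say explicitly that a compliant endpoint must accept both casings and point to the SCIM 2.0 protocol compliance article. Scenario 2 recommends supporting both disable and delete but says nothing about what the application should do with a user's existing sessions or tokens once `active` is `false`; one sentence there would close an obvious gap for the "security focused" customers it describes. The empty `ms.assetid:` on line 9 can be removed if unused.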

articles/active-directory/app-provisioning/toc.yml

Lines changed: 3 additions & 1 deletion
@@ -79,6 +79,8 @@
7979
items:
8080
- name: SCIM 2.0 protocol compliance
8181
href: application-provisioning-config-problem-scim-compatibility.md
82+
- name: SCIM and Graph scenarios
83+
href: scim-graph-scenarios.md
8284
- name: Choose a provisioning method
8385
href: isv-automatic-provisioning-multi-tenant-apps.md
8486
- name: Cloud HR provisioning
@@ -106,4 +108,4 @@
106108
- name: Stack Overflow
107109
href: https://stackoverflow.com/questions/tagged/azure-active-directory
108110
- name: Videos
109-
href: https://azure.microsoft.com/documentation/videos/index/?services=active-directory
111+
href: https://azure.microsoft.com/documentation/videos/index/?services=active-directory
