Merge pull request #104130 from msmimart/mm-b2bem

v-albemi · web-flow · commit 6c395be2199e · 2020-02-13T08:35:45.000-08:00
[B2B] Updates for Azure AD entitlement management
diff --git a/articles/active-directory/b2b/self-service-portal.md b/articles/active-directory/b2b/self-service-portal.md
@@ -6,7 +6,7 @@ services: active-directory
 ms.service: active-directory
 ms.subservice: B2B
 ms.topic: sample
-ms.date: 05/08/2018
+ms.date: 02/12/2020
 
 ms.author: mimart
 author: msmimart
@@ -16,17 +16,17 @@ ms.reviewer: mal
 ms.collection: M365-identity-device-management
 ---
 
-# Self-service portal for Azure AD B2B collaboration sign-up
+# Self-service for Azure AD B2B collaboration sign-up
 
-Customers can do a lot with the built-in features that are exposed through the [Azure portal](https://portal.azure.com) and the [Application Access Panel](https://myapps.microsoft.com) for end users. However, you might need to customize the onboarding workflow for B2B users to fit your organization’s needs. You can do that with [the invitation API](https://developer.microsoft.com/graph/docs/api-reference/v1.0/resources/invitation).
+Customers can do a lot with the built-in features that are exposed through the [Azure portal](https://portal.azure.com) and the [Application Access Panel](https://myapps.microsoft.com) for end users. However, you might need to customize the onboarding workflow for B2B users to fit your organization’s needs.
 
-As an inviting organization, you may not know ahead of time who the individual external collaborators are who need access to your resources. You need a way for users from partner companies to sign themselves up with a set of policies that you as the inviting organization controls. This scenario is possible through the APIs. There's a [sample project on GitHub](https://github.com/Azure/active-directory-dotnet-graphapi-b2bportal-web) that does just that.
+## Azure AD entitlement management for B2B guest user sign-up
 
-This GitHub project shows how organizations can use the APIs to provide a policy-based, self-service sign-up capability for your trusted partners, with rules that determine the apps they can access. Partner users can get access to resources when they need them. They can do this securely, without requiring the inviting organization to manually onboard them. You can easily deploy the project into an Azure subscription of your choice.
+As an inviting organization, you might not know ahead of time who the individual external collaborators are who need access to your resources. You need a way for users from partner companies to sign themselves up with policies that you control. If you want to enable users from other organizations to request access, and upon approval be provisioned with guest accounts and assigned to groups, apps and SharePoint Online sites, you can use [Azure AD entitlement management](https://docs.microsoft.com/azure/active-directory/governance/entitlement-management-overview) to configure policies that [manage access for external users](https://docs.microsoft.com/azure/active-directory/governance/entitlement-management-external-users#how-access-works-for-external-users).
 
-## As-is code
+## Azure Active Directory B2B invitation API
 
-This code is made available as a sample to demonstrate usage of the Azure Active Directory B2B invitation API. It should be customized by your development team or a partner, and should be reviewed before you deploy it in a production scenario.
+Organizations can use the [Microsoft Graph invitation manager API](https://docs.microsoft.com/graph/api/resources/invitation?view=graph-rest-1.0) to build their own onboarding experiences for B2B guest users. When you want to offer self-service B2B guest user sign-up, we recommend that you use [Azure AD entitlement management](https://docs.microsoft.com/azure/active-directory/governance/entitlement-management-overview). But if you want to build your own experience, you can use the [create invitation API](https://docs.microsoft.com/graph/api/invitation-post?view=graph-rest-1.0&tabs=http) to automatically send your customized invitation email directly to the B2B user, for example. Or your app can use the inviteRedeemUrl returned in the creation response to craft your own invitation (through your communication mechanism of choice) to the invited user.
 
 ## Next steps
 
diff --git a/articles/active-directory/b2b/toc.yml b/articles/active-directory/b2b/toc.yml
@@ -23,8 +23,6 @@
       href: b2b-tutorial-require-mfa.md
   - name: Samples
     items:
-    - name: Self-service sign-up portal sample
-      href: self-service-portal.md
     - name: Code and Azure PowerShell samples
       href: code-samples.md
   - name: Concepts
@@ -50,6 +48,8 @@
       href: conditional-access.md
     - name: B2B for hybrid organizations
       href: hybrid-organizations.md
+    - name: Self-service sign-up
+      href: self-service-portal.md
     - name: Current limitations
       href: current-limitations.md
   - name: How-to guides
diff --git a/articles/active-directory/b2b/what-is-b2b.md b/articles/active-directory/b2b/what-is-b2b.md
@@ -6,7 +6,7 @@ services: active-directory
 ms.service: active-directory
 ms.subservice: B2B
 ms.topic: overview
-ms.date: 01/23/2020
+ms.date: 02/12/2020
 
 ms.author: mimart
 author: msmimart
@@ -27,23 +27,29 @@ The following video provides a useful overview.
 >[!VIDEO https://www.youtube.com/embed/AhwrweCBdsc]
 
 ## Collaborate with any partner using their identities
-With Azure AD B2B, the partner uses their own identity management solution, so there is no external administrative overhead for your organization. 
-- The partner uses their own identities and credentials; Azure AD is not required. 
-- You don't need to manage external accounts or passwords. 
+
+With Azure AD B2B, the partner uses their own identity management solution, so there is no external administrative overhead for your organization.
+
+- The partner uses their own identities and credentials; Azure AD is not required.
+- You don't need to manage external accounts or passwords.
 - You don't need to sync accounts or manage account lifecycles.  
 
 ![Screenshot showing the Add members page](media/what-is-b2b/add-member.png)
 
 ## Invite guest users with a simple invitation and redemption process
+
 Guest users sign in to your apps and services with their own work, school, or social identities. If the guest user doesn’t have a Microsoft account or an Azure AD account, one is created for them when they redeem their invitation. 
+
 - Invite guest users using the email identity of their choice.
-- Send a direct link to an app, or send an invitation to the guest user's own Access Panel. 
+- Send a direct link to an app, or send an invitation to the guest user's own Access Panel.
 - Guest users follow a few simple redemption steps to sign in.
 
 ![Screenshot showing the Review permissions page](media/what-is-b2b/consentscreen.png)
 
 ## Use policies to securely share your apps and services
+
 You can use authorization policies to protect your corporate content. Conditional Access policies, such as multi-factor authentication, can be enforced:
+
 - At the tenant level.
 - At the application level.
 - For specific guest users to protect corporate apps and data.
@@ -54,6 +60,7 @@ You can use authorization policies to protect your corporate content. Conditiona
 ## Easily add guest users in the Azure AD portal
 
 As an administrator, you can easily add guest users to your organization in the Azure portal.
+
 - Create a new guest user in Azure AD, similar to how you'd add a new user.
 - The guest user immediately receives a customizable invitation that lets them sign in to their Access Panel.
 - Guest users in the directory can be assigned to apps or groups.  
@@ -62,19 +69,19 @@ As an administrator, you can easily add guest users to your organization in the
 
 ## Let application and group owners manage their own guest users
 
-You can delegate guest user management to application owners so that they can add guest users directly to any application they want to share, whether it's a Microsoft application or not. 
- - Administrators set up self-service app and group management.
- - Non-administrators use their [Access Panel](https://myapps.microsoft.com) to add guest users to applications or groups.
+You can delegate guest user management to application owners so that they can add guest users directly to any application they want to share, whether it's a Microsoft application or not.
+
+- Administrators set up self-service app and group management.
+- Non-administrators use their [Access Panel](https://myapps.microsoft.com) to add guest users to applications or groups.
 
 ![Screenshot showing the Access panel for a guest user](media/what-is-b2b/access-panel-manage-app.png)
 
-## Use APIs and sample code to easily build applications to onboard
+## Customize the onboarding experience for B2B guest users
 
 Bring your external partners on board in ways customized to your organization’s needs.
-- Use the [B2B collaboration invitation APIs](https://developer.microsoft.com/graph/docs/api-reference/v1.0/resources/invitation) to customize your onboarding experiences, including creating self-service sign-up portals. 
-- Use the sample code we provide for a self-service portal [on GitHub](https://github.com/Azure/active-directory-dotnet-graphapi-b2bportal-web).
 
-![Screenshot showing the sample sign-up portal](media/what-is-b2b/sign-up-portal.png)
+- Use [Azure AD entitlement management](https://docs.microsoft.com/azure/active-directory/governance/entitlement-management-overview) to configure policies that [manage access for external users](https://docs.microsoft.com/azure/active-directory/governance/entitlement-management-external-users#how-access-works-for-external-users).
+- Use the [B2B collaboration invitation APIs](https://developer.microsoft.com/graph/docs/api-reference/v1.0/resources/invitation) to customize your onboarding experiences.
 
 ## Next steps
 
