Merge branch 'main' into patch-87

Author: sreekzz

articles/active-directory/develop/scenario-spa-overview.md

@@ -9,10 +9,10 @@ ms.service: active-directory
 ms.subservice: develop
 ms.topic: conceptual
 ms.workload: identity
-ms.date: 10/12/2021
+ms.date: 11/4/2022
 ms.author: owenrichards
-ms.custom: aaddev, identityplatformtop40, devx-track-js
-#Customer intent: As an application developer, I want to know how to write a single-page application by using the Microsoft identity platform.
+ms.custom: aaddev, identityplatformtop40, devx-track-js, engagement-fy23
+# Customer intent: As an application developer, I want to know how to write a single-page application by using the Microsoft identity platform.
 ---
 
 # Scenario: Single-page application
@@ -21,9 +21,9 @@ Learn all you need to build a single-page application (SPA). For instructions re
 
 ## Getting started
 
-If you haven't already,  create your first app by completing the JavaScript SPA quickstart:
+If you haven't already, create your first app by completing the JavaScript SPA quickstart:
 
-[Quickstart: Single-page application](./quickstart-v2-javascript-auth-code.md)
+[Quickstart: Single-page application](./single-page-app-quickstart.md?pivots=devlang-javascript)
 
 ## Overview
 
@@ -33,18 +33,16 @@ The Microsoft identity platform provides **two** options to enable single-page a
 
 - [OAuth 2.0 Authorization code flow (with PKCE)](./v2-oauth2-auth-code-flow.md). The authorization code flow allows the application to exchange an authorization code for **ID** tokens to represent the authenticated user and **Access** tokens needed to call protected APIs. 
 
-    Proof Key for Code Exchange, or _PKCE_, is an extension to the authorization code flow to prevent authorization code injection attacks. This IETF standard mitigates the threat of having an authorization code intercepted and enables secure OAuth exchange from public clients as documented in [RFC 7636](https://datatracker.ietf.org/doc/html/rfc7636). In addition, it returns **refresh** tokens that provide long-term access to resources on behalf of users without requiring interaction from those users. 
+    Proof Key for Code Exchange (PKCE), is an extension to the authorization code flow to prevent authorization code injection attacks. In addition, it returns **refresh** tokens that provide long-term access to resources on behalf of users without requiring additional interaction from them. 
 
     Using the authorization code flow with PKCE is the more secure and **recommended** authorization approach, not only in native and browser-based JavaScript apps, but for every other type of OAuth client.
 
 ![Single-page applications-auth](./media/scenarios/spa-app-auth.svg)
 
-- [OAuth 2.0 implicit flow](./v2-oauth2-implicit-grant-flow.md). The implicit grant flow allows the application to get **ID** and **Access** tokens. Unlike the authorization code flow, implicit grant flow does not return a **Refresh token**.
+- [OAuth 2.0 implicit flow](./v2-oauth2-implicit-grant-flow.md). The implicit grant flow allows the application to get **ID** and **Access** tokens. Unlike the authorization code flow, implicit grant flow does not return a **Refresh token**. It is also less secure, so it's recommended to use the authorization code flow for new applications. This authentication flow does not include application scenarios that use cross-platform JavaScript frameworks such as Electron and React-Native. They require further capabilities for interaction with the native platforms.
 
 ![Single-page applications-implicit](./media/scenarios/spa-app.svg)
 
-This authentication flow does not include application scenarios that use cross-platform JavaScript frameworks such as Electron and React-Native. They require further capabilities for interaction with the native platforms.
-
 ## Specifics
 
 To enable this scenario for your application, you need:

articles/active-directory/external-identities/azure-ad-account.md

@@ -7,36 +7,37 @@ services: active-directory
 ms.service: active-directory
 ms.subservice: B2B
 ms.topic: how-to
-ms.date: 10/06/2022
+ms.date: 11/11/2022
 
 ms.author: mimart
 author: msmimart
 manager: celestedg
 ms.collection: M365-identity-device-management
 ms.custom: engagement-fy23
+# Customer intent: As a tenant administrator, I want to add Azure AD as an identity provider for external guest users.
 ---
 
 # Add Azure Active Directory (Azure AD) as an identity provider for External Identities
 
-Azure Active Directory is available as an identity provider option for B2B collaboration by default. If an external guest user has an Azure AD account through work or school, they can redeem your B2B collaboration invitations or complete your sign-up user flows using their Azure AD account.
+Azure Active Directory is available as an identity provider option for [B2B collaboration](what-is-b2b.md) by default. If an external guest user has an Azure AD account through work or school, they can redeem your B2B collaboration invitations or complete your sign-up user flows using their Azure AD account.
 
 ## Guest sign-in using Azure Active Directory accounts
 
-Azure Active Directory is available in the list of External Identities identity providers by default. No further configuration is needed to allow guest users to sign in with their Azure AD account using either the invitation flow or a [self-service sign-up user flow](self-service-sign-up-overview.md).
+Azure Active Directory is available in the list of External Identities identity providers by default. No further configuration is needed to allow guest users to sign in with their Azure AD account using either the [invitation flow](redemption-experience.md#invitation-redemption-flow) or a [self-service sign-up user flow](self-service-sign-up-overview.md).
 
-![Azure AD account in the identity providers list](media/azure-ad-account/azure-ad-account-identity-provider.png)
+:::image type="content" source="media/azure-ad-account/azure-ad-account-identity-provider.png" alt-text="Screenshot of Azure AD account in the identity provider list." lightbox="media/azure-ad-account/azure-ad-account-identity-provider.png":::
 
 ### Azure AD account in the invitation flow
 
 When you [invite a guest user](add-users-administrator.md) to B2B collaboration, you can specify their Azure AD account as the email address they'll use to sign in.
 
-![Invite using a Azure AD account](media/azure-ad-account/azure-ad-account-invite.png)
+:::image type="content" source="media/azure-ad-account/azure-ad-account-invite.png" alt-text="Screenshot of inviting a guest user using the Azure AD account." lightbox="media/azure-ad-account/azure-ad-account-invite.png":::
 
 ### Azure AD account in self-service sign-up user flows
 
 Azure AD account is an identity provider option for your self-service sign-up user flows. Users can sign up for your applications using their own Azure AD accounts. First, you'll need to [enable self-service sign-up](self-service-sign-up-user-flow.md) for your tenant. Then you can set up a user flow for the application and select Azure Active Directory as one of the sign-in options.
 
-![Azure AD account in a self-service sign-up user flow](media/azure-ad-account/azure-ad-account-user-flow.png)
+:::image type="content" source="media/azure-ad-account/azure-ad-account-user-flow.png" alt-text="Screenshot of Azure Ad account in a self-service sign-up user flow." lightbox="media/azure-ad-account/azure-ad-account-user-flow.png":::
 
 ## Verifying the application's publisher domain
 As of November 2020, new application registrations show up as unverified in the user consent prompt unless [the application's publisher domain is verified](../develop/howto-configure-publisher-domain.md), ***and*** the company’s identity has been verified with the Microsoft Partner Network and associated with the application. ([Learn more](../develop/publisher-verification-overview.md) about this change.) For Azure AD user flows, the publisher’s domain appears only when using a [Microsoft account](microsoft-account.md) or other Azure AD tenant as the identity provider. To meet these new requirements, follow these steps:
@@ -48,5 +49,6 @@ As of November 2020, new application registrations show up as unverified in the
 
 ## Next steps
 
+- [Microsoft account](microsoft-account.md)
 - [Add Azure Active Directory B2B collaboration users](add-users-administrator.md)
 - [Add self-service sign-up to an app](self-service-sign-up-user-flow.md)

articles/active-directory/external-identities/b2b-direct-connect-overview.md

@@ -63,7 +63,7 @@ Then Contoso adds the Fabrikam organization and configures the following **Organ
 
 - Allow inbound access to B2B direct connect for all Fabrikam users and groups.
 - Allow inbound access to all internal Contoso applications by Fabrikam B2B direct connect users.
-- Allow all Contoso users and groups to have outbound access to Fabrikam using B2B direct connect.
+- Allow all Contoso users, or select users and groups to have outbound access to Fabrikam using B2B direct connect.
 - Allow Contoso B2B direct connect users to have outbound access to all Fabrikam applications.
 
 For this scenario to work, Fabrikam also needs to allow B2B direct connect with Contoso by configuring these same cross-tenant access settings for Contoso and for their own users and applications. When configuration is complete, Contoso users who manage Teams shared channels will be able to add Fabrikam users by searching for their full Fabrikam email addresses.
@@ -161,7 +161,7 @@ The Microsoft Teams admin center displays reporting for shared channels, includi
 
 - **Teams access reviews**: Access reviews of Groups that are Teams can now detect B2B direct connect users who are using Teams shared channels. When creating an access review, you can scope the review to all internal users, guest users, and external B2B direct connect users who have been added directly to a shared channel. The reviewer is then presented with users who have direct access to the shared channel.  
 
-- **Current limitations**: An access review can detect internal users and external B2B direct connect users, but not other teams, that have been added to a shared channel. To view and remove teams that have been added to a shared channel, the shared channel owner can manage membership from within Teams.
+- **Current limitations**: An access review can detect internal users and external B2B direct connect users, but not other teams that have been added to a shared channel. To view and remove teams that have been added to a shared channel, the shared channel owner can manage membership from within Teams.
 
 For more information about Microsoft Teams audit logs, see the [Microsoft Teams auditing documentation](/microsoftteams/audit-log-events).
 

articles/active-directory/external-identities/media/azure-ad-account/azure-ad-account-identity-provider.png

@@ -76,7 +76,7 @@ If a user wants to sign in using a different email:
 ```powershell
 Install-Module Microsoft.Graph
 Select-MgProfile -Name beta
-Connect-MgGraph
+Connect-MgGraph -Scopes "User.ReadWrite.All"
 
 $user = Get-MgUser -Filter "startsWith(mail, '[email protected]')"
 New-MgInvitation `

articles/active-directory/external-identities/media/azure-ad-account/azure-ad-account-invite.png

@@ -16,7 +16,7 @@ ms.author: jeedes
 
 # Azure Active Directory SSO integration with Adstream
 
-In this article, you'll learn how to integrate Adstream with Azure Active Directory (Azure AD). Adstream provides the safest and easiest to use business solution for sending and receiving files. When you integrate Adstream with Azure AD, you can:
+In this article, you'll learn how to integrate Adstream with Azure Active Directory (Azure AD). Adstream is a content management system that provides the ability for multiple teams to collaborate on assets and distribute content. When you integrate Adstream with Azure AD, you can:
 
 * Control in Azure AD who has access to Adstream.
 * Enable your users to be automatically signed-in to Adstream with their Azure AD accounts.

articles/active-directory/external-identities/media/azure-ad-account/azure-ad-account-user-flow.png

@@ -0,0 +1,124 @@
+---
+title: Azure Active Directory SSO integration with Databook
+description: Learn how to configure single sign-on between Azure Active Directory and Databook.
+services: active-directory
+author: jeevansd
+manager: CelesteDG
+ms.reviewer: CelesteDG
+ms.service: active-directory
+ms.subservice: saas-app-tutorial
+ms.workload: identity
+ms.topic: how-to
+ms.date: 11/16/2022
+ms.author: jeedes
+
+---
+
+# Azure Active Directory SSO integration with Databook
+
+In this article, you'll learn how to integrate Databook with Azure Active Directory (Azure AD). Databook is a customer intelligence platform that provides insights into a company's financial & strategic priorities and maps best-fit Microsoft solutions to deliver high impact recommendations. When you integrate Databook with Azure AD, you can:
+
+* Control in Azure AD who has access to Databook.
+* Enable your users to be automatically signed-in to Databook with their Azure AD accounts.
+* Manage your accounts in one central location - the Azure portal.
+
+You'll configure and test Azure AD single sign-on for Databook in a test environment. Databook supports **SP** and **IDP** initiated single sign-on and also supports **Just In Time** user provisioning.
+
+## Prerequisites
+
+To integrate Azure Active Directory with Databook, you need:
+
+* An Azure AD user account. If you don't already have one, you can [Create an account for free](https://azure.microsoft.com/free/?WT.mc_id=A261C142F).
+* One of the following roles: Global Administrator, Cloud Application Administrator, Application Administrator, or owner of the service principal.
+* An Azure AD subscription. If you don't have a subscription, you can get a [free account](https://azure.microsoft.com/free/).
+* Databook single sign-on (SSO) enabled subscription.
+
+## Add application and assign a test user
+
+Before you begin the process of configuring single sign-on, you need to add the Databook application from the Azure AD gallery. You need a test user account to assign to the application and test the single sign-on configuration.
+
+### Add Databook from the Azure AD gallery
+
+Add Databook from the Azure AD application gallery to configure single sign-on with Databook. For more information on how to add application from the gallery, see the [Quickstart: Add application from the gallery](../manage-apps/add-application-portal.md).
+
+### Create and assign Azure AD test user
+
+Follow the guidelines in the [create and assign a user account](../manage-apps/add-application-portal-assign-users.md) article to create a test user account in the Azure portal called B.Simon.
+
+Alternatively, you can also use the [Enterprise App Configuration Wizard](https://portal.office.com/AdminPortal/home?Q=Docs#/azureadappintegration). In this wizard, you can add an application to your tenant, add users/groups to the app, and assign roles. The wizard also provides a link to the single sign-on configuration pane in the Azure portal. [Learn more about Microsoft 365 wizards.](/microsoft-365/admin/misc/azure-ad-setup-guides). 
+
+## Configure Azure AD SSO
+
+Complete the following steps to enable Azure AD single sign-on in the Azure portal.
+
+1. In the Azure portal, on the **Databook** application integration page, find the **Manage** section and select **single sign-on**.
+1. On the **Select a single sign-on method** page, select **SAML**.
+1. On the **Set up single sign-on with SAML** page, select the pencil icon for **Basic SAML Configuration** to edit the settings.
+
+   ![Screenshot shows how to edit Basic Configuration.](common/edit-urls.png "Basic Configuration")
+
+1. On the **Basic SAML Configuration** section, perform the following steps:
+
+    a. In the **Identifier** textbox, type a value using the following pattern:
+    `urn:auth0:databook:<CustomerID>`
+
+    b. In the **Reply URL** textbox, type a URL using the following pattern:
+    `https://databook.auth0.com/login/callback?connection=<CustomerID>`
+
+1. Click **Set additional URLs** and perform the following step if you wish to configure the application in **SP** initiated mode:
+
+    In the **Sign on URL** textbox, type a URL using the following pattern:
+    `https://databook.auth0.com/login?client=<ID>&connection=<CustomerID>`
+
+	> [!NOTE]
+	> These values are not real. Update these values with the actual Identifier, Reply URL and Sign on URL. Contact [Databook Client support team](mailto:[email protected]) to get these values. You can also refer to the patterns shown in the **Basic SAML Configuration** section in the Azure portal.
+
+1. Databook application expects the SAML assertions in a specific format, which requires you to add custom attribute mappings to your SAML token attributes configuration. The following screenshot shows the list of default attributes.
+
+    ![Screenshot shows the image of attributes configuration.](common/default-attributes.png "Attributes")
+
+1. In addition to above, Databook application expects few more attributes to be passed back in SAML response, which are shown below. These attributes are also pre populated but you can review them as per your requirements.
+
+    | Name | Source Attribute|
+    | ------------ | --------- |
+    | email | user.mail |
+    | firstName | user.givenname |
+    | lastName | user.surname |
+    | grouptag | user.groups |
+
+1. On the **Set up single sign-on with SAML** page, In the **SAML Signing Certificate** section, select copy button to copy **App Federation Metadata Url** and save it on your computer.
+
+	![Screenshot shows the Certificate download link.](common/copy-metadataurl.png "Certificate")
+
+## Configure Databook SSO
+
+To configure single sign-on on **Databook** side, you need to send the **App Federation Metadata Url**  to [Databook support team](mailto:[email protected]). The support team will use the copied URLs to configure the single sign-on on the application.
+
+### Create Databook test user
+
+In this section, a user called B.Simon is created in Databook. Databook supports just-in-time user provisioning, which is enabled by default. There is no action item for you in this section. If a user doesn't already exist in Databook, a new one is created after authentication.
+
+## Test SSO 
+
+In this section, you test your Azure AD single sign-on configuration with following options. 
+
+#### SP initiated:
+
+* Click on **Test this application** in Azure portal. This will redirect to Databook Sign-on URL where you can initiate the login flow.  
+
+* Go to Databook Sign-on URL directly and initiate the login flow from there.
+
+#### IDP initiated:
+
+* Click on **Test this application** in Azure portal and you should be automatically signed in to the Databook for which you set up the SSO. 
+
+You can also use Microsoft My Apps to test the application in any mode. When you click the Databook tile in the My Apps, if configured in SP mode you would be redirected to the application sign on page for initiating the login flow and if configured in IDP mode, you should be automatically signed in to the Databook for which you set up the SSO. For more information about the My Apps, see [Introduction to the My Apps](../user-help/my-apps-portal-end-user-access.md).
+
+## Additional resources
+
+* [What is single sign-on with Azure Active Directory?](../manage-apps/what-is-single-sign-on.md)
+* [Plan a single sign-on deployment](../manage-apps/plan-sso-deployment.md).
+
+## Next steps
+
+Once you configure Databook you can enforce session control, which protects exfiltration and infiltration of your organization’s sensitive data in real time. Session control extends from Conditional Access. [Learn how to enforce session control with Microsoft Cloud App Security](/cloud-app-security/proxy-deployment-aad).