Commit 7ad9db3

Merge pull request #47680 from MicrosoftDocs/master
7/27 PM Publish
2 parents cfff72e + ae91bfc commit 7ad9db3

File tree

127 files changed

+1680
-819
lines changed

articles/active-directory/b2b/o365-external-user.md

Lines changed: 7 additions & 2 deletions
@@ -19,15 +19,20 @@ ms.reviewer: sasubram
1919

2020
External sharing in Office 365 (OneDrive, SharePoint Online, Unified Groups, etc.) and Azure Active Directory (Azure AD) B2B collaboration are technically the same thing. All external sharing (except OneDrive/SharePoint Online), including guests in Office 365 Groups, already uses the Azure AD B2B collaboration invitation APIs for sharing.
2121

22-
OneDrive/SharePoint Online has a separate invitation manager. Support for external sharing in OneDrive/SharePoint Online started before Azure AD developed its support. Over time, OneDrive/SharePoint Online external sharing has accrued several features and many millions of users who use the product's in-built sharing pattern. However, there are some subtle differences between how OneDrive/SharePoint Online external sharing works and how Azure AD B2B collaboration works:
22+
## How does Azure AD B2B differ from external sharing in SharePoint Online?
23+
24+
OneDrive/SharePoint Online has a separate invitation manager. Support for external sharing in OneDrive/SharePoint Online started before Azure AD developed its support. Over time, OneDrive/SharePoint Online external sharing has accrued several features and many millions of users who use the product's in-built sharing pattern. However, there are some subtle differences between how OneDrive/SharePoint Online external sharing works and how Azure AD B2B collaboration works. You can learn more about OneDrive/SharePoint Online external sharing in [External sharing overview](https://docs.microsoft.com/sharepoint/external-sharing-overview). The process generally differs from Azure AD B2B in these ways:
2325

2426
- OneDrive/SharePoint Online adds users to the directory after users have redeemed their invitations. So, before redemption, you don't see the user in Azure AD portal. If another site invites a user in the meantime, a new invitation is generated. However, when you use Azure AD B2B collaboration, users are added immediately on invitation so that they show up everywhere.
2527

2628
- The redemption experience in OneDrive/SharePoint Online looks different from the experience in Azure AD B2B collaboration. After a user redeems an invitation, the experiences look alike.
2729

2830
- Azure AD B2B collaboration invited users can be picked from OneDrive/SharePoint Online sharing dialog boxes. OneDrive/SharePoint Online invited users also show up in Azure AD after they redeem their invitations.
2931

30-
- To manage external sharing in OneDrive/SharePoint Online with Azure AD B2B collaboration, set the OneDrive/SharePoint Online external sharing setting to **Only allow sharing with external users already in the directory**. Users can go to externally shared sites and pick from external collaborators that the admin has added. The admin can add the external collaborators through the B2B collaboration invitation APIs.
32+
- The licensing requirements differ. For each paid Azure AD license, you can let up to 5 guest users access your paid Azure AD features. To learn more about licensing, see [Azure AD B2B licensing](https://docs.microsoft.com/azure/active-directory/b2b/licensing-guidance) and ["What is an external user?" in the SharePoint Online external sharing overview](https://docs.microsoft.com/sharepoint/external-sharing-overview#what-is-an-external-user).
33+
34+
To manage external sharing in OneDrive/SharePoint Online with Azure AD B2B collaboration, set the OneDrive/SharePoint Online external sharing setting to **Allow sharing only with the external users that already exist in your organization's directory**. Users can go to externally shared sites and pick from external collaborators that the admin has added. The admin can add the external collaborators through the B2B collaboration invitation APIs.
35+
3136

3237
![The OneDrive/SharePoint Online external sharing setting](media/o365-external-user/odsp-sharing-setting.png)
3338
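Review bot: the paragraph beginning "To manage external sharing in OneDrive/SharePoint Online with Azure AD B2B collaboration" describes the restricted setting (**Allow sharing only with the external users that already exist in your organization's directory**) but never states what it prevents. Since users can only "pick from external collaborators that the admin has added", the effect of the setting is that site owners can no longer create new guest objects by sharing with an arbitrary address; guest admission moves entirely to whoever calls the B2B collaboration invitation APIs. One sentence saying so would give the reader the reason to choose this setting. Separately, the new licensing bullet ("For each paid Azure AD license, you can let up to 5 guest users access your paid Azure AD features") leaves unclear whether a guest who only opens shared SharePoint content counts against those five; a clause stating whether guests who use no paid Azure AD feature need a license, as the linked licensing guidance explains, would remove the ambiguity.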

articles/active-directory/connect/TOC.md

Lines changed: 1 addition & 0 deletions
@@ -83,6 +83,7 @@
8383

8484
## Manage Federation Services
8585
### [Manage and customize](active-directory-aadconnect-federation-management.md)
86+
### [Manage AD FS trust with Azure AD using Azure AD Connect](active-directory-azure-ad-connect-azure-ad-trust.md)
8687
### [Federate multiple instances of Azure AD with single instance of AD FS](active-directory-aadconnectfed-single-adfs-multitenant-federation.md)
8788

8889

articles/active-directory/connect/active-directory-aadconnect-o365-certs.md

Lines changed: 9 additions & 3 deletions
@@ -64,13 +64,19 @@ On your AD FS server, open PowerShell. Check that the AutoCertificateRollover va
6464
>If you are using AD FS 2.0, first run Add-Pssnapin Microsoft.Adfs.Powershell.
6565
6666
### Step 2: Confirm that AD FS and Azure AD are in sync
67-
On your AD FS server, open the Azure AD PowerShell prompt, and connect to Azure AD.
67+
On your AD FS server, open the MSOnline PowerShell prompt, and connect to Azure AD.
6868

6969
> [!NOTE]
70-
> You can download Azure AD PowerShell [here](https://technet.microsoft.com/library/jj151815.aspx).
71-
>
70+
> MSOL-Cmdlets are part of the MSOnline PowerShell module.
71+
> You can download the MSOnline PowerShell Module directly from the PowerShell Gallery.
72+
>
7273
>
7374
75+
Install-Module MSOnline
76+
77+
Connect to Azure AD using the MSOnline PowerShell-Module.
78+
79+
Import-Module MSOnline
7480
Connect-MsolService
7581

7682
Check the certificates configured in AD FS and Azure AD trust properties for the specified domain.
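Review bot: the new Install-Module MSOnline step has the reader install the module on the AD FS server itself ("On your AD FS server, open the MSOnline PowerShell prompt"), which needs an elevated session and outbound HTTPS from a federation server to the PowerShell Gallery; say so, and consider offering an admin workstation as the place to run the Azure AD side of this check, since only the AD FS-side commands must run on the farm. Minor: "MSOL-Cmdlets" should read "MSOL cmdlets"; the Import-Module MSOnline line is optional because PowerShell auto-loads installed modules; and the two new command lines should be fenced the same way as the existing Connect-MsolService line if that one sits in a code block.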

articles/active-directory/connect/active-directory-aadconnect-pass-through-authentication-upgrade-preview-authentication-agents.md

Lines changed: 2 additions & 2 deletions
@@ -12,7 +12,7 @@ ms.workload: identity
1212
ms.tgt_pltfrm: na
1313
ms.devlang: na
1414
ms.topic: article
15-
ms.date: 07/26/2018
15+
ms.date: 07/27/2018
1616
ms.component: hybrid
1717
ms.author: billmath
1818
ms.custom: seohack1
@@ -75,7 +75,7 @@ You need upgrade Azure AD Connect before upgrading the Authentication Agent on t
7575
Follow these steps to upgrade Authentication Agents on other servers (where Azure AD Connect is not installed):
7676

7777
1. **Uninstall the preview version of the Authentication Agent**: Download [this PowerShell script](https://aka.ms/rmpreviewagent) and run it as an Administrator on the server.
78-
2. **Download the latest version of the Authentication Agent (versions 1.5.193.0 or later)**: Sign in to the [Azure Active Directory admin center](https://aad.portal.azure.com) with your tenant's Global Administrator credentials. Select **Azure Active Directory -> Azure AD Connect -> Pass-through Authentication -> Download agent**. Accept the terms of service and download the latest version.
78+
2. **Download the latest version of the Authentication Agent (versions 1.5.389.0 or later)**: Sign in to the [Azure Active Directory admin center](https://aad.portal.azure.com) with your tenant's Global Administrator credentials. Select **Azure Active Directory -> Azure AD Connect -> Pass-through Authentication -> Download agent**. Accept the terms of service and download the latest version.
7979
3. **Install the latest version of the Authentication Agent**: Run the executable downloaded in Step 2. Provide your tenant's Global Administrator credentials when prompted.
8080
4. **Verify that the latest version has been installed**: As shown before, go to **Control Panel -> Programs -> Programs and Features** and verify that there is an entry called **Microsoft Azure AD Connect Authentication Agent**.
8181
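Review bot: raising the minimum in step 2 to 1.5.389.0 is not reflected in step 4, which still only verifies that an entry named **Microsoft Azure AD Connect Authentication Agent** exists in Programs and Features; a server still running the older agent would pass that check. Suggest step 4 also tell the reader to compare the Version column against 1.5.389.0 (or whatever the earlier verification text that "As shown before" refers to shows). Since step 1 runs a downloaded script as Administrator, it would also help to tell readers to open and inspect the script before executing it.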

articles/active-directory/connect/active-directory-aadconnect-prerequisites.md

Lines changed: 0 additions & 1 deletion
@@ -38,7 +38,6 @@ Before you install Azure AD Connect, there are a few things that you need.
3838
* The AD schema version and forest functional level must be Windows Server 2003 or later. The domain controllers can run any version as long as the schema and forest level requirements are met.
3939
* If you plan to use the feature **password writeback**, then the Domain Controllers must be on Windows Server 2008 (with latest SP) or later. If your DCs are on 2008 (pre-R2), then you must also apply [hotfix KB2386717](http://support.microsoft.com/kb/2386717).
4040
* The domain controller used by Azure AD must be writable. It is **not supported** to use a RODC (read-only domain controller) and Azure AD Connect does not follow any write redirects.
41-
* It is **not supported** to use on-premises forests/domains using SLDs (Single Label Domains).
4241
* It is **not supported** to use on-premises forests/domains using "dotted" (name contains a period ".") NetBios names.
4342
* It is recommended to [enable the Active Directory recycle bin](active-directory-aadconnectsync-recycle-bin.md).
4443
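Review bot: deleting the bullet "It is **not supported** to use on-premises forests/domains using SLDs (Single Label Domains)" silently changes a supportability statement; a reader comparing versions of the page cannot tell whether single-label domains are now supported or the note simply moved. If SLDs are now supported, state that explicitly (ideally with the Azure AD Connect version that introduced support), especially since the neighbouring bullet about dotted NetBIOS names still reads as a hard restriction; if they are not, the line should stay.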

articles/active-directory/connect/active-directory-aadconnect-sso-quick-start.md

Lines changed: 4 additions & 1 deletion
@@ -12,7 +12,7 @@ ms.workload: identity
1212
ms.tgt_pltfrm: na
1313
ms.devlang: na
1414
ms.topic: article
15-
ms.date: 07/26/2018
15+
ms.date: 07/27/2018
1616
ms.component: hybrid
1717
ms.author: billmath
1818
---
@@ -76,6 +76,9 @@ Follow these instructions to verify that you have enabled Seamless SSO correctly
7676

7777
![Azure portal: Azure AD Connect pane](./media/active-directory-aadconnect-sso/sso10.png)
7878

79+
>[!IMPORTANT]
80+
> Seamless SSO creates a computer account named `AZUREADSSOACC` (which represents Azure AD) in your on-premises Active Directory (AD) in each AD forest. This computer account is needed for the feature to work. Move the `AZUREADSSOACC` computer account to an Organization Unit (OU) where other computer accounts are stored to ensure that it is managed in the same way and is not deleted.
81+
7982
## Step 3: Roll out the feature
8083

8184
You can gradually roll out Seamless SSO to your users using the instructions provided below. You start by adding the following Azure AD URL to all or selected users' Intranet zone settings by using Group Policy in Active Directory:
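Review bot: the new IMPORTANT note tells the reader to move `AZUREADSSOACC` to an OU "where other computer accounts are stored" so that it is "managed in the same way", but ordinary computer OUs are commonly delegated to desktop or helpdesk staff, and this account, as the note itself says, represents Azure AD and is needed for the feature to work. The note should add that rights to modify or reset this account must be limited to the same people who administer domain controllers, and that it should not pick up group policies or stale-computer cleanup scripts aimed at workstations (the stated goal is that it "is not deleted"). Typo: "Organization Unit" should be "Organizational Unit".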
Lines changed: 116 additions & 0 deletions
@@ -0,0 +1,116 @@
1+
---
2+
title: Azure AD Connect - Manage AD FS trust with Azure AD using Azure AD Connect | Microsoft Docs
3+
description: Operational details of Azure AD trust handling by Azure AD connect.
4+
keywords: AD FS, ADFS, AD FS management, AAD Connect, Connect, Azure AD, trust, AAD, claim, claim, claim rules, issuance, transform, rules, backup, restore
5+
services: active-directory
6+
documentationcenter: ''
7+
author: anandyadavmsft
8+
manager: samueld
9+
editor: ''
10+
11+
ms.assetid: 2593b6c6-dc3f-46ef-8e02-a8e2dc4e9fb9
12+
ms.service: active-directory
13+
ms.workload: identity
14+
ms.tgt_pltfrm: na
15+
ms.devlang: na
16+
ms.topic: article
17+
ms.date: 07/11/2018
18+
ms.author: anandy
19+
ms.custom:
20+
---
21+
# Manage AD FS trust with Azure AD using Azure AD Connect
22+
23+
## Overview
24+
25+
Azure AD Connect can manage federation between on-premises Active Directory Federation Service (AD FS) and Azure AD. This article provides an overview of:
26+
27+
* The various settings configured on the trust by Azure AD Connect
28+
* The issuance transform rules (claim rules) set by Azure AD Connect
29+
* How to back-up and restore your claim rules between upgrades and configuration updates.
30+
31+
## Settings controlled by Azure AD Connect
32+
33+
Azure AD Connect manages **only** settings related to Azure AD trust. Azure AD Connect does not modify any settings on other relying party trusts in AD FS. The following table indicates settings that are controlled by Azure AD Connect.
34+
35+
| Setting | Description |
36+
| :--- | :--- |
37+
| Token signing certificate | Azure AD Connect can be used to reset and recreate the trust with Azure AD. Azure AD Connect does a one-time immediate rollover of token signing certificates for AD FS and updates the Azure AD domain federation settings.|
38+
| Token signing algorithm | Microsoft recommends using SHA-256 as the token signing algorithm. Azure AD Connect can detect if the token signing algorithm is set to a value less secure than SHA-256. It will update the setting to SHA-256 in the next possible configuration operation. |
39+
| Azure AD trust identifier | Azure AD Connect sets the correct identifier value for the Azure AD trust. AD FS uniquely identifies the Azure AD trust using the identifier value. |
40+
| Azure AD endpoints | Azure AD Connect makes sure that the endpoints configured for the Azure AD trust are always as per the latest recommended values for resiliency and performance. |
41+
| Issuance transform rules | There are numbers of claim rules which are needed for optimal performance of features of Azure AD in a federated setting. Azure AD Connect makes sure that the Azure AD trust is always configured with the right set of recommended claim rules. |
42+
| Alternate-id | If sync is configured to use alternate-id, Azure AD Connect configures AD FS to perform authentication using alternate-id. |
43+
| Automatic metadata update | Trust with Azure AD is configured for automatic metadata update. AD FS periodically checks the metadata of Azure AD trust and keeps it up-to-date in case it changes on the Azure AD side. |
44+
| Integrated Windows Authentication (IWA) | During Hybrid Azure AD join operation, IWA is enabled for device registration to facilitate Hybrid Azure AD join for downlevel devices |
45+
46+
## Execution flows and federation settings configured by Azure AD Connect
47+
48+
Azure AD connect does not update all settings for Azure AD trust during configuration flows. The settings modified depend on which task or execution flow is being executed. The following table lists the settings impacted in different execution flows.
49+
50+
| Execution flow | Settings impacted |
51+
| :--- | :--- |
52+
| First pass installation (express) | None |
53+
| First pass installation (new AD FS farm) | A new AD FS farm is created and a trust with Azure AD is created from scratch. |
54+
| First pass installation (existing AD FS farm, existing Azure AD trust) | Azure AD trust identifier, Issuance transform rules, Azure AD endpoints, Alternate-id (if necessary), automatic metadata update |
55+
| Reset Azure AD trust | Token signing certificate, Token signing algorithm, Azure AD trust identifier, Issuance transform rules, Azure AD endpoints, Alternate-id (if necessary), automatic metadata update |
56+
| Add federation server | None |
57+
| Add WAP server | None |
58+
| Device options | Issuance transform rules, IWA for device registration |
59+
| Add federated domain | If the domain is being added for the first time, that is, the setup is changing from single domain federation to multi-domain federation – Azure AD Connect will recreate the trust from scratch. If the trust with Azure AD is already configured for multiple domains, only Issuance transform rules are modified |
60+
| Update SSL | None |
61+
62+
During all operations, in which, any setting is modified, Azure AD Connect makes a backup of the current trust settings at **%ProgramData%\AADConnect\ADFS**
63+
64+
![Azure AD Connect page showing message about existing Azure AD trust backup](media/active-directory-azure-ad-connect-azure-ad-trust/backup2.png)
65+
66+
> [!NOTE]
67+
> Prior to version 1.1.873.0, the backup consisted of only issuance transform rules and they were backed up in the wizard trace log file.
68+
69+
## Issuance transform rules set by Azure AD Connect
70+
71+
Azure AD Connect makes sure that the Azure AD trust is always configured with the right set of recommended claim rules. Microsoft recommends using Azure AD connect for managing your Azure AD trust. This section lists the issuance transform rules set and their description.
72+
73+
| Rule name | Description |
74+
| --- | --- |
75+
| Issue UPN | This rule queries the value of userprincipalname as from the attribute configured in sync settings for userprincipalname.|
76+
| Query objectguid and msdsconsistencyguid for custom ImmutableId claim | This rule adds a temporary value in the pipeline for objectguid and msdsconsistencyguid value if it exists |
77+
| Check for the existence of msdsconsistencyguid | Based on whether the value for msdsconsistencyguid exists or not, we set a temporary flag to direct what to use as ImmutableId |
78+
| Issue msdsconsistencyguid as Immutable ID if it exists | Issue msdsconsistencyguid as ImmutableId if the value exists |
79+
| Issue objectGuidRule if msdsConsistencyGuid rule does not exist | If the value for msdsconsistencyguid does not exist, the value of objectguid will be issued as ImmutableId |
80+
| Issue nameidentifier | This rule issues value for the nameidentifier claim.|
81+
| Issue accounttype for domain-joined computers | If the entity being authenticated is a domain joined device, this rule issues the account type as DJ signifying a domain joined device |
82+
| Issue AccountType with the value USER when it is not a computer account | If the entity being authenticated is a user, this rule issues the account type as User |
83+
| Issue issuerid when it is not a computer account | This rule issues the issuerId value when the authenticating entity is not a device. The value is created via a regex, which is configured by Azure AD Connect. The regex is created after taking into consideration all the domains federated using Azure AD Connect. |
84+
| Issue issuerid for DJ computer auth | This rule issues the issuerId value when the authenticating entity is a device |
85+
| Issue onpremobjectguid for domain-joined computers | If the entity being authenticated is a domain joined device, this rule issues the on-premises objectguid for the device |
86+
| Pass through primary SID | This rule issues the primary SID of the authenticating entity |
87+
| Pass through claim - insideCorporateNetwork | This rule issues a claim that helps Azure AD know if the authentication is coming from inside corporate network or externally |
88+
| Pass Through Claim – Psso | |
89+
| Issue Password Expiry Claims | This rule issues three claims for password expiration time, number of days for the password to expire of the entity being authenticated and URL where to route for changing the password.|
90+
| Pass through claim – authnmethodsreferences | The value in the claim issued under this rule indicates what type of authentication was performed for the entity |
91+
| Pass through claim - multifactorauthenticationinstant | The value of this claim specifies the time, in UTC, when the user last performed multiple factor authentication. |
92+
| Pass through claim - AlternateLoginID | This rule issues the AlternateLoginID claim if the authentication was performed using alternate login ID. |
93+
94+
> [!NOTE]
95+
> The claim rules for Issue UPN and ImmutableId will differ if you use non-default choice during Azure AD Connect configuration
96+
97+
## Restore issuance transform rules
98+
99+
Azure AD Connect version 1.1.873.0 or later makes a backup of the Azure AD trust settings whenever an update is made to the Azure AD trust settings. The Azure AD trust settings are backed up at **%ProgramData%\AADConnect\ADFS**. The file name is in the following format AadTrust-<date>-<time>.txt, for example - AadTrust-20180710-150216.txt
100+
101+
![A sanpshot of example back up of Azure AD trust](media/active-directory-azure-ad-connect-azure-ad-trust/backup.png)
102+
103+
You can restore the issuance transform rules using the suggested steps below
104+
105+
1. Open the AD FS management UI in Server Manager
106+
2. Open the Azure AD trust properties by going **AD FS > Relying Party Trusts > Microsoft Office 365 Identity Platform > Edit Claims Issuance Policy**
107+
3. Click on **Add rule**
108+
4. In the claim rule template, select Send Claims Using a Custom Rule and click **Next**
109+
5. Copy the name of the claim rule from backup file and paste it in the field **Claim rule name**
110+
6. Copy the claim rule from backup file into the text field for **Custom rule** and click **Finish**
111+
112+
> [!NOTE]
113+
> Make sure that your additional rules do not conflict with the rules configured by Azure AD Connect.
114+
115+
## Next steps
116+
* [Manage and customize Active Directory Federation Services using Azure AD Connect](active-directory-aadconnect-federation-management.md)
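Review bot: the restore procedure under "Restore issuance transform rules" adds rules one at a time through **Add rule**, which appends each rule at the end of the policy, but the rules in the table are order-dependent: "Check for the existence of msdsconsistencyguid" sets a temporary flag that "Issue msdsconsistencyguid as Immutable ID if it exists" and "Issue objectGuidRule if msdsConsistencyGuid rule does not exist" then consume, so restoring in a different order, or after other custom rules, can change which value is issued as ImmutableId. State that rules must be restored in the order they appear in the backup file, or rebuild them into a single rules file and apply it with Set-AdfsRelyingPartyTrust -IssuanceTransformRulesFile, which preserves order. Also: `AadTrust-<date>-<time>.txt` will be swallowed as HTML tags by the Markdown renderer unless the angle brackets are escaped or the name is in backticks; "sanpshot" should be "snapshot"; "There are numbers of claim rules" should be "A number of claim rules are"; "back-up" as a verb should be "back up"; and the row "Pass Through Claim – Psso" has an empty description.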