MicrosoftDocs
diff --git a/‎articles/active-directory-b2c/partner-zscaler.md
Lines changed: 83 additions & 88 deletions b/‎articles/active-directory-b2c/partner-zscaler.md
Lines changed: 83 additions & 88 deletions
diff --git a/‎articles/active-directory/devices/howto-vm-sign-in-azure-ad-windows.md
Lines changed: 1 addition & 1 deletion b/‎articles/active-directory/devices/howto-vm-sign-in-azure-ad-windows.md
Lines changed: 1 addition & 1 deletion
diff --git a/‎articles/active-directory/roles/admin-units-assign-roles.md
Lines changed: 1 addition & 1 deletion b/‎articles/active-directory/roles/admin-units-assign-roles.md
Lines changed: 1 addition & 1 deletion
diff --git a/‎articles/active-directory/saas-apps/officespace-software-provisioning-tutorial.md
Lines changed: 2 additions & 2 deletions b/‎articles/active-directory/saas-apps/officespace-software-provisioning-tutorial.md
Lines changed: 2 additions & 2 deletions
@@ -1,153 +1,148 @@
 ---
-title: Tutorial - Configure Azure Active Directory B2C with Zscaler 
+title: Tutorial - Configure Zscaler Private access with Azure Active Directory B2C 
+
 titleSuffix: Azure AD B2C
 description: Learn how to integrate Azure AD B2C authentication with Zscaler.
 services: active-directory-b2c
 author: gargi-sinha
-manager: CelesteDG
+manager: martinco
 ms.reviewer: kengaderdus
 ms.service: active-directory
 ms.workload: identity
 ms.topic: how-to
-ms.date: 09/13/2022
+ms.date: 12/20/2022
 ms.author: gasinh
 ms.subservice: B2C
 ---
 
 # Tutorial: Configure Zscaler Private Access with Azure Active Directory B2C
 
-In this tutorial, you'll learn how to integrate Azure Active Directory B2C (Azure AD B2C) authentication with [Zscaler Private Access (ZPA)](https://www.zscaler.com/products/zscaler-private-access). ZPA delivers policy-based, secure access to private applications and assets without the cost, hassle, or security risks of a virtual private network (VPN). The Zscaler secure hybrid access offering enables a zero-attack surface for consumer-facing applications when it's combined with Azure AD B2C.
+In this tutorial, learn how to integrate Azure Active Directory B2C (Azure AD B2C) authentication with Zscaler Private Access (ZPA). ZPA is policy-based, secure access to private applications and assets without the overhead or security risks of a virtual private network (VPN). Zscaler secure hybrid access reduces attack surface for consumer-facing applications when combined with Azure AD B2C.
+
+Learn more: Go to [Zscaler](https://www.zscaler.com/products/zscaler-private-access) and select Products & Solutions, Products.
 
 ## Prerequisites
 
 Before you begin, you’ll need:
 
-- An Azure subscription. If you don't have a subscription, you can get a [free account](https://azure.microsoft.com/free/).  
-- [An Azure AD B2C tenant](./tutorial-create-tenant.md) that's linked to your Azure subscription.  
-- [A ZPA subscription](https://azuremarketplace.microsoft.com/marketplace/apps/aad.zscalerprivateaccess?tab=Overview).
+- An Azure subscription
+  - If you don't have one, you can get an [Azure free account](https://azure.microsoft.com/free/)
+- [An Azure AD B2C tenant](./tutorial-create-tenant.md) linked to your Azure subscription
+- A ZPA subscription
+  - Go to [Azure Marketplace, Zscaler Private Access](https://azuremarketplace.microsoft.com/marketplace/apps/aad.zscalerprivateaccess?tab=Overview)
 
 ## Scenario description
 
 ZPA integration includes the following components:
 
-- **Azure AD B2C**: The identity provider (IdP) that's responsible for verifying the user’s credentials. It's also responsible for signing up a new user.  
-- **ZPA**: The service that's responsible for securing the web application by enforcing [zero-trust access](https://www.microsoft.com/security/blog/2018/12/17/zero-trust-part-1-identity-and-access-management/#:~:text=Azure%20Active%20Directory%20%28Azure%20AD%29%20provides%20the%20strong%2C,to%20express%20their%20access%20requirements%20in%20simple%20terms.).  
-- **The web application**: Hosts the service that the user is trying to access.
+- **Azure AD B2C** - The identity provider (IdP) that verifies user credentials
+- **ZPA** - Secures web applications by enforcing Zero Trust access 
+  - See, [Zero Trust defined](https://www.microsoft.com/security/blog/2018/12/17/zero-trust-part-1-identity-and-access-management/#:~:text=Azure%20Active%20Directory%20%28Azure%20AD%29%20provides%20the%20strong%2C,to%20express%20their%20access%20requirements%20in%20simple%20terms)  
+- **Web application** - Hosts the service users access
 
 The following diagram shows how ZPA integrates with Azure AD B2C.
 
-![Diagram of Zscaler architecture, showing how ZPA integrates with Azure AD B2C.](media/partner-zscaler/zscaler-architecture-diagram.png)
-
-The sequence is described in the following table:
+   ![Diagram of Zscaler architecture, the ZPA and Azure AD B2C integration.](media/partner-zscaler/zscaler-architecture-diagram.png)
 
-|Step | Description |
-| :-----:| :-----------|
-| 1 | A user arrives at a ZPA user portal or a ZPA browser-access application.
-| 2 | ZPA requires user context information before it can decide whether to allow the user to access the web application. To authenticate the user, ZPA performs a SAML redirect to the Azure AD B2C login page.  
-| 3 | The user arrives at the Azure AB B2C login page. New users sign up to create an account, and existing users log in with their existing credentials. Azure AD B2C validates the user's identity.
-| 4 | Upon successful authentication, Azure AD B2C redirects the user back to ZPA along with the SAML assertion. ZPA verifies the SAML assertion and sets the user context.
-| 5 | ZPA evaluates access policies for the user. If the user is allowed to access the web application, the connection is allowed to pass through.
+1. A user arrives at the ZPA portal, or a ZPA browser-access application, to request access
+2. ZPA collects user attributes. ZPA performs a SAML redirect to the Azure AD B2C sign-in page.
+3. New users sign up and create an account. Current users sign in with credentials. Azure AD B2C validates user identity.
+4. Azure AD B2C redirects the user to ZPA with the SAML assertion, which ZPA verifies. ZPA sets the user context.
+5. ZPA evaluates access policies. The request is allowed or it isn't.
 
 ## Onboard to ZPA
 
-This tutorial assumes that you already have a working ZPA setup. If you're getting started with ZPA, refer to the [step-by-step configuration guide for ZPA](https://help.zscaler.com/zpa/step-step-configuration-guide-zpa).
-
-## Integrate ZPA with Azure AD B2C
-
-### Step 1: Configure Azure AD B2C as an IdP on ZPA
-
-To configure Azure AD B2C as an [IdP on ZPA](https://help.zscaler.com/zpa/configuring-idp-single-sign), do the following:
-
-1. Log in to the [ZPA Admin Portal](https://admin.private.zscaler.com).
-
-1. Go to **Administration** > **IdP Configuration**.
-
-1. Select **Add IdP Configuration**.
+This tutorial assumes ZPA is installed and running. 
 
-   The **Add IdP Configuration** pane opens.
+To get started with ZPA, go to help.zscaler.com for [Step-by-Step Configuration Guide for ZPA](https://help.zscaler.com/zpa/step-step-configuration-guide-zpa).
 
-   ![Screenshot of the "IdP Information" tab on the "Add IdP Configuration" pane.](media/partner-zscaler/add-idp-configuration.png)
-
-1. Select the **IdP Information** tab, and then do the following:
-
-   a. In the **Name** box, enter **Azure AD B2C**.  
-   b. Under **Single Sign-On**, select **User**.  
-   c. In the **Domains** drop-down list, select the authentication domains that you want to associate with this IdP.
-
-1. Select **Next**.
-
-1. Select the **SP Metadata** tab, and then do the following:
-
-   a. Under **Service Provider URL**, copy or note the value for later use.  
-   b. Under **Service Provider Entity ID**, copy or note the value for later use.
-
-   ![Screenshot of the "SP Metadata" tab on the "Add IdP Configuration" pane.](media/partner-zscaler/sp-metadata.png)
-
-1. Select **Pause**.
+## Integrate ZPA with Azure AD B2C
 
-After you've configured Azure AD B2C, the rest of the IdP configuration resumes.
+### Configure Azure AD B2C as an IdP on ZPA
 
-### Step 2: Configure custom policies in Azure AD B2C
+Configure Azure AD B2C as an IdP on ZPA.
 
->[!Note]
->This step is required only if you haven’t already configured custom policies. If you already have one or more custom policies, you can skip this step.
+For more information, see [Configuring an IdP for single sign-on](https://help.zscaler.com/zpa/configuring-idp-single-sign).
 
-To configure custom policies on your Azure AD B2C tenant, see [Get started with custom policies in Azure Active Directory B2C](./tutorial-create-user-flows.md?pivots=b2c-custom-policy).
+1. Sign in to the [ZPA Admin portal](https://admin.private.zscaler.com).
+2. Go to **Administration** > **IdP Configuration**.
+3. Select **Add IdP Configuration**.
+4. The **Add IdP Configuration** pane appears.
 
-### Step 3: Register ZPA as a SAML application in Azure AD B2C
+    ![Screenshot of the IdP Information tab on the Add IdP Configuration pane.](media/partner-zscaler/add-idp-configuration.png)
 
-To configure a SAML application in Azure AD B2C, see [Register a SAML application in Azure AD B2C](./saml-service-provider.md). 
+5. Select the **IdP Information** tab
+6. In the **Name** box, enter **Azure AD B2C**.
+7. Under **Single Sign-On**, select **User**.
+8. In the **Domains** drop-down list, select the authentication domains to associate with the IdP.
+9. Select **Next**.
+10. Select the **SP Metadata** tab.
+11. Under **Service Provider URL**, copy the value to use later.
+12. Under **Service Provider Entity ID**, copy the value to user later.
 
-In step ["Upload your policy"](./saml-service-provider.md#upload-your-policy), copy or note the IdP SAML metadata URL that's used by Azure AD B2C. You'll need it later.
+    ![Screenshot of the Service Provider Entity ID option on the SP Metadata tab.](media/partner-zscaler/sp-metadata.png)
 
-Follow the instructions through step ["Configure your application in Azure AD B2C"](./saml-service-provider.md#configure-your-application-in-azure-ad-b2c). In step 4.2, update the app manifest properties as follows:
+13. Select **Pause**.
 
-- For **identifierUris**: Use the Service Provider Entity ID that you copied or noted earlier in "Step 1.6.b".  
-- For **samlMetadataUrl**: Skip this property, because ZPA doesn't host a SAML metadata URL.  
-- For **replyUrlsWithType**: Use the Service Provider URL that you copied or noted earlier in "Step 1.6.a".  
-- For **logoutUrl**: Skip this property, because ZPA doesn't support a logout URL.
+### Configure custom policies in Azure AD B2C
 
-The rest of the steps aren't relevant to this tutorial.
+>[!IMPORTANT]
+>Configure custom policies in Azure AD B2C if you haven’t configured custom policies.
 
-### Step 4: Extract the IdP SAML metadata from Azure AD B2C
+For more information, see [Tutorial: Create user flows and custom policies in Azure Active Directory B2C](./tutorial-create-user-flows.md?pivots=b2c-custom-policy).
 
-Next, you need to obtain a SAML metadata URL in the following format:
+### Register ZPA as a SAML application in Azure AD B2C
 
-`https://<tenant-name>.b2clogin.com/<tenant-name>.onmicrosoft.com/<policy-name>/Samlp/metadata`
+1. [Register a SAML application in Azure AD B2C](./saml-service-provider.md). 
+2. During registration, in **Upload your policy**, copy the IdP SAML metadata URL used by Azure AD B2C to use later.
+3. Follow the instructions until **Configure your application in Azure AD B2C**. 
+4. For step 4.2, update the app manifest properties
 
-Note that `<tenant-name>` is the name of your Azure AD B2C tenant, and `<policy-name>` is the name of the custom SAML policy that you created in the preceding step.
+    * For **identifierUris**, enter the Service Provider Entity ID you copied
+    * For **samlMetadataUrl**, skip this entry
+    * For **replyUrlsWithType**, enter the Service Provider URL you copied
+    * For **logoutUrl**, skip this entry
 
-For example, the URL might be:
+The remaining steps aren't required.
 
-`https://safemarch.b2clogin.com/safemarch.onmicrosoft.com/B2C_1A_signup_signin_saml/Samlp/metadata`.
+### Extract the IdP SAML metadata from Azure AD B2C
 
-Open a web browser and go to the SAML metadata URL. Right-click anywhere on the page, select **Save as**, and then save the file to your computer for use in the next step.
+1. Obtain a SAML metadata URL in the following format:
 
-### Step 5: Complete the IdP configuration on ZPA
+    `https://<tenant-name>.b2clogin.com/<tenant-name>.onmicrosoft.com/<policy-name>/Samlp/metadata`
 
-Complete the [IdP configuration in the ZPA Admin Portal](https://help.zscaler.com/zpa/configuring-idp-single-sign) that you partially configured earlier in "Step 1: Configure Azure AD B2C as an IdP on ZPA".
+> [!NOTE]
+> `<tenant-name>` is your Azure AD B2C tenant, and `<policy-name>` is the custom SAML policy that you created.
+> The URL might be:
+> `https://safemarch.b2clogin.com/safemarch.onmicrosoft.com/B2C_1A_signup_signin_saml/Samlp/metadata`.
 
-1. In the [ZPA Admin Portal](https://admin.private.zscaler.com), go to **Administration** > **IdP Configuration**.
+2. Open a web browser.
+3. Go to the SAML metadata URL. 
+4. Right-click on the page.
+5. Select **Save as**.
+6. Save the file to your computer to use later.
 
-1. Select the IdP that you configured in "Step 1", and then select **Resume**.
+### Complete IdP configuration on ZPA
 
-1. On the **Add IdP Configuration** pane, select the **Create IdP** tab, and then do the following:
+To complete the IdP configuration:
 
-   a. Under **IdP Metadata File**, upload the metadata file that you saved earlier in "Step 4: Extract the IdP SAML metadata from Azure AD B2C".  
-   b. Verify that the **Status** for the IdP configuration is **Enabled**.  
-   c. Select **Save**.
+1. Go to the [ZPA Admin portal](https://admin.private.zscaler.com).
+2. Select **Administration** > **IdP Configuration**.
+3. Select the IdP you configured, and then select **Resume**.
+4. On the **Add IdP Configuration** pane, select the **Create IdP** tab.
+5. Under **IdP Metadata File**, upload the metadata file you saved.
+6. Under **Status**, verify the configuration is **Enabled**.
+7. Select **Save**.
 
-   ![Screenshot of the "Create IdP" tab on the "Add IdP Configuration" pane.](media/partner-zscaler/create-idp.png)
+    ![Screenshot of Enabled status, under SAML attributes, on the Add IdP Configuration pane.](media/partner-zscaler/create-idp.png)
 
 ## Test the solution
 
-Go to a ZPA user portal or a browser-access application, and test the sign-up or sign-in process. The test should result in a successful SAML authentication.
+To confirm SAML authentication, go to a ZPA user portal or a browser-access application, and test the sign-up or sign-in process. 
 
 ## Next steps
 
-For more information, review the following articles:
-
-- [Get started with custom policies in Azure AD B2C](./tutorial-create-user-flows.md?pivots=b2c-custom-policy)
+- [Tutorial: Create user flows and custom policies in Azure Active Directory B2C](./tutorial-create-user-flows.md?pivots=b2c-custom-policy)
 - [Register a SAML application in Azure AD B2C](./saml-service-provider.md)
-- [Step-by-step configuration guide for ZPA](https://help.zscaler.com/zpa/step-step-configuration-guide-zpa)
-- [Configure an IdP for single sign-on](https://help.zscaler.com/zpa/configuring-idp-single-sign)
+- [Step-by-Step Configuration Guide for ZPA](https://help.zscaler.com/zpa/step-step-configuration-guide-zpa)
+- [Configuring an IdP for single sign-on](https://help.zscaler.com/zpa/configuring-idp-single-sign)
@@ -32,7 +32,7 @@ There are many security benefits of using Azure AD-based authentication to log i
    - When users join or leave your team, you can update the Azure RBAC policy for the VM to grant access as appropriate. 
    - When employees leave your organization and their user accounts are disabled or removed from Azure AD, they no longer have access to your resources.
 - Configure Conditional Access policies to require multifactor authentication (MFA) and other signals, such as user sign-in risk, before you can RDP into Windows VMs. 
-- Use Azure deploy and audit policies to require Azure AD login for Windows VMs and to flag the use of unapproved local accounts on the VMs.
+- Use Azure Policy to deploy and audit policies to require Azure AD login for Windows VMs and to flag the use of unapproved local accounts on the VMs.
 - Use Intune to automate and scale Azure AD join with mobile device management (MDM) auto-enrollment of Azure Windows VMs that are part of your virtual desktop infrastructure (VDI) deployments. 
 
   MDM auto-enrollment requires Azure AD Premium P1 licenses. Windows Server VMs don't support MDM enrollment.
 
@@ -50,7 +50,7 @@ The following Azure AD roles can be assigned with administrative unit scope. Add
 | [SharePoint Administrator](permissions-reference.md#sharepoint-administrator) | Can manage Microsoft 365 groups in the assigned administrative unit only. For SharePoint sites associated with Microsoft 365 groups in an administrative unit, can also update site properties (site name, URL, and external sharing policy) using the Microsoft 365 admin center. Cannot use the SharePoint admin center or SharePoint APIs to manage sites. |
 | [Teams Administrator](permissions-reference.md#teams-administrator) | Can manage Microsoft 365 groups in the assigned administrative unit only.  Can manage team members in the Microsoft 365 admin center for teams associated with groups in the assigned administrative unit only.  Cannot use the Teams admin center. |
 | [Teams Devices Administrator](permissions-reference.md#teams-devices-administrator) | Can perform management related tasks on Teams certified devices. |
-| [User Administrator](permissions-reference.md#user-administrator) | Can manage all aspects of users and groups, including resetting passwords for limited admins within the assigned administrative unit only. |
+| [User Administrator](permissions-reference.md#user-administrator) | Can manage all aspects of users and groups, including resetting passwords for limited admins within the assigned administrative unit only. Cannot currently manage users' profile photographs. |
 | [&lt;Custom role&gt;](custom-create.md) | Can perform actions that apply to users, groups, or devices, according to the definition of the custom role. |
 
 Certain role permissions apply only to non-administrator users when assigned with the scope of an administrative unit. In other words, administrative unit scoped [Helpdesk Administrators](permissions-reference.md#helpdesk-administrator) can reset passwords for users in the administrative unit only if those users do not have administrator roles. The following list of permissions are restricted when the target of an action is another administrator:
 
@@ -45,7 +45,7 @@ Before configuring and enabling automatic user provisioning, you should decide w
 
 ## Set up OfficeSpace Software for provisioning
 
-1. Sign in to your [OfficeSpace Software Admin Console](https://support.officespacesoftware.com/hc). Navigate to **Settings > Connectors**.
+1. Sign in to your [OfficeSpace Software Admin Console](https://support.officespacesoftware.com/s/). Navigate to **Settings > Connectors**.
 
 	![OfficeSpace Software Admin Console](media/officespace-software-provisioning-tutorial/settings.png)
 
@@ -147,4 +147,4 @@ For more information on how to read the Azure AD provisioning logs, see [Reporti
 
 ## Next steps
 
-* [Learn how to review logs and get reports on provisioning activity](../app-provisioning/check-status-user-account-provisioning.md)
+* [Learn how to review logs and get reports on provisioning activity](../app-provisioning/check-status-user-account-provisioning.md)