Merge pull request #219220 from MicrosoftDocs/main

11/21 PM Publish

Author: huypub

.openpublishing.redirection.active-directory.json

@@ -10953,7 +10953,7 @@
     },
     {
       "source_path_from_root": "/articles/active-directory/fundamentals/keep-me-signed-in.md",
-      "redirect_url": "/azure/active-directory/fundamentals/customize-branding",
+      "redirect_url": "/azure/active-directory/fundamentals/active-directory-users-profile-azure-portal",
       "redirect_document_id": false
     },
     {

.openpublishing.redirection.virtual-desktop.json

@@ -74,6 +74,11 @@
             "source_path_from_root": "/articles/virtual-desktop/user-documentation/linux-overview.md",
             "redirect_url": "/azure/virtual-desktop/users/connect-thin-clients",
             "redirect_document_id": true
+        },
+        {
+            "source_path_from_root": "/articles/virtual-desktop/troubleshoot-client.md",
+            "redirect_url": "/azure/virtual-desktop/troubleshoot-client-windows",
+            "redirect_document_id": true
         }
     ]
 }

articles/active-directory/app-proxy/application-proxy-azure-front-door.md

@@ -0,0 +1,102 @@
+---
+title: Using Azure Front Door to provide geo-acceleration
+description: How to optimize performance for global connectivity scenarios using Azure Front Door (for Geo-Acceleration) with Azure Active Directory Application Proxy.
+services: active-directory
+author: dhruvinshah
+ms.service: active-directory
+ms.subservice: app-proxy
+ms.workload: identity
+ms.topic: how-to
+ms.date: 08/22/2022
+ms.author: dhruvinshah
+ms.reviewer: ashishj
+---
+
+# Using Azure Front Door to achieve geo-acceleration
+
+This article explains how to configure Azure Active Directory (Azure AD) Application Proxy to work with Azure Front Door (AFD) to achieve reduce latency and better performance.
+ 
+## What is Azure Front Door?
+
+Azure Front Door helps deliver low-latency, high-throughput content at scale from the cloud or on-premises infrastructure to users anywhere. Accelerate static and dynamic content delivery with a unified platform built on the massively scalable Microsoft private global network. For more information about Azure Front Door, see [What is Azure Front Door?][front-door-overview].
+
+## Deployment steps
+
+This article guides you through the steps to securely expose a web application on the Internet, by integrating the Azure AD Application Proxy with Azure Front Door. In this guide we'll be using the Azure portal. The reference architecture for this deployment is represented below.   
+ 
+:::image type="content" source="./media/application-proxy-azure-front-door/azure-front-door.png" alt-text="Diagram of deployment described." lightbox="./media/application-proxy-azure-front-door/azure-front-door.png":::
+
+## Prerequisites
+
+- A Front Door Service – Standard or Classic tier
+- Apps that exist in a single region.
+- A custom domain to use for the application.
+- For licensing information, Application Proxy is available through an Azure AD Premium subscription. Refer here for a full listing of licensing options and features: [Azure Active Directory Pricing](https://www.microsoft.com/security/business/identity-access-management/azure-ad-pricing) 
+
+### Application Proxy Configuration
+
+Follow these steps to configure Application Proxy for Front Door: 
+1.	Install connector for the location that your app instances will be in (For example US West).  For the connector group assign the connector to the right region (For example North America).
+2.	Set up your app instance with Application Proxy as follows:
+    - Set the Internal URL to the address users access the app from the internal network, for example contoso.org
+    - Set the External URL to the domain address you want the users to access the app from. For this you must configure a custom domain for our application here, for example, contoso.org. Reference: [Custom domains in Azure Active Directory Application Proxy][appproxy-custom-domain]
+    - Assign the application to the appropriate connector group (For example: North America)
+    - Note down the URL generated by Application Proxy to access the application. For example, contoso.msappproxy.net 
+    - For the application configure a CNAME Entry in your DNS provider which points the external URL to the Front Door’s endpoint, for example ‘contoso.org’ to contoso.msappproxy.net 
+3.	In the Front Door service, utilize the URL generated for the app by Application Proxy as a backend for the backend pool. For example, contoso.msappproxy.net 
+
+#### Sample Application Proxy Configuration
+The following table shows a sample Application Proxy configuration. The sample scenario uses the sample application domain www.contoso.org as the External URL. 
+
+|     | Configuration | Additional Information |
+|---- | ----------------------- | ---------------------- |
+| **Internal URL** | nam.contoso.com |  |
+| **External URL** | contoso.org | Configure a custom domain for users to access the app from.|
+| **Connector group** | North America | Select the connector group in the geo closest to where the app instance will be in for optimized performance.|
+
+### Front Door Configuration
+
+Azure Front Door is offered in different tiers including Standard, Premium and Classic. Select a tier based on the preference. For more information on tier comparison, refer here: [Azure Front Door tier comparison][front-door-tier]
+
+For Front Door Standard Tier
+The configuration steps that follow refer to the following definitions: 
+- Endpoint name: A globally unique name for the endpoint. You can onboard custom domains as well. For example, front door endpoint name: contoso-nam that will generate the Endpoint host name contoso-nam.azurefd.net and utilize custom domain host name: contoso.org 
+- Origin: Origins are your application servers. Front door will route your client requests to origins, based on the type, ports, priority, and weight you specify here
+- Origin Type: The type of resource you want to add. Front Door supports auto-discovery of your application backends from App Service, Cloud Service, or Storage. If you want a different resource in Azure or even a non-Azure backend, select Custom host. For example Custom host for have a backend of an Application Proxy service
+- Origin host name: This represents the backend origin host name. For example, contoso.msappproxy.net 
+- Origin host header: This represented the host header value being sent to the backend for each request. For example, contoso.org. For more information refer here: [Origins and origin groups – Azure Front Door][front-door-origin]
+
+Follow these steps to configure the Front Door Service (Standard): 
+1.	Create a Front Door (Standard) with the configuration below: 
+    - Add an Endpoint name for generating the Front Door’s default domain i.e. azurefd.net. For example, contoso-nam that generated the Endpoint hostname contoso-nam.azurefd.net 
+    - Add an Origin Type for the type of backend resource. For example Custom here for the Application Proxy resource
+    - Add an Origin host name to represent the backend host name. For example, contoso.msappproxy.net 
+    - Optional: Enable Caching for the routing rule for Front Door to cache your static content. 
+2.	Verify if the deployment is complete and the Front Door Service is ready
+3.	To give your Front Door service a user-friendly domain host name URL, create a CNAME record with your DNS provider for your Application Proxy External URL that points to Front Door’s domain host name (generated by the Front Door service). For example, contoso.org points to contoso.azurefd.net Reference: [How to add a custom domain - Azure Front Door][front-door-custom-domain]
+4.	As per the reference, on the Front Door Service Dashboard navigate to Front Door Manager and add a Domain with the Custom Hostname. For example, contoso.org 
+5.	Navigate to the Origin groups in the Front Door Service Dashboard, select the origin name and validate the Origin host header matches the domain of the backend. For example here the Origin host header should be: contoso.org 
+
+|     | Configuration | Additional Information |
+|---- | ----------------------- | ---------------------- |
+| **Endpoint Name** | •	Endpoint name: contoso-nam <br /> •	Front door generated Hostname: <br /> contoso-nam.azurefd.net <br /> •	Custom Domain Hostname: contoso.org| A custom domain host name must be utilized here.|
+| **Origin hostname** | contoso.msappproxy.net | The URL generated for the app by Application Proxy must be utilized here.|
+| **Connector group** | North America | Select the connector group in the geo closest to where the app instance will be in for optimized performance.|
+
+:::image type="content" source="./media/application-proxy-azure-front-door/azure-front-door-profile-1.png" alt-text="Screenshot of Azure Front Door Configuration 1." lightbox="./media/application-proxy-azure-front-door/azure-front-door-profile-1.png":::
+
+:::image type="content" source="./media/application-proxy-azure-front-door/azure-front-door-profile-2.png" alt-text="Screenshot of Azure Front Door Configuration 2." lightbox="./media/application-proxy-azure-front-door/azure-front-door-profile-2.png":::
+
+:::image type="content" source="./media/application-proxy-azure-front-door/azure-front-door-profile-3.png" alt-text="Screenshot of Azure Front Door Configuration 3." lightbox="./media/application-proxy-azure-front-door/azure-front-door-profile-3.png":::
+
+## Next steps
+
+To prevent false positives, learn how to [Customize Web Application Firewall rules](../../web-application-firewall/ag/application-gateway-customize-waf-rules-portal.md), configure [Web Application Firewall exclusion lists](../../web-application-firewall/ag/application-gateway-waf-configuration.md?tabs=portal), or [Web Application Firewall custom rules](../../web-application-firewall/ag/create-custom-waf-rules.md).
+
+[front-door-overview]: ../../frontdoor/front-door-overview.md
+[front-door-origin]: ../../frontdoor/origin.md?pivots=front-door-standard-premium#origin-host-header
+[front-door-tier]: ../../frontdoor/standard-premium/tier-comparison.md
+[front-door-custom-domain]: ../../frontdoor/standard-premium/how-to-add-custom-domain.md
+[appproxy-custom-domain]: ./application-proxy-configure-custom-domain.md
+[private-dns]: ../../dns/private-dns-getstarted-portal.md
+[waf-logs]: ../../application-gateway/application-gateway-diagnostics.md#firewall-log

articles/active-directory/app-proxy/media/application-proxy-azure-front-door/azure-front-door-profile-1.png

@@ -83,6 +83,8 @@
       href: application-proxy-configure-connectors-with-proxy-servers.md
     - name: Add Traffic Manager
       href: application-proxy-integrate-with-traffic-manager.md
+    - name: Geo-acceleration with Azure Front Door
+      href: application-proxy-azure-front-door.md
     - name: Give mobile and desktop apps access to on-premises APIs
       href: application-proxy-secure-api-access.md 
     - name: Configure custom home page

articles/active-directory/app-proxy/media/application-proxy-azure-front-door/azure-front-door-profile-2.png

@@ -68,7 +68,7 @@ When a user selects **Yes** on the *Stay signed in?* option during sign-in, a pe
 
 If you have an Azure AD Premium 1 license, we recommend using Conditional Access policy for *Persistent browser session*. This policy overwrites the *Stay signed in?* setting and provides an improved user experience. If you don't have an Azure AD Premium 1 license, we recommend enabling the stay signed in setting for your users.
 
-For more information on configuring the option to let users remain signed-in, see [Customize your Azure AD sign-in page](../fundamentals/customize-branding.md#learn-about-the-stay-signed-in-prompt).
+For more information on configuring the option to let users remain signed-in, see [Customize your Azure AD sign-in page](../fundamentals/active-directory-users-profile-azure-portal.md#learn-about-the-stay-signed-in-prompt).
 
 ### Remember Multi-Factor Authentication  
 

articles/active-directory/app-proxy/media/application-proxy-azure-front-door/azure-front-door-profile-3.png

@@ -30,10 +30,23 @@ Microsoft provides [security defaults](../fundamentals/concept-fundamentals-secu
 ### Prerequisites
 
 * A working Azure AD tenant with Azure AD Premium or trial license enabled. If needed, [create one for free](https://azure.microsoft.com/free/?WT.mc_id=A261C142F).
-* An account with Conditional Access Administrator privileges.
+* An account with privileges to create Conditional Access policies.
 * A test user (non-administrator) that allows you to verify policies work as expected before you impact real users. If you need to create a user, see [Quickstart: Add new users to Azure Active Directory](../fundamentals/add-users-azure-active-directory.md).
 * A group that the non-administrator user is a member of. If you need to create a group, see [Create a group and add members in Azure Active Directory](../fundamentals/active-directory-groups-create-azure-portal.md).
 
+#### Permissions
+
+Conditional Access policies can be created or modified by anyone assigned the following roles:
+
+- Conditional Access Administrator 
+- Security Administrator
+- Global Administrator
+
+Conditional Access policies can be read by anyone assigned the following roles:
+
+- Security Reader
+- Global Reader
+
 ## Understand Conditional Access policy components
 
 Policies answer questions about who should access your resources, what resources they should access, and under what conditions. Policies can be designed to grant access, limit access with session controls, or to block access. You [build a Conditional Access policy](concept-conditional-access-policies.md)  by defining the if-then statements: **If an assignment is met, then apply the access controls**.