Merge pull request #25 from MicrosoftDocs/master

refresh kromerm master

Author: kromerm

.openpublishing.redirection.json

@@ -423,12 +423,17 @@
     },
     {
       "source_path": "articles/active-directory/saas-apps/realtimeboard-tutorial.md",
-      "redirect_url": "/articles/active-directory/saas-apps/miro-tutorial",
+      "redirect_url": "/azure/active-directory/saas-apps/miro-tutorial",
       "redirect_document_id": false
     },
     {
       "source_path": "articles/active-directory/saas-apps/redbrickhealth-tutorial.md",
-      "redirect_url": "/articles/active-directory/saas-apps/redbrick-health-tutorial",
+      "redirect_url": "/azure/active-directory/saas-apps/redbrick-health-tutorial",
+      "redirect_document_id": false
+    },
+    {
+      "source_path": "articles/active-directory/saas-apps/adobe-identity-management-tutorial.md",
+      "redirect_url": "/azure/active-directory/saas-apps/tutorial-list",
       "redirect_document_id": false
     },
     {
@@ -40082,12 +40087,12 @@
     },
     {
       "source_path": "articles/iot-central/tutorial-add-device-pnp.md",
-      "redirect_url": "/azure/iot-central/core/tutorial-connect-pnp-device",
+      "redirect_url": "/azure/iot-central/core/quick-create-pnp-device",
       "redirect_document_id": false
     },
     {
       "source_path": "articles/iot-central/tutorial-define-device-type-pnp.md",
-      "redirect_url": "/azure/iot-central/core/howto-set-up-template",
+      "redirect_url": "/azure/iot-central/core/quick-create-pnp-device",
       "redirect_document_id": false
     },
     {
@@ -46282,7 +46287,7 @@
     },
     {
       "source_path": "articles/iot-central/quick-create-pnp-device-pnp.md",
-      "redirect_url": "/azure/iot-central/core/quick-create-simulated-device/",
+      "redirect_url": "/azure/iot-central/core/quick-create-pnp-device/",
       "redirect_document_id": false
     },
     {
@@ -46347,12 +46352,7 @@
     },
     {
       "source_path": "articles/iot-central/core/quick-create-pnp-device-pnp.md",
-      "redirect_url": "/azure/iot-central/core/quick-create-simulated-device/",
-      "redirect_document_id": false
-    },
-    {
-      "source_path": "articles/iot-central/core/quick-create-pnp-device.md",
-      "redirect_url": "/azure/iot-central/core/quick-create-simulated-device/",
+      "redirect_url": "/azure/iot-central/core/quick-create-pnp-device/",
       "redirect_document_id": false
     },
     {
@@ -46787,7 +46787,7 @@
     },
     {
       "source_path": "articles/iot-central/preview/quick-create-pnp-device.md",
-      "redirect_url": "/azure/iot-central/core/quick-create-simulated-device/",
+      "redirect_url": "/azure/iot-central/core/quick-create-pnp-device/",
       "redirect_document_id": false
     },
     {

articles/active-directory/authentication/multi-factor-authentication-faq.md

@@ -0,0 +1,100 @@
+---
+title: Invite internal users to B2B collaboration - Azure AD
+description: If you have internal user accounts for partners, distributors, suppliers, vendors, and other guests, you can change to Azure AD B2B collaboration by inviting them to sign in with their own external credentials or login. Use either PowerShell or the Microsoft Graph invitation API.
+
+services: active-directory
+ms.service: active-directory
+ms.subservice: B2B
+ms.topic: conceptual
+ms.date: 04/12/2020
+
+ms.author: mimart
+author: msmimart
+manager: celestedg
+ms.reviewer: mal
+
+ms.collection: M365-identity-device-management
+---
+
+# Invite internal users to B2B collaboration
+
+|     |
+| --- |
+| Inviting internal users to use B2B collaboration is a public preview feature of Azure Active Directory. For more information about previews, see [Supplemental Terms of Use for Microsoft Azure Previews](https://azure.microsoft.com/support/legal/preview-supplemental-terms/). |
+|     |
+
+Before the availability of Azure AD B2B collaboration, organizations could collaborate with distributors, suppliers, vendors, and other guest users by setting up internal credentials for them. If you have internal guest users like this, you can invite them to use B2B collaboration so you can take advantage of Azure AD B2B benefits. Your B2B guest users will be able to use their own identities and credentials to sign in, and you won’t need to maintain passwords or manage account lifecycles.
+
+Sending an invitation to an existing internal account lets you retain that user’s object ID, UPN, group memberships, and app assignments. You don’t need to manually delete and re-invite the user or reassign resources. To invite the user, you’ll use the invitation API to pass both the internal user object and the guest user’s email address along with the invitation. When the user accepts the invitation, the B2B service changes the existing internal user object to a B2B user. Going forward, the user must sign in to cloud resources services using their B2B credentials. They can still use their internal credentials to access on premises resources, but you can prevent this by resetting or changing the password on the internal account.
+
+> [!NOTE]
+> Invitation is one-way. You can invite internal users to use B2B collaboration, but you can’t remove the B2B credentials once they’re added. To change the user back to an internal-only user, you’ll need to delete the user object and create a new one.
+
+While in public preview, the method described in this article for inviting internal users to B2B collaboration can’t be used in these instances:
+
+- The internal user has already been assigned an Exchange license.
+- The user is from a domain that is set up for direct federation in your directory.
+- The internal user is a cloud-only account, and their main account isn't in Azure AD.
+
+In these instances, if the internal user must be changed to a B2B user, you should delete the internal account and send the user an invitation for B2B collaboration.
+
+**On-premises synced users**: For user accounts that are synced between on-premises and the cloud, the on-premises directory remains the source of authority after they’re invited to use B2B collaboration. Any changes you make to the on-premises account will sync to the cloud account, including disabling or deleting the account. Therefore, you can’t prevent the user from signing into their on-premises account while retaining their cloud account by simply deleting the on-premises account. Instead, you can set the on-premises account password to a random GUID or other unknown value.
+
+## How to invite internal users to B2B collaboration
+
+You can use PowerShell or the invitation API to send a B2B invitation to the internal user. Make sure the email address you want to use for the invitation is set as the external email address on the internal user object.
+
+- For a cloud-only user, use the email address in the User.OtherMails property for the invitation.
+- For an on-premises synced user, you must use the value in the User.Mail property for the invitation.
+- The domain in the user’s Mail property must match the account they’re using to sign in. Otherwise, some services such as Teams won't be able to authenticate the user.
+
+By default, the invitation will send the user an email letting them know they’ve been invited, but you can suppress this email and send your own instead.
+
+> [!NOTE]
+> To send your own email or other communication, you can use New-AzureADMSInvitation with -SendInvitationMessage:$false to invite users silently, and then send your own email message to the converted user. See [Azure AD B2B collaboration API and customization](customize-invitation-api.md).
+
+## Use PowerShell to send a B2B invitation
+
+Use the following command to invite the user to B2B collaboration:
+
+```powershell
+Uninstall-Module AzureADPreview
+Install-Module AzureADPreview
+$ADGraphUser = Get-AzureADUser -searchstring "<<external email>>"
+$msGraphUser = New-Object Microsoft.Open.MSGraph.Model.User -ArgumentList $ADGraphUser.ObjectId
+New-AzureADMSInvitation -InvitedUserEmailAddress <<external email>> -SendInvitationMessage $True -InviteRedirectUrl "http://myapps.microsoft.com" -InvitedUser $msGraphUser
+```
+
+## Use the invitation API to send a B2B invitation
+
+The sample below illustrates how to call the invitation API to invite an internal user as a B2B user.
+
+```json
+POST https://graph.microsoft.com/v1.0/invitations
+Authorization: Bearer eyJ0eX...
+ContentType: application/json
+{
+    "invitedUserEmailAddress": "<<external email>>"",
+    "sendInvitationMessage": true,
+    "invitedUserMessageInfo": {
+        "messageLanguage": "en-US",
+        "ccRecipients": [
+            {
+                "emailAddress": {
+                    "name": null,
+                    "address": "<<optional additional notification email>>""
+                }
+            }
+        ],
+        "customizedMessageBody": "<<custom message>>"
+    },
+    "inviteRedirectUrl": "https://myapps.microsoft.com?tenantId=",
+    "invitedUser": {"id": "<<ID for the user you want to convert>>"}
+}
+```
+
+The response to the API is the same response you get when you invite a new guest user to the directory.
+
+## Next steps
+
+- [B2B collaboration invitation redemption](redemption-experience.md)

articles/active-directory/b2b/invite-internal-users.md

@@ -63,6 +63,8 @@
         href: add-users-administrator.md
       - name: Information workers adding B2B users
         href: add-users-information-worker.md
+      - name: Invite internal users to B2B
+        href: invite-internal-users.md
       - name: Google federation
         href: google-federation.md
       - name: One-time passcode authentication

articles/active-directory/b2b/toc.yml

@@ -0,0 +1,162 @@
+---
+title: 'Tutorial: Azure Active Directory single sign-on (SSO) integration with Fortes Change Cloud | Microsoft Docs'
+description: Learn how to configure single sign-on between Azure Active Directory and Fortes Change Cloud.
+services: active-directory
+documentationCenter: na
+author: jeevansd
+manager: mtillman
+ms.reviewer: barbkess
+
+ms.assetid: 1590757f-ce9f-4066-911f-47f3d3b92443
+ms.service: active-directory
+ms.subservice: saas-app-tutorial
+ms.workload: identity
+ms.tgt_pltfrm: na
+ms.topic: tutorial
+ms.date: 04/06/2020
+ms.author: jeedes
+
+ms.collection: M365-identity-device-management
+---
+
+# Tutorial: Azure Active Directory single sign-on (SSO) integration with Fortes Change Cloud
+
+In this tutorial, you'll learn how to integrate Fortes Change Cloud with Azure Active Directory (Azure AD). When you integrate Fortes Change Cloud with Azure AD, you can:
+
+* Control in Azure AD who has access to Fortes Change Cloud.
+* Enable your users to be automatically signed-in to Fortes Change Cloud with their Azure AD accounts.
+* Manage your accounts in one central location - the Azure portal.
+
+To learn more about SaaS app integration with Azure AD, see [What is application access and single sign-on with Azure Active Directory](https://docs.microsoft.com/azure/active-directory/manage-apps/what-is-single-sign-on).
+
+## Prerequisites
+
+To get started, you need the following items:
+
+* An Azure AD subscription. If you don't have a subscription, you can get a [free account](https://azure.microsoft.com/free/).
+* Fortes Change Cloud single sign-on (SSO) enabled subscription.
+
+## Scenario description
+
+In this tutorial, you configure and test Azure AD SSO in a test environment.
+
+* Fortes Change Cloud supports **SP and IDP** initiated SSO
+* Once you configure Fortes Change Cloud you can enforce session control, which protect exfiltration and infiltration of your organization’s sensitive data in real-time. Session control extend from Conditional Access. [Learn how to enforce session control with Microsoft Cloud App Security](https://docs.microsoft.com/cloud-app-security/proxy-deployment-any-app).
+
+## Adding Fortes Change Cloud from the gallery
+
+To configure the integration of Fortes Change Cloud into Azure AD, you need to add Fortes Change Cloud from the gallery to your list of managed SaaS apps.
+
+1. Sign in to the [Azure portal](https://portal.azure.com) using either a work or school account, or a personal Microsoft account.
+1. On the left navigation pane, select the **Azure Active Directory** service.
+1. Navigate to **Enterprise Applications** and then select **All Applications**.
+1. To add new application, select **New application**.
+1. In the **Add from the gallery** section, type **Fortes Change Cloud** in the search box.
+1. Select **Fortes Change Cloud** from results panel and then add the app. Wait a few seconds while the app is added to your tenant.
+
+
+## Configure and test Azure AD single sign-on for Fortes Change Cloud
+
+Configure and test Azure AD SSO with Fortes Change Cloud using a test user called **B.Simon**. For SSO to work, you need to establish a link relationship between an Azure AD user and the related user in Fortes Change Cloud.
+
+To configure and test Azure AD SSO with Fortes Change Cloud, complete the following building blocks:
+
+1. **[Configure Azure AD SSO](#configure-azure-ad-sso)** - to enable your users to use this feature.
+    1. **[Create an Azure AD test user](#create-an-azure-ad-test-user)** - to test Azure AD single sign-on with B.Simon.
+    1. **[Assign the Azure AD test user](#assign-the-azure-ad-test-user)** - to enable B.Simon to use Azure AD single sign-on.
+1. **[Configure Fortes Change Cloud SSO](#configure-fortes-change-cloud-sso)** - to configure the single sign-on settings on application side.
+    1. **[Create Fortes Change Cloud test user](#create-fortes-change-cloud-test-user)** - to have a counterpart of B.Simon in Fortes Change Cloud that is linked to the Azure AD representation of user.
+1. **[Test SSO](#test-sso)** - to verify whether the configuration works.
+
+## Configure Azure AD SSO
+
+Follow these steps to enable Azure AD SSO in the Azure portal.
+
+1. In the [Azure portal](https://portal.azure.com/), on the **Fortes Change Cloud** application integration page, find the **Manage** section and select **single sign-on**.
+1. On the **Select a single sign-on method** page, select **SAML**.
+1. On the **Set up single sign-on with SAML** page, click the edit/pen icon for **Basic SAML Configuration** to edit the settings.
+
+   ![Edit Basic SAML Configuration](common/edit-urls.png)
+
+1. On the **Basic SAML Configuration** section, if you wish to configure the application in **IDP** initiated mode, enter the values for the following fields:
+
+    a. In the **Identifier** text box, type a URL using the following pattern:
+    `https://<identifier>.fortes-online.com`
+
+    b. In the **Reply URL** text box, type a URL using the following pattern:
+    `https://<identifier>.fortes-online.com/saml/SSO`
+
+1. Click **Set additional URLs** and perform the following step if you wish to configure the application in **SP** initiated mode:
+
+    In the **Sign-on URL** text box, type a URL using the following pattern:
+    `https://<identifier>.fortes-online.com/saml/SSO`
+
+	> [!NOTE]
+	> These values are not real. Update these values with the actual Identifier, Reply URL and Sign-on URL. Contact [Fortes Change Cloud Client support team](mailto:[email protected]) to get these values. You can also refer to the patterns shown in the **Basic SAML Configuration** section in the Azure portal.
+
+1. Fortes Change Cloud application expects the SAML assertions in a specific format, which requires you to add custom attribute mappings to your SAML token attributes configuration. The following screenshot shows the list of default attributes, where as **nameidentifier** is mapped with **user.userprincipalname**. Fortes Change Cloud application expects **nameidentifier** to be mapped with **user.samaccountname**, so you need to edit the attribute mapping by clicking on **Edit** icon and change the attribute mapping.
+
+	![image](common/edit-attribute.png)
+
+1. On the **Set up single sign-on with SAML** page, In the **SAML Signing Certificate** section, click copy button to copy **App Federation Metadata Url** and save it on your computer.
+
+	![The Certificate download link](common/copy-metadataurl.png)
+
+### Create an Azure AD test user
+
+In this section, you'll create a test user in the Azure portal called B.Simon.
+
+1. From the left pane in the Azure portal, select **Azure Active Directory**, select **Users**, and then select **All users**.
+1. Select **New user** at the top of the screen.
+1. In the **User** properties, follow these steps:
+   1. In the **Name** field, enter `B.Simon`.  
+   1. In the **User name** field, enter the [email protected]. For example, `[email protected]`.
+   1. Select the **Show password** check box, and then write down the value that's displayed in the **Password** box.
+   1. Click **Create**.
+
+### Assign the Azure AD test user
+
+In this section, you'll enable B.Simon to use Azure single sign-on by granting access to Fortes Change Cloud.
+
+1. In the Azure portal, select **Enterprise Applications**, and then select **All applications**.
+1. In the applications list, select **Fortes Change Cloud**.
+1. In the app's overview page, find the **Manage** section and select **Users and groups**.
+
+   ![The "Users and groups" link](common/users-groups-blade.png)
+
+1. Select **Add user**, then select **Users and groups** in the **Add Assignment** dialog.
+
+	![The Add User link](common/add-assign-user.png)
+
+1. In the **Users and groups** dialog, select **B.Simon** from the Users list, then click the **Select** button at the bottom of the screen.
+1. If you're expecting any role value in the SAML assertion, in the **Select Role** dialog, select the appropriate role for the user from the list and then click the **Select** button at the bottom of the screen.
+1. In the **Add Assignment** dialog, click the **Assign** button.
+
+## Configure Fortes Change Cloud SSO
+
+To configure single sign-on on **Fortes Change Cloud** side, you need to send the **App Federation Metadata Url** to [Fortes Change Cloud support team](mailto:[email protected]). They set this setting to have the SAML SSO connection set properly on both sides.
+
+### Create Fortes Change Cloud test user
+
+In this section, you create a user called Britta Simon in Fortes Change Cloud. Work with [Fortes Change Cloud support team](mailto:[email protected]) to add the users in the Fortes Change Cloud platform. Users must be created and activated before you use single sign-on.
+
+## Test SSO 
+
+In this section, you test your Azure AD single sign-on configuration using the Access Panel.
+
+When you click the Fortes Change Cloud tile in the Access Panel, you should be automatically signed in to the Fortes Change Cloud for which you set up SSO. For more information about the Access Panel, see [Introduction to the Access Panel](https://docs.microsoft.com/azure/active-directory/active-directory-saas-access-panel-introduction).
+
+## Additional resources
+
+- [ List of Tutorials on How to Integrate SaaS Apps with Azure Active Directory ](https://docs.microsoft.com/azure/active-directory/active-directory-saas-tutorial-list)
+
+- [What is application access and single sign-on with Azure Active Directory? ](https://docs.microsoft.com/azure/active-directory/active-directory-appssoaccess-whatis)
+
+- [What is conditional access in Azure Active Directory?](https://docs.microsoft.com/azure/active-directory/conditional-access/overview)
+
+- [Try Fortes Change Cloud with Azure AD](https://aad.portal.azure.com/)
+
+- [What is session control in Microsoft Cloud App Security?](https://docs.microsoft.com/cloud-app-security/proxy-intro-aad)
+
+- [How to protect Fortes Change Cloud with advanced visibility and controls](https://docs.microsoft.com/cloud-app-security/proxy-intro-aad)
+