Merge pull request #111138 from MicrosoftDocs/master

4/13 AM Publish

Author: huypub

articles/active-directory/b2b/invite-internal-users.md

@@ -0,0 +1,100 @@
+---
+title: Invite internal users to B2B collaboration - Azure AD
+description: If you have internal user accounts for partners, distributors, suppliers, vendors, and other guests, you can change to Azure AD B2B collaboration by inviting them to sign in with their own external credentials or login. Use either PowerShell or the Microsoft Graph invitation API.
+
+services: active-directory
+ms.service: active-directory
+ms.subservice: B2B
+ms.topic: conceptual
+ms.date: 04/12/2020
+
+ms.author: mimart
+author: msmimart
+manager: celestedg
+ms.reviewer: mal
+
+ms.collection: M365-identity-device-management
+---
+
+# Invite internal users to B2B collaboration
+
+|     |
+| --- |
+| Inviting internal users to use B2B collaboration is a public preview feature of Azure Active Directory. For more information about previews, see [Supplemental Terms of Use for Microsoft Azure Previews](https://azure.microsoft.com/support/legal/preview-supplemental-terms/). |
+|     |
+
+Before the availability of Azure AD B2B collaboration, organizations could collaborate with distributors, suppliers, vendors, and other guest users by setting up internal credentials for them. If you have internal guest users like this, you can invite them to use B2B collaboration so you can take advantage of Azure AD B2B benefits. Your B2B guest users will be able to use their own identities and credentials to sign in, and you won’t need to maintain passwords or manage account lifecycles.
+
+Sending an invitation to an existing internal account lets you retain that user’s object ID, UPN, group memberships, and app assignments. You don’t need to manually delete and re-invite the user or reassign resources. To invite the user, you’ll use the invitation API to pass both the internal user object and the guest user’s email address along with the invitation. When the user accepts the invitation, the B2B service changes the existing internal user object to a B2B user. Going forward, the user must sign in to cloud resources services using their B2B credentials. They can still use their internal credentials to access on premises resources, but you can prevent this by resetting or changing the password on the internal account.
+
+> [!NOTE]
+> Invitation is one-way. You can invite internal users to use B2B collaboration, but you can’t remove the B2B credentials once they’re added. To change the user back to an internal-only user, you’ll need to delete the user object and create a new one.
+
+While in public preview, the method described in this article for inviting internal users to B2B collaboration can’t be used in these instances:
+
+- The internal user has already been assigned an Exchange license.
+- The user is from a domain that is set up for direct federation in your directory.
+- The internal user is a cloud-only account, and their main account isn't in Azure AD.
+
+In these instances, if the internal user must be changed to a B2B user, you should delete the internal account and send the user an invitation for B2B collaboration.
+
+**On-premises synced users**: For user accounts that are synced between on-premises and the cloud, the on-premises directory remains the source of authority after they’re invited to use B2B collaboration. Any changes you make to the on-premises account will sync to the cloud account, including disabling or deleting the account. Therefore, you can’t prevent the user from signing into their on-premises account while retaining their cloud account by simply deleting the on-premises account. Instead, you can set the on-premises account password to a random GUID or other unknown value.
+
+## How to invite internal users to B2B collaboration
+
+You can use PowerShell or the invitation API to send a B2B invitation to the internal user. Make sure the email address you want to use for the invitation is set as the external email address on the internal user object.
+
+- For a cloud-only user, use the email address in the User.OtherMails property for the invitation.
+- For an on-premises synced user, you must use the value in the User.Mail property for the invitation.
+- The domain in the user’s Mail property must match the account they’re using to sign in. Otherwise, some services such as Teams won't be able to authenticate the user.
+
+By default, the invitation will send the user an email letting them know they’ve been invited, but you can suppress this email and send your own instead.
+
+> [!NOTE]
+> To send your own email or other communication, you can use New-AzureADMSInvitation with -SendInvitationMessage:$false to invite users silently, and then send your own email message to the converted user. See [Azure AD B2B collaboration API and customization](customize-invitation-api.md).
+
+## Use PowerShell to send a B2B invitation
+
+Use the following command to invite the user to B2B collaboration:
+
+```powershell
+Uninstall-Module AzureADPreview
+Install-Module AzureADPreview
+$ADGraphUser = Get-AzureADUser -searchstring "<<external email>>"
+$msGraphUser = New-Object Microsoft.Open.MSGraph.Model.User -ArgumentList $ADGraphUser.ObjectId
+New-AzureADMSInvitation -InvitedUserEmailAddress <<external email>> -SendInvitationMessage $True -InviteRedirectUrl "http://myapps.microsoft.com" -InvitedUser $msGraphUser
+```
+
+## Use the invitation API to send a B2B invitation
+
+The sample below illustrates how to call the invitation API to invite an internal user as a B2B user.
+
+```json
+POST https://graph.microsoft.com/v1.0/invitations
+Authorization: Bearer eyJ0eX...
+ContentType: application/json
+{
+    "invitedUserEmailAddress": "<<external email>>"",
+    "sendInvitationMessage": true,
+    "invitedUserMessageInfo": {
+        "messageLanguage": "en-US",
+        "ccRecipients": [
+            {
+                "emailAddress": {
+                    "name": null,
+                    "address": "<<optional additional notification email>>""
+                }
+            }
+        ],
+        "customizedMessageBody": "<<custom message>>"
+    },
+    "inviteRedirectUrl": "https://myapps.microsoft.com?tenantId=",
+    "invitedUser": {"id": "<<ID for the user you want to convert>>"}
+}
+```
+
+The response to the API is the same response you get when you invite a new guest user to the directory.
+
+## Next steps
+
+- [B2B collaboration invitation redemption](redemption-experience.md)

articles/active-directory/b2b/toc.yml

@@ -63,6 +63,8 @@
         href: add-users-administrator.md
       - name: Information workers adding B2B users
         href: add-users-information-worker.md
+      - name: Invite internal users to B2B
+        href: invite-internal-users.md
       - name: Google federation
         href: google-federation.md
       - name: One-time passcode authentication

articles/automation/TOC.yml

@@ -10,30 +10,30 @@
   items:
     - name: Create an Automation account
       href: automation-quickstart-create-account.md
-    - name: Create standalone Automation account
+    - name: Create a standalone Automation account
       href: automation-create-standalone-account.md
-    - name: Manage Automation Run As account
+    - name: Manage an Automation Run As account
       href: manage-runas-account.md
       displayName: certificate renewal
     - name: Manage role-based access control
       href: automation-role-based-access-control.md
       displayName: RBAC
-    - name: Use Azure AD in Azure Automation to authenticate to Azure
+    - name: Use Azure AD to authenticate to Azure
       href: automation-use-azure-ad.md
-    - name: Manage Office 365 services using Azure Automation
+    - name: Manage Office 365 services
       href: manage-office-365.md
     - name: Configure authentication with AWS
       href: automation-config-aws-account.md
     - name: Encrypt secure assets in Azure Automation
       href: automation-secure-asset-encryption.md
-    - name: Move your Automation Account to another Subscription
+    - name: Move your Automation Account to another subscription
       href: how-to/move-account.md
-    - name: Automate onboarding of Automation Services
+    - name: Automate onboarding of Automation services
       href: /azure/architecture/cloud-adoption/operations/azure-server-management/onboarding-automation
     - name: Manage Azure Automation data
       href: automation-managing-data.md
       displayName: backup
-    - name: Supported Regions for Log Analytics Workspace Mappings
+    - name: Supported regions for Log Analytics workspace mappings
       href: how-to/region-mappings.md
     - name: Troubleshoot
       items:  

articles/automation/automation-create-standalone-account.md

@@ -28,7 +28,7 @@ To create or update an Automation account, and to complete the tasks described i
 * To create an Automation account, your Azure AD user account must be added to a role with permissions equivalent to the Owner role for **Microsoft. Automation** resources. For more information, see [Role-Based Access Control in Azure Automation](automation-role-based-access-control.md).
 * In the Azure portal, under **Azure Active Directory** > **MANAGE** > **User settings**, if **App registrations** is set to **Yes**, non-admin users in your Azure AD tenant can [register Active Directory applications](../active-directory/develop/howto-create-service-principal-portal.md#check-azure-subscription-permissions). If **App registrations** is set to **No**, the user who performs this action must be a global administrator in Azure AD.
 
-If you aren't a member of the subscription’s Active Directory instance before you are added to the subscription's global administrator/coadministrator role, you are added to Active Directory as a guest. In this scenario, you see this message on the **Add Automation Account** page: “You do not have permissions to create."
+If you aren't a member of the subscription's Active Directory instance before you are added to the subscription's global administrator/coadministrator role, you are added to Active Directory as a guest. In this scenario, you see this message on the **Add Automation Account** page: "You do not have permissions to create."
 
 If a user is added to the global administrator/coadministrator role first, you can remove them from the subscription's Active Directory instance, and then readd them to the full User role in Active Directory.
 
@@ -86,7 +86,7 @@ When the Automation account is successfully created, several resources are autom
 | AzureRunAsCertificate |A certificate asset that's automatically created when the Automation account is created, or by using a PowerShell script for an existing account. The certificate authenticates with Azure so you can manage Azure Resource Manager resources from runbooks. This certificate has a one-year lifespan. |
 | AzureRunAsConnection |A connection asset that's automatically created when the Automation account is created, or by using a PowerShell script for an existing account. |
 
-## Classic Run-As Accounts
+## Create a Classic Run-As account
 
 Classic Run-As accounts are no longer created, by default, when you create an Azure Automation account. If you still require a Classic Run-As account, please perform the following steps.
 

articles/automation/automation-solution-vm-management-enable.md

@@ -12,7 +12,7 @@ ms.topic: conceptual
 Perform the following steps to add the Start/Stop VMs during off-hours solution to a new or existing Automation account and linked Log Analytics workspace. After completing the onboarding process, configure the variables to customize the solution.
 
 >[!NOTE]
->To use this solution with Classic VMs, you need a Classic RunAs account, which is not created by default. For instructions on creating a Classic RunAs account, see [Classic Run-As Accounts](automation-create-standalone-account.md#classic-run-as-accounts).
+>To use this solution with Classic VMs, you need a Classic Run As account, which is not created by default. For instructions on creating a Classic Run As account, see [Create a Classic Run As account](automation-create-standalone-account.md#create-a-classic-run-as-account).
 >
 
 ## Enable solution