Merge pull request #204897 from MicrosoftDocs/main

7/15 AM Publish

Author: huypub

articles/active-directory/develop/msal-client-application-configuration.md

@@ -9,7 +9,7 @@ ms.service: active-directory
 ms.subservice: develop
 ms.topic: conceptual
 ms.workload: identity
-ms.date: 11/20/2020
+ms.date: 07/15/2022
 ms.author: marsma
 ms.reviewer: saeeda
 ms.custom: aaddev, has-adal-ref
@@ -33,12 +33,12 @@ The authority is a URL that indicates a directory that MSAL can request tokens f
 
 Common authorities are:
 
-| Common authority URLs | When to use |
-|--|--|
-| `https://login.microsoftonline.com/<tenant>/` | Sign in users of a specific organization only. The `<tenant>` in the URL is the tenant ID of the Azure Active Directory (Azure AD) tenant (a GUID), or its tenant domain. |
-| `https://login.microsoftonline.com/common/` | Sign in users with work and school accounts or personal Microsoft accounts. |
-| `https://login.microsoftonline.com/organizations/` | Sign in users with work and school accounts. |
-| `https://login.microsoftonline.com/consumers/` | Sign in users with personal Microsoft accounts (MSA) only. |
+| Common authority URLs                              | When to use                                                                                                                                                               |
+| -------------------------------------------------- | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
+| `https://login.microsoftonline.com/<tenant>/`      | Sign in users of a specific organization only. The `<tenant>` in the URL is the tenant ID of the Azure Active Directory (Azure AD) tenant (a GUID), or its tenant domain. |
+| `https://login.microsoftonline.com/common/`        | Sign in users with work and school accounts or personal Microsoft accounts.                                                                                               |
+| `https://login.microsoftonline.com/organizations/` | Sign in users with work and school accounts.                                                                                                                              |
+| `https://login.microsoftonline.com/consumers/`     | Sign in users with personal Microsoft accounts (MSA) only.                                                                                                                |
 
 The authority you specify in your code needs to be consistent with the **Supported account types** you specified for the app in **App registrations** in the Azure portal.
 
@@ -50,16 +50,16 @@ The authority can be:
 
 Azure AD cloud authorities have two parts:
 
-- The identity provider *instance*
-- The sign-in *audience* for the app
+- The identity provider _instance_
+- The sign-in _audience_ for the app
 
 The instance and audience can be concatenated and provided as the authority URL. This diagram shows how the authority URL is composed:
 
 ![How the authority URL is composed](media/msal-client-application-configuration/authority.png)
 
 ## Cloud instance
 
-The *instance* is used to specify if your app is signing users from the Azure public cloud or from national clouds. Using MSAL in your code, you can set the Azure cloud instance by using an enumeration or by passing the URL to the [national cloud instance](authentication-national-cloud.md#azure-ad-authentication-endpoints) as the `Instance` member (if you know it).
+The _instance_ is used to specify if your app is signing users from the Azure public cloud or from national clouds. Using MSAL in your code, you can set the Azure cloud instance by using an enumeration or by passing the URL to the [national cloud instance](authentication-national-cloud.md#azure-ad-authentication-endpoints) as the `Instance` member.
 
 MSAL.NET will throw an explicit exception if both `Instance` and `AzureCloudInstance` are specified.
 
@@ -100,7 +100,7 @@ Currently, the only way to get an app to sign in users with only personal Micros
 
 ## Client ID
 
-The client ID is the unique application (client) ID assigned to your app by Azure AD when the app was registered.
+The client ID is the unique **Application (client) ID** assigned to your app by Azure AD when the app was registered.
 
 ## Redirect URI
 
@@ -110,40 +110,41 @@ The redirect URI is the URI the identity provider will send the security tokens
 
 If you're a public client app developer who's using MSAL:
 
-- You'd want to use `.WithDefaultRedirectUri()` in desktop or UWP applications (MSAL.NET 4.1+). This method will set the public client application's redirect URI property to the default recommended redirect URI for public client applications.
+- You'd want to use `.WithDefaultRedirectUri()` in desktop or Universal Windows Platform (UWP) applications (MSAL.NET 4.1+). The `.WithDefaultRedirectUri()` method will set the public client application's redirect URI property to the default recommended redirect URI for public client applications.
 
-  | Platform | Redirect URI |
-  |--|--|
-  | Desktop app (.NET FW) | `https://login.microsoftonline.com/common/oauth2/nativeclient` |
-  | UWP | value of `WebAuthenticationBroker.GetCurrentApplicationCallbackUri()`. This enables SSO with the browser by setting the value to the result of WebAuthenticationBroker.GetCurrentApplicationCallbackUri() which you need to register |
-  | .NET Core | `https://localhost`. This enables the user to use the system browser for interactive authentication since .NET Core doesn't have a UI for the embedded web view at the moment. |
+  | Platform              | Redirect URI                                                                                                                                                                                                                                           |
+  | --------------------- | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------ |
+  | Desktop app (.NET FW) | `https://login.microsoftonline.com/common/oauth2/nativeclient`                                                                                                                                                                                         |
+  | UWP                   | value of `WebAuthenticationBroker.GetCurrentApplicationCallbackUri()`. This enables single sign-on (SSO) with the browser by setting the value to the result of WebAuthenticationBroker.GetCurrentApplicationCallbackUri(), which you need to register |
+  | .NET Core             | `https://localhost` enables the user to use the system browser for interactive authentication since .NET Core doesn't have a UI for the embedded web view at the moment.                                                                               |
 
-- You don't need to add a redirect URI if you're building a Xamarin Android and iOS application that doesn't support the broker redirect URI. It is automatically set to `msal{ClientId}://auth` for Xamarin Android and iOS.
+- You don't need to add a redirect URI if you're building a Xamarin Android and iOS application that doesn't support the broker redirect URI. It's automatically set to `msal{ClientId}://auth` for Xamarin Android and iOS.
 
 - Configure the redirect URI in [App registrations](https://aka.ms/appregistrations):
 
-   ![Redirect URI in App registrations](media/msal-client-application-configuration/redirect-uri.png)
+  ![Redirect URI in App registrations](media/msal-client-application-configuration/redirect-uri.png)
 
 You can override the redirect URI by using the `RedirectUri` property (for example, if you use brokers). Here are some examples of redirect URIs for that scenario:
 
 - `RedirectUriOnAndroid` = "msauth-5a434691-ccb2-4fd1-b97b-b64bcfbc03fc://com.microsoft.identity.client.sample";
 - `RedirectUriOnIos` = $"msauth.{Bundle.ID}://auth";
 
-For additional iOS details, see [Migrate iOS applications that use Microsoft Authenticator from ADAL.NET to MSAL.NET](msal-net-migration-ios-broker.md) and [Leveraging the broker on iOS](https://github.com/AzureAD/microsoft-authentication-library-for-dotnet/wiki/Leveraging-the-broker-on-iOS).
-For additional Android details, see [Brokered auth in Android](msal-android-single-sign-on.md).
+For more iOS details, see [Migrate iOS applications that use Microsoft Authenticator from ADAL.NET to MSAL.NET](msal-net-migration-ios-broker.md) and [Leveraging the broker on iOS](https://github.com/AzureAD/microsoft-authentication-library-for-dotnet/wiki/Leveraging-the-broker-on-iOS).
+For more Android details, see [Brokered auth in Android](msal-android-single-sign-on.md).
 
 ### Redirect URI for confidential client apps
 
-For web apps, the redirect URI (or reply URL) is the URI that Azure AD will use to send the token back to the application. This URI can be the URL of the web app/web API if the confidential app is one of these. The redirect URI needs to be registered in app registration. This registration is especially important when you deploy an app that you've initially tested locally. You then need to add the reply URL of the deployed app in the application registration portal.
+For web apps, the redirect URI (or reply URL) is the URI that Azure AD will use to send the token back to the application. The URI can be the URL of the web app/web API if the confidential app is one of them. The redirect URI needs to be registered in app registration. The registration is especially important when you deploy an app that you've initially tested locally. You then need to add the reply URL of the deployed app in the application registration portal.
 
 For daemon apps, you don't need to specify a redirect URI.
 
 ## Client secret
 
-This option specifies the client secret for the confidential client app. This secret (app password) is provided by the application registration portal or provided to Azure AD during app registration with PowerShell AzureAD, PowerShell AzureRM, or Azure CLI.
+This option specifies the client secret for the confidential client app. The client secret (app password) is provided by the application registration portal or provided to Azure AD during app registration with PowerShell AzureAD, PowerShell AzureRM, or Azure CLI.
 
 ## Logging
-To help in debugging and authentication failure troubleshooting scenarios, the Microsoft Authentication Library provides built-in logging support. Logging is each library is covered in the following articles:
+
+To help in debugging and authentication failure troubleshooting scenarios, the MSAL provides built-in logging support. Logging in each library is covered in the following articles:
 
 :::row:::
     :::column:::

articles/active-directory/manage-apps/toc.yml

@@ -43,6 +43,8 @@
     items: 
     - name: Application gallery
       href: overview-application-gallery.md
+    - name: Request to publish applications
+      href: v2-howto-app-gallery-listing.md
     - name: Application integration
       href: plan-an-application-integration.md
     - name: Application ownership
@@ -152,8 +154,6 @@
           href: migrate-okta-sync-provisioning-to-azure-active-directory.md
         - name: Migrate Okta federation to Azure AD managed authentication
           href: migrate-okta-federation-to-azure-active-directory.md
-    - name: Request to publish applications
-      href: v2-howto-app-gallery-listing.md
     - name: Secure legacy apps 
       items:
       - name: Secure hybrid access with Azure AD 

articles/active-directory/manage-apps/v2-howto-app-gallery-listing.md

@@ -10,7 +10,7 @@ ms.topic: how-to
 ms.workload: identity
 ms.date: 6/2/2022
 ms.author: ergreenl
-ms.custom: kr2b-contr-experiment
+ms.custom: kr2b-contr-experiment, contperf-fy22q4
 ---
 
 # Submit a request to publish your application in Azure Active Directory application gallery

articles/active-directory/saas-apps/docusign-tutorial.md

@@ -9,7 +9,7 @@ ms.service: active-directory
 ms.subservice: saas-app-tutorial
 ms.workload: identity
 ms.topic: tutorial
-ms.date: 03/16/2022
+ms.date: 07/14/2022
 ms.author: jeedes
 ---
 
@@ -27,6 +27,7 @@ To get started, you need the following items:
 
 * An Azure AD subscription. If you don't have a subscription, you can get a [free account](https://azure.microsoft.com/free/).
 * A DocuSign subscription that's single sign-on (SSO) enabled.
+* Control over your domain DNS. This is needed to claim domain on DocuSign. 
 
 > [!NOTE]
 > This integration is also available to use from Azure AD US Government Cloud environment. You can find this application in the Azure AD US Government Cloud Application Gallery and configure it in the same way as you do from public cloud.
@@ -142,68 +143,94 @@ In this section, you'll grant B.Simon access to DocuSign so that this user can u
 
 3. If you want to set up DocuSign manually, open a new web browser window and sign in to your DocuSign company site as an administrator.
 
-4. In the upper-right corner of the page, select the profile logo, and then select **Go to Admin**.
+4. In the upper-left corner of the page, select the  app launcher (9 dots), and then select **Admin**.
 
-    ![Go to Admin under Profile][51]
+    ![Screenshot of Go to Admin under Profile.](media/docusign-tutorial/docusign-admin.png)
 
 5. On your domain solutions page, select **Domains**.
 
-    ![Domain Solutions/Domains][50]
+    ![Screenshot of Select_Domains.](media/docusign-tutorial/domains.png)
+
 
 6. In the **Domains** section, select **CLAIM DOMAIN**.
 
-    ![Claim Domain option][52]
+    ![Screenshot of Claim_domain.](media/docusign-tutorial/claim-domain.png)
+
 
 7. In the **Claim a Domain** dialog box, in the **Domain Name** box, type your company domain, and then select **CLAIM**. Make sure you verify the domain and that its status is active.
 
-    ![Claim a Domain/Domain Name dialog][53]
+    ![Screenshot of Claim a Domain/Domain Name dialog.](media/docusign-tutorial/claim-a-domain.png)
+
+8. In the **Domains** section, select **Get Validation Token** of new domain added in the claim list.
+
+    ![Screenshot of pending_Identity_provider.](media/docusign-tutorial/pending-Identity-provider.png)
+    
+9. Copy the **TXT Token**
+
+    ![Screenshot of TXT_token.](media/docusign-tutorial/token.png)
+
+10. Configure your DNS provider with the **TXT Token** by following these steps:
 
-8. On the domain solutions page, select **Identity Providers**.
+	a. Navigate to your domain's DNS record management page.
+	b. Add a new TXT record.
+	c. Name: @ or *
+	d. Text: paste the **TXT Token** value, which you copied from the earlier step.
+	e. TTL: Default or 1 hour / 3600 seconds
+
+
+11. On the domain solutions page, select **Identity Providers**.
 
-    ![Identity Providers option][54]
+    ![Screenshot of Identity Providers option.](media/docusign-tutorial/identity-providers.png)
 
-9. In the **Identity Providers** section, select **ADD IDENTITY PROVIDER**.
+12. In the **Identity Providers** section, select **ADD IDENTITY PROVIDER**.
 
-    ![Add Identity Provider option][55]
+    ![Screenshot of Add Identity Provider option.](media/docusign-tutorial/add-identity-provider-option.png)
 
-10. On the **Identity Provider Settings** page, follow these steps:
 
-    ![Identity Provider Settings fields][56]
+13. On the **Identity Provider Settings** page, follow these steps:
 
-    a. In the **Name** box, type a unique name for your configuration. Don't use spaces.
+    a. In the **Custom Name** box, type a unique name for your configuration. Don't use spaces.
+	
+	![Screenshot of name_Identity_provider.](media/docusign-tutorial/add-identity-providers.png)
 
     b. In the **Identity Provider Issuer box**, paste the **Azure AD Identifier** value, which you copied from the Azure portal.
 
+	![Screenshot of urls_Identity_provider.](media/docusign-tutorial/idp-urls.png)
+
+
     c. In the **Identity Provider Login URL** box, paste the **Login URL** value, which you copied from Azure portal.
 
     d. In the **Identity Provider Logout URL** box, paste the value of **Logout URL**, which you  copied from Azure portal.
+   
+       ![Screenshot of settings_Identity_provider.](media/docusign-tutorial/settings-Identity-provider.png)
+
 
     e. For **Send AuthN request by**, select **POST**.
 
     f. For **Send logout request by**, select **GET**.
 
     g. In the **Custom Attribute Mapping** section, select **ADD NEW MAPPING**.
 
-       ![Custom Attribute Mapping UI][62]
+       ![Screenshot of Custom Attribute Mapping UI.](media/docusign-tutorial/add-new-mapping.png)
 
     h. Choose the field you want to map to the Azure AD claim. In this example, the **emailaddress** claim is mapped with the value of `http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress`. That's the default claim name from Azure AD for the email claim. Select **SAVE**.
 
-       ![Custom Attribute Mapping fields][57]
+       ![Screenshot of Custom Attribute Mapping fields.](media/docusign-tutorial/email-address.png)
 
        > [!NOTE]
-       > Use the appropriate **User identifier** to map the user from Azure AD to DocuSign user mapping. Select the proper field, and enter the appropriate value based on your organization settings.
+       > Use the appropriate **User identifier** to map the user from Azure AD to DocuSign user mapping. Select the proper field, and enter the appropriate value based on your organization settings. Custom Attribute Mapping setting is not mandatory.
 
     i. In the **Identity Provider Certificates** section, select **ADD CERTIFICATE**, upload the certificate you downloaded from Azure AD portal, and select **SAVE**.
 
-       ![Identity Provider Certificates/Add Certificate][58]
+       ![Screenshot of Identity Provider Certificates/Add Certificate.](media/docusign-tutorial/certificates.png)
 
     j. In the **Identity Providers** section, select **ACTIONS**, and then select **Endpoints**.
 
-       ![Identity Providers/Endpoints][59]
+       ![Screenshot of Identity Providers/Endpoints.](media/docusign-tutorial/identity-providers-endpoints.png)
 
     k. In the **View SAML 2.0 Endpoints** section of the DocuSign admin portal, follow these steps:
 
-       ![View SAML 2.0 Endpoints][60]
+       ![Screenshot of View SAML 2.0 Endpoints.](media/docusign-tutorial/saml-endpoints.png)
 
        1. Copy the **Service Provider Issuer URL**, and then paste it into the **Identifier** box in **Basic SAML Configuration** section in the Azure portal.
 
@@ -230,22 +257,6 @@ In this section, you test your Azure AD single sign-on configuration with follow
 
 * You can use Microsoft My Apps. When you click the DocuSign tile in the My Apps, you should be automatically signed in to the DocuSign for which you set up the SSO. For more information about the My Apps, see [Introduction to the My Apps](https://support.microsoft.com/account-billing/sign-in-and-start-apps-from-the-my-apps-portal-2f3b1bae-0e5a-4a86-a33e-876fbd2a4510).
 
-## Next Steps
+## Next steps
 
 Once you configure DocuSign you can enforce Session control, which protects exfiltration and infiltration of your organization’s sensitive data in real time. Session control extends from Conditional Access. [Learn how to enforce session control with Microsoft Defender for Cloud Apps](/cloud-app-security/proxy-deployment-aad).
-
-<!--Image references-->
-
-[50]: ./media/docusign-tutorial/tutorial-docusign-18.png
-[51]: ./media/docusign-tutorial/tutorial-docusign-21.png
-[52]: ./media/docusign-tutorial/tutorial-docusign-22.png
-[53]: ./media/docusign-tutorial/tutorial-docusign-23.png
-[54]: ./media/docusign-tutorial/tutorial-docusign-19.png
-[55]: ./media/docusign-tutorial/tutorial-docusign-20.png
-[56]: ./media/docusign-tutorial/request.png
-[57]: ./media/docusign-tutorial/tutorial-docusign-25.png
-[58]: ./media/docusign-tutorial/tutorial-docusign-26.png
-[59]: ./media/docusign-tutorial/tutorial-docusign-27.png
-[60]: ./media/docusign-tutorial/tutorial-docusign-28.png
-[61]: ./media/docusign-tutorial/tutorial-docusign-29.png
-[62]: ./media/docusign-tutorial/tutorial-docusign-30.png