Merge branch 'master' of https://github.com/MicrosoftDocs/azure-docs-pr into overview-rewrite

Author: eross-msft

.openpublishing.redirection.json

@@ -33,7 +33,7 @@ The following example shows the content definition identifier and the definition
   <Metadata>
     <Item Key="DisplayName">Local account sign up page</Item>
   </Metadata>
-  <LoalizedResourcesReferences MergeBehavior="Prepend">
+  <LocalizedResourcesReferences MergeBehavior="Prepend">
     <LocalizedResourcesReference Language="en" LocalizedResourcesReferenceId="api.localaccountsignup.en" />
     <LocalizedResourcesReference Language="es" LocalizedResourcesReferenceId="api.localaccountsignup.es" />
     ...

articles/active-directory-b2c/contentdefinitions.md

@@ -21,12 +21,17 @@ It is probably not a surprise that an Azure Active Directory (Azure AD) joined d
 
 This article explains how this works.
 
+## Prerequisites
+
+ If Azure AD joined machines are not connected to your organization's network, a VPN or other network infrastructure is required. On-premises SSO requires line-of-sight communication with your on-premises AD DS domain controllers.
+
 ## How it works 
 
 Because you need to remember just one single user name and password, SSO simplifies access to your resources and improves the security of your environment. With an Azure AD joined device, your users already have an SSO experience to the cloud apps in your environment. If your environment has an Azure AD and an on-premises AD, you probably want to expand the scope of your SSO experience to your on-premises Line Of Business (LOB) apps, file shares, and printers.  
 
 Azure AD joined devices have no knowledge about your on-premises AD environment because they aren't joined to it. However, you can provide additional information about your on-premises AD to these devices with Azure AD Connect.
-An environment that has both, an Azure AD and an on-premises AD, is also known has hybrid environment. If you have a hybrid environment, it is likely that you already have Azure AD Connect deployed to synchronize your on-premises identity information to the cloud. As part of the synchronization process, Azure AD Connect synchronizes on-premises domain information to Azure AD. When a user signs in to an Azure AD joined device in a hybrid environment:
+
+An environment that has both, an Azure AD and an on-premises AD, is also known has hybrid environment. If you have a hybrid environment, it is likely that you already have Azure AD Connect deployed to synchronize your on-premises identity information to the cloud. As part of the synchronization process, Azure AD Connect synchronizes on-premises user information to Azure AD. When a user signs in to an Azure AD joined device in a hybrid environment:
 
 1. Azure AD sends the name of the on-premises domain the user is a member of back to the device. 
 1. The local security authority (LSA) service enables Kerberos authentication on the device.

articles/active-directory/develop/media/v2-shared-device-mode/lifecycle.png

@@ -46,6 +46,9 @@ The following Windows distributions are currently supported during the preview o
 - Windows Server 2019 Datacenter
 - Windows 10 1809 and later
 
+> [!IMPORTANT]
+> Remote connection to VMs joined to Azure AD is only allowed from Windows 10 PCs that are Azure AD joined or hybrid Azure AD joined to the **same** directory as the VM. 
+
 The following Azure regions are currently supported during the preview of this feature:
 
 - All Azure global regions

articles/active-directory/devices/azuread-join-sso.md

@@ -0,0 +1,117 @@
+---
+title: Managing consent to applications and evaluating consent requests - Azure AD
+description: Learn how to manage consent requests when user consent is disabled or restricted, and how to evaluate a request for tenant-wide admin consent to an application.
+services: active-directory
+author: psignoret
+manager: CelesteDG
+
+ms.service: active-directory
+ms.subservice: app-mgmt
+ms.workload: identity
+ms.topic: conceptual
+ms.date: 12/27/2019
+ms.author: mimart
+ms.reviewer: phsignor
+ms.collection: M365-identity-device-management
+---
+
+# Managing consent to applications and evaluating consent requests
+
+Microsoft [recommends](https://docs.microsoft.com/azure/security/fundamentals/steps-secure-identity#restrict-user-consent-operations) disabling end-user consent to applications. This will centralize the decision-making process with your organization's security and identity administrator team.
+
+After end-user consent is disabled or restricted, there are several important considerations to ensure your organization stays secure while still allowing business critical applications to be used. These steps are crucial to minimize impact on your organization's support team and IT administrators, while preventing the use of unmanaged accounts in third-party applications.
+
+## Process changes and education
+
+ 1. Consider enabling the [admin consent workflow (preview)](configure-admin-consent-workflow.md) to allow users to request administrator approval directly from the consent screen.
+
+ 2. Ensure all administrators understand the [permissions and consent framework](../develop/consent-framework.md), how the [consent prompt](../develop/application-consent-experience.md) works, and how to [evaluate a request for tenant-wide admin consent](#evaluating-a-request-for-tenant-wide-admin-consent).
+ 3. Review your organization's existing processes for users to request administrator approval for an application, and make updates if necessary. If processes are changed:
+    * Update the relevant documentation, monitoring, automation, and so on.
+    * Communicate process changes to all affected users, developers, support teams, and IT administrators.
+
+## Auditing and monitoring
+
+1. [Audit apps and granted permissions](https://docs.microsoft.com/azure/security/fundamentals/steps-secure-identity#audit-apps-and-consented-permissions) in your organization to ensure no unwarranted or suspicious applications have previously been granted access to data.
+
+2. Review [Detect and Remediate Illicit Consent Grants in Office 365](https://docs.microsoft.com/microsoft-365/security/office-365-security/detect-and-remediate-illicit-consent-grants) for additional best practices and safeguards against suspicious applications requesting OAuth consent.
+
+3. If your organization has the appropriate license:
+
+    * Use additional [OAuth application auditing features in Microsoft Cloud App Security](https://docs.microsoft.com/azure/cloud-app-security/investigate-risky-oauth).
+    * Use [Azure Monitor Workbooks to monitor permissions and consent](../reports-monitoring/howto-use-azure-monitor-workbooks.md) related activity. The *Consent Insights* workbook provides a view of apps by number of failed consent requests. This can be helpful to prioritize applications for administrators to review and decide whether to grant them admin consent.
+
+### Additional considerations for reducing friction
+
+To minimize impact on trusted, business-critical applications which are already in use, consider proactively granting administrator consent to applications that have a high number of user consent grants:
+
+1. Take an inventory of the apps already added to your organization with high usage, based on sign-in logs or consent grant activity. A PowerShell [script](https://gist.github.com/psignoret/41793f8c6211d2df5051d77ca3728c09) can be used to quickly and easily discover applications with a large number of user consent grants.
+
+2. Evaluate the top applications that have not yet been granted admin consent.
+
+   > [!IMPORTANT]
+   > Carefully evaluate an application before granting tenant-wide admin consent, even if many users in the organization have already consented for themselves.
+
+3. For each application that is approved, grant tenant-wide admin consent using one of the methods documented below.
+
+4. For each approved application, consider [restricting user access](configure-user-consent.md).
+
+## Evaluating a request for tenant-wide admin consent
+
+Granting tenant-wide admin consent is a sensitive operation.  Permissions will be granted on behalf of the entire organization, and can include permissions to attempt highly privileged operations. For example, role management,  full access to all mailboxes or all sites, and full user impersonation.
+
+Before granting tenant-wide admin consent, you must ensure you trust the application and the application publisher, for the level of access you're granting. If you aren't confident you understand who controls the application and why the application is requesting the permissions, *do not grant consent*.
+
+The following list provides some recommendations to consider when evaluating a request to grant admin consent.
+
+* **Understand the [permissions and consent framework](../develop/consent-framework.md) in the Microsoft identity platform.**
+
+* **Understand the difference between [delegated permissions and application permissions](../develop/v2-permissions-and-consent.md#permission-types).**
+
+   Application permissions allow the application to access the data for the entire organization, without any user interaction. Delegated permissions allow the application to act on behalf of a user who at some point was signed into the application.
+
+* **Understand the permissions being requested.**
+
+   The permissions requested by the application are listed in the [consent prompt](../develop/application-consent-experience.md). Expanding the permission title will display the permission’s description. The description for application permissions will generally end in "without a signed-in user". The description for delegated permissions will generally end with "on behalf of the signed-in user." Permissions for the Microsoft Graph API are described in [Microsoft Graph Permissions Reference]- refer to the documentation for other APIs to understand the permissions they expose.
+
+   If you do not understand a permission being requested, *do not grant consent*.
+
+* **Understand which application is requesting permissions and who published the application.**
+
+   Be wary of malicious applications trying to look like other applications.
+
+   If you doubt the legitimacy of an application or its publisher, *do not grant consent*. Instead, seek additional confirmation (for example, directly from the application publisher).
+
+* **Ensure the permissions requested are aligned with the features you expect from the application.**
+
+   For example, an application offering SharePoint site management may require delegated access to read all site collections, but wouldn't necessarily need full access to all mailboxes, or full impersonation privileges in the directory.
+
+   If you suspect the application is requesting more permissions than it needs, *do not grant consent*. Contact the application publisher to obtain more details.
+
+## Granting consent as an administrator
+
+### Granting tenant-wide admin consent
+
+See [Grant tenant-wide admin consent to an application](grant-admin-consent.md) for step-by-step instructions for granting tenant-wide admin consent from the Azure portal, using Azure AD PowerShell, or from the consent prompt itself.
+
+### Granting consent on behalf of a specific user
+
+Instead of granting consent for the entire organization, an administrator can also use the [Azure AD Graph API](https://docs.microsoft.com/azure/active-directory/develop/active-directory-graph-api) to grant consent to delegated permissions on behalf of a single user. To do this, send a `POST` request to create an [OAuth2PermissionGrant](https://docs.microsoft.com/previous-versions/azure/ad/graph/api/entity-and-complex-type-reference#oauth2permissiongrant-entity) entity where `consentType` is set to "Principal", and `principalId` is set to the object ID for the user on behalf of whom consent is being granted.
+
+## Limiting user access to applications
+
+Users' access to applications can still be limited even when tenant-wide admin consent has been granted. For more information on how to require user assignment to an application, see [methods for assigning users and groups](methods-for-assigning-users-and-groups.md).
+
+For more a broader overview including how to handle additional complex scenarios, see [using Azure AD for application access management](what-is-access-management.md).
+
+## Next steps
+
+[Five steps to securing your identity infrastructure](https://docs.microsoft.com/azure/security/fundamentals/steps-secure-identity#before-you-begin-protect-privileged-accounts-with-mfa)
+
+[Configure the admin consent workflow](configure-admin-consent-workflow.md)
+
+[Configure how end-users consent to applications](configure-user-consent.md)
+
+[Permissions and consent in the Microsoft identity platform](../develop/active-directory-v2-scopes.md)
+
+[Azure AD on StackOverflow](https://stackoverflow.com/questions/tagged/azure-active-directory)

articles/active-directory/devices/howto-vm-sign-in-azure-ad-windows.md

@@ -141,6 +141,8 @@
         items:
         - name: Configure user consent
           href: configure-user-consent.md
+          name: Manage and evaluate consent requests
+          href: manage-consent-requests.md
         - name: Grant tenant-wide admin consent
           href: grant-admin-consent.md
         - name: Configure admin consent workflow (preview)

articles/active-directory/manage-apps/manage-consent-requests.md

@@ -22,6 +22,9 @@ ms.collection: M365-identity-device-management
 
 # Tutorial: Azure Active Directory single sign-on (SSO) integration with Adobe Creative Cloud
 
+> [!NOTE]
+> This article describes Adobe Admin Console's custom SAML-based setup for Azure Active Directory (Azure AD). For brand-new configurations, we recommend that you use the [Azure AD Connector](https://helpx.adobe.com/enterprise/using/sso-setup-azure.html). Azure AD Connector can be set up in minutes and shortens the process of domain claim, single sign-on setup, and user sync.
+
 In this tutorial, you'll learn how to integrate Adobe Creative Cloud with Azure Active Directory (Azure AD). When you integrate Adobe Creative Cloud with Azure AD, you can:
 
 * Control in Azure AD who has access to Adobe Creative Cloud.
@@ -108,7 +111,7 @@ Follow these steps to enable Azure AD SSO in the Azure portal.
 	> [!NOTE]
 	> Users need to have a valid Office 365 ExO license for email claim value to be populated in the SAML response.
 
-1. On the **Set up single sign-on with SAML** page, in the **SAML Signing Certificate** section,  find **Certificate (Base64)** and select **Download** to download the certificate and save it on your computer.
+1. On the **Set up single sign-on with SAML** page, in the **SAML Signing Certificate** section, find **Federation Data XML**, and then select **Download** to download the XML metadata file and save it on your computer.
 
 	![The Certificate download link](common/certificatebase64.png)
 
@@ -148,31 +151,26 @@ In this section, you'll enable B.Simon to use Azure single sign-on by granting a
 
 ## Configure Adobe Creative Cloud SSO
 
-1. In a different web browser window, sign-in to [Adobe Admin Console](https://adminconsole.adobe.com) as an administrator.
-
-2. Go to **Settings** on the top navigation bar and then choose **Identity**. The list of domains opens. Click **Configure** link against your domain. Then perform the following steps on **Single Sign On Configuration Required** section. For more information, see [Setup a domain](https://helpx.adobe.com/enterprise/using/set-up-domain.html)
-
-	![Settings](https://helpx.adobe.com/content/dam/help/en/enterprise/using/configure-microsoft-azure-with-adobe-sso/_jcr_content/main-pars/procedure_719391630/proc_par/step_3/step_par/image/edit-sso-configuration.png "Settings")
+1. In a different web browser window, sign in to [Adobe Admin Console](https://adminconsole.adobe.com) as a system administrator.
 
-	a. Click **Browse** to upload the downloaded certificate from Azure AD to **IDP Certificate**.
+1. Go to **Settings** on the top navigation bar, and then choose **Identity**. The list of directories opens. Select the Federated directory you want.
 
-	b. In the **IDP issuer** textbox, paste the value of **Azure AD Identifier** which you copied from Azure portal.
+1. On the **Directory Details** page, select **Configure**.
 
-	c. In the **IDP Login URL** textbox, paste the value of **Login URL** which you copied from Azure portal.
+1. Copy the Entity ID and the ACS URL (Assertion Consumer Service URL or Reply URL). Enter the URLs at the appropriate fields in the Azure portal.
 
-	d. Select **HTTP - Redirect** as **IDP Binding**.
+	![Configure single sign-on on the app side](./media/adobe-creative-cloud-tutorial/tutorial_adobe-creative-cloud_003.png)
 
-	e. Select **Email Address** as **User Login Setting**.
+	a. Use the Entity ID value Adobe provided you for **Identifier** in the **Configure App Settings** dialog box.
 
-	f. Click **Save** button.
+	b. Use the ACS URL (Assertion Consumer Service URL) value Adobe provided you for **Reply URL** in the **Configure App Settings** dialog box.
 
-3. The dashboard will now present the XML **"Download Metadata"** file. It contains Adobe’s EntityDescriptor URL and AssertionConsumerService URL. Please open the file and configure them in the Azure AD application.
+1. Near the bottom of the page, upload the **Federation Data XML** file that you downloaded from the Azure portal. 
 
-	![Configure Single Sign-On On App Side](./media/adobe-creative-cloud-tutorial/tutorial_adobe-creative-cloud_003.png)
+	![Federation Data XML file](https://helpx.adobe.com/content/dam/help/en/enterprise/kb/configure-microsoft-azure-with-adobe-sso/jcr_content/main-pars/procedure/proc_par/step_228106403/step_par/image_copy/saml_signinig_certificate.png "IdP Metadata XML")
 
-	a. Use the EntityDescriptor value Adobe provided you for **Identifier** on the **Configure App Settings** dialog.
+1. Select **Save**.
 
-	b. Use the AssertionConsumerService value Adobe provided you for **Reply URL** on the **Configure App Settings** dialog.
 
 ### Create Adobe Creative Cloud test user
 
@@ -205,7 +203,7 @@ When you click the Adobe Creative Cloud tile in the Access Panel, you should be
 
 - [Try Adobe Creative Cloud with Azure AD](https://aad.portal.azure.com/)
 
-- [Set up a domain (adobe.com)](https://helpx.adobe.com/enterprise/using/set-up-domain.html)
+- [Set up an identity (adobe.com)](https://helpx.adobe.com/enterprise/using/set-up-identity.html)
 
 - [Configure Azure for use with Adobe SSO (adobe.com)](https://helpx.adobe.com/enterprise/kb/configure-microsoft-azure-with-adobe-sso.html)
 

articles/active-directory/manage-apps/toc.yml

@@ -122,19 +122,15 @@ To configure Azure AD single sign-on with &frankly, perform the following steps:
 
 	![The Certificate download link](common/metadataxml.png)
 
-7. On the **Set up &frankly** section, copy the appropriate URL(s) as per your requirement.
 
-	![Copy configuration URLs](common/copy-configuration-urls.png)
+### Configure &frankly single sign-on
 
-	a. Login URL
+To enable single sign-on in &frankly:
 
-	b. Azure Ad Identifier
-
-	c. Logout URL
-
-### Configure &frankly Single Sign-On
-
-To configure single sign-on on **&frankly** side, you need to send the downloaded **Federation Metadata XML** and appropriate copied URLs from Azure portal to [&frankly support team](mailto:[email protected]). They set this setting to have the SAML SSO connection set properly on both sides.
+1. Log in to &frankly. Go to **Account** > **User Management**.
+1. Change the authentication mechanism from the default to **Enterprise Sign-on (SAML)**.
+1. Upload the **Federation Metadata XML** that you downloaded in step 6 in the preceding section.
+1. Select **Save**.
 
 ### Create an Azure AD test user
 
@@ -203,4 +199,4 @@ When you click the &frankly tile in the Access Panel, you should be automaticall
 
 - [What is application access and single sign-on with Azure Active Directory?](https://docs.microsoft.com/azure/active-directory/active-directory-appssoaccess-whatis)
 
-- [What is Conditional Access in Azure Active Directory?](https://docs.microsoft.com/azure/active-directory/conditional-access/overview)
+- [What is Conditional Access in Azure Active Directory?](https://docs.microsoft.com/azure/active-directory/conditional-access/overview)