Merge pull request #252732 from MicrosoftDocs/main

9/25/2023 AM Publish

Author: Taojunshen

articles/active-directory/app-provisioning/inbound-provisioning-api-configure-app.md

@@ -36,7 +36,7 @@ If you're configuring inbound user provisioning to on-premises Active Directory,
 ## Create your API-driven provisioning app
 
 1. Log in to the [Microsoft Entra admin center](<https://entra.microsoft.com>) as at least an [Application Administrator](https://go.microsoft.com/fwlink/?linkid=2247823).
-2. Browse to **Microsoft Entra ID** > **Applications** > **Enterprise applications**.
+2. Browse to **Identity** > **Applications** > **Enterprise applications**.
 3. Click on **New application** to create a new provisioning application. 
      [![Screenshot of Microsoft Entra Admin Center.](media/inbound-provisioning-api-configure-app/provisioning-entra-admin-center.png)](media/inbound-provisioning-api-configure-app/provisioning-entra-admin-center.png#lightbox)
 4. Enter **API-driven** in the search field, then select the application for your setup:

articles/active-directory/app-provisioning/inbound-provisioning-api-custom-attributes.md

@@ -28,20 +28,21 @@ You have configured API-driven provisioning app. You're provisioning app is succ
 
 In this step, we'll add the two attributes "HireDate" and "JobCode" that are not part of the standard SCIM schema to the provisioning app and use them in the provisioning data flow.
 
-1. Log in to your [Microsoft Entra admin center](https://entra.microsoft.com) as at least an [Application Administrator](https://go.microsoft.com/fwlink/?linkid=2247823).
-1. Browse to **Enterprise applications** and open your API-driven provisioning app. 
+1. Sign in to the [Microsoft Entra admin center](https://entra.microsoft.com) as at least an [Application Administrator](https://go.microsoft.com/fwlink/?linkid=2247823).
+1. Browse to **Identity** > **Applications** > **Enterprise applications**.
+1. Open your API-driven provisioning app. 
 1. Open the **Provisioning** blade. 
 1. Click on the **Edit Provisioning** button. 
 1. Expand the **Mappings** section and click on the attribute mapping link. <br>
-    :::image type="content" border="true" source="./media/inbound-provisioning-api-custom-attributes/edit-attribute-mapping.png" alt-text="Screenshot of edit attribute mapping." lightbox="./media/inbound-provisioning-api-custom-attributes/edit-attribute-mapping.png":::
+   :::image type="content" border="true" source="./media/inbound-provisioning-api-custom-attributes/edit-attribute-mapping.png" alt-text="Screenshot of edit attribute mapping." lightbox="./media/inbound-provisioning-api-custom-attributes/edit-attribute-mapping.png":::
 1. Scroll down the **Attribute Mappings** page. Select **Show advanced options** and click on the **Edit attribute list for API** link.
-    :::image type="content" border="true" source="./media/inbound-provisioning-api-custom-attributes/edit-api-attribute-list.png" alt-text="Screenshot of edit API attribute list." lightbox="./media/inbound-provisioning-api-custom-attributes/edit-api-attribute-list.png":::
+   :::image type="content" border="true" source="./media/inbound-provisioning-api-custom-attributes/edit-api-attribute-list.png" alt-text="Screenshot of edit API attribute list." lightbox="./media/inbound-provisioning-api-custom-attributes/edit-api-attribute-list.png":::
 1. Scroll down to the end of the **Edit Attribute List** page.
 1. Add the following two attributes to the list as SCIM schema extensions. You can use your own SCIM schema namespace. <br>
    `urn:ietf:params:scim:schemas:extension:contoso:1.0:User:HireDate` <br>
    `urn:ietf:params:scim:schemas:extension:contoso:1.0:User:JobCode` <br>
-    :::image type="content" border="true" source="./media/inbound-provisioning-api-custom-attributes/add-custom-attributes.png" alt-text="Screenshot of adding custom attributes." lightbox="./media/inbound-provisioning-api-custom-attributes/add-custom-attributes.png":::
-1.  **Save** your changes
+   :::image type="content" border="true" source="./media/inbound-provisioning-api-custom-attributes/add-custom-attributes.png" alt-text="Screenshot of adding custom attributes." lightbox="./media/inbound-provisioning-api-custom-attributes/add-custom-attributes.png":::
+1. **Save** your changes
 
 > [!NOTE]
 > If you'd like to add only a few additional attributes to the provisioning app, use Microsoft Entra admin center to extend the schema. If you'd like to add more custom attributes (let's say 20+ attributes), then we recommend using the [`UpdateSchema` mode of the CSV2SCIM PowerShell script](inbound-provisioning-api-powershell.md#extending-provisioning-job-schema) which automates the above manual process.

articles/active-directory/app-provisioning/on-premises-powershell-connector.md

@@ -30,14 +30,12 @@ The Microsoft Entra provisioning service supports a [SCIM 2.0](https://techcommu
 
 If you have already downloaded the provisioning agent and configured it for another on-premises application, then continue reading in the next section.
 
-  1.  In the Azure portal, select **Microsoft Entra ID**.
-  2.  On the left, select **Microsoft Entra Connect**.
-  3.  On the left, select **Cloud sync**.
+1. Sign in to the [Microsoft Entra admin center](https://entra.microsoft.com) as at least a [Hybrid Identity Administrator](../roles/permissions-reference.md#hybrid-identity-administrator).
+1. Browse to **Identity** > **Hybrid management** > **Azure AD Connect** > **Cloud Sync** > **Agents**.
 
- :::image type="content" source="../../../includes/media/active-directory-cloud-sync-how-to-install/new-ux-1.png" alt-text="Screenshot of new UX screen." lightbox="../../../includes/media/active-directory-cloud-sync-how-to-install/new-ux-1.png":::
+   :::image type="content" source="../../../includes/media/active-directory-cloud-sync-how-to-install/new-ux-1.png" alt-text="Screenshot of new UX screen." lightbox="../../../includes/media/active-directory-cloud-sync-how-to-install/new-ux-1.png":::
 
- 4. On the left, select **Agent**.
- 5. Select **Download on-premises agent**, and select **Accept terms & download**.
+1. Select **Download on-premises agent**, and select **Accept terms & download**.
 
      >[!NOTE]
      >Please use different provisioning agents for on-premises application provisioning and Microsoft Entra Connect Cloud Sync / HR-driven provisioning. All three scenarios should not be managed on the same agent. 
@@ -51,24 +49,31 @@ If you have already downloaded the provisioning agent and configured it for anot
 ## Provisioning to SCIM-enabled application
 Once the agent is installed, no further configuration is necessary on-premises, and all provisioning configurations are then managed from the portal. Repeat the below steps for every on-premises application being provisioned via SCIM.
 
- 1. In the Azure portal navigate to the Enterprise applications and add the **On-premises SCIM app** from the [gallery](../../active-directory/manage-apps/add-application-portal.md).
- 2. From the left hand menu navigate to the **Provisioning** option and select **Get started**.
- 3. Select **Automatic** from the dropdown list and expand the **On-Premises Connectivity** option.
- 4.  Select the agent that you installed from the dropdown list and select **Assign Agent(s)**.
- 5.  Now either wait 10 minutes or restart the **Microsoft Entra Connect Provisioning Agent** before proceeding to the next step & testing the connection.
- 6.  In the **Tenant URL** field, provide the SCIM endpoint URL for your application. The URL is typically unique to each target application and must be resolvable by DNS. An example for a scenario where the agent is installed on the same host as the application is https://localhost:8585/scim ![Screenshot that shows assigning an agent.](./media/on-premises-scim-provisioning/scim-2.png) 
- 7.  Select **Test Connection**, and save the credentials. The application SCIM endpoint must be actively listening for inbound provisioning requests, otherwise the test will fail. Use the steps [here](on-premises-ecma-troubleshoot.md#troubleshoot-test-connection-issues) if you run into connectivity issues. 
- >[!NOTE]
-> If the test connection fails, you will see the request made. Please note that while the URL in the test connection error message is truncated, the actual request sent to the application contains the entire URL provided above. 
-
- 8.  Configure any [attribute mappings](customize-application-attributes.md) or [scoping](define-conditional-rules-for-provisioning-user-accounts.md) rules required for your application.
- 9.  Add users to scope by [assigning users and groups](../../active-directory/manage-apps/add-application-portal-assign-users.md) to the application.
- 10.  Test provisioning a few users [on demand](provision-on-demand.md).
- 11.  Add more users into scope by assigning them to your application.
- 12.  Go to the **Provisioning** pane, and select **Start provisioning**.
- 13.  Monitor using the [provisioning logs](../../active-directory/reports-monitoring/concept-provisioning-logs.md).
+1. Sign in to the [Microsoft Entra admin center](https://entra.microsoft.com) as at least a [Application Administrator](../roles/permissions-reference.md#application-administrator).
+1. Browse to **Identity** > **Applications** > **Enterprise applications**.
+1. Add the **On-premises SCIM app** from the [gallery](../../active-directory/manage-apps/add-application-portal.md).
+1. From the left hand menu navigate to the **Provisioning** option and select **Get started**.
+1. Select **Automatic** from the dropdown list and expand the **On-Premises Connectivity** option.
+1. Select the agent that you installed from the dropdown list and select **Assign Agent(s)**.
+1. Now either wait 10 minutes or restart the **Microsoft Azure AD Connect Provisioning Agent** before proceeding to the next step & testing the connection.
+1. In the **Tenant URL** field, provide the SCIM endpoint URL for your application. The URL is typically unique to each target application and must be resolvable by DNS. An example for a scenario where the agent is installed on the same host as the application is https://localhost:8585/scim 
+
+   ![Screenshot that shows assigning an agent.](./media/on-premises-scim-provisioning/scim-2.png) 
+
+1. Select **Test Connection**, and save the credentials. The application SCIM endpoint must be actively listening for inbound provisioning requests, otherwise the test will fail. Use the steps [here](on-premises-ecma-troubleshoot.md#troubleshoot-test-connection-issues) if you run into connectivity issues. 
+
+   > [!NOTE]
+   > If the test connection fails, you will see the request made. Please note that while the URL in the test connection error message is truncated, the actual request sent to the application contains the entire URL provided above. 
+
+1. Configure any [attribute mappings](customize-application-attributes.md) or [scoping](define-conditional-rules-for-provisioning-user-accounts.md) rules required for your application.
+1. Add users to scope by [assigning users and groups](../../active-directory/manage-apps/add-application-portal-assign-users.md) to the application.
+1. Test provisioning a few users [on demand](provision-on-demand.md).
+1. Add more users into scope by assigning them to your application.
+1. Go to the **Provisioning** pane, and select **Start provisioning**.
+1. Monitor using the [provisioning logs](../../active-directory/reports-monitoring/concept-provisioning-logs.md).
 
 The following video provides an overview of on-premises provisioning.
+
 > [!VIDEO https://www.youtube.com/embed/QdfdpaFolys]
 
 ## Additional requirements

articles/active-directory/app-provisioning/on-premises-scim-provisioning.md

@@ -80,8 +80,8 @@ You also need a valid Microsoft Entra ID P1 or higher subscription license for e
 
 ### Prerequisites
 
-- Microsoft Entra ID [hybrid identity administrator](../roles/permissions-reference.md#hybrid-identity-administrator)  to configure the Microsoft Entra Connect provisioning agent.
-- Microsoft Entra ID [application administrator](../roles/permissions-reference.md#application-administrator) role to configure the provisioning app in the Azure portal
+- [Hybrid Identity Administrator](../roles/permissions-reference.md#hybrid-identity-administrator) role to configure the Connect provisioning agent.
+- [Application Administrator](../roles/permissions-reference.md#application-administrator) role to configure the provisioning app.
 - A test and production instance of the cloud HR app.
 - Administrator permissions in the cloud HR app to create a system integration user and make changes to test employee data for testing purposes.
 - For user provisioning to Active Directory, a server running Windows Server 2016 or greater is required to host the Microsoft Entra Connect provisioning agent. This server should be a tier 0 server based on the Active Directory administrative tier model.

articles/active-directory/app-provisioning/plan-cloud-hr-provision.md

@@ -30,23 +30,24 @@ Use on-demand provisioning to provision a user or group in seconds. Among other
 
 ::: zone pivot="app-provisioning"
 
-2. Browse to **Identity** > **Applications** > **Enterprise applications** > **All applications**.
+2. Browse to **Identity** > **Applications** > **Enterprise applications** > select your application.
+3. Select **Provisioning**.
 
-3. Select your application, and then go to the provisioning configuration page.
 ::: zone-end
 
 ::: zone pivot="cross-tenant-synchronization"
 
 2. Browse to **Identity** > **External Identities** > **Cross-tenant Synchronization** > **Configurations**
-
 3. Select your configuration, and then go to the **Provisioning** configuration page.
+
 ::: zone-end
 
 4. Configure provisioning by providing your admin credentials.
 
 5. Select **Provision on demand**.
 
 6. Search for a user by first name, last name, display name, user principal name, or email address. Alternatively, you can search for a group and pick up to five users. 
+
    > [!NOTE]
    > For Cloud HR provisioning app (Workday/SuccessFactors to AD/Azure AD), the input value is different. 
    > For Workday scenario, please provide "WorkerID" or "WID" of the user in Workday. 

articles/active-directory/app-provisioning/provision-on-demand.md

@@ -26,8 +26,10 @@ Because this configuration is widely used with the *Workday to Active Directory
 
 [!INCLUDE [portal updates](~/articles/active-directory/includes/portal-update.md)]
 
-1. Sign in to the [Azure portal](https://portal.azure.com), and navigate to the Properties section of your  provisioning application. For example, if you want to export your *Workday to AD User Provisioning application* mapping navigate to the Properties section of that app.
-1. In the Properties section of your provisioning app, copy the GUID value associated with the *Object ID* field. This value is also called the **ServicePrincipalId** of your app and it's used in Graph Explorer operations.
+1. Sign in to the [Microsoft Entra admin center](https://entra.microsoft.com) as at least a [Application Administrator](../roles/permissions-reference.md#application-administrator).
+1. Browse to **Identity** > **Applications** > **Enterprise applications**.
+1. Select your application and go to Properties section of your provisioning app. In this example we are using Workday.
+1. Copy the GUID value in the *Object ID* field. This value is also called the **ServicePrincipalId** of your app and it's used in Graph Explorer operations.
 
    ![Screenshot of Workday App Service Principal ID.](./media/skip-out-of-scope-deletions/wd_export_01.png)