Commit acebd51

Merge branch 'main' into patch-285
2 parents 6f94e94 + 5fbf29b commit acebd51

1,110 files changed

+9397
-4534
lines changed


.openpublishing.publish.config.json

Lines changed: 3 additions & 2 deletions
Original file line numberDiff line numberDiff line change
@@ -813,8 +813,8 @@
813813
"branch_mapping": {}
814814
},
815815
{
816-
"path_to_root": "azure-spring-cloud-reference-architecture",
817-
"url": "https://github.com/Azure/azure-spring-cloud-reference-architecture",
816+
"path_to_root": "azure-spring-apps-reference-architecture",
817+
"url": "https://github.com/Azure/azure-spring-apps-reference-architecture",
818818
"branch": "main",
819819
"branch_mapping": {}
820820
},
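Review bot: the dependency at lines 816-817 is still pinned only by `"branch": "main"` (line 818), so whatever that branch of the new `azure-spring-apps-reference-architecture` repo holds at build time is what gets published; a rename is exactly the moment to pin to a tag or commit, or at least to confirm the new repo sits under the same Azure org controls as the old one, because the config now points at a different upstream. Also check that every article that referenced the old `path_to_root` "azure-spring-cloud-reference-architecture" for code snippets was updated; none of those articles appear in the visible part of this diff.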
@@ -1016,6 +1016,7 @@
10161016
"articles/mysql/.openpublishing.redirection.mysql.json",
10171017
"articles/container-apps/.openpublishing.redirection.container-apps.json",
10181018
"articles/spring-cloud/.openpublishing.redirection.spring-cloud.json",
1019+
"articles/spring-apps/.openpublishing.redirection.spring-apps.json",
10191020
"articles/load-testing/.openpublishing.redirection.azure-load-testing.json",
10201021
"articles/azure-video-indexer/.openpublishing.redirection.azure-video-indexer.json",
10211022
"articles/machine-learning/.openpublishing.redirection.machine-learning.json",
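Review bot: the new `articles/spring-apps/.openpublishing.redirection.spring-apps.json` entry at line 1019 is listed next to the existing spring-cloud file, but the file itself is not in the visible part of this diff; confirm it is part of the commit, since a missing redirection file breaks publishing. Both files stay registered, so make sure the two do not define different targets for the same source path.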

.openpublishing.redirection.azure-monitor.json

Lines changed: 5 additions & 0 deletions
@@ -430,6 +430,11 @@
430430
"source_path_from_root": "/articles/azure-monitor/insights/key-vault-insights-overview.md" ,
431431
"redirect_url": "/azure/key-vault/key-vault-insights-overview",
432432
"redirect_document_id": false
433+
},
434+
{
435+
"source_path_from_root": "/articles/azure-monitor/app/cloudservices.md" ,
436+
"redirect_url": "/azure/azure-monitor/app/azure-web-apps-net-core",
437+
"redirect_document_id": false
433438
}
434439
]
435440
}
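Review bot: the redirect added at lines 435-437 sends `/articles/azure-monitor/app/cloudservices.md` to `/azure/azure-monitor/app/azure-web-apps-net-core`, a page about a different hosting model; if the Cloud Services content was retired without a direct replacement, confirm that this target is intended rather than a more general Application Insights page. Style: the added `"source_path_from_root"` line copies the stray space before the comma from line 430; drop it in the new line.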

articles/active-directory/app-provisioning/on-premises-scim-provisioning.md

Lines changed: 25 additions & 21 deletions
@@ -23,27 +23,31 @@ The Azure Active Directory (Azure AD) provisioning service supports a [SCIM 2.0]
2323
- Administrator role for installing the agent. This task is a one-time effort and should be an Azure account that's either a hybrid administrator or a global administrator.
2424
- Administrator role for configuring the application in the cloud (application administrator, cloud application administrator, global administrator, or a custom role with permissions).
2525

26-
## On-premises app provisioning to SCIM-enabled apps
27-
To provision users to SCIM-enabled apps:
28-
29-
1. [Download](https://aka.ms/OnPremProvisioningAgent) the provisioning agent and copy it onto the virtual machine or server that your SCIM endpoint is hosted on.
30-
1. Open the provisioning agent installer, agree to the terms of service, and select **Install**.
31-
1. Open the provisioning agent wizard, and select **On-premises provisioning** when prompted for the extension you want to enable.
32-
1. Provide credentials for an Azure AD administrator when you're prompted to authorize. Hybrid administrator or global administrator is required.
33-
1. Select **Confirm** to confirm the installation was successful.
34-
1. Navigate to the Azure Portal and add the **On-premises SCIM app** from the [gallery](../../active-directory/manage-apps/add-application-portal.md).
35-
1. Select **On-Premises Connectivity**, and download the provisioning agent. 1. Go back to your application, and select **On-Premises Connectivity**.
36-
1. Select the agent that you installed from the dropdown list, and select **Assign Agent(s)**.
37-
1. Wait 20 minutes prior to completing the next step, to provide time for the agent assignment to complete.
38-
1. Provide the URL for your SCIM endpoint in the **Tenant URL** box. An example is https://localhost:8585/scim.
39-
![Screenshot that shows assigning an agent.](./media/on-premises-scim-provisioning/scim-2.png)
40-
1. Select **Test Connection**, and save the credentials. Use the steps [here](on-premises-ecma-troubleshoot.md#troubleshoot-test-connection-issues) if you run into connectivity issues.
41-
1. Configure any [attribute mappings](customize-application-attributes.md) or [scoping](define-conditional-rules-for-provisioning-user-accounts.md) rules required for your application.
42-
1. Add users to scope by [assigning users and groups](../../active-directory/manage-apps/add-application-portal-assign-users.md) to the application.
43-
1. Test provisioning a few users [on demand](provision-on-demand.md).
44-
1. Add more users into scope by assigning them to your application.
45-
1. Go to the **Provisioning** pane, and select **Start provisioning**.
46-
1. Monitor using the [provisioning logs](../../active-directory/reports-monitoring/concept-provisioning-logs.md).
26+
## Deploying Azure AD provisioning agent
27+
The Azure AD Provisioning agent can be deployed on the same server hosting a SCIM enabled application, or a seperate server, providing it has line of sight to the application's SCIM endpoint. A single agent also supports provision to multiple applications hosted locally on the same server or seperate hosts, again as long as each SCIM endpoint is reachable by the agent.
28+
29+
1. [Download](https://aka.ms/OnPremProvisioningAgent) the provisioning agent and copy it onto the virtual machine or server that your SCIM application endpoint is hosted on.
30+
2. Run the provisioning agent installer, agree to the terms of service, and select **Install**.
31+
3. Once installed, locate and launch the **AAD Connect Provisioning Agent wizard**, and when prompted for an extensions select **On-premises provisioning**
32+
4. For the agent to register itself with your tenant, provide credentials for an Azure AD admin with Hybrid administrator or global administrator permissions.
33+
5. Select **Confirm** to confirm the installation was successful.
34+
35+
## Provisioning to SCIM-enabled application
36+
Once the agent is installed, no further configuration is necesary on-prem, and all provisioning configurations are then managed from the portal. Repeat the below steps for every on-premises application being provisioned via SCIM.
37+
38+
1. In the Azure portal navigate to the Enterprise applications and add the **On-premises SCIM app** from the [gallery](../../active-directory/manage-apps/add-application-portal.md).
39+
2. From the left hand menu navigate to the **Provisioning** option and select **Get started**.
40+
3. Select **Automatic** from the dropdown list and expand the **On-Premises Connectivity** option.
41+
4. Select the agent that you installed from the dropdown list and select **Assign Agent(s)**.
42+
5. Now either wait 10 minutes or restart the **Microsoft Azure AD Connect Provisioning Agent** before proceeding to the next step & testing the connection.
43+
6. In the **Tenant URL** field, provide the SCIM endpoint URL for your application. The URL is typically unique to each target application and must be resolveable by DNS. An example for a scenario where the agent is installed on the same host as the application is https://localhost:8585/scim ![Screenshot that shows assigning an agent.](./media/on-premises-scim-provisioning/scim-2.png)
44+
7. Select **Test Connection**, and save the credentials. The application SCIM endpoint must be actively listening for inbound provisioning requests, otherwise the test will fail. Use the steps [here](on-premises-ecma-troubleshoot.md#troubleshoot-test-connection-issues) if you run into connectivity issues.
45+
8. Configure any [attribute mappings](customize-application-attributes.md) or [scoping](define-conditional-rules-for-provisioning-user-accounts.md) rules required for your application.
46+
9. Add users to scope by [assigning users and groups](../../active-directory/manage-apps/add-application-portal-assign-users.md) to the application.
47+
10. Test provisioning a few users [on demand](provision-on-demand.md).
48+
11. Add more users into scope by assigning them to your application.
49+
12. Go to the **Provisioning** pane, and select **Start provisioning**.
50+
13. Monitor using the [provisioning logs](../../active-directory/reports-monitoring/concept-provisioning-logs.md).
4751

4852
## Additional requirements
4953
* Ensure your [SCIM](https://techcommunity.microsoft.com/t5/identity-standards-blog/provisioning-with-scim-getting-started/ba-p/880010) implementation meets the [Azure AD SCIM requirements](use-scim-to-provision-users-and-groups.md).
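Review bot: step 7 of the new procedure (line 44) tells the reader to "save the credentials", but no earlier step says which credentials or where they are entered; the secret the agent presents to the SCIM endpoint is never mentioned, so add the step that supplies it (the old list at lines 38-40 had the same gap). The wait in step 5 also changes from 20 minutes (old line 37) to 10 minutes (new line 42) with no explanation; state the value the agent assignment actually needs. Line 43 says the Tenant URL must be resolvable by DNS while the example is `https://localhost:8585/scim`; say plainly that localhost works only when the agent runs on the application host, and that a separate host needs a name the agent's host can resolve. Spelling in the added text: "seperate" (twice, line 27), "supports provision to" should be "supports provisioning to" (line 27), "an extensions" (line 31), "necesary" (line 36), "resolveable" (line 43), and "on-prem" (line 36) should be "on-premises" to match the heading.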

articles/active-directory/develop/id-tokens.md

Lines changed: 1 addition & 1 deletion
@@ -84,7 +84,7 @@ The table below shows the claims that are in most ID tokens by default (except w
8484
|`roles`| Array of strings | The set of roles that were assigned to the user who is logging in. |
8585
|`rh` | Opaque String |An internal claim used by Azure to revalidate tokens. Should be ignored. |
8686
|`sub` | String | The principal about which the token asserts information, such as the user of an app. This value is immutable and cannot be reassigned or reused. The subject is a pairwise identifier - it is unique to a particular application ID. If a single user signs into two different apps using two different client IDs, those apps will receive two different values for the subject claim. This may or may not be wanted depending on your architecture and privacy requirements. |
87-
|`tid` | String, a GUID | Represents the tenant that the user is signing in to. For work and school accounts, the GUID is the immutable tenant ID of the organization that the user is signing in to. For sign-ins to the personal Microsoft account tenant (services like Xbox, Teams for Life, or Outlook), the value is `9188040d-6c67-4c5b-b112-36a304b66dad`. To receive this claim, your app must request the `profile` scope. |
87+
|`tid` | String, a GUID | Represents the tenant that the user is signing in to. For work and school accounts, the GUID is the immutable tenant ID of the organization that the user is signing in to. For sign-ins to the personal Microsoft account tenant (services like Xbox, Teams for Life, or Outlook), the value is `9188040d-6c67-4c5b-b112-36a304b66dad`.|
8888
| `unique_name` | String | Only present in v1.0 tokens. Provides a human readable value that identifies the subject of the token. This value is not guaranteed to be unique within a tenant and should be used only for display purposes. |
8989
| `uti` | String | Token identifier claim, equivalent to `jti` in the JWT specification. Unique, per-token identifier that is case-sensitive.|
9090
|`ver` | String, either 1.0 or 2.0 | Indicates the version of the id_token. |
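Review bot: line 87 drops the sentence "To receive this claim, your app must request the `profile` scope" without replacing it, so the table no longer says when `tid` is present. If the claim is now always issued, say so in the cell; if the scope is still required, the deletion removes guidance that multi-tenant apps depend on, because `tid` is the claim they check so that a token issued for one tenant is not accepted as coming from another.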

articles/active-directory/fundamentals/scenario-azure-first-sap-identity-integration.md

Lines changed: 2 additions & 2 deletions
@@ -29,7 +29,7 @@ This document provides advice on the technical design and configuration of SAP p
2929
| [IPS](https://help.sap.com/viewer/f48e822d6d484fa5ade7dda78b64d9f5/Cloud/en-US/2d2685d469a54a56b886105a06ccdae6.html) | SAP Cloud Identity Services - Identity Provisioning Service. IPS helps to synchronize identities between different stores / target systems. |
3030
| [XSUAA](https://blogs.sap.com/2019/01/07/uaa-xsuaa-platform-uaa-cfuaa-what-is-it-all-about/) | Extended Services for Cloud Foundry User Account and Authentication. XSUAA is a multi-tenant OAuth authorization server within the SAP BTP. |
3131
| [CF](https://www.cloudfoundry.org/) | Cloud Foundry. Cloud Foundry is the environment on which SAP built their multi-cloud offering for BTP (AWS, Azure, GCP, Alibaba). |
32-
| [Fiori](https://www.sap.com/products/fiori/develop.html) | The web-based user experience of SAP (as opposed to the desktop-based experience). |
32+
| [Fiori](https://www.sap.com/products/fiori.html) | The web-based user experience of SAP (as opposed to the desktop-based experience). |
3333

3434
## Overview
3535

@@ -272,4 +272,4 @@ Azure AD B2C doesn't natively support the use of groups to create collections of
272272

273273
Fortunately, Azure AD B2C is highly customizable, so you can configure the SAML tokens it sends to IAS to include any custom information. For various options on supporting authorization claims, see the documentation accompanying the [Azure AD B2C App Roles sample](https://github.com/azure-ad-b2c/api-connector-samples/tree/main/Authorization-AppRoles), but in summary: through its [API Connector](../../active-directory-b2c/api-connectors-overview.md) extensibility mechanism you can optionally still use groups, app roles, or even a custom database to determine what the user is allowed to access.
274274

275-
Regardless of where the authorization information comes from, it can then be emitted as the `Groups` attribute inside the SAML token by configuring that attribute name as the [default partner claim type on the claims schema](../../active-directory-b2c/claimsschema.md#defaultpartnerclaimtypes) or by overriding the [partner claim type on the output claims](../../active-directory-b2c/relyingparty.md#outputclaims). Note however that BTP allows you to [map Role Collections to User Attributes](https://help.sap.com/products/BTP/65de2977205c403bbc107264b8eccf4b/b3fbb1a9232d4cf99967a0b29dd85d4c.html), which means that *any* attribute name can be used for authorization decisions, even if you don't use the `Groups` attribute name.
275+
Regardless of where the authorization information comes from, it can then be emitted as the `Groups` attribute inside the SAML token by configuring that attribute name as the [default partner claim type on the claims schema](../../active-directory-b2c/claimsschema.md#defaultpartnerclaimtypes) or by overriding the [partner claim type on the output claims](../../active-directory-b2c/relyingparty.md#outputclaims). Note however that BTP allows you to [map Role Collections to User Attributes](https://help.sap.com/products/BTP/65de2977205c403bbc107264b8eccf4b/b3fbb1a9232d4cf99967a0b29dd85d4c.html), which means that *any* attribute name can be used for authorization decisions, even if you don't use the `Groups` attribute name.
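Review bot: the removed and added versions of line 275 read the same, so this is a whitespace-only change on the last line of the file (most likely a trailing space or the final newline). Fine to merge, but check that the result matches the repository's line-ending convention so the line does not flip back on the next edit.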
Lines changed: 108 additions & 0 deletions
@@ -0,0 +1,108 @@
1+
---
2+
title: 'Create an enterprise application from a multi-tenant application'
3+
description: Create an enterprise application using the client ID for a multi-tenant application.
4+
services: active-directory
5+
author: omondiatieno
6+
manager: CelesteDG
7+
ms.service: active-directory
8+
ms.subservice: app-mgmt
9+
ms.topic: how-to
10+
ms.workload: identity
11+
ms.date: 07/26/2022
12+
ms.author: jomondi
13+
ms.reviewer: karavar
14+
ms.custom: mode-other
15+
zone_pivot_groups: enterprise-apps-cli
16+
17+
18+
#Customer intent: As an administrator of an Azure AD tenant, I want to create an enterprise application using client ID for a multi-tenant application provided by a service provider or independent software vendor.
19+
---
20+
21+
# Create an enterprise application from a multi-tenant application in Azure Active Directory
22+
23+
In this article, you'll learn how to create an enterprise application in your tenant using the client ID for a multi-tenant application. An enterprise application refers to a service principal within a tenant. The service principal discussed in this article is the local representation, or application instance, of a global application object in a single tenant or directory.
24+
25+
Before you proceed to add the application using any of these options, check whether the enterprise application is already in your tenant by attempting to sign in to the application. If the sign-in is successful, the enterprise application already exists in your tenant.
26+
27+
If you have verified that the application isn't in your tenant, proceed with any of the following ways to add the enterprise application to your tenant using the appId
28+
29+
## Prerequisites
30+
31+
To add an enterprise application to your Azure AD tenant, you need:
32+
33+
- An Azure AD user account. If you don't already have one, you can [Create an account for free](https://azure.microsoft.com/free/?WT.mc_id=A261C142F).
34+
- One of the following roles: Global Administrator, Cloud Application Administrator, or Application Administrator.
35+
- The client ID of the multi-tenant application.
36+
37+
38+
## Create an enterprise application
39+
40+
:::zone pivot="admin-consent-url"
41+
42+
If you've been provided with the admin consent URL, navigate to the URL through a web browser to [grant tenant-wide admin consent](grant-admin-consent.md) to the application. Granting tenant-wide admin consent to the application will add it to your tenant. The tenant-wide admin consent URL has the following format:
43+
44+
```http
45+
https://login.microsoftonline.com/common/oauth2/authorize?response_type=code&client_id=248e869f-0e5c-484d-b5ea1fba9563df41&redirect_uri=https://www.your-app-url.com
46+
```
47+
where:
48+
49+
- `{client-id}` is the application's client ID (also known as appId).
50+
51+
:::zone-end
52+
53+
:::zone pivot="msgraph-powershell"
54+
55+
1. Run `connect-MgGraph -Scopes "Application.ReadWrite.All"` and sign in with a Global Admin user account.
56+
1. Run the following command to create the enterprise application:
57+
58+
```powershell
59+
New-MgServicePrincipal -AppId fc876dd1-6bcb-4304-b9b6-18ddf1526b62
60+
```
61+
1. To delete the enterprise application you created, run the command:
62+
63+
```powershell
64+
Remove-MgServicePrincipal
65+
-ServicePrincipalId <objectID>
66+
```
67+
:::zone-end
68+
:::zone pivot="ms-graph"
69+
70+
From the Microsoft Graph explorer window:
71+
72+
1. To create the enterprise application, insert the following query:
73+
74+
```http
75+
POST /servicePrincipals.
76+
```
77+
1. Supply the following request in the **Request body**.
78+
79+
{
80+
"appId": "fc876dd1-6bcb-4304-b9b6-18ddf1526b62"
81+
}
82+
1. Grant the Application.ReadWrite.All permission under the **Modify permissions** tab and select **Run query**.
83+
84+
1. To delete the enterprise application you created, run the query:
85+
86+
```http
87+
DELETE /servicePrincipals/{objectID}
88+
```
89+
:::zone-end
90+
:::zone pivot="azure-cli"
91+
1. To create the enterprise application, run the following command:
92+
93+
```azurecli
94+
az ad sp create --id fc876dd1-6bcb-4304-b9b6-18ddf1526b62
95+
```
96+
97+
1. To delete the enterprise application you created, run the command:
98+
99+
```azurecli
100+
az ad sp delete --id
101+
```
102+
103+
:::zone-end
104+
105+
## Next steps
106+
107+
- [Add RBAC role to the enterprise application](/azure/role-based-access-control/role-assignments-portal)
108+
- [Assign users to your application](add-application-portal-assign-users.md)
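Review bot: the URL at line 45 does not do what line 42 says. `https://login.microsoftonline.com/common/oauth2/authorize?response_type=code&client_id=...&redirect_uri=...` is an ordinary v1.0 authorization-code request; tenant-wide admin consent is only requested when `prompt=admin_consent` is added, or when the `/{tenant}/adminconsent?client_id=...&redirect_uri=...` endpoint is used, so a reader following this example gets a normal sign-in (and at most a user consent prompt, subject to the tenant's user consent settings), not the tenant-wide grant the text promises. Lines 47-49 then explain a `{client-id}` placeholder that the URL never contains; put the placeholder in the URL instead of the literal value, which is in any case not a valid GUID (`248e869f-0e5c-484d-b5ea1fba9563df41` has four groups, a hyphen is missing). The example should also say that `redirect_uri` must be one registered on the application or the request is rejected. Smaller fixes: line 55 asks for a Global Admin while the prerequisites at line 34 accept Cloud Application Administrator or Application Administrator, and the least-privileged of those should be the one recommended; lines 64-65 split `Remove-MgServicePrincipal` and `-ServicePrincipalId <objectID>` across two lines with no backtick continuation, so it does not run as pasted; `POST /servicePrincipals.` at line 75 has a trailing period; the request body at lines 79-81 is not fenced like the other snippets; `az ad sp delete --id` at line 100 is missing its argument.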

articles/active-directory/manage-apps/toc.yml

Lines changed: 2 additions & 0 deletions
@@ -234,6 +234,8 @@
234234
href: application-sign-in-problem-application-error.md
235235
- name: Problem signing into a Microsoft app
236236
href: application-sign-in-problem-first-party-microsoft.md
237+
- name: Create enterprise app for multi-tenant app registration
238+
href: create-service-principal-cross-tenant.md
237239
- name: Reference
238240
items:
239241
- name: Deletion and recovery FAQ
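Review bot: the TOC entry name "Create enterprise app for multi-tenant app registration" (line 237) does not match the article title "Create an enterprise application from a multi-tenant application"; align the two so the navigation label and the page heading read the same.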

articles/active-directory/manage-apps/what-is-application-management.md

Lines changed: 1 addition & 1 deletion
@@ -61,7 +61,7 @@ To [manage access](what-is-access-management.md) for an application, you want to
6161

6262
You can [manage user consent settings](configure-user-consent.md) to choose whether users can allow an application or service to access user profiles and organizational data. When applications are granted access, users can sign in to applications integrated with Azure AD, and the application can access your organization's data to deliver rich data-driven experiences.
6363

64-
Users often are unable to consent to the permissions an application is requesting. Configure the [admin consent workflow](configure-admin-consent-workflow.md) to allow users to provide a justification and request an administrator's review and approval of an application.
64+
Users often are unable to consent to the permissions an application is requesting. Configure the admin consent workflow to allow users to provide a justification and request an administrator's review and approval of an application. For training on how to configure admin consent workflow in your Azure AD tenant, see [Configure admin consent workflow](/learn/modules/configure-admin-consent-workflow).
6565

6666
As an administrator, you can [grant tenant-wide admin consent](grant-admin-consent.md) to an application. Tenant-wide admin consent is necessary when an application requires permissions that regular users aren't allowed to grant, and allows organizations to implement their own review processes. Always carefully review the permissions the application is requesting before granting consent. When an application has been granted tenant-wide admin consent, all users are able to sign into the application unless it has been configured to require user assignment.
6767

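Review bot: line 64 replaces the in-repo link to configure-admin-consent-workflow.md with a link to a Learn training module; the how-to page is what an administrator needs when actually configuring the workflow, so keep that link on "admin consent workflow" and add the training link as the second sentence rather than swapping one for the other. The new link also uses the site-root path `/learn/modules/...` while every other link in the paragraph is a relative `.md` link; confirm the build resolves it.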