Merge pull request #109683 from MicrosoftDocs/repo_sync_working_branch

Confirm merge from repo_sync_working_branch to master to sync with https://github.com/Microsoft/azure-docs (branch master)

Author: tfosmark

articles/active-directory/manage-apps/application-sign-in-unexpected-user-consent-error.md

@@ -30,9 +30,12 @@ Certain conditions must be true for a user to consent to the permissions an appl
 
 ## Requesting not authorized permissions error
 * **AADSTS90093:** <clientAppDisplayName> is requesting one or more permissions that you are not authorized to grant. Contact an administrator, who can consent to this application on your behalf.
+* **AADSTS90094:** <clientAppDisplayName> needs permission to access resources in your organization that only an admin can grant. Please ask an admin to grant permission to this app before you can use it.
 
 This error occurs when a user who is not a company administrator attempts to use an application that is requesting permissions that only an administrator can grant. This error can be resolved by an administrator granting access to the application on behalf of their organization.
 
+This error can also occur when a user is prevented from consenting to an application due to Microsoft detecting that the permissions request is risky. In this case, an audit event will also be logged with a Category of "ApplicationManagement", Activity Type of "Consent to application" and Status Reason of "Risky application detected".
+
 ## Policy prevents granting permissions error
 * **AADSTS90093:** An administrator of <tenantDisplayName> has set a policy that prevents you from granting <name of app> the permissions it is requesting. Contact an administrator of <tenantDisplayName>, who can grant permissions to this app on your behalf.
 

articles/active-directory/manage-apps/configure-user-consent.md

@@ -139,10 +139,54 @@ You can use the Azure AD PowerShell Preview module ([AzureADPreview](https://doc
     }
     ```
 
+## Configure risk-based step-up consent
+
+Risk-based step-up consent helps reduce user exposure to malicious apps making [illicit consent requests](https://docs.microsoft.com/microsoft-365/security/office-365-security/detect-and-remediate-illicit-consent-grants). If Microsoft detects a risky end-user consent request, the request will require a "step-up" to admin consent instead. This capability is enabled by default, but it will only result in a behavior change when end-user consent is enabled.
+
+When a risky consent request is detected, the consent prompt will display a message indicating that admin approval is needed. If the [admin consent request workflow](configure-admin-consent-workflow.md) is enabled, the user can send the request to an admin for further review directly from the consent prompt. If it is not enabled, the following message will be displayed:
+
+* **AADSTS90094:** <clientAppDisplayName> needs permission to access resources in your organization that only an admin can grant. Please ask an admin to grant permission to this app before you can use it.
+
+In this case, an audit event will also be logged with a Category of "ApplicationManagement", Activity Type of "Consent to application" and Status Reason of "Risky application detected".
+
+> [!IMPORTANT]
+> Admins should [evaluate all consent requests](manage-consent-requests.md#evaluating-a-request-for-tenant-wide-admin-consent) carefully before approving, especially when Microsoft has detected risk.
+
+### Disable or re-enable risk-based step-up consent using PowerShell
+
+You can use the Azure AD PowerShell Preview module ([AzureADPreview](https://docs.microsoft.com/powershell/module/azuread/?view=azureadps-2.0-preview)), to disable the step-up to admin consent required in cases where Microsoft detects risk or to re-enable it if it was previously disabled.
+
+This can be done using the same steps as shown above for [configuring group owner consent using PowerShell](#configure-group-owner-consent-using-powershell), but substituting a different settings value. There are three differences in steps: 
+
+1. Understand the setting values for risk based step-up consent:
+
+    | Setting       | Type         | Description  |
+    | ------------- | ------------ | ------------ |
+    | _BlockUserConsentForRiskyApps_   | Boolean |  Flag indicating if user consent will be blocked when a risky request is detected. |
+
+2. Substitute the following value in step 3:
+
+    ```powershell
+    $riskBasedConsentEnabledValue = $settings.Values | ? { $_.Name -eq "BlockUserConsentForRiskyApps" }
+    ```
+3. Substitute one of the following in step 5:
+
+    ```powershell
+    # Disable risk-based step-up consent entirely
+    $riskBasedConsentEnabledValue.Value = "False"
+    ```
+
+    ```powershell
+    # Re-enable risk-based step-up consent, if disabled previously
+    $riskBasedConsentEnabledValue.Value = "True"
+    ```
+
 ## Next steps
 
 [Configure the admin consent workflow](configure-admin-consent-workflow.md)
 
+[Learn how to manage consent to applications and evaluate consent requests](manage-consent-requests.md)
+
 [Grant tenant-wide admin consent to an application](grant-admin-consent.md)
 
 [Permissions and consent in the Microsoft identity platform](../develop/active-directory-v2-scopes.md)

articles/active-directory/saas-apps/media/netvision-compas-tutorial/admin-idps.png

@@ -41,7 +41,7 @@ To get started, you need the following items:
 In this tutorial, you configure and test Azure AD SSO in a test environment.
 
 * Netvision Compas supports **SP and IDP** initiated SSO
-* Once you configure Netvision Compas you can enforce Session Control, which protects exfiltration and infiltration of your organization’s sensitive data in real time. Session Control extends from Conditional Access. [Learn how to enforce session control with Microsoft Cloud App Security](https://docs.microsoft.com/cloud-app-security/proxy-deployment-aad)
+* Once you configure Netvision Compas you can enforce Session Control, which protects exfiltration and infiltration of your organization's sensitive data in real time. Session Control extends from Conditional Access. [Learn how to enforce session control with Microsoft Cloud App Security](https://docs.microsoft.com/cloud-app-security/proxy-deployment-aad)
 
 
 ## Adding Netvision Compas from the gallery
@@ -66,7 +66,7 @@ To configure and test Azure AD SSO with Netvision Compas, complete the following
     1. **[Create an Azure AD test user](#create-an-azure-ad-test-user)** - to test Azure AD single sign-on with B.Simon.
     1. **[Assign the Azure AD test user](#assign-the-azure-ad-test-user)** - to enable B.Simon to use Azure AD single sign-on.
 1. **[Configure Netvision Compas SSO](#configure-netvision-compas-sso)** - to configure the single sign-on settings on application side.
-    1. **[Create Netvision Compas test user](#create-netvision-compas-test-user)** - to have a counterpart of B.Simon in Netvision Compas that is linked to the Azure AD representation of user.
+    1. **[Configure Netvision Compas test user](#configure-netvision-compas-test-user)** - to have a counterpart of B.Simon in Netvision Compas that is linked to the Azure AD representation of user.
 1. **[Test SSO](#test-sso)** - to verify whether the configuration works.
 
 ## Configure Azure AD SSO
@@ -92,16 +92,14 @@ Follow these steps to enable Azure AD SSO in the Azure portal.
     In the **Sign-on URL** text box, type a URL using the following pattern:
     `https://<TENANT>.compas.cloud/Identity/Auth/AssertionConsumerService`
 
-	> [!NOTE]
-	> These values are not real. Update these values with the actual Identifier, Reply URL and Sign-on URL. Contact [Netvision Compas Client support team](mailto:[email protected]) to get these values. You can also refer to the patterns shown in the **Basic SAML Configuration** section in the Azure portal.
+    > [!NOTE]
+    > These values are not real. Update these values with the actual Identifier, Reply URL and Sign-on URL. Contact [Netvision Compas Client support team](mailto:[email protected]) to get these values. You can also refer to the patterns shown in the **Basic SAML Configuration** section in the Azure portal.
 
-1. On the **Set up single sign-on with SAML** page, in the **SAML Signing Certificate** section,  find **Certificate (Base64)** and select **Download** to download the certificate and save it on your computer.
+1. On the **Set up single sign-on with SAML** page, in the **SAML Signing Certificate** section,  find **Federation Metadata XML** and select **Download** to download the metadata file and save it on your computer.
 
-	![The Certificate download link](common/certificatebase64.png)
+    ![The Certificate download link](common/metadataxml.png)
 
-1. On the **Set up Netvision Compas** section, copy the appropriate URL(s) based on your requirement.
 
-	![Copy configuration URLs](common/copy-configuration-urls.png)
 
 ### Create an Azure AD test user
 
@@ -127,26 +125,67 @@ In this section, you'll enable B.Simon to use Azure single sign-on by granting a
 
 1. Select **Add user**, then select **Users and groups** in the **Add Assignment** dialog.
 
-	![The Add User link](common/add-assign-user.png)
+    ![The Add User link](common/add-assign-user.png)
 
 1. In the **Users and groups** dialog, select **B.Simon** from the Users list, then click the **Select** button at the bottom of the screen.
 1. If you're expecting any role value in the SAML assertion, in the **Select Role** dialog, select the appropriate role for the user from the list and then click the **Select** button at the bottom of the screen.
 1. In the **Add Assignment** dialog, click the **Assign** button.
 
 ## Configure Netvision Compas SSO
 
-To configure single sign-on on **Netvision Compas** side, you need to send the downloaded **Certificate (Base64)** and appropriate copied URLs from Azure portal to [Netvision Compas support team](mailto:[email protected]). They set this setting to have the SAML SSO connection set properly on both sides.
+In this section you enable SAML SSO in **Netvision Compas**.
+1. Log into **Netvision Compas** using an administrative account and access the administration area.
 
-### Create Netvision Compas test user
+    ![Admin area](media/netvision-compas-tutorial/admin.png)
 
-In this section, you create a user called B.Simon in Netvision Compas. Work with [Netvision Compas support team](mailto:[email protected]) to add the users in the Netvision Compas platform. Users must be created and activated before you use single sign-on.
+1. Locate the **System** area and select **Identity Providers**.
+
+    ![Admin IDPs](media/netvision-compas-tutorial/admin-idps.png)
+
+1. Select the **Add** action to register Azure AD as a new IDP.
+
+    ![Add IDP](media/netvision-compas-tutorial/idps-add.png)
+
+1. Select **SAML** for the **Provider type**.
+1. Enter meaningful values for the **Display name** and **Description** fields.
+1. Assign **Netvision Compas** users to the IDP by selecting from the **Available users** list and then selecting the **Add selected** button. Users can also be assigned to the IDP while following the provisioning procedure.
+1. For the **Metadata** SAML option click the **Choose File** button and select the metadata file previously saved on your computer.
+1. Click **Save**.
+
+    ![Edit IDP](media/netvision-compas-tutorial/idp-edit.png)
+
+
+### Configure Netvision Compas test user
+
+In this section, you configure an existing user in **Netvision Compas** to use Azure AD for SSO.
+1. Follow the **Netvision Compas** user provisioning procedure, as defined by your company or edit an existing user account.
+1. While defining the user's profile, make sure that the user's **Email (Personal)** address matches the Azure AD username: [email protected]. For example, `[email protected]`.
+
+    ![Edit user](media/netvision-compas-tutorial/user-config.png)
+
+Users must be created and activated before you use single sign-on.
 
 ## Test SSO 
 
-In this section, you test your Azure AD single sign-on configuration using the Access Panel.
+In this section, you test your Azure AD single sign-on configuration.
+
+### Using the Access Panel (IDP initiated).
 
 When you click the Netvision Compas tile in the Access Panel, you should be automatically signed in to the Netvision Compas for which you set up SSO. For more information about the Access Panel, see [Introduction to the Access Panel](https://docs.microsoft.com/azure/active-directory/active-directory-saas-access-panel-introduction).
 
+### Directly accessing Netvision Compas (SP initiated).
+
+1. Access the **Netvision Compas** URL. For example, `https://tenant.compas.cloud`.
+1. Enter the **Netvision Compas** username and select **Next**.
+
+    ![Login user](media/netvision-compas-tutorial/login-user.png)
+
+1. **(optional)** If the user is assigned multiple IDPs within **Netvision Compas**, a list of available IDPs is presented. Select the Azure AD IDP configured previously in **Netvision Compas**.
+
+    ![Login choose](media/netvision-compas-tutorial/login-choose.png)
+
+1. You are redirected to Azure AD to perform the authentication. Once you are successfully authenticated, you should be automatically signed in to **Netvision Compas** for which you set up SSO.
+
 ## Additional resources
 
 - [ List of Tutorials on How to Integrate SaaS Apps with Azure Active Directory ](https://docs.microsoft.com/azure/active-directory/active-directory-saas-tutorial-list)
@@ -157,4 +196,4 @@ When you click the Netvision Compas tile in the Access Panel, you should be auto
 
 - [Try Netvision Compas with Azure AD](https://aad.portal.azure.com/)
 
-- [What is session control in Microsoft Cloud App Security?](https://docs.microsoft.com/cloud-app-security/proxy-intro-aad)
+- [What is session control in Microsoft Cloud App Security?](https://docs.microsoft.com/cloud-app-security/proxy-intro-aad)