articles/active-directory/b2b/add-user-without-invite.md
3 additions & 3 deletions
@@ -9,12 +9,12 @@ services: active-directory
9
9
ms.service: active-directory
10
10
ms.subservice: B2B
11
11
ms.topic: conceptual
12
-
ms.date: 05/21/2018
12
+
ms.date: 06/12/2019
13
13
14
14
ms.author: mimart
15
15
author: msmimart
16
16
manager: celestedg
17
-
ms.reviewer: sasubram
17
+
ms.reviewer: elisol
18
18
19
19
ms.collection: M365-identity-device-management
20
20
---
@@ -29,7 +29,7 @@ Before this new method was available, you could invite guest users without requi
29
29
2. The administrator in the host organization [sets up policies](delegate-invitations.md) that allow Sam to identify and add other users from the partner organization (Litware). (Sam must be added to the **Guest inviter** role.)
30
30
3. Now, Sam can add other users from Litware to the WoodGrove directory, groups, or applications without needing invitations to be redeemed. If Sam has the appropriate enumeration privileges in Litware, it happens automatically.
31
31
32
-
This original method still works. However, there's a small difference in behavior. If you use PowerShell, you'll notice that an invited guest account now has a **PendingAcceptance** status instead of immediately showing **Accepted**. Although the status is pending, the guest user can still sign in and access the app without clicking an email invitation link. The pending status means that the user has not yet gone through the [consent experience](redemption-experience.md#privacy-policy-agreement), where they accept the privacy terms of the inviting organization. The guest user sees this consent screen when they sign in for the first time.
32
+
This original method still works. However, there's a small difference in behavior. If you use PowerShell, you'll notice that an invited guest account now has a **PendingAcceptance** status instead of immediately showing **Accepted**. Although the status is pending, the guest user can still sign in and access the app without clicking an email invitation link. The pending status means that the user has not yet gone through the [consent experience](redemption-experience.md#consent-experience-for-the-guest), where they accept the privacy terms of the inviting organization. The guest user sees this consent screen when they sign in for the first time.
33
33
34
34
If you invite a user to the directory, the guest user must access the resource tenant-specific Azure portal URL directly (such as https://portal.azure.com/*resourcetenant*.onmicrosoft.com) to view and agree to the privacy terms.
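Review bot: The anchor change to `#consent-experience-for-the-guest` matches the renamed section in redemption-experience.md in this same commit, but that file also drops its `## Privacy policy agreement` and `## Terms of use` headings, so any other article still linking to `redemption-experience.md#privacy-policy-agreement` or `#terms-of-use` will now silently land at the top of the page; grep the docs set for both fragments before merging. The unchanged context line about the tenant-specific portal URL (`https://portal.azure.com/*resourcetenant*.onmicrosoft.com`) states the same constraint the new IMPORTANT callout in redemption-experience.md spells out, so a cross-link to that callout would help readers who start here.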
articles/active-directory/b2b/redemption-experience.md
37 additions & 24 deletions
@@ -7,57 +7,70 @@ services: active-directory
7
7
ms.service: active-directory
8
8
ms.subservice: B2B
9
9
ms.topic: conceptual
10
-
ms.date: 12/14/2018
10
+
ms.date: 06/12/2019
11
11
12
12
ms.author: mimart
13
13
author: msmimart
14
14
manager: celestedg
15
-
ms.reviewer: mal
15
+
ms.reviewer: elisol
16
16
17
17
ms.collection: M365-identity-device-management
18
18
---
19
19
20
20
# Azure Active Directory B2B collaboration invitation redemption
21
21
22
-
To collaborate with users from partner organizations through Azure Active Directory (Azure AD) B2B collaboration, you can invite guest users to access shared apps. After a guest user is added to the directory through the user interface, or the user is invited through PowerShell, guest users must go through a first-time consent process where they agree to [privacy terms](#privacy-policy-agreement). This process happens in either of the following ways:
22
+
This article describes the ways guest users can access your resources and the consent process they'll encounter. If you send an invitation email to the guest, the invitation includes a link the guest can redeem to get access your app or portal. The invitation email is just one of the ways guests can get access to your resources. As an alternative, you can add guests to your directory and give them a direct link to the portal or app you want to share. Regardless of the method they use, guests are guided through a first-time consent process. This process ensures that your guests agree to privacy terms and accept any [terms of use](https://docs.microsoft.com/azure/active-directory/governance/active-directory-tou) you've set up.
23
23
24
-
- The guest inviter sends out a direct link to a shared app. The invitee clicks the link to sign in, accepts the privacy terms, and seamlessly accesses the shared resource. (The guest user still receives an invitation email with a redemption URL, but other than some special cases, it's no longer required to use the invitation email.)
25
-
- The guest user receives an invitation email and clicks the redemption URL. As part of first-time sign-in, they're prompted to accept the privacy terms.
24
+
When you add a guest user to your directory, the guest user account has a consent status (viewable in PowerShell) that’s initially set to **PendingAcceptance**. This setting remains until the guest accepts your invitation and agrees to your privacy policy and terms of use. After that, the consent status changes to **Accepted**, and the consent pages are no longer presented to the guest.
25
+
26
+
## Redemption through the invitation email
27
+
28
+
When you add a guest user to your directory by [using the Azure portal](https://docs.microsoft.com/azure/active-directory/b2b/b2b-quickstart-add-guest-users-portal), an invitation email is sent to the guest in the process. You can also choose to send invitation emails when you’re [using PowerShell](https://docs.microsoft.com/azure/active-directory/b2b/b2b-quickstart-invite-powershell) to add guest users to your directory. Here’s a description of the guest’s experience when they redeem the link in the email.
29
+
30
+
1. The guest receives an [invitation email](https://docs.microsoft.com/azure/active-directory/b2b/invitation-email-elements) that's sent from **Microsoft Invitations**.
31
+
2. The guest selects **Get Started** in the email.
32
+
3. If the guest doesn't have an Azure AD account, a Microsoft Account (MSA), or an email account in a federated organization, they're prompted to create an MSA (unless the [one-time passcode](https://docs.microsoft.com/azure/active-directory/b2b/one-time-passcode) feature is enabled, which doesn’t require an MSA).
33
+
4. The guest is guided through the [consent experience](#consent-experience-for-the-guest) described below.
26
34
27
35
## Redemption through a direct link
28
36
29
-
A guest inviter can invite a guest user by sending out a [direct link to a shared app](../manage-apps/end-user-experiences.md#direct-sign-on-links). For the guest user, the redemption experience is as easy as signing in to the app that was shared with them. They can click a link to the app, review and accept the privacy terms, and then seamlessly access the app. In most cases, guest users no longer need to click a redemption URL in an invitation email.
37
+
As an alternative to the invitation email, you can give a guest a direct link to your app or portal. You first need to add the guest user to your directory via the [Azure portal](https://docs.microsoft.com/azure/active-directory/b2b/b2b-quickstart-add-guest-users-portal) or [PowerShell](https://docs.microsoft.com/azure/active-directory/b2b/b2b-quickstart-invite-powershell). Then you can use any of the [customizable ways to deploy applications to users](https://docs.microsoft.com/azure/active-directory/manage-apps/end-user-experiences), including direct sign-on links. When a guest uses a direct link instead of the invitation email, they’ll still be guided through the first-time consent experience.
30
38
31
-
If you invited guest users through the user interface, or chose to send the invitation email as part of the PowerShell invitation experience, the invited user still receives an invitation email. This email is useful for the following special cases:
39
+
> [!IMPORTANT]
40
+
> The direct link must be tenant-specific. In other words, it must include a tenant ID or verified domain so the guest can be authenticated in your tenant, where the shared app is located. A common URL like https://myapps.microsoft.com won’t work for a guest because it will redirect to their home tenant for authentication. Here are some examples of direct links with tenant context:
> - Individual app: see how to use a [direct sign-on link](../manage-apps/end-user-experiences.md#direct-sign-on-links)
32
45
33
-
- The user doesn’t have an Azure AD account or a Microsoft account (MSA). In this case, the user must create an MSA before they click the link, or they can use the redemption URL in the invitation email. The redemption process automatically prompts the user to create an MSA.
34
-
- Sometimes the invited user object may not have an email address because of a conflict with a contact object (for example, an Outlook contact object). In this case, the user must click the redemption URL in the invitation email.
35
-
- The user may sign in with an alias of the email address that was invited. (An alias is an additional email address associated with an email account.) In this case, the user must click the redemption URL in the invitation email.
46
+
There are some cases where the invitation email is recommended over a direct link. If these special cases are important to your organization, we recommend that you invite users by using methods that still send the invitation email:
47
+
- The user doesn’t have an Azure AD account, an MSA, or an email account in a federated organization. Unless you're using the one-time passcode feature, the guest needs to redeem the invitation email to be guided through the steps for creating an MSA.
48
+
- Sometimes the invited user object may not have an email address because of a conflict with a contact object (for example, an Outlook contact object). In this case, the user must click the redemption URL in the invitation email.
49
+
- The user may sign in with an alias of the email address that was invited. (An alias is an additional email address associated with an email account.) In this case, the user must click the redemption URL in the invitation email.
36
50
37
-
If these special cases are important to your organization, we recommend that you invite users by using methods that still send the invitation email. Also, if a user doesn't fall under one of these special cases, they can still click the URL in an invitation email to get access.
51
+
## Consent experience for the guest
38
52
39
-
## Redemption through the invitation email
53
+
When a guest signs in to access resources in a partner organization for the first time, they're guided through the following pages.
40
54
41
-
If invited through a method that sends an invitation email, users can also redeem an invitation through the invitation email. An invited user can click the redemption URL in the email, and then review and accept the privacy terms. The process is described in more detail here:
55
+
1. The guest reviews the **Review permissions** page describing the inviting organization's privacy statement. A user must **Accept** the use of their information in accordance to the inviting organization's privacy policies to continue.
42
56
43
-
1. After being invited, the invitee receives an invitation through email that's sent from **Microsoft Invitations**.
44
-
2. The invitee selects **Get Started** in the email.
45
-
3. If the invitee doesn't have an Azure AD account or an MSA, they're prompted to create an MSA.
46
-
4. The invitee is redirected to the **Review permissions** screen, where they can review the inviting organization's privacy statement and accept the terms.
57
+

47
58
48
-
## Privacy policy agreement
59
+
> [!NOTE]
60
+
> For information about how you as a tenant administrator can link to your organization's privacy statement, see [How-to: Add your organization's privacy info in Azure Active Directory](https://aka.ms/adprivacystatement).
49
61
50
-
After any guest user signs in to access resources in a partner organization for the first time, they see a**Review permissions** screen. Here, they can review the inviting organization's privacy statement. A user must accept the use of their information in accordance to the inviting organization's privacy policies to continue.
62
+
2. If terms of use are configured, the guest opens and reviews the terms of use, and then selects**Accept**.
51
63
52
-

64
+

53
65
54
-
For information about how you as a tenant administrator can link to your organization's privacy statement, see [How-to: Add your organization's privacy info in Azure Active Directory](https://aka.ms/adprivacystatement).
66
+
> [!NOTE]
67
+
> You can configure see [terms of use](../governance/active-directory-tou.md) in **Manage** > **Organizational relationships** > **Terms of use**.
55
68
56
-
## Terms of use
69
+
3. Unless otherwise specified, the guest is redirected to the Apps access panel, which lists the applications the guest can access.
57
70
58
-
You can present terms of use to the guest user during the initial redemption process by using the Azure AD terms of use feature. In Azure Active Directory, you can access this feature under **Manage** > **Organizational relationships** > **Terms of use** or under **Security** > **Conditional Access** > **Terms of use**. For details, see [Azure AD terms of use feature](../conditional-access/terms-of-use.md).
71
+

59
72
60
-

73
+
In your directory, the guest's **Invitation accepted** value changes to **Yes**. If an MSA was created, the guest’s **Source** shows **Microsoft Account**. For more information about guest user account properties, see [Properties of an Azure AD B2B collaboration user](user-properties.md).
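Review bot: Several wording slips in the added lines should be fixed before merge: the intro sentence `redeem to get access your app or portal` is missing `to`; step 2 reads `selects**Accept**` with no space before the bold, so the asterisks will render literally; the second NOTE reads `You can configure see [terms of use]`, which should be `You can configure [terms of use]`; and `in accordance to` in step 1 should be `in accordance with`. Separately, the removed `## Terms of use` section documented a second navigation path (**Security** > **Conditional Access** > **Terms of use**) and linked to `../conditional-access/terms-of-use.md`; the replacement NOTE keeps only the **Organizational relationships** path, so that path and link are lost and should be carried over. The new IMPORTANT callout correctly explains why a non-tenant-specific link such as https://myapps.microsoft.com sends the guest to their home tenant; consider also noting there that the consent status stays **PendingAcceptance** until the guest completes sign-in in the resource tenant, which the paragraph earlier in the hunk describes, so admins auditing guests in PowerShell know what a lingering pending status means.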
articles/active-directory/develop/msal-handling-exceptions.md
4 additions & 4 deletions
@@ -25,9 +25,9 @@ Exceptions in Microsoft Authentication Library (MSAL) are intended for app devel
25
25
When processing exceptions and errors, you can use the exception type itself and the error code to distinguish between exceptions. For a list of error codes, see [Authentication and authorization error codes](reference-aadsts-error-codes.md).
26
26
27
27
## .NET exceptions
28
-
When processing exceptions, you can use the exception type itself and the `ErrorCode` member to distinguish between exceptions. The values of `ErrorCode` are constants of type [MsalError](/dotnet/api/microsoft.identity.client.msalerror?view=azure-dotnet#fields).
28
+
When processing exceptions, you can use the exception type itself and the `ErrorCode` member to distinguish between exceptions. The values of `ErrorCode` are constants of type [MsalError](/dotnet/api/microsoft.identity.client.msalerror?view=azure-dotnet).
29
29
30
-
You can also have a look at the fields of [MsalClientException](/dotnet/api/microsoft.identity.client.msalexception?view=azure-dotnet#fields), [MsalServiceException](/dotnet/api/microsoft.identity.client.msalserviceexception?view=azure-dotnet#fields), [MsalUIRequiredException](/dotnet/api/microsoft.identity.client.msaluirequiredexception?view=azure-dotnet#fields).
30
+
You can also have a look at the fields of [MsalClientException](/dotnet/api/microsoft.identity.client.msalexception?view=azure-dotnet), [MsalServiceException](/dotnet/api/microsoft.identity.client.msalserviceexception?view=azure-dotnet), [MsalUIRequiredException](/dotnet/api/microsoft.identity.client.msaluirequiredexception?view=azure-dotnet).
31
31
32
32
If [MsalServiceException](/dotnet/api/microsoft.identity.client.msalserviceexception?view=azure-dotnet) is thrown, the error code might contain a code that you can find in [Authentication and authorization error codes](reference-aadsts-error-codes.md).
33
33
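Review bot: Dropping the `#fields` fragments is fine, but the `[MsalClientException]` link in the second changed paragraph still points at `/dotnet/api/microsoft.identity.client.msalexception?view=azure-dotnet`, which is the base `MsalException` type, not the client exception; the table further down in this file uses the correct `microsoft.identity.client.msalclientexception` path, so fix the URL while the line is being touched.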
@@ -38,8 +38,8 @@ Here are the common exceptions that might be thrown and some possible mitigation
38
38
| --- | --- | --- |
39
39
|[MsalUiRequiredException](/dotnet/api/microsoft.identity.client.msaluirequiredexception?view=azure-dotnet)| AADSTS65001: The user or administrator has not consented to use the application with ID '{appId}' named '{appName}'. Send an interactive authorization request for this user and resource.| You need to get user consent first. If you are not using .NET Core (which does not have any Web UI), call (once only) `AcquireTokeninteractive`. If you are using .NET core or don't want to do an `AcquireTokenInteractive`, the user can navigate to a URL to give consent: https://login.microsoftonline.com/common/oauth2/v2.0/authorize?client_id={clientId}&response_type=code&scope=user.read . To call `AcquireTokenInteractive`: `app.AcquireTokenInteractive(scopes).WithAccount(account).WithClaims(ex.Claims).ExecuteAsync();`|
40
40
|[MsalUiRequiredException](/dotnet/api/microsoft.identity.client.msaluirequiredexception?view=azure-dotnet)| AADSTS50079: The user is required to use multi-factor authentication.| There is no mitigation - if MFA is configured for your tenant and AAD decides to enforce it, you need to fallback to an interactive flow such as `AcquireTokenInteractive` or `AcquireTokenByDeviceCode`.|
41
-
|[MsalServiceException](/dotnet/api/microsoft.identity.client.msalserviceexception?view=azure-dotnet#fields)|AADSTS90010: The grant type is not supported over the */common* or */consumers* endpoints. Use the */organizations* or tenant-specific endpoint. You used */common*.| As explained in the message from Azure AD, the authority needs to have a tenant or otherwise */organizations*.|
42
-
|[MsalServiceException](/dotnet/api/microsoft.identity.client.msalserviceexception?view=azure-dotnet#fields)| AADSTS70002: The request body must contain the following parameter: 'client_secret or client_assertion'.| This can happen if your application was not registered as a public client application in Azure AD. In the Azure portal, edit the manifest for your application and set the `allowPublicClient` to `true`. |
41
+
|[MsalServiceException](/dotnet/api/microsoft.identity.client.msalserviceexception?view=azure-dotnet)|AADSTS90010: The grant type is not supported over the */common* or */consumers* endpoints. Use the */organizations* or tenant-specific endpoint. You used */common*.| As explained in the message from Azure AD, the authority needs to have a tenant or otherwise */organizations*.|
42
+
|[MsalServiceException](/dotnet/api/microsoft.identity.client.msalserviceexception?view=azure-dotnet)| AADSTS70002: The request body must contain the following parameter: 'client_secret or client_assertion'.| This can happen if your application was not registered as a public client application in Azure AD. In the Azure portal, edit the manifest for your application and set the `allowPublicClient` to `true`. |
43
43
|[MsalClientException](/dotnet/api/microsoft.identity.client.msalclientexception?view=azure-dotnet)| unknown_user Message: Could not identify logged in user| The library was unable to query the current Windows logged-in user or this user is not AD or AAD joined (work-place joined users are not supported). Mitigation 1: on UWP, check that the application has the following capabilities: Enterprise Authentication, Private Networks (Client and Server), User Account Information. Mitigation 2: Implement your own logic to fetch the username (for example, [email protected]) and use the `AcquireTokenByIntegratedWindowsAuth` form that takes in the username.|
44
44
|[MsalClientException](/dotnet/api/microsoft.identity.client.msalclientexception?view=azure-dotnet)|integrated_windows_auth_not_supported_managed_user| This method relies on a protocol exposed by Active Directory (AD). If a user was created in Azure Active Directory without AD backing ("managed" user), this method will fail. Users created in AD and backed by AAD ("federated" users) can benefit from this non-interactive method of authentication. Mitigation: Use interactive authentication.|
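Review bot: In the unchanged AADSTS65001 row, `AcquireTokeninteractive` (lowercase `i`) does not match the `AcquireTokenInteractive` method name used later in the same cell and in the AADSTS50079 row; since this hunk already edits the table, correct the casing, and change `fallback to an interactive flow` in the AADSTS50079 row to `fall back to`. For the AADSTS70002 row, the mitigation of setting `allowPublicClient` to `true` is only appropriate when the application genuinely is a public client (desktop or mobile code that cannot hold a secret); a confidential client such as a web app or daemon that hits this error is missing its `client_secret` or `client_assertion` and should supply one rather than be flipped to public, so add that qualifier to the cell.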