Merge pull request #180585 from MicrosoftDocs/master

11/19 PM Publish

Author: huypub

articles/active-directory/app-provisioning/on-premises-application-provisioning-architecture.md

@@ -7,17 +7,14 @@ manager: karenh444
 ms.service: active-directory
 ms.workload: identity
 ms.topic: overview
-ms.date: 05/28/2021
+ms.date: 11/18/2021
 ms.subservice: hybrid
 ms.author: billmath
 ms.collection: M365-identity-device-management
 ---
 
 # Azure AD on-premises application provisioning architecture
 
->[!IMPORTANT]
-> The on-premises provisioning preview is currently in an invitation-only preview. To request access to the capability, use the [access request form](https://aka.ms/onpremprovisioningpublicpreviewaccess). We'll open the preview to more customers and connectors over the next few months as we prepare for general availability (GA).
-
 ## Overview
 
 The following diagram shows an overview of how on-premises application provisioning works.
@@ -91,8 +88,8 @@ You can define one or more matching attribute(s) and prioritize them based on th
 
 
 ## Agent best practices
-- Ensure the auto Azure AD Connect Provisioning Agent Auto Update service is running. It's enabled by default when you install the agent. Auto-update is required for Microsoft to support your deployment.
-- Avoid all forms of inline inspection on outbound TLS communications between agents and Azure. This type of inline inspection causes degradation to the communication flow.
+- Using the same agent for the on-prem provisioning feature along with Workday / SuccessFactors / Azure AD Connect Cloud Sync is currently unsupported. We are actively working to support on-prem provisioning on the same agent as the other provisioning scenarios.
+- - Avoid all forms of inline inspection on outbound TLS communications between agents and Azure. This type of inline inspection causes degradation to the communication flow.
 - The agent must communicate with both Azure and your application, so the placement of the agent affects the latency of those two connections. You can minimize the latency of the end-to-end traffic by optimizing each network connection. Each connection can be optimized by:
   - Reducing the distance between the two ends of the hop.
   - Choosing the right network to traverse. For example, traversing a private network rather than the public internet might be faster because of dedicated links.
@@ -112,10 +109,6 @@ For the latest GA version of the provisioning agent, see [Azure AD connect provi
  2. Go to **Control Panel** > **Uninstall or Change a Program**.
  3. Look for the version that corresponds to the entry for **Microsoft Azure AD Connect Provisioning Agent**.
 
-### Does Microsoft automatically push provisioning agent updates?
-
-Yes. Microsoft automatically updates the provisioning agent if the Windows service Microsoft Azure AD Connect Agent Updater is up and running. Ensuring that your agent is up to date is required for support to troubleshoot issues.
-
 ### Can I install the provisioning agent on the same server running Azure AD Connect or Microsoft Identity Manager?
 
 Yes. You can install the provisioning agent on the same server that runs Azure AD Connect or Microsoft Identity Manager, but they aren't required.

articles/active-directory/app-provisioning/on-premises-ecma-troubleshoot.md

@@ -7,17 +7,14 @@ manager: karenh444
 ms.service: active-directory
 ms.workload: identity
 ms.topic: overview
-ms.date: 10/21/2021
+ms.date: 11/19/2021
 ms.subservice: hybrid
 ms.author: billmath
 ms.collection: M365-identity-device-management
 ---
 
 # Troubleshoot on-premises application provisioning
 
->[!IMPORTANT]
-> The on-premises provisioning preview is currently in an invitation-only preview. To request access to the capability, use the [access request form](https://aka.ms/onpremprovisioningpublicpreviewaccess). We'll open the preview to more customers and connectors over the next few months as we prepare for general availability.
-
 ## Troubleshoot test connection issues
 After you configure the provisioning agent and ECMA host, it's time to test connectivity from the Azure Active Directory (Azure AD) provisioning service to the provisioning agent, the ECMA host, and the application. To perform this end-to-end test, select **Test connection** in the application in the Azure portal. When the test connection fails, try the following troubleshooting steps:
 

articles/active-directory/app-provisioning/on-premises-migrate-microsoft-identity-manager.md

@@ -7,7 +7,7 @@ manager: karenh444
 ms.service: active-directory
 ms.workload: identity
 ms.topic: how-to
-ms.date: 11/11/2021
+ms.date: 11/17/2021
 ms.subservice: hybrid
 ms.author: billmath
 ms.collection: M365-identity-device-management
@@ -16,9 +16,6 @@ ms.collection: M365-identity-device-management
 
 # Export a Microsoft Identity Manager connector for use with the Azure AD ECMA Connector Host
 
->[!IMPORTANT]
-> The on-premises provisioning preview is currently in an invitation-only preview. To request access to the capability, use the [access request form](https://aka.ms/onpremprovisioningpublicpreviewaccess). We'll open the preview to more customers and connectors over the next few months as we prepare for general availability.
-
 You can import into the Azure Active Directory (Azure AD) ECMA Connector Host a configuration for a specific connector from a Forefront Identity Manager Synchronization Service or Microsoft Identity Manager Synchronization Service (MIM Sync) installation. The MIM Sync installation is only used for configuration, not for the ongoing synchronization from Azure AD.
 
 >[!IMPORTANT]

articles/active-directory/app-provisioning/on-premises-scim-provisioning.md

@@ -8,16 +8,13 @@ ms.service: active-directory
 ms.subservice: app-provisioning
 ms.topic: conceptual
 ms.workload: identity
-ms.date: 10/16/2021
+ms.date: 11/17/2021
 ms.author: billmath
 ms.reviewer: arvinh
 ---
 
 # Azure AD on-premises application provisioning to SCIM-enabled apps
 
->[!IMPORTANT]
-> The on-premises provisioning preview is currently in an invitation-only preview. To request access to the capability, use the [access request form](https://aka.ms/onpremprovisioningpublicpreviewaccess). We'll open the preview to more customers and connectors over the next few months as we prepare for general availability.
-
 The Azure Active Directory (Azure AD) provisioning service supports a [SCIM 2.0](https://techcommunity.microsoft.com/t5/identity-standards-blog/provisioning-with-scim-getting-started/ba-p/880010) client that can be used to automatically provision users into cloud or on-premises applications. This article outlines how you can use the Azure AD provisioning service to provision users into an on-premises application that's SCIM enabled. If you want to provision users into non-SCIM on-premises applications that use SQL as a data store, see the [Azure AD ECMA Connector Host Generic SQL Connector tutorial](tutorial-ecma-sql-connector.md). If you want to provision users into cloud apps such as DropBox and Atlassian, review the app-specific [tutorials](../../active-directory/saas-apps/tutorial-list.md).
 
 ![Diagram that shows SCIM architecture.](./media/on-premises-scim-provisioning/scim-4.png)
@@ -30,21 +27,19 @@ The Azure Active Directory (Azure AD) provisioning service supports a [SCIM 2.0]
 ## On-premises app provisioning to SCIM-enabled apps
 To provision users to SCIM-enabled apps:
 
- 1. Add the **On-premises SCIM app** from the [gallery](../../active-directory/manage-apps/add-application-portal.md).
- 1. Go to your app and select **Provisioning** > **Download the provisioning agent**.
- 1. Select **On-Premises Connectivity**, and download the provisioning agent.
+ 1. [Download](https://aka.ms/OnPremProvisioningAgent) the provisioning agent and copy it onto the virtual machine or server that your SCIM endpoint is hosted on.
  1. Copy the agent onto the virtual machine or server that your SCIM endpoint is hosted on.
  1. Open the provisioning agent installer, agree to the terms of service, and select **Install**.
  1. Open the provisioning agent wizard, and select **On-premises provisioning** when prompted for the extension you want to enable.
  1. Provide credentials for an Azure AD administrator when you're prompted to authorize. Hybrid administrator or global administrator is required.
  1. Select **Confirm** to confirm the installation was successful.
- 1. Go back to your application, and select **On-Premises Connectivity**.
+ 1. Navigate to the Azure Portal and add the **On-premises SCIM app** from the [gallery](../../active-directory/manage-apps/add-application-portal.md).
+ 1. Select **On-Premises Connectivity**, and download the provisioning agent. 1. Go back to your application, and select **On-Premises Connectivity**.
  1. Select the agent that you installed from the dropdown list, and select **Assign Agent(s)**.
- 1. Wait 10 minutes or restart the Azure AD Connect Provisioning agent service on your server or VM.
- 1. Provide the URL for your SCIM endpoint in the **Tenant URL** box. An example is https://localhost:8585/scim.
- 
+ 1. Wait 20 minutes prior to completing the next step, to provide time for the agent assignment to complete.
+ 1. Provide the URL for your SCIM endpoint in the **Tenant URL** box. An example is https://localhost:8585/scim. 
      ![Screenshot that shows assigning an agent.](./media/on-premises-scim-provisioning/scim-2.png)
- 1. Select **Test Connection**, and save the credentials.
+ 1. Select **Test Connection**, and save the credentials. Use the steps [here](https://docs.microsoft.com/azure/active-directory/app-provisioning/on-premises-ecma-troubleshoot#troubleshoot-test-connection-issues) if you run into connectivity issues. 
  1. Configure any [attribute mappings](customize-application-attributes.md) or [scoping](define-conditional-rules-for-provisioning-user-accounts.md) rules required for your application.
  1. Add users to scope by [assigning users and groups](../../active-directory/manage-apps/add-application-portal-assign-users.md) to the application.
  1. Test provisioning a few users [on demand](provision-on-demand.md).

articles/active-directory/app-provisioning/toc.yml

@@ -18,8 +18,14 @@
       href: customize-application-attributes.md
     - name: App specific provisioning tutorials
       href: /azure/active-directory/saas-apps/tutorial-list
-    - name: Provisioning to SQL based apps
-      href: tutorial-ecma-sql-connector.md
+    - name: On-prem app provisioning tutorials
+      items:
+      - name: Provisioning to On-premises SCIM-enabled apps
+        href: on-premises-scim-provisioning.md
+      - name: Provisioning to SQL based apps
+        href: on-premises-sql-connector-configure.md
+      - name: Provisioning to LDAP based apps
+        href: on-premises-ldap-connector-configure.md
   - name: Concepts
     expanded: true
     items: 
@@ -62,10 +68,6 @@
         href: export-import-provisioning-configuration.md  
       - name: Provisioning reports
         href: ../reports-monitoring/concept-provisioning-logs.md?context=%2fazure%2factive-directory%2fapp-provisioning%2fcontext%2fapp-provisioning-context
-    - name: Automate configuration using MS Graph
-      href: application-provisioning-configuration-api.md
-    - name: Enable accidental deletions prevention
-      href: accidental-deletions.md
     - name: Troubleshoot application provisioning
       items:
       - name: Known issues
@@ -82,16 +84,6 @@
         href: on-premises-ecma-troubleshoot.md
       - name: Provisioning logs
         href: ../reports-monitoring/concept-provisioning-logs.md?context=%2fazure%2factive-directory%2fapp-provisioning%2fcontext%2fapp-provisioning-context
-    - name: On-premises app provisioning
-      items:
-      - name: Provisioning to SQL based apps
-        href: on-premises-sql-connector-configure.md
-      - name: Generic LDAP Connector configuration
-        href: on-premises-ldap-connector-configure.md
-      - name: On-premises application provisioning to SCIM-enabled apps
-        href: on-premises-scim-provisioning.md
-      - name: Migrate connector from MIM Sync
-        href: on-premises-migrate-microsoft-identity-manager.md
     - name: Troubleshoot HR provisioning
       items:
       - name: Attribute retrieval issues
@@ -104,14 +96,18 @@
         href: hr-manager-update-issues.md
       - name: HR writeback issues
         href: hr-writeback-issues.md
+    - name: Enable accidental deletions prevention
+      href: accidental-deletions.md
+    - name: Automate configuration using MS Graph
+      href: application-provisioning-configuration-api.md
   - name: Reference
     items:
+    - name: Function reference for writing expressions for attribute mappings
+      href: functions-for-customizing-application-data.md
     - name: SCIM 2.0 protocol compliance
       href: application-provisioning-config-problem-scim-compatibility.md
     - name: SCIM and Graph scenarios
       href: scim-graph-scenarios.md
-    - name: Function reference for writing expressions for attribute mappings
-      href: functions-for-customizing-application-data.md
     - name: Cloud HR provisioning
       items:
       - name: SuccessFactors attribute reference
@@ -120,6 +116,8 @@
         href: workday-attribute-reference.md
       - name: Provisioning Agent version history
         href: provisioning-agent-release-version-history.md
+      - name: Migrate connector from MIM Sync
+        href: on-premises-migrate-microsoft-identity-manager.md
   - name: Resources
     items:
     - name: Support and help options for developers