Merge branch 'master' of https://github.com/MicrosoftDocs/azure-docs-pr into rolyon-rbac-best-practices

Author: rolyon

articles/active-directory/app-provisioning/application-provisioning-config-problem-no-users-provisioned.md

@@ -1,5 +1,5 @@
 ---
-title: No users are being provisioned to an Azure AD Gallery application
+title: Users are not being provisioned in my application
 description: How to troubleshoot common issues faced when you don't see users appearing in an Azure AD Gallery Application you have configured for user provisioning with Azure AD
 services: active-directory
 documentationcenter: ''
@@ -12,19 +12,23 @@ ms.workload: identity
 ms.tgt_pltfrm: na
 ms.devlang: na
 ms.topic: conceptual
-ms.date: 09/03/2019
+ms.date: 04/20/2020
 ms.author: mimart
 ms.reviewer: arvinh
 ms.collection: M365-identity-device-management
 ---
 
-# No users are being provisioned to an Azure AD Gallery application
+# No users are being provisioned 
+>[!NOTE]
+>Starting 04/16/2020 we have changed the behavior for users assigned the default access role. Please see the section below for details. 
+>
 After automatic provisioning has been configured for an application (including verifying that the app credentials provided to Azure AD to connect to the app are valid), then users and/or groups are provisioned to the app. Provisioning is determined by the following things:
 
 -   Which users and groups have been **assigned** to the application. Note that provisioning nested groups or Office 365 groups is not supported. For more information on assignment, see [Assign a user or group to an enterprise app in Azure Active Directory](../manage-apps/assign-user-or-group-access-portal.md).
 -   Whether or not **attribute mappings** are enabled, and configured to sync valid attributes from Azure AD to the app. For more information on attribute mappings, see [Customizing User Provisioning Attribute Mappings for SaaS Applications in Azure Active Directory](customize-application-attributes.md).
 -   Whether or not there is a **scoping filter** present that is filtering users based on specific attribute values. For more information on scoping filters, see [Attribute-based application provisioning with scoping filters](../app-provisioning/define-conditional-rules-for-provisioning-user-accounts.md).
 
+  
 If you observe that users are not being provisioned, consult the [Provisioning logs (preview)](../reports-monitoring/concept-provisioning-logs.md?context=azure/active-directory/manage-apps/context/manage-apps-context) in Azure AD. Search for log entries for a specific user.
 
 You can access the provisioning logs in the Azure portal by selecting **Azure Active Directory** > **Enterprise Apps** > **Provisioning logs (preview)** in the **Activity** section. You can search the provisioning data based on the name of the user or the identifier in either the source system or the target system. For details, see [Provisioning logs (preview)](../reports-monitoring/concept-provisioning-logs.md?context=azure/active-directory/manage-apps/context/manage-apps-context). 
@@ -53,7 +57,16 @@ When a user shows up as “skipped” in the provisioning logs, it is important
 - **The user is “not effectively entitled”.** If you see this specific error message, it is because there is a problem with the user assignment record stored in Azure AD. To fix this issue, unassign the user (or group) from the app, and reassign it again. For more information on assignment, see [Assign user or group access](../manage-apps/assign-user-or-group-access-portal.md).
 - **A required attribute is missing or not populated for a user.** An important thing to consider when setting up provisioning is to review and configure the attribute mappings and workflows that define which user (or group) properties flow from Azure AD to the application. This configuration includes setting the “matching property” that is used to uniquely identify and match users/groups between the two systems. For more information on this important process, see [Customizing User Provisioning Attribute Mappings for SaaS Applications in Azure Active Directory](customize-application-attributes.md).
 - **Attribute mappings for groups:** Provisioning of the group name and group details, in addition to the members, if supported for some applications. You can enable or disable this functionality by enabling or disabling the **Mapping** for group objects shown in the **Provisioning** tab. If provisioning groups is enabled, be sure to review the attribute mappings to ensure an appropriate field is being used for the “matching ID”. The matching ID can be the display name or email alias. The group and its members are not provisioned if the matching property is empty or not populated for a group in Azure AD.
+## Provisioning users assigned to the default access role
+The default role on an application from the gallery is called the "default access" role. Historically, users assigned to this role are not provisioned and are marked as skipped in the [provisioning logs](https://docs.microsoft.com/azure/active-directory/reports-monitoring/concept-provisioning-logs) due to being "not effectively entitled." 
+
+**Behavior for provisioning configurations created after 04/16/2020:**
+Users assigned to the default access role will be evaluated the same as all other roles. A user that is assigned the default access will not be skipped as "not effectively entitled." 
+
+**Behavior for provisioning configurations created before 04/16/2020:**
+For the next 3 months, the behavior will continue as it is today. Users with the default access role will be skipped as not effectively entitled. After July 2020, the behavior will be uniform for all applications. We will not skip provisioning users with the default access role due to being "not effectively entitled." This change will be made by Microsoft, with no customer action required. If you would like to ensure that these users continue to be skipped, even after this change, please apply the appropriate scoping filters or unassign the user from the application to ensure they are out of scope.  
 
+For questions about these changes, please reach out to [email protected]
 ## Next steps
 
 [Azure AD Connect sync: Understanding Declarative Provisioning](../hybrid/concept-azure-ad-connect-sync-declarative-provisioning.md)

articles/active-directory/managed-identities-azure-resources/TOC.yml

@@ -136,13 +136,13 @@
   - name: Java
     href: https://github.com/Azure/azure-libraries-for-java#ready-to-run-code-samples-for-virtual-machines
   - name: Python
-    href: /python/api/azure.mgmt.msi
+    href: https://docs.microsoft.com/windows/python/
   - name: Ruby
     href: https://rubygems.org/gems/azure_mgmt_msi
   - name: Node.js
-    href: /javascript/api/ms-rest-azure
+    href: https://nodejs.org/en/docs/
   - name: Go
-    href: https://godoc.org/github.com/Azure/azure-sdk-for-go/services/msi/mgmt/2015-08-31-preview/msi
+    href: https://golang.org/doc/
 
 - name: Resources
   items:

articles/active-directory/managed-identities-azure-resources/overview.md

@@ -12,7 +12,7 @@ ms.subservice: msi
 ms.devlang:
 ms.topic: overview
 ms.custom: mvc
-ms.date: 03/25/2020
+ms.date: 04/18/2020
 ms.author: markvi
 
 #As a developer, I'd like to securely manage the credentials that my application uses for authenticating to cloud services without having the credentials in my code or checked into source control.

articles/active-directory/reports-monitoring/howto-integrate-activity-logs-with-log-analytics.md

@@ -57,6 +57,10 @@ To use this feature, you need:
 * A user who's a *global administrator* or *security administrator* for the Azure AD tenant.
 * A Log Analytics workspace in your Azure subscription. Learn how to [create a Log Analytics workspace](https://docs.microsoft.com/azure/log-analytics/log-analytics-quick-create-workspace).
 
+## Licensing requirements
+
+Using this feature requires an Azure AD Premium P1 or P2 license. To find the right license for your requirements, see [Comparing generally available features of the Free, Basic, and Premium editions](https://azure.microsoft.com/pricing/details/active-directory/).
+
 ## Send logs to Azure Monitor
 
 1. Sign in to the [Azure portal](https://portal.azure.com). 
@@ -80,4 +84,4 @@ To use this feature, you need:
 ## Next steps
 
 * [Analyze Azure AD activity logs with Azure Monitor logs](howto-analyze-activity-logs-log-analytics.md)
-* [Install and use the log analytics views for Azure Active Directory](howto-install-use-log-analytics-views.md)
+* [Install and use the log analytics views for Azure Active Directory](howto-install-use-log-analytics-views.md)

articles/active-directory/saas-apps/alertmedia-tutorial.md

@@ -0,0 +1,176 @@
+---
+title: 'Tutorial: Azure Active Directory single sign-on (SSO) integration with AlertMedia | Microsoft Docs'
+description: Learn how to configure single sign-on between Azure Active Directory and AlertMedia.
+services: active-directory
+documentationCenter: na
+author: jeevansd
+manager: mtillman
+ms.reviewer: barbkess
+
+ms.assetid: 5c77f6fc-807c-47e8-8e49-eece5ebd7f09
+ms.service: active-directory
+ms.subservice: saas-app-tutorial
+ms.workload: identity
+ms.tgt_pltfrm: na
+ms.topic: tutorial
+ms.date: 04/17/2020
+ms.author: jeedes
+
+ms.collection: M365-identity-device-management
+---
+
+# Tutorial: Azure Active Directory single sign-on (SSO) integration with AlertMedia
+
+In this tutorial, you'll learn how to integrate AlertMedia with Azure Active Directory (Azure AD). When you integrate AlertMedia with Azure AD, you can:
+
+* Control in Azure AD who has access to AlertMedia.
+* Enable your users to be automatically signed-in to AlertMedia with their Azure AD accounts.
+* Manage your accounts in one central location - the Azure portal.
+
+To learn more about SaaS app integration with Azure AD, see [What is application access and single sign-on with Azure Active Directory](https://docs.microsoft.com/azure/active-directory/manage-apps/what-is-single-sign-on).
+
+## Prerequisites
+
+To get started, you need the following items:
+
+* An Azure AD subscription. If you don't have a subscription, you can get a [free account](https://azure.microsoft.com/free/).
+* AlertMedia single sign-on (SSO) enabled subscription.
+
+## Scenario description
+
+In this tutorial, you configure and test Azure AD SSO in a test environment.
+
+* AlertMedia supports **IDP** initiated SSO
+* AlertMedia supports **Just In Time** user provisioning
+* Once you configure AlertMedia you can enforce session control, which protect exfiltration and infiltration of your organization’s sensitive data in real-time. Session control extend from Conditional Access. [Learn how to enforce session control with Microsoft Cloud App Security](https://docs.microsoft.com/cloud-app-security/proxy-deployment-any-app).
+
+## Adding AlertMedia from the gallery
+
+To configure the integration of AlertMedia into Azure AD, you need to add AlertMedia from the gallery to your list of managed SaaS apps.
+
+1. Sign in to the [Azure portal](https://portal.azure.com) using either a work or school account, or a personal Microsoft account.
+1. On the left navigation pane, select the **Azure Active Directory** service.
+1. Navigate to **Enterprise Applications** and then select **All Applications**.
+1. To add new application, select **New application**.
+1. In the **Add from the gallery** section, type **AlertMedia** in the search box.
+1. Select **AlertMedia** from results panel and then add the app. Wait a few seconds while the app is added to your tenant.
+
+
+## Configure and test Azure AD single sign-on for AlertMedia
+
+Configure and test Azure AD SSO with AlertMedia using a test user called **B.Simon**. For SSO to work, you need to establish a link relationship between an Azure AD user and the related user in AlertMedia.
+
+To configure and test Azure AD SSO with AlertMedia, complete the following building blocks:
+
+1. **[Configure Azure AD SSO](#configure-azure-ad-sso)** - to enable your users to use this feature.
+    1. **[Create an Azure AD test user](#create-an-azure-ad-test-user)** - to test Azure AD single sign-on with B.Simon.
+    1. **[Assign the Azure AD test user](#assign-the-azure-ad-test-user)** - to enable B.Simon to use Azure AD single sign-on.
+1. **[Configure AlertMedia SSO](#configure-alertmedia-sso)** - to configure the single sign-on settings on application side.
+    1. **[Create AlertMedia test user](#create-alertmedia-test-user)** - to have a counterpart of B.Simon in AlertMedia that is linked to the Azure AD representation of user.
+1. **[Test SSO](#test-sso)** - to verify whether the configuration works.
+
+## Configure Azure AD SSO
+
+Follow these steps to enable Azure AD SSO in the Azure portal.
+
+1. In the [Azure portal](https://portal.azure.com/), on the **AlertMedia** application integration page, find the **Manage** section and select **single sign-on**.
+1. On the **Select a single sign-on method** page, select **SAML**.
+1. On the **Set up single sign-on with SAML** page, click the edit/pen icon for **Basic SAML Configuration** to edit the settings.
+
+   ![Edit Basic SAML Configuration](common/edit-urls.png)
+
+1. On the **Set up single sign-on with SAML** page, enter the values for the following fields:
+
+    a. In the **Identifier** text box, type a URL using the following pattern:
+    `https://<SUBDOMAIN>.alertmedia.com`
+
+    b. In the **Reply URL** text box, type a URL using the following pattern:
+    `https://<SUBDOMAIN>.alertmedia.com/api/sso/saml/`
+
+	> [!NOTE]
+	> These values are not real. Update these values with the actual Identifier and Reply URL. Contact [AlertMedia Client support team](mailto:[email protected]) to get these values. You can also refer to the patterns shown in the **Basic SAML Configuration** section in the Azure portal.
+
+1. AlertMedia application expects the SAML assertions in a specific format, which requires you to add custom attribute mappings to your SAML token attributes configuration. The following screenshot shows the list of default attributes.
+
+	![image](common/default-attributes.png)
+
+1. In addition to above, AlertMedia application expects few more attributes to be passed back in SAML response which are shown below. These attributes are also pre populated but you can review them as per your requirements.
+	
+	| Name |   |  Source Attribute|
+	| ---------------| --------------- | --------- |
+	| email |  | user.userprincipalname |
+	| firstname |  | user.givenname |
+	| lastname |  | user.surname |
+
+1. On the **Set up single sign-on with SAML** page, In the **SAML Signing Certificate** section, click copy button to copy **App Federation Metadata Url** and save it on your computer.
+
+	![The Certificate download link](common/copy-metadataurl.png)
+
+### Create an Azure AD test user
+
+In this section, you'll create a test user in the Azure portal called B.Simon.
+
+1. From the left pane in the Azure portal, select **Azure Active Directory**, select **Users**, and then select **All users**.
+1. Select **New user** at the top of the screen.
+1. In the **User** properties, follow these steps:
+   1. In the **Name** field, enter `B.Simon`.  
+   1. In the **User name** field, enter the [email protected]. For example, `[email protected]`.
+   1. Select the **Show password** check box, and then write down the value that's displayed in the **Password** box.
+   1. Click **Create**.
+
+### Assign the Azure AD test user
+
+In this section, you'll enable B.Simon to use Azure single sign-on by granting access to AlertMedia.
+
+1. In the Azure portal, select **Enterprise Applications**, and then select **All applications**.
+1. In the applications list, select **AlertMedia**.
+1. In the app's overview page, find the **Manage** section and select **Users and groups**.
+
+   ![The "Users and groups" link](common/users-groups-blade.png)
+
+1. Select **Add user**, then select **Users and groups** in the **Add Assignment** dialog.
+
+	![The Add User link](common/add-assign-user.png)
+
+1. In the **Users and groups** dialog, select **B.Simon** from the Users list, then click the **Select** button at the bottom of the screen.
+1. If you're expecting any role value in the SAML assertion, in the **Select Role** dialog, select the appropriate role for the user from the list and then click the **Select** button at the bottom of the screen.
+1. In the **Add Assignment** dialog, click the **Assign** button.
+
+## Configure AlertMedia SSO
+
+1. In a new web browser window, sign in to your AlertMedia company site as an administrator.
+1. Navigate to **Company** and select **Single Sign-On**.
+
+    ![The Account button](./media/alertmedia-tutorial/Configure1.png)
+1. In the **Authentication Method**, select **Remote SAML Metadata**
+1. Toggle ON the **Sign Request**
+1. Toggle ON the **Allow Passive Requests**
+1. In the **MetaData URL** textbox,  paste the **App Federation Metadata Url** value, which you have copied fro the Azure portal.
+1. Select **Requested Authentication Context Comparison** as **exact**
+1. In **IDP Login URL** textbox,  paste the **Login URL** value, which you have copied from the Azure portal.
+1. Click **Save**
+
+### Create AlertMedia test user
+
+In this section, a user called Britta Simon is created in AlertMedia. AlertMedia supports just-in-time user provisioning, which is enabled by default. There is no action item for you in this section. If a user doesn't already exist in AlertMedia, a new one is created after authentication.
+
+## Test SSO 
+
+In this section, you test your Azure AD single sign-on configuration using the Access Panel.
+
+When you click the AlertMedia tile in the Access Panel, you should be automatically signed in to the AlertMedia for which you set up SSO. For more information about the Access Panel, see [Introduction to the Access Panel](https://docs.microsoft.com/azure/active-directory/active-directory-saas-access-panel-introduction).
+
+## Additional resources
+
+- [ List of Tutorials on How to Integrate SaaS Apps with Azure Active Directory ](https://docs.microsoft.com/azure/active-directory/active-directory-saas-tutorial-list)
+
+- [What is application access and single sign-on with Azure Active Directory? ](https://docs.microsoft.com/azure/active-directory/active-directory-appssoaccess-whatis)
+
+- [What is conditional access in Azure Active Directory?](https://docs.microsoft.com/azure/active-directory/conditional-access/overview)
+
+- [Try AlertMedia with Azure AD](https://aad.portal.azure.com/)
+
+- [What is session control in Microsoft Cloud App Security?](https://docs.microsoft.com/cloud-app-security/proxy-intro-aad)
+
+- [How to protect AlertMedia with advanced visibility and controls](https://docs.microsoft.com/cloud-app-security/proxy-intro-aad)
+