Merge branch 'master' of https://github.com/MicrosoftDocs/azure-docs-pr into release-marmalade

Author: v-alje

articles/active-directory/app-provisioning/functions-for-customizing-application-data.md

@@ -519,11 +519,11 @@ SelectUniqueValue(uniqueValueRule1, uniqueValueRule2, uniqueValueRule3, …)
 **Description:**<br> 
 Requires a minimum of two arguments, which are unique value generation rules defined using expressions. The function evaluates each rule and then checks the value generated for uniqueness in the target app/directory. The first unique value found will be the one returned. If all of the values already exist in the target, the entry will get escrowed and the reason gets logged in the audit logs. There is no upper bound to the number of arguments that can be provided.
 
-> [!NOTE]
-> - This is a top-level function, it cannot be nested.
-> - This function cannot be applied to attributes that have a matching precedence. 	
-> - This function is only meant to be used for entry creations. When using it with an attribute, set the **Apply Mapping** property to **Only during object creation**.
-> - This function is currently only supported for "Workday to Active Directory User Provisioning". It cannot be used with other provisioning applications. 
+
+ - This is a top-level function, it cannot be nested.
+ - This function cannot be applied to attributes that have a matching precedence. 	
+ - This function is only meant to be used for entry creations. When using it with an attribute, set the **Apply Mapping** property to **Only during object creation**.
+ - This function is currently only supported for "Workday to Active Directory User Provisioning". It cannot be used with other provisioning applications. 
 
 
 **Parameters:**<br> 

articles/active-directory/app-provisioning/media/user-provisioning/scim-graph.png

@@ -0,0 +1,121 @@
+---
+title: Using SCIM, the Microsoft Graph, and the Azure AD provisioning service to provision users and enrich your application with the data it needs | Microsoft Docs
+description: Using SCIM and the Microsoft Graph together to provision users and enrich your application with the data it needs .
+services: active-directory
+documentationcenter: ''
+author: msmimart
+manager: CelesteDG
+
+ms.assetid: 
+ms.service: active-directory
+ms.subservice: app-provisioning
+ms.workload: identity
+ms.tgt_pltfrm: na
+ms.devlang: na
+ms.topic: conceptual
+ms.date: 04/06/2020
+ms.author: mimart
+ms.reviewer: arvinh
+
+ms.collection: M365-identity-device-management
+---
+
+
+# Using SCIM and Microsoft Graph together to provision users and enrich your application with the data it needs
+
+**Target audience:** This document is targeted towards developers building applications integrated with Azure AD. For others looking to integrate an existing application such as Zoom, ServiceNow, and DropBox you can skip this and review the application specific [tutorials](https://docs.microsoft.com/azure/active-directory/saas-apps/tutorial-list). 
+
+**Common scenarios**
+
+> [!div class="checklist"]
+> * Automatically create users in my application
+> * Automatically remove users from my application when they shouldn't have access anymore
+> * Integrate my application with multiple identity providers for provisioning
+> * Enrich my application with data from Microsoft services such as Sharepoint, Outlook, and Office.
+> * Automatically create, update, and delete users and groups in Azure AD and Active Directory
+
+![SCIM Graph decision tree](./media/user-provisioning/scim-graph.png)
+
+## Scenario 1: Automatically create users in my app
+Today, IT admins manually create user accounts in my application each time someone needs access or periodically upload CSV files. The process is time consuming for customers and slows down adoption of my application. All I need is basic [user](https://docs.microsoft.com/graph/api/resources/user?view=graph-rest-1.0) information such as name, email, and userPrincipalName to create a user. Furthermore, my customers use various IdPs and I don't have the resources to maintain a sync engine and custom integrations with each IdP. 
+
+**Recommendation**: Support a SCIM compliant [/Users](https://aka.ms/scimreferencecode) endpoint. Your customers will be able to easily use this endpoint to integrate with the Azure AD provisioning service and automatically create user accounts when they need access. You can build the endpoint once and it will be compatible with all IdPs, without having to maintain a sync engine. Check out the example request below for how a user would be created.
+
+```json
+POST /Users
+{
+	"schemas": [
+	    "urn:ietf:params:scim:schemas:core:2.0:User",
+	    "urn:ietf:params:scim:schemas:extension:enterprise:2.0:User"],
+	"externalId": "0a21f0f2-8d2a-4f8e-bf98-7363c4aed4ef",
+	"userName": "BillG",
+	"active": true,
+	"meta": {
+		"resourceType": "User"
+	},
+	"name": {
+		"formatted": "Bill Gates",
+		"familyName": "Gates",
+		"givenName": "Bill"
+	},
+	"roles": []
+}
+```
+    
+## Scenario 2: Automatically remove users from my app
+The customers using my application are security focused and have governance requirements to remove accounts when employees don't need them anymore. How can I automate deprovisioning from my application?
+
+**Recommendation:** Support a SCIM compliant /Users endpoint. The Azure AD provisioning service will send requests to disable and delete when the user shouldn't have access anymore. We recommend supporting both disabling and deleting users. See the examples below for what a disable and delete request look like. 
+
+Disable user
+```json
+PATCH /Users/5171a35d82074e068ce2 HTTP/1.1
+{
+    "Operations": [
+        {
+            "op": "Replace",
+            "path": "active",
+            "value": false
+        }
+    ],
+    "schemas": [
+        "urn:ietf:params:scim:api:messages:2.0:PatchOp"
+    ]
+}
+```
+Delete user
+```json
+DELETE /Users/5171a35d82074e068ce2 HTTP/1.1
+```
+
+## Scenario 3: Automate managing group memberships in my app
+My application relies on groups for access to various resources, and customers want to reuse the groups that they have in Azure AD. How can I import groups from Azure AD and keep them updated as the memberships change?  
+
+**Recommendation:** Support a SCIM compliant /Groups [endpoint](https://aka.ms/scimreferencecode). The Azure AD provisioning service will take care of creating groups and managing membership updates in your application. 
+
+## Scenario 4: Enrich my app with data from Microsoft services such as Teams, Outlook, and OneDrive.
+My application is built into Microsoft Teams and relies on message data. In addition, we store files for users in OneDrive. How can I enrich my application with the data from these services and across Microsoft?
+
+**Recommendation:** The [Microsoft Graph](https://docs.microsoft.com/graph/) is your entry point to access Microsoft data. Each workload exposes APIs with the data that you need. The Microsoft graph can be used along with [SCIM provisioning](https://docs.microsoft.com/azure/active-directory/app-provisioning/use-scim-to-provision-users-and-groups) for the scenarios above. You can use SCIM to provision basic user attributes into your application while calling into graph to get any other data that you need. 
+
+## Scenario 5: Track changes in Microsoft services such as Teams, Outlook, and Azure AD.
+I need to be able to track changes to Teams and Outlook messages and react to them in real time. How can I get these changes pushed to my application?
+
+**Recommendation:** The Microsoft Graph provides [change notifications](https://docs.microsoft.com/graph/webhooks) and change tracking for various resources. Note the following limitations of change notifications:
+- If an event receiver acknowledges an event, but fails to act on it for any reason, the event may be lost
+- If an event receiver acknowledges an event, but fails to act on it for any reason, the event may be lost
+- Change notifications don't always contain the [resource data](https://docs.microsoft.com/graph/webhooks-with-resource-data)
+For the reasons above, developers often use change notifications along with change tracking for synchronization scenarios. 
+
+## Scenario 6: Provision users and groups in Azure AD.
+My application creates information about a user that customers need in Azure AD. This could be an HR application than manages hiring, a communications app that creates phone numbers for users, or some other app that generates data that would be valuable in Azure AD. How do I populate the user record in Azure AD with that data? 
+
+**Recommendation** The Microsoft graph exposes /Users and /Groups endpoints that you can integrate with today to provision users into Azure AD. Please note that Azure Active Directory doesn't support writing those users back into Active Directory. 
+
+> [!NOTE]
+> Microsoft has a provisioning service that pulls in data from HR applications such as Workday and SuccessFactors. These integrations are built and managed by Microsoft. For onboarding a new HR application to our service, you can request it on [UserVoice](https://feedback.azure.com/forums/374982-azure-active-directory-application-requests). 
+
+## Related articles
+
+- [Review the synchronization Microsoft Graph documentation](https://docs.microsoft.com/graph/api/resources/synchronization-overview?view=graph-rest-beta)
+- [Integrating a custom SCIM app with Azure AD](use-scim-to-provision-users-and-groups.md)

articles/active-directory/app-provisioning/scim-graph-scenarios.md

@@ -79,6 +79,8 @@
     items:
     - name: SCIM 2.0 protocol compliance
       href: application-provisioning-config-problem-scim-compatibility.md
+    - name: SCIM and Graph scenarios
+      href: scim-graph-scenarios.md
     - name: Choose a provisioning method
       href: isv-automatic-provisioning-multi-tenant-apps.md
     - name: Cloud HR provisioning
@@ -106,4 +108,4 @@
         - name: Stack Overflow
           href: https://stackoverflow.com/questions/tagged/azure-active-directory
         - name: Videos
-          href: https://azure.microsoft.com/documentation/videos/index/?services=active-directory
+          href: https://azure.microsoft.com/documentation/videos/index/?services=active-directory

articles/active-directory/app-provisioning/toc.yml

@@ -172,7 +172,7 @@ If you don't yet have a library for your chosen language, you might want to use
 
 #### First case: Access the token request by using a shared secret
 
-```Text
+```HTTP
 POST /{tenant}/oauth2/v2.0/token HTTP/1.1           //Line breaks for clarity.
 Host: login.microsoftonline.com
 Content-Type: application/x-www-form-urlencoded
@@ -185,7 +185,7 @@ client_id=535fb089-9ff3-47b6-9bfb-4f1264799865
 
 #### Second case: Access the token request by using a certificate
 
-```Text
+```HTTP
 POST /{tenant}/oauth2/v2.0/token HTTP/1.1               // Line breaks for clarity.
 Host: login.microsoftonline.com
 Content-Type: application/x-www-form-urlencoded
@@ -215,7 +215,7 @@ If you get an error message telling you that you used an invalid scope, you prob
 If you get an **Insufficient privileges to complete the operation** error when you call the API, the tenant administrator needs to grant permissions to the application. See step 6 of Register the client app above.
 You'll typically see an error that looks like this error:
 
-```JSon
+```json
 Failed to call the web API: Forbidden
 Content: {
   "error": {

articles/active-directory/develop/scenario-daemon-acquire-token.md

@@ -58,7 +58,7 @@ The configuration file defines:
 
 [appsettings.json](https://github.com/Azure-Samples/active-directory-dotnetcore-daemon-v2/blob/master/1-Call-MSGraph/daemon-console/appsettings.json) from the [.NET Core console daemon](https://github.com/Azure-Samples/active-directory-dotnetcore-daemon-v2) sample.
 
-```JSon
+```json
 {
   "Instance": "https://login.microsoftonline.com/{0}",
   "Tenant": "[Enter here the tenantID or domain name for your Azure AD tenant]",

articles/active-directory/develop/scenario-daemon-app-configuration.md

@@ -111,7 +111,7 @@ To learn more about how to configure an MSAL.NET desktop application:
 
 Imagine a .NET Core console application that has the following `appsettings.json` configuration file:
 
-```JSon
+```json
 {
   "Authentication": {
     "AzureCloudInstance": "AzurePublic",
@@ -213,7 +213,7 @@ Objective-C:
 ```objc
 NSError *msalError = nil;
 
-MSALPublicClientApplicationConfig *config = [[MSALPublicClientApplicationConfig alloc] initWithClientId:@"<your-client-id-here>"];    
+MSALPublicClientApplicationConfig *config = [[MSALPublicClientApplicationConfig alloc] initWithClientId:@"<your-client-id-here>"];
 MSALPublicClientApplication *application = [[MSALPublicClientApplication alloc] initWithConfiguration:config error:&msalError];
 ```
 

articles/active-directory/develop/scenario-desktop-app-configuration.md

@@ -265,7 +265,7 @@ When you use the protocol to get tokens for mobile apps, make two requests:
 
 #### Get an authorization code
 
-```Text
+```
 https://login.microsoftonline.com/{tenant}/oauth2/v2.0/authorize?
 client_id=<CLIENT_ID>
 &response_type=code
@@ -277,7 +277,7 @@ client_id=<CLIENT_ID>
 
 #### Get access and refresh the token
 
-```Text
+```HTTP
 POST /{tenant}/oauth2/v2.0/token HTTP/1.1
 Host: https://login.microsoftonline.com
 Content-Type: application/x-www-form-urlencoded

articles/active-directory/develop/scenario-mobile-acquire-token.md

@@ -105,7 +105,7 @@ To expose application permissions, you need to edit the manifest.
 
 The following sample shows the contents of `appRoles`, where the value of `id` can be any unique GUID.
 
-```JSon
+```json
 "appRoles": [
 	{
 	"allowedMemberTypes": [ "Application" ],

articles/active-directory/develop/scenario-protected-web-api-app-registration.md

@@ -23,7 +23,7 @@ Now that you have a token, you can call a protected web API.
 
 Here's simplified code for the action of the `HomeController`. This code gets a token to call Microsoft Graph. Code has been added to show how to call Microsoft Graph as a REST API. The URL for the Microsoft Graph API is provided in the appsettings.json file and is read in a variable named `webOptions`:
 
-```JSon
+```json
 {
   "AzureAd": {
     "Instance": "https://login.microsoftonline.com/",