Merge pull request #180238 from ArvindHarinder1/patch-224

Update on-premises-scim-provisioning.md

Author: johne2021

articles/active-directory/app-provisioning/on-premises-application-provisioning-architecture.md

@@ -7,17 +7,14 @@ manager: karenh444
 ms.service: active-directory
 ms.workload: identity
 ms.topic: overview
-ms.date: 05/28/2021
+ms.date: 11/18/2021
 ms.subservice: hybrid
 ms.author: billmath
 ms.collection: M365-identity-device-management
 ---
 
 # Azure AD on-premises application provisioning architecture
 
->[!IMPORTANT]
-> The on-premises provisioning preview is currently in an invitation-only preview. To request access to the capability, use the [access request form](https://aka.ms/onpremprovisioningpublicpreviewaccess). We'll open the preview to more customers and connectors over the next few months as we prepare for general availability (GA).
-
 ## Overview
 
 The following diagram shows an overview of how on-premises application provisioning works.
@@ -91,8 +88,8 @@ You can define one or more matching attribute(s) and prioritize them based on th
 
 
 ## Agent best practices
-- Ensure the auto Azure AD Connect Provisioning Agent Auto Update service is running. It's enabled by default when you install the agent. Auto-update is required for Microsoft to support your deployment.
-- Avoid all forms of inline inspection on outbound TLS communications between agents and Azure. This type of inline inspection causes degradation to the communication flow.
+- Using the same agent for the on-prem provisioning feature along with Workday / SuccessFactors / Azure AD Connect Cloud Sync is currently unsupported. We are actively working to support on-prem provisioning on the same agent as the other provisioning scenarios.
+- - Avoid all forms of inline inspection on outbound TLS communications between agents and Azure. This type of inline inspection causes degradation to the communication flow.
 - The agent must communicate with both Azure and your application, so the placement of the agent affects the latency of those two connections. You can minimize the latency of the end-to-end traffic by optimizing each network connection. Each connection can be optimized by:
   - Reducing the distance between the two ends of the hop.
   - Choosing the right network to traverse. For example, traversing a private network rather than the public internet might be faster because of dedicated links.
@@ -112,10 +109,6 @@ For the latest GA version of the provisioning agent, see [Azure AD connect provi
  2. Go to **Control Panel** > **Uninstall or Change a Program**.
  3. Look for the version that corresponds to the entry for **Microsoft Azure AD Connect Provisioning Agent**.
 
-### Does Microsoft automatically push provisioning agent updates?
-
-Yes. Microsoft automatically updates the provisioning agent if the Windows service Microsoft Azure AD Connect Agent Updater is up and running. Ensuring that your agent is up to date is required for support to troubleshoot issues.
-
 ### Can I install the provisioning agent on the same server running Azure AD Connect or Microsoft Identity Manager?
 
 Yes. You can install the provisioning agent on the same server that runs Azure AD Connect or Microsoft Identity Manager, but they aren't required.

articles/active-directory/app-provisioning/on-premises-ecma-troubleshoot.md

@@ -7,17 +7,14 @@ manager: karenh444
 ms.service: active-directory
 ms.workload: identity
 ms.topic: overview
-ms.date: 10/21/2021
+ms.date: 11/19/2021
 ms.subservice: hybrid
 ms.author: billmath
 ms.collection: M365-identity-device-management
 ---
 
 # Troubleshoot on-premises application provisioning
 
->[!IMPORTANT]
-> The on-premises provisioning preview is currently in an invitation-only preview. To request access to the capability, use the [access request form](https://aka.ms/onpremprovisioningpublicpreviewaccess). We'll open the preview to more customers and connectors over the next few months as we prepare for general availability.
-
 ## Troubleshoot test connection issues
 After you configure the provisioning agent and ECMA host, it's time to test connectivity from the Azure Active Directory (Azure AD) provisioning service to the provisioning agent, the ECMA host, and the application. To perform this end-to-end test, select **Test connection** in the application in the Azure portal. When the test connection fails, try the following troubleshooting steps:
 

articles/active-directory/app-provisioning/on-premises-migrate-microsoft-identity-manager.md

@@ -7,7 +7,7 @@ manager: karenh444
 ms.service: active-directory
 ms.workload: identity
 ms.topic: how-to
-ms.date: 11/11/2021
+ms.date: 11/17/2021
 ms.subservice: hybrid
 ms.author: billmath
 ms.collection: M365-identity-device-management
@@ -16,9 +16,6 @@ ms.collection: M365-identity-device-management
 
 # Export a Microsoft Identity Manager connector for use with the Azure AD ECMA Connector Host
 
->[!IMPORTANT]
-> The on-premises provisioning preview is currently in an invitation-only preview. To request access to the capability, use the [access request form](https://aka.ms/onpremprovisioningpublicpreviewaccess). We'll open the preview to more customers and connectors over the next few months as we prepare for general availability.
-
 You can import into the Azure Active Directory (Azure AD) ECMA Connector Host a configuration for a specific connector from a Forefront Identity Manager Synchronization Service or Microsoft Identity Manager Synchronization Service (MIM Sync) installation. The MIM Sync installation is only used for configuration, not for the ongoing synchronization from Azure AD.
 
 >[!IMPORTANT]

articles/active-directory/app-provisioning/on-premises-scim-provisioning.md

@@ -8,16 +8,13 @@ ms.service: active-directory
 ms.subservice: app-provisioning
 ms.topic: conceptual
 ms.workload: identity
-ms.date: 10/16/2021
+ms.date: 11/17/2021
 ms.author: billmath
 ms.reviewer: arvinh
 ---
 
 # Azure AD on-premises application provisioning to SCIM-enabled apps
 
->[!IMPORTANT]
-> The on-premises provisioning preview is currently in an invitation-only preview. To request access to the capability, use the [access request form](https://aka.ms/onpremprovisioningpublicpreviewaccess). We'll open the preview to more customers and connectors over the next few months as we prepare for general availability.
-
 The Azure Active Directory (Azure AD) provisioning service supports a [SCIM 2.0](https://techcommunity.microsoft.com/t5/identity-standards-blog/provisioning-with-scim-getting-started/ba-p/880010) client that can be used to automatically provision users into cloud or on-premises applications. This article outlines how you can use the Azure AD provisioning service to provision users into an on-premises application that's SCIM enabled. If you want to provision users into non-SCIM on-premises applications that use SQL as a data store, see the [Azure AD ECMA Connector Host Generic SQL Connector tutorial](tutorial-ecma-sql-connector.md). If you want to provision users into cloud apps such as DropBox and Atlassian, review the app-specific [tutorials](../../active-directory/saas-apps/tutorial-list.md).
 
 ![Diagram that shows SCIM architecture.](./media/on-premises-scim-provisioning/scim-4.png)
@@ -30,21 +27,19 @@ The Azure Active Directory (Azure AD) provisioning service supports a [SCIM 2.0]
 ## On-premises app provisioning to SCIM-enabled apps
 To provision users to SCIM-enabled apps:
 
- 1. Add the **On-premises SCIM app** from the [gallery](../../active-directory/manage-apps/add-application-portal.md).
- 1. Go to your app and select **Provisioning** > **Download the provisioning agent**.
- 1. Select **On-Premises Connectivity**, and download the provisioning agent.
+ 1. [Download](https://aka.ms/OnPremProvisioningAgent) the provisioning agent and copy it onto the virtual machine or server that your SCIM endpoint is hosted on.
  1. Copy the agent onto the virtual machine or server that your SCIM endpoint is hosted on.
  1. Open the provisioning agent installer, agree to the terms of service, and select **Install**.
  1. Open the provisioning agent wizard, and select **On-premises provisioning** when prompted for the extension you want to enable.
  1. Provide credentials for an Azure AD administrator when you're prompted to authorize. Hybrid administrator or global administrator is required.
  1. Select **Confirm** to confirm the installation was successful.
- 1. Go back to your application, and select **On-Premises Connectivity**.
+ 1. Navigate to the Azure Portal and add the **On-premises SCIM app** from the [gallery](../../active-directory/manage-apps/add-application-portal.md).
+ 1. Select **On-Premises Connectivity**, and download the provisioning agent. 1. Go back to your application, and select **On-Premises Connectivity**.
  1. Select the agent that you installed from the dropdown list, and select **Assign Agent(s)**.
- 1. Wait 10 minutes or restart the Azure AD Connect Provisioning agent service on your server or VM.
- 1. Provide the URL for your SCIM endpoint in the **Tenant URL** box. An example is https://localhost:8585/scim.
- 
+ 1. Wait 20 minutes prior to completing the next step, to provide time for the agent assignment to complete.
+ 1. Provide the URL for your SCIM endpoint in the **Tenant URL** box. An example is https://localhost:8585/scim. 
      ![Screenshot that shows assigning an agent.](./media/on-premises-scim-provisioning/scim-2.png)
- 1. Select **Test Connection**, and save the credentials.
+ 1. Select **Test Connection**, and save the credentials. Use the steps [here](https://docs.microsoft.com/azure/active-directory/app-provisioning/on-premises-ecma-troubleshoot#troubleshoot-test-connection-issues) if you run into connectivity issues. 
  1. Configure any [attribute mappings](customize-application-attributes.md) or [scoping](define-conditional-rules-for-provisioning-user-accounts.md) rules required for your application.
  1. Add users to scope by [assigning users and groups](../../active-directory/manage-apps/add-application-portal-assign-users.md) to the application.
  1. Test provisioning a few users [on demand](provision-on-demand.md).

includes/active-directory-app-provisioning-ldap.md

@@ -4,10 +4,6 @@ For important details on what this service does, how it works, and frequently as
 
 ## Prerequisites for provisioning users into an LDAP directory
 
->[!IMPORTANT]
-> The on-premises provisioning preview is currently in an invitation-only preview. To request access to the capability, use the [access request form](https://aka.ms/onpremprovisioningpublicpreviewaccess). We'll open the preview to more customers and connectors over the next few months as we prepare for general availability. Provisioning users into Active Directory Domain Services is not supported through this preview. 
-
-
 ### On-premises prerequisites
 
  - A target system, such as Active Directory Lightweight Services (AD LDS), in which users can be created, updated, and deleted. This AD LDS instance should not be used to provision users into Azure AD because it may create a loop with Azure AD Connect. 
@@ -122,35 +118,21 @@ Now that we have configured the certificate and granted the network service acco
 
 ## Download, install, and configure the Azure AD Connect Provisioning Agent Package
 
- 1. Sign in to the Azure portal.
- 2. Go to **Enterprise applications** > **Add a new application**.
- 3. Search for the **On-premises ECMA app** application, and add it to your tenant.
- 4. Select the **on-premises ECMA app** that was added.
- 5. Under **Getting Started**, on the **3. Provision user accounts** box, select **Get started**.
- 6. At the top, from the drop-down, change provisioning to **automatic**.  This action will bring up **on-premises connectivity** below.
- 7. Under **On-Premises Connectivity**, download the agent installer.
- 8. Run the Azure AD Connect provisioning installer **AADConnectProvisioningAgentSetup.msi**.
- 9. On the **Microsoft Azure AD Connect Provisioning Agent Package** screen, accept the licensing terms, and select **Install**.
-     [![Microsoft Azure AD Connect Provisioning Agent Package screen.](media/active-directory-app-provisioning-sql/install-1.png)](media/active-directory-app-provisioning-sql/install-1.png#lightbox)</br>
- 10. After this operation finishes, the configuration wizard starts. Select **Next**.
-     [![Screenshot that shows the Welcome screen.](media/active-directory-app-provisioning-sql/install-2.png)](media/active-directory-app-provisioning-sql/install-2.png#lightbox)</br>
- 11. On the **Select Extension** screen, select **On-premises application provisioning (Azure AD to application)**. Select **Next**.
-     [![Screenshot that shows Select extension.](media/active-directory-app-provisioning-sql/install-3.png)](media/active-directory-app-provisioning-sql/install-3.png#lightbox)</br>
- 12. Use your global administrator account to sign in to Azure AD.
-     [![Screenshot that shows Azure sign-in.](media/active-directory-app-provisioning-sql/install-4.png)](media/active-directory-app-provisioning-sql/install-4.png#lightbox)</br>
- 13. On the **Agent configuration** screen, select **Confirm**.
-     [![Screenshot that shows Confirm installation.](media/active-directory-app-provisioning-sql/install-5.png)](media/active-directory-app-provisioning-sql/install-5.png#lightbox)</br>
- 14. After the installation is complete, you should see a message at the bottom of the wizard. Select **Exit**.
-     [![Screenshot that shows finishing.](media/active-directory-app-provisioning-sql/install-6.png)](media/active-directory-app-provisioning-sql/install-6.png#lightbox)</br>
- 15. Go to back to the Azure portal under the **On-premises ECMA app** application, and back to **Edit Provisioning**.
- 16. On the **Provisioning** page, change the mode to **Automatic**.
-     [![Screenshot that shows changing the mode to Automatic.](.\media\active-directory-app-provisioning-sql\configure-7.png)](.\media\active-directory-app-provisioning-sql\configure-7.png#lightbox)</br>
- 17. On the **On-Premises Connectivity** section, select the agent that you just deployed and select **Assign Agent(s)**.
-     [![Screenshot that shows restarting an agent.](.\media\active-directory-app-provisioning-ldap\assign-1.png)](.\media\active-directory-app-provisioning-ldap\assign-1.png#lightbox)</br>
+1. [Download](https://aka.ms/OnPremProvisioningAgent) the provisioning agent and copy it onto the virtual machine or server that has connectivity to your SQL server.
      >[!NOTE]
-     >After you add the agent, wait 10 minutes for the registration to complete. The connectivity test won't work until the registration completes.
-     >
-     >Alternatively, you can force the agent registration to complete by restarting the provisioning agent on your server. Go to your server, search for **services** in the Windows search bar, identify the **Azure AD Connect Provisioning Agent Service**, right-click the service, and restart.
+     >Please use different provisioning agents for on-premises application provisioning and Azure AD Connect Cloud Sync / HR-driven provisioning. All three scenarios should not be managed on the same agent. 
+ 1. Open the provisioning agent installer, agree to the terms of service, and select **next**.
+ 1. Open the provisioning agent wizard, and select **On-premises provisioning** when prompted for the extension you want to enable.
+ 1. Provide credentials for an Azure AD administrator when you're prompted to authorize. Hybrid administrator or global administrator is required.
+ 1. Select **Confirm** to confirm the installation was successful.
+ 1. Sign in to the Azure portal.
+ 1. Go to **Enterprise applications** > **Add a new application**.
+ 1. Search for the **On-premises ECMA app** application, and add it to your tenant.
+ 1. Navigate to the provisioning page of your application.
+ 1. Select **Get started**.
+ 1. On the **Provisioning** page, change the mode to **Automatic**.
+     ![Screenshot that shows changing the mode to Automatic.](.\media\active-directory-app-provisioning-sql\configure-7.png)</br>
+ 1. On the **On-Premises Connectivity** section, select the agent that you just deployed and select **Assign Agent(s)**.
 
  ## Configure the Azure AD ECMA Connector Host certificate
  1. On the desktop, select the ECMA shortcut.
@@ -236,9 +218,11 @@ Now that we have configured the certificate and granted the network service acco
     |Property|Value|
     |-----|-----|
     |Tenant URL|https://localhost:8585/ecma2host_connectorName/scim|
- 
+
  5. Enter the **Secret Token** value that you defined when you created the connector.
- 6. Select **Test Connection**, and wait one minute.
+     >[!NOTE]
+     >If you just assigned the agent to the application, please wait 10 minutes for the registration to complete. The connectivity test won't work until the registration completes. Forcing the agent registration to complete by restarting the provisioning agent on your server can speed up the registration process. Go to your server, search for **services** in the Windows search bar, identify the **Azure AD Connect Provisioning Agent Service**, right-click the service, and restart.
+ 7. Select **Test Connection**, and wait one minute.
      [![Screenshot that shows assigning an agent.](.\media\active-directory-app-provisioning-ldap\test-1.png)](.\media\active-directory-app-provisioning-ldap\test-1.png#lightbox)
  7. After the connection test is successful, select **Save**.</br>
      [![Screenshot that shows testing an agent.](.\media\active-directory-app-provisioning-sql\configure-9.png)](.\media\active-directory-app-provisioning-sql\configure-9.png#lightbox)