Merge pull request #193635 from MicrosoftDocs/main

3/31 PM Publish

Author: huypub

articles/active-directory/external-identities/b2b-direct-connect-overview.md

@@ -14,7 +14,7 @@ manager: celestedg
 ms.collection: M365-identity-device-management
 ---
 
-# B2B direct connect overview
+# B2B direct connect overview (Preview)
 
 Azure Active Directory (Azure AD) B2B direct connect is a feature of External Identities that lets you set up a mutual trust relationship with another Azure AD organization for seamless collaboration. With B2B direct connect, users from both organizations can work together using their home credentials and B2B direct connect-enabled apps, without having to be added to each other’s organizations as guests. Use B2B direct connect to share resources with external Azure AD organizations. Or use it to share resources across multiple Azure AD tenants within your own organization.
 

articles/active-directory/external-identities/cross-tenant-access-settings-b2b-direct-connect.md

@@ -14,7 +14,7 @@ ms.custom: "it-pro"
 ms.collection: M365-identity-device-management
 ---
 
-# Configure cross-tenant access settings for B2B direct connect
+# Configure cross-tenant access settings for B2B direct connect (Preview)
 
 > [!NOTE]
 > Cross-tenant access settings are preview features of Azure Active Directory. For more information about previews, see [Supplemental Terms of Use for Microsoft Azure Previews](https://azure.microsoft.com/support/legal/preview-supplemental-terms/).

articles/active-directory/external-identities/external-identities-pricing.md

@@ -6,7 +6,7 @@ services: active-directory
 ms.service: active-directory
 ms.subservice: B2B
 ms.topic: conceptual
-ms.date: 07/13/2021
+ms.date: 03/29/2022
 
 ms.author: mimart
 author: msmimart
@@ -36,17 +36,17 @@ To take advantage of MAU billing, your Azure AD tenant must be linked to an Azur
 
 In your Azure AD tenant, guest user collaboration usage is billed based on the count of unique guest users with authentication activity within a calendar month. This model replaces the 1:5 ratio billing model, which allowed up to five guest users for each Azure AD Premium license in your tenant. When your tenant is linked to a subscription and you use External Identities features to collaborate with guest users, you'll be automatically billed using the MAU-based billing model.
 
+Your first 50,000 MAUs per month are free for both Premium P1 and Premium P2 features. To determine the total number of MAUs, we combine MAUs from all your tenants (both Azure AD and Azure AD B2C) that are linked to the same subscription.
+
 The pricing tier that applies to your guest users is based on the highest pricing tier assigned to your Azure AD tenant. For more information, see [Azure Active Directory External Identities Pricing](https://azure.microsoft.com/pricing/details/active-directory/external-identities/).
 
 ## Link your Azure AD tenant to a subscription
 
-An Azure AD tenant must be linked to an Azure subscription for proper billing and access to features. If the directory doesn't already have a subscription you can link to, you'll have the opportunity to add one during this process.
+An Azure AD tenant must be linked to a resource group within an Azure subscription for proper billing and access to features.
 
 1. Sign in to the [Azure portal](https://portal.azure.com/) with an Azure account that's been assigned at least the [Contributor](../../role-based-access-control/built-in-roles.md) role within the subscription or a resource group within the subscription.
 
-2. Select the directory you want to link: In the Azure portal toolbar, select the **Directory + Subscription** icon, and then select the directory.
-
-    ![Select the Directory + Subscription icon](media/external-identities-pricing/portal-mau-pick-directory.png)
+2. Select the directory you want to link: In the Azure portal toolbar, select the **Directories + subscriptions** icon in the portal toolbar. Then on the **Portal settings | Directories + subscriptions** page, find your directory in the **Directory name** list, and then select **Switch**.
 
 3. Under **Azure Services**, select **Azure Active Directory**.
 
@@ -58,17 +58,23 @@ An Azure AD tenant must be linked to an Azure subscription for proper billing an
 
     ![Select the tenant and link a subscription](media/external-identities-pricing/linked-subscriptions.png)
 
-7. In the Link a subscription pane, select a **Subscription** and a **Resource group**. Then select **Apply**.
-
-   > [!NOTE]
-   >
-   > * Your first 50,000 MAUs per month are free for both Premium P1 and Premium P2 features. To determine the total number of MAUs, we combine MAUs from all your tenants (both Azure AD and Azure AD B2C) that are linked to the same subscription.
-    >* If there are no subscriptions listed, you can [associate a subscription to your tenant](../fundamentals/active-directory-how-subscriptions-associated-directory.md). Or, you can add a new subscription by selecting the link **if you don't already have a subscription you may create one here**.
+7. In the **Link a subscription** pane, select a **Subscription** and a **Resource group**. Then select **Apply**. (If there are no subscriptions listed, see [What if I can't find a subscription?](#what-if-i-cant-find-a-subscription).)
 
     ![Select a subscription and resource group](media/external-identities-pricing/link-subscription-resource.png)
 
 After you complete these steps, your Azure subscription is billed based on your Azure Direct or Enterprise Agreement details, if applicable.
 
+## What if I can't find a subscription?
+
+If no subscriptions are available in the **Link a subscription** pane, here are some possible reasons:
+
+- You don't have the appropriate permissions. Be sure to sign in with an Azure account that's been assigned at least the [Contributor](../../role-based-access-control/built-in-roles.md) role within the subscription or a resource group within the subscription.
+
+- A subscription exists, but it hasn't been associated with your directory yet. You can [associate an existing subscription to your tenant](../fundamentals/active-directory-how-subscriptions-associated-directory.md) and then repeat the steps for [linking it to your tenant](#link-your-azure-ad-tenant-to-a-subscription).
+
+- No subscription exists. In the **Link a subscription** pane, you can create a subscription by selecting the link **if you don't already have a subscription you may create one here**. After you create a new subscription, you'll need to [create a resource group](../../azure-resource-manager/management/manage-resource-groups-portal.md) in the new subscription, and then repeat the steps for [linking it to your tenant](#link-your-azure-ad-tenant-to-a-subscription).
+
 ## Next steps
 
-For the latest pricing information, see [Azure Active Directory pricing](https://www.microsoft.com/security/business/identity-access-management/azure-ad-pricing).
+For the latest pricing information, see [Azure Active Directory pricing](https://www.microsoft.com/security/business/identity-access-management/azure-ad-pricing).
+Learn more about [managing Azure resources](../../azure-resource-manager/management/overview.md).

articles/active-directory/external-identities/index.yml

@@ -24,7 +24,7 @@ landingContent:
             url: external-identities-overview.md
           - text: What is Azure AD B2B collaboration?
             url: what-is-b2b.md
-          - text: What is Azure AD B2B direct connect?
+          - text: What is Azure AD B2B direct connect? (preview)
             url: b2b-direct-connect-overview.md
           - text: What is Azure AD B2C (business-to-consumer) identity?
             url: ../../active-directory-b2c/overview.md

articles/active-directory/external-identities/toc.yml

@@ -34,7 +34,7 @@
     href: external-identities-pricing.md
   - name: Best practices
     href: b2b-fundamentals.md
-  - name: Cross-tenant access overview
+  - name: Cross-tenant access overview (Preview)
     href: cross-tenant-access-overview.md
   - name: B2B collaboration
     expanded: false
@@ -53,7 +53,7 @@
       href: user-token.md
     - name: B2B collaboration for hybrid organizations
       href: hybrid-organizations.md
-  - name: B2B direct connect
+  - name: B2B direct connect (Preview)
     href: b2b-direct-connect-overview.md
   - name: Self-service sign-up
     expanded: false

articles/active-directory/external-identities/troubleshoot.md

@@ -5,7 +5,7 @@ services: active-directory
 ms.service: active-directory
 ms.subservice: B2B
 ms.topic: troubleshooting
-ms.date: 03/21/2022
+ms.date: 03/31/2022
 tags: active-directory
 ms.author: mimart
 author: msmimart
@@ -24,6 +24,10 @@ Here are some remedies for common problems with Azure Active Directory (Azure AD
    > - **Starting July 2022**, we'll begin rolling out a change to turn on the email one-time passcode feature for all existing tenants and enable it by default for new tenants. As part of this change, Microsoft will stop creating new, unmanaged ("viral") Azure AD accounts and tenants during B2B collaboration invitation redemption. We're enabling the email one-time passcode feature because it provides a seamless fallback authentication method for your guest users. However, if you don't want to allow this feature to turn on automatically, you can [disable it](one-time-passcode.md#disable-email-one-time-passcode).
 
 
+## Guest sign-in fails with error code AADSTS50020
+
+When a guest user from an identity provider (IdP) can't sign in to a resource tenant in Azure AD and receives an error code AADSTS50020, there are several possible causes. See the troubleshooting article for error [AADSTS50020](/troubleshoot/azure/active-directory/error-code-aadsts50020-user-account-identity-provider-does-not-exist).
+
 ## B2B direct connect user is unable to access a shared channel (error AADSTS90071)
 
 When a B2B direct connect sees the following error message when trying to access another organization's Teams shared channel, multi-factor authentication trust settings haven't been configured by the external organization:

articles/active-directory/manage-apps/admin-consent-workflow-overview.md

@@ -0,0 +1,82 @@
+---
+title: Overview of admin consent workflow
+titleSuffix: Azure AD
+description: Learn about the admin consent workflow in Azure Active Directory 
+services: active-directory
+author: eringreenlee
+manager: CelesteDG
+ms.service: active-directory
+ms.subservice: app-mgmt
+ms.workload: identity
+ms.topic: how-to
+ms.date: 03/30/2022
+ms.author: ergreenl
+ms.reviewer: davidmu
+ms.collection: M365-identity-device-management
+
+#customer intent: As an admin, I want to learn about the admin consent workflow and how it affects end-user and admin consent experience
+---
+
+# Overview of admin consent workflow
+
+There may be situations where your end-users need to consent to permissions for applications that they're creating or using with their work accounts. However, non-admin users aren't allowed to consent to permissions that require admin consent. Also, users can’t consent to applications when [user consent](configure-user-consent.md) is disabled in the user’s tenant.
+ 
+In such situations where user consent is disabled, an admin can grant users the ability to make requests for gaining access to applications by enabling the admin consent workflow. In this article, you’ll learn about the user and admin experience when the admin consent workflow is disabled vs when it's enabled.
+
+When attempting to sign in,  users may see a consent prompt like the one in the following screenshot: 
+
+:::image type="content" source="media/configure-admin-consent-workflow/admin-consent-workflow-off.png" alt-text="Screenshot of consent prompt when workflow is disabled.":::
+
+If the user doesn’t know who to contact to grant them access, they may be unable to use the application. This situation also requires administrators to create a separate workflow to track requests for applications if they're open to receiving them.
+As an admin, the following options exist for you to determine how users consent to applications:
+- Disable user consent. For example, a high school may want to turn off user consent so that the school IT administration has full control over all the applications that are used in their tenant. 
+- Allow users to consent to the required permissions. It's NOT recommended to keep user consent open if you have sensitive data in your tenant. 
+- If you still want to retain admin-only consent for certain permissions but want to assist your end-users in onboarding their application, you can use the admin consent workflow to evaluate and respond to admin consent requests. This way, you can have a queue of all the requests for admin consent for your tenant and can track and respond to them directly through the Azure portal. 
+To learn how to configure the admin consent workflow, see [configure-admin-consent-workflow.md](configure-admin-consent-workflow.md).
+
+## How the admin consent workflow works
+
+When you configure the admin consent workflow, your end users can request for consent directly through the prompt. The users may see a consent prompt like the one in the following screenshot:
+
+:::image type="content" source="media/configure-admin-consent-workflow/consent prompt-workflow-on.png" alt-text="Screenshot of consent prompt when workflow is enabled.":::
+
+When an administrator responds to a request, the user receives an email alert informing them that the request has been processed.
+
+When the user submits a consent request, the request shows up in the admin consent request page in the Azure portal. Administrators and designated reviewers sign in to [view and act on the new requests](review-admin-consent-requests.md). Reviewers only see consent requests that were created after they were designated as reviewers. Requests show up in the following two tabs in the admin consent requests blade.
+- My pending: This shows any active requests that have the signed-in user designated as a reviewer. Although reviewers can block or deny requests, only people with the correct RBAC permissions to consent to the requested permissions can do so. 
+- All(Preview): All requests, active or expired, that exist in the tenant.
+Each request includes information about the application and the user(s) requesting the application. 
+
+## Email notifications
+
+If configured, all reviewers will receive email notifications when:
+
+- A new request has been created
+- A request has expired
+- A request is nearing the expiration date.
+
+Requestors will receive email notifications when:
+
+- They submit a new request for access
+- Their request has expired
+- Their request has been denied or blocked
+- Their request has been approved
+
+## Audit logs
+
+The table below outlines the scenarios and audit values available for the admin consent workflow.
+
+|Scenario  |Audit Service  |Audit Category  |Audit Activity  |Audit Actor  |Audit log limitations  |
+|---------|---------|---------|---------|---------|---------|
+|Admin enabling the consent request workflow        |Access Reviews           |UserManagement           |Create governance policy template          |App context            |Currently you can’t find the user context            |
+|Admin disabling the  consent request workflow       |Access Reviews           |UserManagement           |Delete governance policy template          |App context            |Currently you can’t find the user context           |
+|Admin updating the consent workflow configurations        |Access Reviews           |UserManagement           |Update governance policy template          |App context            |Currently you can’t find the user context           |
+|End user creating an admin consent request for an app       |Access Reviews           |Policy         |Create request           |App context            |Currently you can’t find the user context           |
+|Reviewers approving an admin consent request       |Access Reviews           |UserManagement           |Approve all requests in business flow          |App context            |Currently you can’t find the user context or the app ID that was granted admin consent.           |
+|Reviewers denying an admin consent request       |Access Reviews           |UserManagement           |Approve all requests in business flow          |App context            | Currently you can’t find the user context of the actor that denied an admin consent request          |
+
+## Next steps
+
+- [Enable the admin consent request workflow](configure-admin-consent-workflow.md)
+- [Review admin consent request](review-admin-consent-requests.md)
+- [Manage consent requests](manage-consent-requests.md)