Merge pull request #238044 from MicrosoftDocs/main

5/12 PM Publish

Author: huypub

.openpublishing.redirection.virtual-desktop.json

@@ -174,6 +174,16 @@
             "source_path_from_root": "/articles/virtual-desktop/environment-setup.md",
             "redirect_url": "/azure/virtual-desktop/terminology",
             "redirect_document_id": false
+        },
+        {
+            "source_path_from_root": "/articles/virtual-desktop/app-attach-image-prep.md",
+            "redirect_url": "/azure/virtual-desktop/msix-app-attach-create-msix-image",
+            "redirect_document_id": true
+        },
+        {
+            "source_path_from_root": "/articles/virtual-desktop/app-attach-msixmgr.md",
+            "redirect_url": "/azure/virtual-desktop/msix-app-attach-create-msix-image",
+            "redirect_document_id": false
         }
     ]
 }

articles/active-directory/app-provisioning/on-premises-web-services-connector.md

@@ -0,0 +1,52 @@
+---
+title: Azure AD provisioning to applications via web services connector
+description: This document describes how to configure Azure AD to provision users with external systems that offer web services based APIs.
+services: active-directory
+author: billmath
+manager: amycolannino
+ms.service: active-directory
+ms.subservice: app-provisioning
+ms.topic: how-to
+ms.workload: identity
+ms.date: 05/11/2023
+ms.author: billmath
+ms.reviewer: arvinh
+---
+
+
+# Provisioning with the web services connector
+The following documentation provides information about the generic web services connector. Microsoft Entra Identity Governance supports provisioning accounts into various applications such as SAP ECC, Oracle eBusiness Suite, and line of business applications that expose REST or SOAP APIs. Customers that have previously deployed MIM to connect to these applications can easily switch to using the lightweight Azure AD provisioning agent, while reusing the same web services connector built for MIM.  
+
+## Capabilities supported
+
+> [!div class="checklist"]
+> - Create users in your application.
+> - Remove users in your application when they don't need access anymore.
+> - Keep user attributes synchronized between Azure AD and your application.
+> - Discover the schema for your application.
+
+The web services connector implements the following functionalities:
+
+- SOAP Discovery: Allows the administrator to enter the WSDL path exposed by the target web service. Discovery will produce a tree structure of its hosted web services with their inner  endpoint(s)/operations along with the operation’s Meta data description. There's no limit to the number of discovery operations that can be done (step by step). The discovered operations  are used later to configure the flow of operations that implement the connector’s operations against the data-source (as Import/Export).
+
+- REST Discovery: Allows the administrator to enter Restful service details i.e. Service Endpoint, Resource Path, Method and Parameter details. A user can add an unlimited number of Restful services. The rest services information will be stored in the ```discovery.xml``` file of the ```wsconfig``` project. They'll be used later by the user to configure the Rest Web Service activity in the workflow.
+
+- Connector Space Schema configuration: Allows the administrator to configure the connector space schema. The schema configuration will include a listing of Object Types and attributes for a specific implementation. The administrator can specify the object types that will be supported by the Web Service MA. The administrator may also choose here the attributes that will be part of the Connector space Schema.
+
+- Operation Flow configuration: Workflow designer UI for configuring the implementation of FIM operations (Import/Export) per object type through exposed web service operations functions such as:
+
+    - Assignment of parameters from connector space to web service functions.
+    - Assignment of parameters from web service functions to the connector space.
+
+
+##  Documentation for popular applications
+Integrations with popular applications such as SAP ECC and Oracle eBusiness Suite can be found [here](https://www.microsoft.com/download/details.aspx?id=51495). You can also configure a template to connect to your own [rest or SOAP API](/microsoft-identity-manager/reference/microsoft-identity-manager-2016-ma-ws).
+
+
+For more information, see [the Overview of the generic Web Service connector](/microsoft-identity-manager/reference/microsoft-identity-manager-2016-ma-ws) in the MIM documentation library.
+
+## Next steps
+
+- [App provisioning](user-provisioning.md)
+- [ECMA Connector Host generic SQL connector](tutorial-ecma-sql-connector.md)
+- [ECMA Connector Host LDAP connector](on-premises-ldap-connector-configure.md)

articles/active-directory/app-provisioning/toc.yml

@@ -31,6 +31,8 @@ items:
         href: on-premises-ldap-connector-configure.md
       - name: Provisioning to PowerShell based apps
         href: on-premises-powershell-connector.md
+      - name: Provisioning with the web services connector
+        href: on-premises-web-services-connector.md
     - name: Customize attribute mappings
       href: customize-application-attributes.md
   - name: Concepts

articles/active-directory/develop/custom-extension-get-started.md

@@ -285,10 +285,6 @@ Next, you register the custom extension. You register the custom extension by as
             "@odata.type": "#microsoft.graph.azureAdTokenAuthentication",
             "resourceId": "{functionApp_IdentifierUri}"
         },
-        "clientConfiguration": {
-            "timeoutInMilliseconds": 2000,
-            "maximumRetries": 1
-        },
         "claimsForTokenConfiguration": [
             {
                 "claimIdInApiResponse": "DateOfBirth"

articles/active-directory/develop/howto-create-service-principal-portal.md

@@ -2,13 +2,13 @@
 title: Create an Azure AD app and service principal in the portal
 description: Create a new Azure Active Directory app and service principal to manage access to resources with role-based access control in Azure Resource Manager.
 services: active-directory
-author: rwike77
+author: cilwerner
 manager: CelesteDG
 
 ms.service: active-directory
 ms.subservice: develop
 ms.topic: how-to
-ms.date: 02/01/2023
+ms.date: 05/12/2023
 ms.author: cwerner
 ms.custom: aaddev, identityplatformtop40, subject-rbac-steps, devx-track-arm-template
 ---
@@ -81,11 +81,23 @@ When programmatically signing in, pass the tenant ID and the application ID in y
 
 ## Set up authentication
 
-There are two types of authentication available for service principals: password-based authentication (application secret) and certificate-based authentication. *We recommend using a certificate*, but you can also create an application secret.
+There are two types of authentication available for service principals: password-based authentication (application secret) and certificate-based authentication. *We recommend using a trusted certificate issued by a certificate authority*, but you can also create an application secret or create a self-signed certificate for testing.
 
-### Option 1 (recommended): Create and upload a self-signed certificate
+### Option 1 (recommended): Upload a trusted certificate issued by a certificate authority
 
-You can use an existing certificate if you've one.  Optionally, you can create a self-signed certificate for *testing purposes only*. To create a self-signed certificate, open Windows PowerShell and run [New-SelfSignedCertificate](/powershell/module/pki/new-selfsignedcertificate) with the following parameters to create the certificate in the user certificate store on your computer:
+To upload the certificate file:
+
+1. Search for and select **Azure Active Directory**.
+1. From **App registrations** in Azure AD, select your application.
+1. Select **Certificates & secrets**.
+1. Select **Certificates**, then select **Upload certificate** and then select the certificate file to upload.
+1. Select **Add**. Once the certificate is uploaded, the thumbprint, start date, and expiration values are displayed.
+
+After registering the certificate with your application in the application registration portal, enable the [confidential client application](authentication-flows-app-scenarios.md#single-page-public-client-and-confidential-client-applications) code to use the certificate.
+
+### Option 2: Testing only- create and upload a self-signed certificate
+
+Optionally, you can create a self-signed certificate for *testing purposes only*. To create a self-signed certificate, open Windows PowerShell and run [New-SelfSignedCertificate](/powershell/module/pki/new-selfsignedcertificate) with the following parameters to create the certificate in the user certificate store on your computer:
 
 ```powershell
 $cert=New-SelfSignedCertificate -Subject "CN=DaemonConsoleCert" -CertStoreLocation "Cert:\CurrentUser\My"  -KeyExportPolicy Exportable -KeySpec Signature
@@ -106,9 +118,9 @@ To upload the certificate:
 1. Select **Certificates**, then select **Upload certificate** and then select the certificate (an existing certificate or the self-signed certificate you exported).
 1. Select **Add**.
 
-After registering the certificate with your application in the application registration portal, enable the client application code to use the certificate.
+After registering the certificate with your application in the application registration portal, enable the [confidential client application](authentication-flows-app-scenarios.md#single-page-public-client-and-confidential-client-applications) code to use the certificate.
 
-### Option 2: Create a new application secret
+### Option 3: Create a new application secret
 
 If you choose not to use a certificate, you can create a new application secret.
 

articles/active-directory/governance/customize-workflow-email.md

@@ -55,7 +55,7 @@ When customizing an email sent via Lifecycle workflows, you can choose to custom
 
 1. Select the **Email Customization** tab.
 
-1. On the email customization screen, enter a custom subject, message body, and the email language translation option that will be used to translate the message body of the email.
+1. On the email customization screen, enter a custom subject, message body, and the email language translation option that will be used to translate the message body of the email. The custom subject and message body will not be translated.
     :::image type="content" source="media/customize-workflow-email/customize-workflow-email-example.png" alt-text="Screenshot of an example of a customized email from a workflow.":::
 1. After making changes, select **save** to capture changes to the customized email.
 

articles/active-directory/manage-apps/cloudflare-azure-ad-integration.md

@@ -152,4 +152,5 @@ See the [team domain](https://developers.cloudflare.com/cloudflare-one/glossary#
 ## Next steps
 
 - Go to developer.cloudflare.com for [Integrate SSO](https://developers.cloudflare.com/cloudflare-one/identity/idp-integration/)
+- [Tutorial: Configure Conditional Access policies for Cloudflare Access](cloudflare-conditional-access-policies.md)
 - [Tutorial: Configure Cloudflare Web Application Firewall with Azure AD B2C](../../active-directory-b2c/partner-cloudflare.md)

articles/active-directory/manage-apps/cloudflare-conditional-access-policies.md

@@ -0,0 +1,90 @@
+---
+title: Tutorial to configure Conditional Access policies in Cloudflare Access
+description: Configure Conditional Access to enforce application and user policies in Cloudflare Access
+services: active-directory
+author: gargi-sinha
+manager: martinco
+ms.service: active-directory
+ms.subservice: app-mgmt
+ms.topic: how-to
+ms.workload: identity
+ms.date: 05/11/2023
+ms.author: gasinh
+ms.collection: M365-identity-device-management
+ms.custom: not-enterprise-apps
+---
+
+# Tutorial: Configure Conditional Access policies in Cloudflare Access
+
+With Conditional Access, administrators enforce policies on application and user policies in Azure Active Directory (Azure AD). Conditional Access brings together identity-driven signals, to make decisions, and enforce organizational policies. Cloudflare Access creates access to self-hosted, software as a service (SaaS), or nonweb applications.
+
+Learn more: [What is Conditional Access?](../conditional-access/overview.md)
+
+## Prerequisites
+
+* An Azure AD subscription
+  * If you don't have one, get an [Azure free account](https://azure.microsoft.com/free/)
+* An Azure AD tenant linked to the Azure AD subscription
+  * See, [Quickstart: Create a new tenant in Azure AD](../fundamentals/active-directory-access-create-new-tenant.md)
+* Global Administrator permissions
+* Configured users in the Azure AD subscription  
+* A Cloudflare account
+  * Go to dash.cloudflare.com to [Get started with Cloudflare](https://dash.cloudflare.com/sign-up?https%3A%2F%2Fone.dash.cloudflare.com%2F)
+
+## Scenario architecture
+
+* **Azure AD** - Identity Provider (IdP) that verifies user credentials and Conditional Access
+* **Application** - You created for IdP integration
+* **Cloudflare Access** - Provides access to applications
+
+## Set up an identity provider
+
+Go to developers.cloudflare.com to [set up Azure AD as an IdP](https://developers.cloudflare.com/cloudflare-one/identity/idp-integration/azuread/#set-up-azure-ad-as-an-identity-provider).
+
+   > [!NOTE]
+   > It's recommended you name the IdP integration in relation to the target application. For example, **Azure AD - Customer management portal**.
+
+## Configure Conditional Access
+
+1. Go to the [Azure portal](https://portal.azure.com/).
+2. Select **Azure Active Directory**.
+3. Under **Manage**, select **App registrations**.
+4. Select the application you created.
+5. Go to **Branding & properties**.
+6. For **Home page URL**, enter the application hostname.
+
+   ![Screenshot of options and entries for branding and properties.](./media/cloudflare-conditional-access-policies/branding-properties.png)
+
+7. Under **Manage**, select **Enterprise applications**.
+8. Select your application.
+9. Select **Properties**.
+10. For **Visible to users**, select **Yes**. This action enables the app to appear in App Launcher and in [My Apps](https://myapplications.microsoft.com/).
+11. Under **Security**, select **Conditional Access**.
+12. See, [Building a Conditional Access policy](../conditional-access/concept-conditional-access-policies.md).
+13. Create and enable other policies for the application.
+
+## Create a Cloudflare Access application
+
+Enforce Conditional Access policies on a Cloudflare Access application.
+
+1. Go to dash.cloudflare.com to [sign in to Cloudflare](https://dash.cloudflare.com/login).
+2. In **Zero Trust**, go to **Access**.
+3. Select **Applications**.
+4. See, [Add a self-hosted application](https://developers.cloudflare.com/cloudflare-one/applications/configure-apps/self-hosted-apps/).
+5. In **Application domain**, enter the protected application target URL.
+6. For **Identity providers**, select the IdP integration.
+
+   ![Screenshot of the IdP integration selection on Identity providers.](./media/cloudflare-conditional-access-policies/identity-providers.png)
+
+7. Create an Access policy. See, [Access policies](https://developers.cloudflare.com/cloudflare-one/policies/access/) and the following example. 
+
+   ![Screenshot of an example policy.](./media/cloudflare-conditional-access-policies/access-policy-example.png)
+
+   > [!NOTE]
+   > Reuse the IdP integration for other applications if they require the same Conditional Access policies. For example, a baseline IdP integration with a Conditional Access policy requiring multifactor authentication and a modern authentication client. If an application requires specific Conditional Access policies, set up a dedicated IdP instance for that application.
+
+## Next steps
+
+* [What is Conditional Access?](../conditional-access/overview.md)
+* [Secure Hybrid Access with Azure AD partner integrations](secure-hybrid-access-integrations.md)
+* [Tutorial: Configure Cloudflare with Azure AD for secure hybrid access](cloudflare-azure-ad-integration.md)