Merge pull request #218062 from billmath/onpremGA

staging

Author: JamesJBarnett

articles/active-directory/app-provisioning/on-premises-application-provisioning-architecture.md

@@ -13,7 +13,7 @@ ms.author: billmath
 ms.collection: M365-identity-device-management
 ---
 
-# Azure AD on-premises application identity provisioning architecture (preview)
+# Azure AD on-premises application identity provisioning architecture 
 
 ## Overview
 
@@ -95,7 +95,7 @@ You can define one or more matching attribute(s) and prioritize them based on th
 - The agent must communicate with both Azure and your application, so the placement of the agent affects the latency of those two connections. You can minimize the latency of the end-to-end traffic by optimizing each network connection. Each connection can be optimized by:
   - Reducing the distance between the two ends of the hop.
   - Choosing the right network to traverse. For example, traversing a private network rather than the public internet might be faster because of dedicated links.
-- The agent and ECMA Host rely on a certificate for communication. The self-signed certificate generated by the ECMA host should only be used for testing purposes. The self-signed certificate expires in two years by default and cannot be revoked. Microsoft recommends using a certificiate from a trusted CA for production use cases.  
+- The agent and ECMA Host rely on a certificate for communication. The self-signed certificate generated by the ECMA host should only be used for testing purposes. The self-signed certificate expires in two years by default and cannot be revoked. Microsoft recommends using a certificate from a trusted CA for production use cases.  
 
 
 ## Provisioning agent questions

articles/active-directory/app-provisioning/on-premises-ldap-connector-prepare-directory.md

@@ -212,11 +212,11 @@ New-ADUser -name "svcAccountLDAP" -accountpassword  (ConvertTo-SecureString -AsP
 Write-Output "Creating service account"
 
 # Enable the new service account
-Enable-ADAccount -Identity "CN=svcAccount,CN=ServiceAccounts,CN=App,DC=contoso,DC=lab" -Server "APP3:389"
+Enable-ADAccount -Identity "CN=svcAccountLDAP,CN=ServiceAccounts,CN=App,DC=contoso,DC=lab" -Server "APP3:389"
 Write-Output "Enabling service account"
 
 # Add the service account to the Administrators role
-Get-ADGroup -Server "APP3:389" -SearchBase "CN=Administrators,CN=Roles,CN=App,DC=contoso,DC=lab" -Filter "name -like 'Administrators'" | Add-ADGroupMember -Members "CN=svcAccount,CN=ServiceAccounts,CN=App,DC=contoso,DC=lab"
+Get-ADGroup -Server "APP3:389" -SearchBase "CN=Administrators,CN=Roles,CN=App,DC=contoso,DC=lab" -Filter "name -like 'Administrators'" | Add-ADGroupMember -Members "CN=svcAccountLDAP,CN=ServiceAccounts,CN=App,DC=contoso,DC=lab"
 Write-Output "Adding service accounnt to Administrators role"
 
 

includes/active-directory-app-provisioning-ldap.md

@@ -70,7 +70,7 @@ Before deploying the connector to an existing directory server, you'll need to d
  |-----|-----|-----|
  | hostname of the directory server | Configuration wizard **Connectivity** page | `APP3` |
  | port number of the directory server| Configuration wizard **Connectivity** page | 636. For LDAP over SSL or TLS (LDAPS), use port 636.  For `Start TLS`, use port 389. |
- | account for the connector to identify itself to the directory server |Configuration wizard **Connectivity** page | `CN=svcAccount,CN=ServiceAccounts,CN=App,DC=contoso,DC=lab`|
+ | account for the connector to identify itself to the directory server |Configuration wizard **Connectivity** page | `CN=svcAccountLDAP,CN=ServiceAccounts,CN=App,DC=contoso,DC=lab`|
  | password for the connector to authenticate itself to the directory server |Configuration wizard **Connectivity** page | |
  | structural object class for a user in the directory server | Configuration wizard **Object Types** page | `User` |
  | auxiliary object classes for a user in the directory server | Azure portal **Provisioning** page attribute mappings | No  auxiliary classes are used in this example |
@@ -244,7 +244,9 @@ Depending on the options you select, some of the wizard screens might not be ava
       Once all the relevant attributes have been added, select **Next**.
  
  16. On the **Deprovisioning** page, under **Disable flow**, select **Delete**. If `Set attribute value` is chosen, the attributes selected on the previous page won't be available to select on the Deprovisioning page.
- 17. Select **Finish**.
+ >[!NOTE]
+ >If you use the **Set attribute value** be aware that only boolean values are allowed.
+ 15. Select **Finish**.
 
 ## Ensure ECMA2Host service is running
  1. On the server running the Azure AD ECMA Connector Host, select **Start**.

includes/active-directory-app-provisioning-sql.md

@@ -333,14 +333,18 @@ In the last step of the SQL connection settings, configure how attributes are su
      |Autogenerated|Checked|      
 
  15. The ECMA connector host discovers the attributes supported by the target database. You can choose which of those attributes you want to expose to Azure AD. These attributes can then be configured in the Azure portal for provisioning. On the **Select Attributes** page, add all the attributes in the dropdown list one at a time.
+
+ The **Attribute** dropdown list shows any attribute that was discovered in the target database and *wasn't* chosen on the previous **Select Attributes** page. Once all the relevant attributes have been added, select **Next**.
+ 
 
-     [![Screenshot that shows the Select Attributes page.](.\media\active-directory-app-provisioning-sql\conn-13.png)](.\media\active-directory-app-provisioning-sql\conn-13.png#lightbox)
+   :::image type="content" source="media/active-directory-app-provisioning-sql/attribute-1.png" alt-text="Screenshot of attribute dropdown list." lightbox="media/active-directory-app-provisioning-sql/attribute-1.png":::
 
-      The **Attribute** dropdown list shows any attribute that was discovered in the target database and *wasn't* chosen on the previous **Select Attributes** page. Once all the relevant attributes have been added, select **Next**.
 
  16. On the **Deprovisioning** page, under **Disable flow**, select **Delete**. The attributes selected on the previous page won't be available to select on the Deprovisioning page. Select **Finish**.
-
-     [![Screenshot that shows the Deprovisioning page.](.\media\active-directory-app-provisioning-sql\conn-14.png)](.\media\active-directory-app-provisioning-sql\conn-14.png#lightbox)
+ >[!NOTE]
+ >If you use the **Set attribute value** be aware that only boolean values are allowed.
+     
+ [![Screenshot that shows the Deprovisioning page.](.\media\active-directory-app-provisioning-sql\conn-14.png)](.\media\active-directory-app-provisioning-sql\conn-14.png#lightbox)
 
 
 ## 7. Ensure the ECMA2Host service is running
@@ -399,7 +403,20 @@ You'll use the Azure portal to configure the mapping between the Azure AD user's
      ![Screenshot that shows provisioning a user.](.\media\active-directory-app-provisioning-sql\configure-10.png)
 
  1. To confirm that the schema of the database is available in Azure AD, select the **Show advanced options** checkbox and select **Edit attribute list for ScimOnPremises**. Ensure that all the attributes selected in the configuration wizard are listed.  If not, then wait several minutes for the schema to refresh, and then reload the page.  Once you see the attributes listed, then cancel from this page to return to the mappings list.
- 4. Select **Add New Mapping**, and repeat the next step for each mapping.
+ 2. Now, on the click on the **userPrincipalName** PLACEHOLDER mapping.  This mapping is added by default when you first configure on-premises provisioning.  
+ 
+   :::image type="content" source="media/active-directory-app-provisioning-sql/configure-11.png" alt-text="Screenshot of placeholder." lightbox="media/active-directory-app-provisioning-sql/configure-11.png":::
+ Change the value to match the following:
+ 
+ |Mapping type|Source attribute|Target attribute|
+ |-----|-----|-----|
+ |Direct|userPrincipalName|urn:ietf:params:scim:schemas:extension:ECMA2Host:2.0:User:ContosoLogin|
+ 
+:::image type="content" source="media/active-directory-app-provisioning-sql/attribute-2.png" alt-text="Screenshot of changing value." lightbox="media/active-directory-app-provisioning-sql/attribute-2.png":::
+ 
+
+ 4. Now select **Add New Mapping**, and repeat the next step for each mapping.
+ 
 
      [![Screenshot that shows Add New Mapping.](.\media\active-directory-app-provisioning-sql\configure-11.png)](.\media\active-directory-app-provisioning-sql\configure-11.png#lightbox)
 
@@ -410,10 +427,10 @@ You'll use the Azure portal to configure the mapping between the Azure AD user's
      |Mapping type|Source attribute|Target attribute|
      |-----|-----|-----|
      |Direct|userPrincipalName|urn:ietf:params:scim:schemas:extension:ECMA2Host:2.0:User:ContosoLogin|
-     |Direct|objectID|urn:ietf:params:scim:schemas:extension:ECMA2Host:2.0:User:AzureID|
+     |Direct|objectId|urn:ietf:params:scim:schemas:extension:ECMA2Host:2.0:User:AzureID|
      |Direct|mail|urn:ietf:params:scim:schemas:extension:ECMA2Host:2.0:User:Email|
      |Direct|givenName|urn:ietf:params:scim:schemas:extension:ECMA2Host:2.0:User:FirstName|
-     |Direct|surName|urn:ietf:params:scim:schemas:extension:ECMA2Host:2.0:User:LastName|
+     |Direct|surname|urn:ietf:params:scim:schemas:extension:ECMA2Host:2.0:User:LastName|
      |Direct|mailNickname|urn:ietf:params:scim:schemas:extension:ECMA2Host:2.0:User:textID|
 
  6. Once all of the mappings have been added, select **Save**.