Commit cc53594

Merge pull request #199641 from omondiatieno/freshness-pass
freshness pass
2 parents 39479cd + 2839a10 commit cc53594

7 files changed

+50
-28
lines changed

articles/active-directory/manage-apps/admin-consent-workflow-faq.md

Lines changed: 2 additions & 2 deletions
@@ -8,8 +8,8 @@ manager: CelesteDG
88
ms.service: active-directory
99
ms.subservice: app-mgmt
1010
ms.workload: identity
11-
ms.topic: how-to
12-
ms.date: 11/17/2021
11+
ms.topic: reference
12+
ms.date: 05/27/2022
1313
ms.author: ergreenl
1414
ms.reviewer: ergreenl
1515
ms.collection: M365-identity-device-management
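
Review bot: The `ms.topic` change from `how-to` to `reference` at line 11 is a content-classification change, which the commit message ("freshness pass") does not mention. If the reclassification is intended for this FAQ file, say so in the pull request description so it is not mistaken for part of the date bump; if not, keep `how-to` and change only `ms.date`.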

articles/active-directory/manage-apps/configure-admin-consent-workflow.md

Lines changed: 1 addition & 1 deletion
@@ -9,7 +9,7 @@ ms.service: active-directory
99
ms.subservice: app-mgmt
1010
ms.workload: identity
1111
ms.topic: how-to
12-
ms.date: 03/22/2021
12+
ms.date: 05/27/2022
1313
ms.author: ergreenl
1414
ms.reviewer: davidmu
1515
ms.collection: M365-identity-device-management

articles/active-directory/manage-apps/debug-saml-sso-issues.md

Lines changed: 11 additions & 11 deletions
@@ -10,7 +10,7 @@ ms.service: active-directory
1010
ms.subservice: app-mgmt
1111
ms.topic: troubleshooting
1212
ms.workload: identity
13-
ms.date: 02/18/2019
13+
ms.date: 05/27/2022
1414
---
1515

1616
# Debug SAML-based single sign-on to applications
@@ -19,7 +19,7 @@ Learn how to find and fix [single sign-on](what-is-single-sign-on.md) issues for
1919

2020
## Before you begin
2121

22-
We recommend installing the [My Apps Secure Sign-in Extension](https://support.microsoft.com/account-billing/troubleshoot-problems-with-the-my-apps-portal-d228da80-fcb7-479c-b960-a1e2535cbdff#im-having-trouble-installing-the-my-apps-secure-sign-in-extension). This browser extension makes it easy to gather the SAML request and SAML response information that you need to resolving issues with single sign-on. In case you cannot install the extension, this article shows you how to resolve issues both with and without the extension installed.
22+
We recommend installing the [My Apps Secure Sign-in Extension](https://support.microsoft.com/account-billing/troubleshoot-problems-with-the-my-apps-portal-d228da80-fcb7-479c-b960-a1e2535cbdff#im-having-trouble-installing-the-my-apps-secure-sign-in-extension). This browser extension makes it easy to gather the SAML request and SAML response information that you need to resolve issues with single sign-on. In case you can't install the extension, this article shows you how to resolve issues both with and without the extension installed.
2323

2424
To download and install the My Apps Secure Sign-in Extension, use one of the following links.
2525

@@ -38,7 +38,7 @@ To test SAML-based single sign-on between Azure AD and a target application:
3838

3939
![Screenshot showing the test SAML SSO page](./media/debug-saml-sso-issues/test-single-sign-on.png)
4040

41-
If you are successfully signed in, the test has passed. In this case, Azure AD issued a SAML response token to the application. The application used the SAML token to successfully sign you in.
41+
If you're successfully signed in, the test has passed. In this case, Azure AD issued a SAML response token to the application. The application used the SAML token to successfully sign you in.
4242

4343
If you have an error on the company sign-in page or the application's page, use one of the next sections to resolve the error.
4444

@@ -55,7 +55,7 @@ To debug this error, you need the error message and the SAML request. The My App
5555
1. When an error occurs, the extension redirects you back to the Azure AD **Test single sign-on** blade.
5656
1. On the **Test single sign-on** blade, select **Download the SAML request**.
5757
1. You should see specific resolution guidance based on the error and the values in the SAML request.
58-
1. You will see a **Fix it** button to automatically update the configuration in Azure AD to resolve the issue. If you don't see this button, then the sign-in issue is not due to a misconfiguration on Azure AD.
58+
1. You'll see a **Fix it** button to automatically update the configuration in Azure AD to resolve the issue. If you don't see this button, then the sign-in issue isn't due to a misconfiguration on Azure AD.
5959

6060
If no resolution is provided for the sign-in error, we suggest that you use the feedback textbox to inform us.
6161
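
Review bot: At new line 58 the step states "You'll see a **Fix it** button" and the very next sentence covers the case where the button is absent, so the first sentence overpromises. Suggest wording it conditionally, for example "If a **Fix it** button appears, select it to automatically update the configuration in Azure AD", and writing "misconfiguration in Azure AD" rather than "on Azure AD".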

@@ -66,29 +66,29 @@ If no resolution is provided for the sign-in error, we suggest that you use the
6666
- A statement identifying the root cause of the problem.
6767
1. Go back to Azure AD and find the **Test single sign-on** blade.
6868
1. In the text box above **Get resolution guidance**, paste the error message.
69-
1. Click **Get resolution guidance** to display steps for resolving the issue. The guidance might require information from the SAML request or SAML response. If you're not using the My Apps Secure Sign-in Extension, you might need a tool such as [Fiddler](https://www.telerik.com/fiddler) to retrieve the SAML request and response.
70-
1. Verify that the destination in the SAML request corresponds to the SAML Single Sign-On Service URL obtained from Azure AD.
71-
1. Verify the issuer in the SAML request is the same identifier you have configured for the application in Azure AD. Azure AD uses the issuer to find an application in your directory.
69+
1. Select **Get resolution guidance** to display steps for resolving the issue. The guidance might require information from the SAML request or SAML response. If you're not using the My Apps Secure Sign-in Extension, you might need a tool such as [Fiddler](https://www.telerik.com/fiddler) to retrieve the SAML request and response.
70+
1. Verify that the destination in the SAML request corresponds to the SAML Single Sign-on Service URL obtained from Azure AD.
71+
1. Verify the issuer in the SAML request is the same identifier you've configured for the application in Azure AD. Azure AD uses the issuer to find an application in your directory.
7272
1. Verify AssertionConsumerServiceURL is where the application expects to receive the SAML token from Azure AD. You can configure this value in Azure AD, but it's not mandatory if it's part of the SAML request.
7373

7474
## Resolve a sign-in error on the application page
7575

76-
You might sign in successfully and then see an error on the application's page. This occurs when Azure AD issued a token to the application, but the application does not accept the response.
76+
You might sign in successfully and then see an error on the application's page. This occurs when Azure AD issued a token to the application, but the application doesn't accept the response.
7777

7878
To resolve the error, follow these steps, or watch this [short video about how to use Azure AD to troubleshoot SAML SSO](https://www.youtube.com/watch?v=poQCJK0WPUk&list=PLLasX02E8BPBm1xNMRdvP6GtA6otQUqp0&index=8):
7979

8080
1. If the application is in the Azure AD Gallery, verify that you've followed all the steps for integrating the application with Azure AD. To find the integration instructions for your application, see the [list of SaaS application integration tutorials](../saas-apps/tutorial-list.md).
8181
1. Retrieve the SAML response.
82-
- If the My Apps Secure Sign-in extension is installed, from the **Test single sign-on** blade, click **download the SAML response**.
83-
- If the extension is not installed, use a tool such as [Fiddler](https://www.telerik.com/fiddler) to retrieve the SAML response.
82+
- If the My Apps Secure Sign-in extension is installed, from the **Test single sign-on** blade, select **download the SAML response**.
83+
- If the extension isn't installed, use a tool such as [Fiddler](https://www.telerik.com/fiddler) to retrieve the SAML response.
8484
1. Notice these elements in the SAML response token:
8585
- User unique identifier of NameID value and format
8686
- Claims issued in the token
8787
- Certificate used to sign the token.
8888

8989
For more information on the SAML response, see [Single Sign-on SAML protocol](../develop/single-sign-on-saml-protocol.md?toc=/azure/active-directory/azuread-dev/toc.json&bc=/azure/active-directory/azuread-dev/breadcrumb/toc.json).
9090

91-
1. Now that you have reviewed the SAML response, see [Error on an application's page after signing in](application-sign-in-problem-application-error.md) for guidance on how to resolve the problem.
91+
1. Now that you've reviewed the SAML response, see [Error on an application's page after signing in](application-sign-in-problem-application-error.md) for guidance on how to resolve the problem.
9292
1. If you're still not able to sign in successfully, you can ask the application vendor what is missing from the SAML response.
9393

9494
## Next steps
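
Review bot: At new line 82 the button label is written **download the SAML response** in lower case, while context line 56 writes the matching button as **Download the SAML request**; bold UI labels should match the portal text, so align the two. The same concern applies to new line 70, where "Single Sign-On Service URL" becomes "Single Sign-on Service URL": if this is a field name shown by Azure AD, keep the capitalization the portal uses rather than normalizing it. Lines 69 and 83 send readers to a proxy tool to capture the SAML request and response, and lines 85 to 87 note that the response carries the user identifier and issued claims, so a short sentence on handling captured responses as sensitive data would fit in this section.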

articles/active-directory/manage-apps/howto-saml-token-encryption.md

Lines changed: 2 additions & 2 deletions
@@ -9,7 +9,7 @@ ms.service: active-directory
99
ms.subservice: app-mgmt
1010
ms.workload: identity
1111
ms.topic: conceptual
12-
ms.date: 03/13/2020
12+
ms.date: 05/27/2022
1313
ms.author: alamaral
1414
ms.collection: M365-identity-device-management
1515
---
@@ -134,7 +134,7 @@ When you configure a keyCredential using Graph, PowerShell, or in the applicatio
134134
135135
1. From the Azure portal, go to **Azure Active Directory > App registrations**.
136136
137-
1. Select **All apps** from the dropdown to show all apps, and then select the enterprise application that you want to configure.
137+
1. Select the **All apps** tab to show all apps, and then select the application that you want to configure.
138138
139139
1. In the application's page, select **Manifest** to edit the [application manifest](../develop/reference-app-manifest.md).
140140
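
Review bot: New line 137 changes the control from a dropdown to a tab but keeps the label **All apps**; check that the bold text matches the tab name shown under **App registrations** exactly, since readers scan the page for that string. Dropping "enterprise" is consistent with step 1, which navigates to App registrations.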

articles/active-directory/manage-apps/review-admin-consent-requests.md

Lines changed: 13 additions & 5 deletions
@@ -9,7 +9,7 @@ ms.service: active-directory
99
ms.subservice: app-mgmt
1010
ms.workload: identity
1111
ms.topic: how-to
12-
ms.date: 03/22/2021
12+
ms.date: 05/27/2022
1313
ms.author: ergreenl
1414
ms.reviewer: ergreenl
1515

@@ -18,7 +18,7 @@ ms.reviewer: ergreenl
1818
---
1919
# Review admin consent requests
2020

21-
In this article, you learn how to review and take action on admin consent requests. To review and act on consent requests, you must be designated as a reviewer. As a reviewer, you only see admin consent requests that were created after you were designated as a reviewer.
21+
In this article, you learn how to review and take action on admin consent requests. To review and act on consent requests, you must be designated as a reviewer. As a reviewer, you can view all admin consent requests but you can only act on those requests that were created after you were designated as a reviewer.
2222

2323
## Prerequisites
2424
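
Review bot: New line 21 changes the documented access behavior, not just the wording: reviewers previously "only see" requests created after their designation and now "can view all admin consent requests". Confirm this against the product, and check the admin consent FAQ and configuration articles in this same commit, which receive only metadata changes, for statements that still describe the old behavior. A comma before "but" would also help readability.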

@@ -36,12 +36,20 @@ To review the admin consent requests and take action:
3636
1. In the filter search box, type and select **Azure Active Directory**.
3737
1. From the navigation menu, select **Enterprise applications**.
3838
1. Under **Activity**, select **Admin consent requests**.
39-
1. Select the application that is being requested.
40-
1. Review details about the request:
39+
1. Select **My Pending** tab to view and act on the pending requests.
40+
1. Select the application that is being requested from the list.
41+
1. Review details about the request:
42+
- To view the application details, select the **App details** tab.
4143
- To see who is requesting access and why, select the **Requested by** tab.
4244
- To see what permissions are being requested by the application, select **Review permissions and consent**.
4345

46+
:::image type="content" source="media/configure-admin-consent-workflow/review-consent-requests.png" alt-text="Screenshot of the admin consent requests in the portal.":::
47+
4448
1. Evaluate the request and take the appropriate action:
4549
- **Approve the request**. To approve a request, grant admin consent to the application. Once a request is approved, all requestors are notified that they have been granted access. Approving a request allows all users in your tenant to access the application unless otherwise restricted with user assignment.
46-
- **Deny the request**. To deny a request, you must provide a justification that will be provided to all requestors. Once a request is denied, all requestors are notified that they have been denied access to the application. Denying a request won't prevent users from requesting admin consent to the app again in the future.
50+
- **Deny the request**. To deny a request, you must provide a justification that will be provided to all requestors. Once a request is denied, all requestors are notified that they have been denied access to the application. Denying a request won't prevent users from requesting admin consent to the application again in the future.
4751
- **Block the request**. To block a request, you must provide a justification that will be provided to all requestors. Once a request is blocked, all requestors are notified they've been denied access to the application. Blocking a request creates a service principal object for the application in your tenant in a disabled state. Users won't be able to request admin consent to the application in the future.
52+
53+
## Next steps
54+
- [Review permissions granted to apps](manage-application-permissions.md)
55+
- [Grant tenant-wide admin consent](grant-admin-consent.md)
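
Review bot: New line 39 is missing an article: "Select **My Pending** tab" should read "Select the **My Pending** tab". At new line 46 the image source points to `media/configure-admin-consent-workflow/`, a different article's media folder than this file; if the screenshot is shared deliberately that is fine, otherwise place it under this article's own media folder. The image and the blank line at 47 sit between numbered steps, so check that they are indented under the preceding step and that the numbering of "Evaluate the request" does not restart.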

articles/active-directory/manage-apps/tutorial-manage-certificates-for-federated-single-sign-on.md

Lines changed: 21 additions & 7 deletions
@@ -9,7 +9,7 @@ ms.service: active-directory
99
ms.subservice: app-mgmt
1010
ms.workload: identity
1111
ms.topic: tutorial
12-
ms.date: 03/31/2022
12+
ms.date: 05/27/2022
1313
ms.author: davidmu
1414
ms.reviewer: jeedes
1515
ms.collection: M365-identity-device-management
@@ -19,10 +19,25 @@ ms.collection: M365-identity-device-management
1919

2020
# Tutorial: Manage certificates for federated single sign-on
2121

22-
In this article, we cover common questions and information related to certificates that Azure Active Directory (Azure AD) creates to establish federated single sign-on (SSO) to your software as a service (SaaS) applications. Add applications from the Azure AD app gallery or by using a non-gallery application template. Configure the application by using the federated SSO option.
22+
In this article, we cover common questions and information related to certificates that Azure Active Directory (Azure AD) creates to establish federated single sign-on (SSO) to your software as a service (SaaS) applications. Add applications from the Azure AD application gallery or by using a non-gallery application template. Configure the application by using the federated SSO option.
2323

2424
This tutorial is relevant only to apps that are configured to use Azure AD SSO through [Security Assertion Markup Language](https://wikipedia.org/wiki/Security_Assertion_Markup_Language) (SAML) federation.
2525

26+
Using the information in this tutorial, an administrator of the application learns how to:
27+
28+
> [!div class="checklist"]
29+
> * Generate certificates for gallery and non-gallery applications
30+
> * Customize the expiration dates for certificates
31+
> * Add email notification address for certificate expiration dates
32+
> * Renew certificates
33+
34+
## Prerequisites
35+
36+
- An Azure account with an active subscription. If you don't already have one, [Create an account for free](https://azure.microsoft.com/free/?WT.mc_id=A261C142F).
37+
- One of the following roles: Global Administrator, Privileged Role Administrator, Cloud Application Administrator, or Application Administrator.
38+
- An enterprise application that has been configured in your Azure AD tenant.
39+
40+
2641
## Auto-generated certificate for gallery and non-gallery applications
2742

2843
When you add a new application from the gallery and configure a SAML-based sign-on (by selecting **Single sign-on** > **SAML** from the application overview page), Azure AD generates a certificate for the application that is valid for three years. To download the active certificate as a security certificate (**.cer**) file, return to that page (**SAML-based sign-on**) and select a download link in the **SAML Signing Certificate** heading. You can choose between the raw (binary) certificate or the Base64 (base 64-encoded text) certificate. For gallery applications, this section might also show a link to download the certificate as federation metadata XML (an **.xml** file), depending on the requirement of the application.
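
Review bot: The prerequisite at new line 37 lists Global Administrator first among the accepted roles. Since any one of the four is sufficient, list the application-scoped roles (Cloud Application Administrator, Application Administrator) before the tenant-wide ones so readers do not reach for Global Administrator by default. Also, the checklist item at line 31, "Add email notification address", drops the plural used by the section heading "Add email notification addresses for certificate expiration", and lines 39 and 40 add two consecutive blank lines before the heading.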
@@ -75,7 +90,7 @@ Next, download the new certificate in the correct format, upload it to the appli
7590
1. When you want to roll over to the new certificate, go back to the **SAML Signing Certificate** page, and in the newly saved certificate row, select the ellipsis (**...**) and select **Make certificate active**. The status of the new certificate changes to **Active**, and the previously active certificate changes to a status of **Inactive**.
7691
1. Continue following the application's SAML sign-on configuration instructions that you displayed earlier, so that you can upload the SAML signing certificate in the correct encoding format.
7792

78-
If your application doesn't have any validation for the certificate's expiration, and the certificate matches in both Azure Active Directory and your application, your app is still accessible despite having an expired certificate. Ensure your application can validate the certificate's expiration date.
93+
If your application doesn't have any validation for the certificate's expiration, and the certificate matches in both Azure Active Directory and your application, your application is still accessible despite having an expired certificate. Ensure your application can validate the certificate's expiration date.
7994

8095
## Add email notification addresses for certificate expiration
8196

@@ -101,15 +116,14 @@ If a certificate is about to expire, you can renew it using a procedure that res
101116
1. In the newly saved certificate row, select the ellipsis (**...**) and then select **Make certificate active**.
102117
1. Skip the next two steps.
103118

104-
1. If the app can only handle one certificate at a time, pick a downtime interval to perform the next step. (Otherwise, if the application doesn’t automatically pick up the new certificate but can handle more than one signing certificate, you can perform the next step anytime.)
105-
1. Before the old certificate expires, follow the instructions in the [Upload and activate a certificate](#upload-and-activate-a-certificate) section earlier. If your application certificate isn't updated after a new certificate is updated in Azure Active Directory, authentication on your app may fail.
119+
1. If the application can only handle one certificate at a time, pick a downtime interval to perform the next step. (Otherwise, if the application doesn’t automatically pick up the new certificate but can handle more than one signing certificate, you can perform the next step anytime.)
120+
1. Before the old certificate expires, follow the instructions in the [Upload and activate a certificate](#upload-and-activate-a-certificate) section earlier. If your application certificate isn't updated after a new certificate is updated in Azure Active Directory, authentication on your application may fail.
106121
1. Sign in to the application to make sure that the certificate works correctly.
107122

108-
If your application doesn't validate the certificate expiration configured in Azure Active Directory, and the certificate matches in both Azure Active Directory and your application, your app is still accessible despite having an expired certificate. Ensure your application can validate certificate expiration.
123+
If your application doesn't validate the certificate expiration configured in Azure Active Directory, and the certificate matches in both Azure Active Directory and your application, your application is still accessible despite having an expired certificate. Ensure your application can validate certificate expiration.
109124

110125
## Related articles
111126

112-
- [Tutorials for integrating SaaS applications with Azure Active Directory](../saas-apps/tutorial-list.md)
113127
- [Application management with Azure Active Directory](what-is-application-management.md)
114128
- [Single sign-on to applications in Azure Active Directory](what-is-single-sign-on.md)
115129
- [Debug SAML-based single sign-on to applications in Azure Active Directory](./debug-saml-sso-issues.md)
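
Review bot: The expiration warning at new line 123 repeats the one at line 93 with different wording ("doesn't validate the certificate expiration configured in Azure Active Directory" versus "doesn't have any validation for the certificate's expiration"); use one wording in both places so readers do not infer two different conditions. This hunk also deletes the "Tutorials for integrating SaaS applications" link from Related articles (old line 112) without a replacement, although debug-saml-sso-issues.md in the same commit still links `../saas-apps/tutorial-list.md`; confirm the removal is intended. Line 119 keeps a curly apostrophe in "doesn’t" while the rest of the file uses straight ones.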
