Merge branch 'main' of https://github.com/microsoftdocs/azure-docs-pr into acl-misc

Author: msmbaldwin

.openpublishing.redirection.active-directory.json

@@ -55,6 +55,11 @@
       "redirect_url": "/azure/active-directory/saas-apps/tutorial-list",
       "redirect_document_id": false
     },
+    {
+      "source_path_from_root": "/articles/active-directory/saas-apps/trello-tutorial.md",
+      "redirect_url": "/azure/active-directory/saas-apps/atlassian-cloud-tutorial",
+      "redirect_document_id": false
+    },
     {
       "source_path_from_root": "/articles/active-directory/saas-apps/iauditor-tutorial.md",
       "redirect_url": "/azure/active-directory/saas-apps/safety-culture-tutorial",

articles/active-directory/authentication/concept-authentication-oath-tokens.md

@@ -16,6 +16,7 @@ ms.collection: M365-identity-device-management
 
 # Customer intent: As an identity administrator, I want to understand how to use OATH tokens in Azure AD to improve and secure user sign-in events.
 ---
+
 # Authentication methods in Azure Active Directory - OATH tokens 
 
 OATH TOTP (Time-based One Time Password) is an open standard that specifies how one-time password (OTP) codes are generated. OATH TOTP can be implemented using either software or hardware to generate the codes. Azure AD doesn't support OATH HOTP, a different code generation standard.
@@ -48,7 +49,7 @@ Once tokens are acquired they must be uploaded in a comma-separated values (CSV)
 ```csv
 upn,serial number,secret key,time interval,manufacturer,model
 [email protected],1234567,2234567abcdef2234567abcdef,60,Contoso,HardwareKey
-```  
+```
 
 > [!NOTE]
 > Make sure you include the header row in your CSV file. 
@@ -61,9 +62,11 @@ Once any errors have been addressed, the administrator then can activate each ke
 
 Users may have a combination of up to five OATH hardware tokens or authenticator applications, such as the Microsoft Authenticator app, configured for use at any time. Hardware OATH tokens cannot be assigned to guest users in the resource tenant. 
 
-.[!IMPORTANT]
->Make sure to only assign each token to a single user.
->In the future, support for the assignment of a single token to multiple users will stop to prevent a security risk.
+> [!IMPORTANT]
+> Make sure to only assign each token to a single user.
+> In the future, support for the assignment of a single token to multiple users will stop to prevent a security risk.
+
+
 
 
 ## Determine OATH token registration type in mysecurityinfo 
@@ -75,7 +78,9 @@ OATH software token   | <img width="63" alt="Software OATH token" src="media/con
 OATH hardware token | <img width="63" alt="Hardware OATH token" src="media/concept-authentication-methods/hardware-oath-token-icon.png">
 
 
+
 ## Next steps
 
 Learn more about configuring authentication methods using the [Microsoft Graph REST API](/graph/api/resources/authenticationmethods-overview).
 Learn about [FIDO2 security key providers](concept-authentication-passwordless.md#fido2-security-key-providers) that are compatible with passwordless authentication.
+

articles/active-directory/cloud-infrastructure-entitlement-management/ui-autopilot.md

@@ -8,13 +8,13 @@ ms.service: active-directory
 ms.subservice: ciem
 ms.workload: identity
 ms.topic: overview
-ms.date: 02/23/2022
+ms.date: 02/16/2023
 ms.author: jfields
 ---
 
 # View rules in the Autopilot dashboard
 
-The **Autopilot** dashboard in Permissions Management provides a table of information about **Autopilot rules** for administrators.
+The **Autopilot** dashboard in Permissions Management provides a table of information about Autopilot rules for administrators. Creating Autopilot rules allows you to automate right-sizing policies so you can automatically remove unused roles and permissions assigned to identities in your authorization system.
 
 
 > [!NOTE]
@@ -30,13 +30,13 @@ The **Autopilot** dashboard in Permissions Management provides a table of inform
     The following information displays in the **Autopilot Rules** table:
 
     - **Rule Name**: The name of the rule.
-    - **State**: The status of the rule: idle (not being use) or active (being used).
-    - **Rule Type**: The type of rule being applied.
+    - **State**: The status of the rule: idle (not in use) or active (in use).
+    - **Rule Type**: The type of rule that's applied.
     - **Mode**: The status of the mode: on-demand or not.
     - **Last Generated**: The date and time the rule was last generated.
     - **Created By**: The email address of the user who created the rule.
     - **Last Modified**: The date and time the rule was last modified.
-    - **Subscription**: Provides an **On** or **Off** subscription that allows you to receive email notifications when recommendations have been generated, applied, or unapplied.
+    - **Subscription**: Provides an **On** or **Off** subscription that allows you to receive email notifications when recommendations are generated, applied, or unapplied.
 
 ## View other available options for rules
 
@@ -48,7 +48,7 @@ The **Autopilot** dashboard in Permissions Management provides a table of inform
     - **Delete Rule**: Select to delete the rule. Only the user who created the selected rule can delete the rule.
     - **Generate Recommendations**: Creates recommendations for each user and the authorization system. Only the user who created the selected rule can create recommendations.
     - **View Recommendations**: Displays the recommendations for each user and authorization system.
-    - **Notification Settings**: Displays the users subscribed to this rule. Only the user who created the selected rule can add other users to be notified.
+    - **Notification Settings**: Displays the users subscribed to this rule. Only the user who created the selected rule can add other users to receive notifications.
 
 You can also select:
 

articles/active-directory/develop/workload-identity-federation.md

@@ -9,9 +9,9 @@ ms.service: active-directory
 ms.subservice: develop
 ms.workload: identity
 ms.topic: conceptual
-ms.date: 10/31/2022
+ms.date: 02/16/2023
 ms.author: ryanwi
-ms.reviewer: shkhalid, udayh, vakarand
+ms.reviewer: shkhalid, udayh
 ms.custom: aaddev 
 #Customer intent: As a developer, I want to learn about workload identity federation so that I can securely access Azure AD protected resources from external apps and services without needing to manage secrets. 
 ---
@@ -23,6 +23,9 @@ You can use workload identity federation in scenarios such as GitHub Actions, wo
 
 ## Why use workload identity federation?
 
+Watch this video to learn why you would use workload identity federation.
+> [!VIDEO https://www.microsoft.com/en-us/videoplayer/embed/RWXamJ]
+
 Typically, a software workload (such as an application, service, script, or container-based application) needs an identity in order to authenticate and access resources or communicate with other services.  When these workloads run on Azure, you can use [managed identities](../managed-identities-azure-resources/overview.md) and the Azure platform manages the credentials for you.  For a software workload running outside of Azure, you need to use application credentials (a secret or certificate) to access Azure AD protected resources (such as Azure, Microsoft Graph, Microsoft 365, or third-party resources).  These credentials pose a security risk and have to be stored securely and rotated regularly. You also run the risk of service downtime if the credentials expire.
 
 You use workload identity federation to configure an Azure AD app registration or [user-assigned managed identity](../managed-identities-azure-resources/how-manage-user-assigned-managed-identities.md) to trust tokens from an external identity provider (IdP), such as GitHub.  Once that trust relationship is created, your software workload can exchange trusted tokens from the external IdP for access tokens from Microsoft identity platform.  Your software workload then uses that access token to access the Azure AD protected resources to which the workload has been granted access. This eliminates the maintenance burden of manually managing credentials and eliminates the risk of leaking secrets or having certificates expire.

articles/active-directory/saas-apps/anaplan-tutorial.md

@@ -9,7 +9,7 @@ ms.service: active-directory
 ms.subservice: saas-app-tutorial
 ms.workload: identity
 ms.topic: tutorial
-ms.date: 11/21/2022
+ms.date: 02/16/2023
 ms.author: jeedes
 ---
 # Tutorial: Azure AD SSO integration with Anaplan
@@ -65,28 +65,70 @@ Follow these steps to enable Azure AD SSO in the Azure portal.
 
 1. In the Azure portal, on the **Anaplan** application integration page, find the **Manage** section and select **single sign-on**.
 1. On the **Select a single sign-on method** page, select **SAML**.
+1. On the **Set up Single Sign-On with SAML** page, in the **SAML Signing Certificate** section, click the copy icon to copy the **App Federation Metadata URL** and save this to use in the Anaplan SSO configuration.
+
+    ![The Certificate download link.](common/copy-metadataurl.png)
+
+## Configure Anaplan SSO
+
+1. Log in to Anaplan website as an administrator.
+
+1. In the Administration page, navigate to **Security > Single Sign-On**.
+
+1. Click **New**.
+
+1. Perform the following steps in the **Metadata** tab:
+
+    ![Screenshot for the security page.](./media/anaplan-tutorial/security.png)
+
+    a. Enter a **Connection Name**, should match the name of your connection in the identity provider interface.
+
+    b. Select **Load from XML file** and paste the App Federation Metadata URL you copied from Azure portal into the **Metadata URL** textbox.
+
+    c. Click **Save** to create the connection.
+    
+    d. Enable the connection by setting the **Enabled** toggle.
+
+1. From the **Config** tab, copy the following values to save them back to the Azure portal:
+
+    a. **Service Provider URL**.
+    b. **Assertion Consumer Service URL**.
+    c. **Entity ID**.
+    
+### Complete the Azure AD SSO Configuration
+
 1. On the **Set up single sign-on with SAML** page, click the pencil icon for **Basic SAML Configuration** to edit the settings.
 
-   ![Edit Basic SAML Configuration](common/edit-urls.png)
+   ![Edit Basic SAML Configuration.](common/edit-urls.png)
 
-4. On the **Basic SAML Configuration** section, perform the following steps:
+1. On the **Basic SAML Configuration** section, perform the following steps:
 
-    a. In the **Sign on URL** text box, type a URL using the following pattern:
-    `https://sdp.anaplan.com/frontdoor/saml/<tenant name>`
+    a. In the **Identifier (Entity ID)** text box, paste the Entity ID that you copied from above, in the format:
+    `https://sdp.anaplan.com/<optional extension>`
 
-    b. In the **Identifier (Entity ID)** text box, type a URL using the following pattern:
-    `https://<subdomain>.anaplan.com`
+    b. In the **Sign on URL** text box, paste the Service Provider URL that you copied from above, in the format:
+    `https://us1a.app.anaplan.com/samlsp/<connection name>`
+    
+    c. In the **Reply URL (Assertion Consumer Service URL)** text box, paste the Assertion Consumer Service URL that you copied from above, in the format:
+    `https://us1a.app.anaplan.com/samlsp/login/callback?connection=<connection name>`
 
-    > [!NOTE]
-    > These values are not real. Update these values with the actual Sign on URL and Identifier. Contact [Anaplan Client support team](mailto:[email protected]) to get these values. You can also refer to the patterns shown in the **Basic SAML Configuration** section in the Azure portal.
+### Complete the Anaplan SSO Configuration
+
+1. Perform the following steps in the **Advanced** tab:
+
+    ![Screenshot for the Advanced page.](./media/anaplan-tutorial/advanced.png)
+
+    a. Select **Name ID Format** as Email Address from the dropdown and keep the remaining values as default.
 
-5. On the **Set up Single Sign-On with SAML** page, in the **SAML Signing Certificate** section, click **Download** to download the **Federation Metadata XML** from the given options as per your requirement and save it on your computer.
+    b. Click **Save**.
 
-    ![The Certificate download link](common/metadataxml.png)
+1. In the **Workspaces** tab, specify the workspaces that will use the identity provider from the dropdown and Click **Save**. 
 
-6. On the **Set up Anaplan** section, copy the appropriate URL(s) as per your requirement.
+    ![Screenshot for the Workspaces page.](./media/anaplan-tutorial/workspaces.png)
 
-    ![Copy configuration URLs](common/copy-configuration-urls.png)
+    > [!NOTE]
+    > Workspace connections are unique. If you have another connection already configured with a workspace, you cannot associate that workspace with a new connection.
+To access the original connection and update it, remove the workspace from the connection and then reassociate it with the new connection.
 
 ### Create an Azure AD test user 
 
@@ -112,49 +154,9 @@ In this section, you'll enable B.Simon to use Azure single sign-on by granting a
 1. If you are expecting a role to be assigned to the users, you can select it from the **Select a role** dropdown. If no role has been set up for this app, you see "Default Access" role selected.
 1. In the **Add Assignment** dialog, click the **Assign** button.
 
-## Configure Anaplan SSO
-
-1. Login to Anaplan website as an administrator.
-
-1. In Administration page, navigate to **Security > Single Sign-On**.
-
-1. Click **New**.
-
-1. Perform the following steps in the **Metadata** tab:
-
-    ![Screenshot for the security page](./media/anaplan-tutorial/security.png)
-
-    a. Enter a **Connection Name**, should match the name of your connection in the identity provider interface.
-
-    b. Select **Load from XML file** and enter the URL of the metadata XML file with your configuration information in the **Metadata URL** textbox.
-
-    C. Enabled the **Signed** toggle.
-
-    d. Click **Save** to create the connection.
-
-1. When you upload a **metadata XML** file in the **Metadata** tab, the values in **Config** tab pre-populate with the information from that upload. You can skip this tab in your connection setup and click **Save**.
-
-    ![Screenshot for the configuration page](./media/anaplan-tutorial/configuration.png)
-
-1. Perform the following steps in the **Advanced** tab:
-
-    ![Screenshot for the Advanced page](./media/anaplan-tutorial/advanced.png)
-
-    a. Select **Name ID Format** as Email Address from the dropdown and keep the remaining values as default.
-
-    b. Click **Save**.
-
-1. In the **Workspaces** tab, specify the workspaces that will use the identity provider from the dropdown and Click **Save**. 
-
-    ![Screenshot for the Workspaces page](./media/anaplan-tutorial/Workspaces.png)
-
-    > [!NOTE]
-    > Workspace connections are unique. If you have another connection already configured with a workspace, you cannot associate that workspace with a new connection.
-To access the original connection and update it, remove the workspace from the connection and then reassociate it with the new connection.
-
 ### Create Anaplan test user
 
-In this section, you create a user called Britta Simon in Anaplan. Work with [Anaplan support team](mailto:[email protected]) to add the users in the Anaplan platform. Users must be created and activated before you use single sign-on.
+In this section, you create a user called Britta Simon in Anaplan. Work with [Anaplan support team](mailto:[email protected]) to add the users in the Anaplan platform. Users must be created and activated before you use single sign-on.
 
 ## Test SSO
 
@@ -168,4 +170,4 @@ In this section, you test your Azure AD single sign-on configuration with follow
 
 ## Next steps
 
-Once you configure Anaplan you can enforce session control, which protects exfiltration and infiltration of your organization’s sensitive data in real time. Session control extends from Conditional Access. [Learn how to enforce session control with Microsoft Defender for Cloud Apps](/cloud-app-security/proxy-deployment-any-app).
+Once you configure Anaplan you can enforce session control, which protects exfiltration and infiltration of your organization’s sensitive data in real time. Session control extends from Conditional Access. [Learn how to enforce session control with Microsoft Defender for Cloud Apps](/cloud-app-security/proxy-deployment-any-app).

articles/active-directory/saas-apps/beeline-tutorial.md

@@ -9,7 +9,7 @@ ms.service: active-directory
 ms.subservice: saas-app-tutorial
 ms.workload: identity
 ms.topic: tutorial
-ms.date: 11/21/2022
+ms.date: 02/15/2023
 ms.author: jeedes
 ---
 # Tutorial: Azure Active Directory integration with Beeline
@@ -75,7 +75,7 @@ Follow these steps to enable Azure AD SSO in the Azure portal.
     `https://projects.beeline.com/<ProjInstance_Name>`
 
     b. In the **Reply URL** text box, type a URL using the following pattern: 
-    `https://projects.beeline.com/<ProjInstance_Name>/SSO_External.ashx`
+    `https://azure-prj.auth.beeline.com/login/callback?connection=<ProjInstance_Namee>-SSO`
 
     > [!NOTE]
     > These values are not real. Update these values with the actual Identifier and Reply URL. Contact [Beeline Client support team](https://www.beeline.com/contact-support/) to get these values. You can also refer to the patterns shown in the **Basic SAML Configuration** section in the Azure portal.