Merge pull request #201518 from MicrosoftDocs/main

Merge main to live, 4 AM

Author: v-ccolin

articles/active-directory/app-proxy/application-proxy-network-topology.md

@@ -8,7 +8,7 @@ ms.service: active-directory
 ms.subservice: app-proxy
 ms.workload: identity
 ms.topic: conceptual
-ms.date: 04/27/2021
+ms.date: 06/13/2022
 ms.author: kenwith
 ms.reviewer: ashishj
 ---
@@ -27,7 +27,7 @@ When an application is published through Azure AD Application Proxy, traffic fro
 
 :::image type="content" source="./media/application-proxy-network-topology/application-proxy-three-hops.png" alt-text="Diagram showing traffic flow from user to target application." lightbox="./media/application-proxy-network-topology/application-proxy-three-hops.png":::
 
-## Optimize connector groups to use closest Application Proxy cloud service (Preview)
+## Optimize connector groups to use closest Application Proxy cloud service
 
 When you sign up for an Azure AD tenant, the region of your tenant is determined by the country/region you specify. When you enable Application Proxy, the **default** Application Proxy cloud service instances for your tenant are chosen in the same region as your Azure AD tenant, or the closest region to it.
 
@@ -176,15 +176,15 @@ The connector can be placed in the Azure datacenter. Since the connector still h
 
 **Scenario:** The app is in an organization's network in Europe, default tenant region is US, with most users in the Europe.
 
-**Recommendation:** Place the connector near the app. Update the connector group so it is optimized to use Europe Application Proxy service instances. For steps see, [Optimize connector groups to use closest Application Proxy cloud service](application-proxy-network-topology.md#optimize-connector-groups-to-use-closest-application-proxy-cloud-service-preview).
+**Recommendation:** Place the connector near the app. Update the connector group so it is optimized to use Europe Application Proxy service instances. For steps see, [Optimize connector groups to use closest Application Proxy cloud service](application-proxy-network-topology.md#optimize-connector-groups-to-use-closest-application-proxy-cloud-service).
 
 Because Europe users are accessing an Application Proxy instance that happens to be in the same region, hop 1 is not expensive. Hop 3 is optimized. Consider using ExpressRoute to optimize hop 2.
 
 ### Use case 6
 
 **Scenario:** The app is in an organization's network in Europe, default tenant region is US, with most users in the US.
 
-**Recommendation:** Place the connector near the app. Update the connector group so it is optimized to use Europe Application Proxy service instances. For steps see, [Optimize connector groups to use closest Application Proxy cloud service](application-proxy-network-topology.md#optimize-connector-groups-to-use-closest-application-proxy-cloud-service-preview). Hop 1 can be more expensive since all US users must access the Application Proxy instance in Europe.
+**Recommendation:** Place the connector near the app. Update the connector group so it is optimized to use Europe Application Proxy service instances. For steps see, [Optimize connector groups to use closest Application Proxy cloud service](application-proxy-network-topology.md#optimize-connector-groups-to-use-closest-application-proxy-cloud-service). Hop 1 can be more expensive since all US users must access the Application Proxy instance in Europe.
 
 You can also consider using one other variant in this situation. If most users in the organization are in the US, then chances are that your network extends to the US as well. Place the connector in the US, continue to use the default US region for your connector groups, and use the dedicated internal corporate network line to the application in Europe. This way hops 2 and 3 are optimized.
 

articles/active-directory/app-proxy/application-proxy-wildcard.md

@@ -66,7 +66,7 @@ When using custom domains, you need to create a DNS entry with a CNAME record fo
 To confirm that you have configured your CNAME correctly, you can use [nslookup](/windows-server/administration/windows-commands/nslookup) on one of the target endpoints, for example, `expenses.adventure-works.com`.  Your response should include the already mentioned alias (`<yourAADTenantId>.tenant.runtime.msappproxy.net`).
 
 ### Using connector groups assigned to an App Proxy cloud service region other than the default region
-If you have connectors installed in regions different from your default tenant region, it may be beneficial to change which region your connector group is optimized for to improve performance accessing these applications. To learn more see, [Optimize connector groups to use closest Application Proxy cloud service](application-proxy-network-topology.md#optimize-connector-groups-to-use-closest-application-proxy-cloud-service-preview).
+If you have connectors installed in regions different from your default tenant region, it may be beneficial to change which region your connector group is optimized for to improve performance accessing these applications. To learn more see, [Optimize connector groups to use closest Application Proxy cloud service](application-proxy-network-topology.md#optimize-connector-groups-to-use-closest-application-proxy-cloud-service).
 
 If the connector group assigned to the wildcard application uses a **different region than your default region**, you will need to update the CNAME record to point to a regional specific external URL. Use the following table to determine the relevant URL:
 

articles/active-directory/develop/msal-overview.md

@@ -31,7 +31,7 @@ MSAL gives you many ways to get tokens, with a consistent API for a number of pl
 > [!VIDEO https://www.youtube.com/embed/zufQ0QRUHUk]
 
 ## Application types and scenarios
-Using MSAL, a token can be acquired from a number of application types: web applications, web APIs, single-page apps (JavaScript), mobile and native applications, and daemons and server-side applications.
+Using MSAL, a token can be acquired for a number of application types: web applications, web APIs, single-page apps (JavaScript), mobile and native applications, and daemons and server-side applications.
 
 MSAL can be used in many application scenarios, including the following:
 

articles/active-directory/fundamentals/whats-new-archive.md

@@ -1657,7 +1657,7 @@ Currently, this user action only allows you to enable Azure AD MFA as a control
 **Service category:** App Proxy  
 **Product capability:** Access Control
 
-With this new capability, connector groups can be assigned to the closest regional Application Proxy service an application is hosted in. This can improve app performance in scenarios where apps are hosted in regions other than the home tenant’s region. [Learn more](../app-proxy/application-proxy-network-topology.md#optimize-connector-groups-to-use-closest-application-proxy-cloud-service-preview). 
+With this new capability, connector groups can be assigned to the closest regional Application Proxy service an application is hosted in. This can improve app performance in scenarios where apps are hosted in regions other than the home tenant’s region. [Learn more](../app-proxy/application-proxy-network-topology.md#optimize-connector-groups-to-use-closest-application-proxy-cloud-service). 
 
 ---
 

articles/active-directory/saas-apps/hive-learning-tutorial.md

@@ -0,0 +1,145 @@
+---
+title: 'Tutorial: Azure AD SSO integration with Hive Learning'
+description: Learn how to configure single sign-on between Azure Active Directory and Hive Learning.
+services: active-directory
+author: jeevansd
+manager: CelesteDG
+ms.reviewer: CelesteDG
+ms.service: active-directory
+ms.subservice: saas-app-tutorial
+ms.workload: identity
+ms.topic: tutorial
+ms.date: 06/13/2022
+ms.author: jeedes
+
+---
+
+# Tutorial: Azure AD SSO integration with Hive Learning
+
+In this tutorial, you'll learn how to integrate Hive Learning with Azure Active Directory (Azure AD). When you integrate Hive Learning with Azure AD, you can:
+
+* Control in Azure AD who has access to Hive Learning.
+* Enable your users to be automatically signed-in to Hive Learning with their Azure AD accounts.
+* Manage your accounts in one central location - the Azure portal.
+
+## Prerequisites
+
+To get started, you need the following items:
+
+* An Azure AD subscription. If you don't have a subscription, you can get a [free account](https://azure.microsoft.com/free/).
+* Hive Learning single sign-on (SSO) enabled subscription.
+* Along with Cloud Application Administrator, Application Administrator can also add or manage applications in Azure AD.
+For more information, see [Azure built-in roles](../roles/permissions-reference.md).
+
+## Scenario description
+
+In this tutorial, you configure and test Azure AD SSO in a test environment.
+
+* Hive Learning supports **SP** and **IDP** initiated SSO.
+* Hive Learning supports **Just In Time** user provisioning.
+
+## Add Hive Learning from the gallery
+
+To configure the integration of Hive Learning into Azure AD, you need to add Hive Learning from the gallery to your list of managed SaaS apps.
+
+1. Sign in to the Azure portal using either a work or school account, or a personal Microsoft account.
+1. On the left navigation pane, select the **Azure Active Directory** service.
+1. Navigate to **Enterprise Applications** and then select **All Applications**.
+1. To add new application, select **New application**.
+1. In the **Add from the gallery** section, type **Hive Learning** in the search box.
+1. Select **Hive Learning** from results panel and then add the app. Wait a few seconds while the app is added to your tenant.
+
+## Configure and test Azure AD SSO for Hive Learning
+
+Configure and test Azure AD SSO with Hive Learning using a test user called **B.Simon**. For SSO to work, you need to establish a link relationship between an Azure AD user and the related user in Hive Learning.
+
+To configure and test Azure AD SSO with Hive Learning, perform the following steps:
+
+1. **[Configure Azure AD SSO](#configure-azure-ad-sso)** - to enable your users to use this feature.
+    1. **[Create an Azure AD test user](#create-an-azure-ad-test-user)** - to test Azure AD single sign-on with B.Simon.
+    1. **[Assign the Azure AD test user](#assign-the-azure-ad-test-user)** - to enable B.Simon to use Azure AD single sign-on.
+1. **[Configure Hive Learning SSO](#configure-hive-learning-sso)** - to configure the single sign-on settings on application side.
+    1. **[Create Hive Learning test user](#create-hive-learning-test-user)** - to have a counterpart of B.Simon in Hive Learning that is linked to the Azure AD representation of user.
+1. **[Test SSO](#test-sso)** - to verify whether the configuration works.
+
+## Configure Azure AD SSO
+
+Follow these steps to enable Azure AD SSO in the Azure portal.
+
+1. In the Azure portal, on the **Hive Learning** application integration page, find the **Manage** section and select **single sign-on**.
+1. On the **Select a single sign-on method** page, select **SAML**.
+1. On the **Set up single sign-on with SAML** page, click the pencil icon for **Basic SAML Configuration** to edit the settings.
+
+    ![Screenshot shows to edit Basic S A M L Configuration.](common/edit-urls.png "Basic Configuration")
+
+1. On the **Basic SAML Configuration** section, perform the following steps:
+
+    a. In the **Identifier** textbox, type a URL using the following pattern:
+    `https://auth.hivelearning.com/saml/<ID>/metadata`
+
+    b. In the **Reply URL** textbox, type a URL using the following pattern:
+    `https://auth.hivelearning.com/saml/<ID>/login`
+
+1. Click **Set additional URLs** and perform the following step if you wish to configure the application in **SP** initiated mode:    
+
+    In the **Sign on URL** text box, type a URL using the following pattern:
+    `https://<ID>.hivelearning.com`
+
+    > [!Note]
+    > These values are not real. Update these values with the actual Identifier, Reply URL and Sign on URL. Contact [Hive Learning support team](mailto:[email protected]) to get these values. You can also refer to the patterns shown in the **Basic SAML Configuration** section in the Azure portal.
+
+1. On the **Set up single sign-on with SAML** page, In the **SAML Signing Certificate** section, click copy button to copy **App Federation Metadata Url** and save it on your computer.
+
+	![Screenshot shows the Certificate download link.](common/copy-metadataurl.png "Certificate") 
+
+### Create an Azure AD test user
+
+In this section, you'll create a test user in the Azure portal called B.Simon.
+
+1. From the left pane in the Azure portal, select **Azure Active Directory**, select **Users**, and then select **All users**.
+1. Select **New user** at the top of the screen.
+1. In the **User** properties, follow these steps:
+   1. In the **Name** field, enter `B.Simon`.  
+   1. In the **User name** field, enter the [email protected]. For example, `[email protected]`.
+   1. Select the **Show password** check box, and then write down the value that's displayed in the **Password** box.
+   1. Click **Create**.
+
+### Assign the Azure AD test user
+
+In this section, you'll enable B.Simon to use Azure single sign-on by granting access to Hive Learning.
+
+1. In the Azure portal, select **Enterprise Applications**, and then select **All applications**.
+1. In the applications list, select **Hive Learning**.
+1. In the app's overview page, find the **Manage** section and select **Users and groups**.
+1. Select **Add user**, then select **Users and groups** in the **Add Assignment** dialog.
+1. In the **Users and groups** dialog, select **B.Simon** from the Users list, then click the **Select** button at the bottom of the screen.
+1. If you are expecting a role to be assigned to the users, you can select it from the **Select a role** dropdown. If no role has been set up for this app, you see "Default Access" role selected.
+1. In the **Add Assignment** dialog, click the **Assign** button.
+
+## Configure Hive Learning SSO
+
+To configure single sign-on on **Hive Learning** side, you need to send the **App Federation Metadata Url** to [Hive Learning support team](mailto:[email protected]). They set this setting to have the SAML SSO connection set properly on both sides.
+
+### Create Hive Learning test user
+
+In this section, a user called B.Simon is created in Hive Learning. Hive Learning supports just-in-time user provisioning, which is enabled by default. There is no action item for you in this section. If a user doesn't already exist in Hive Learning, a new one is created after authentication.
+
+## Test SSO 
+
+In this section, you test your Azure AD single sign-on configuration with following options. 
+
+#### SP initiated:
+
+* Click on **Test this application** in Azure portal. This will redirect to Hive Learning Sign on URL where you can initiate the login flow.  
+
+* Go to Hive Learning Sign-on URL directly and initiate the login flow from there.
+
+#### IDP initiated:
+
+* Click on **Test this application** in Azure portal and you should be automatically signed in to the Hive Learning for which you set up the SSO. 
+
+You can also use Microsoft My Apps to test the application in any mode. When you click the Hive Learning tile in the My Apps, if configured in SP mode you would be redirected to the application sign-on page for initiating the login flow and if configured in IDP mode, you should be automatically signed in to the Hive Learning for which you set up the SSO. For more information about the My Apps, see [Introduction to the My Apps](../user-help/my-apps-portal-end-user-access.md).
+
+## Next steps
+
+Once you configure Hive Learning you can enforce session control, which protects exfiltration and infiltration of your organization’s sensitive data in real time. Session control extends from Conditional Access. [Learn how to enforce session control with Microsoft Cloud App Security](/cloud-app-security/proxy-deployment-aad).