Merge pull request #69156 from MicrosoftDocs/master

Merge master to live 2:59 AM

Author: ktoliver

.openpublishing.publish.config.json

@@ -8,7 +8,7 @@
       "locale": "en-us",
       "monikers": [],
       "moniker_ranges": [],
-      "open_to_public_contributors": false,
+      "open_to_public_contributors": true,
       "type_mapping": {
         "Conceptual": "Content",
         "ManagedReference": "Content",

articles/active-directory/conditional-access/technical-reference.md

@@ -13,7 +13,7 @@ ms.devlang: na
 ms.topic: article
 ms.tgt_pltfrm: na
 ms.workload: identity
-ms.date: 01/30/2019
+ms.date: 03/12/2019
 ms.author: markvi
 ms.reviewer: spunukol
 
@@ -49,25 +49,43 @@ With conditional access policies, you control how your users access your [cloud
 
 You can assign a conditional access policy to the following cloud apps from Microsoft:
 
-- Azure Information Protection - [Learn more](/azure/information-protection/faqs#i-see-azure-information-protection-is-listed-as-an-available-cloud-app-for-conditional-accesshow-does-this-work)
-
-- Azure RemoteApp
-
-- Azure SQL Database - [Learn more](https://docs.microsoft.com/azure/sql-database/sql-database-conditional-access)
-
-- Microsoft Dynamics 365
-
-- Microsoft Office 365 Yammer
-
-- Microsoft Office 365 Exchange Online
-
-- Microsoft Office 365 SharePoint Online (includes OneDrive for Business and Project Online)
-
-- Microsoft Power BI 
 
+- Azure Analysis Services
 - Azure DevOps
+- Azure SQL Database and Data Warehouse - [Learn more](https://docs.microsoft.com/azure/sql-database/sql-database-conditional-access)
+- Dynamics CRM Online
+- Microsoft Application Insights Analytics
+- Microsoft Azure Information Protection - [Learn more](https://docs.microsoft.com/azure/information-protection/faqs#i-see-azure-information-protection-is-listed-as-an-available-cloud-app-for-conditional-accesshow-does-this-work)
+- Microsoft Azure Management - [Learn more](https://docs.microsoft.com/azure/role-based-access-control/conditional-access-azure-management)
+- Microsoft Azure RemoteApp
+- Microsoft Azure Subscription Management
+- Microsoft Cloud App Security
+- Microsoft Commerce Tools Access Control Portal
+- Microsoft Commerce Tools Authentication Service
+- Microsoft Flow
+- Microsoft Forms
+- Microsoft Intune
+- Microsoft Intune Enrollment
+- Microsoft Planner
+- Microsoft Power BI
+- Microsoft PowerApps
+- Microsoft Search in Bing
+- Microsoft StaffHub
+- Microsoft Stream
+- Microsoft Teams 
+- Office 365 Exchange Online
+- Office 365 SharePoint Online
+- Office 365 Yammer
+- Office Delve
+- Office Sway 
+- Outlook Groups
+- Project Online
+- Skype for Business Online
+- Virtual Private Network (VPN)
+- Visual Studio App Center
+- Windows Defender ATP
+
 
-- Microsoft Teams
 
 
 ### Other applications 

articles/active-directory/develop/TOC.yml

@@ -286,7 +286,7 @@
         href: quickstart-v2-uwp.md
       - name: Windows Desktop .NET
         href: quickstart-v2-windows-desktop.md
-      - name: .NET Core console (deamon)
+      - name: .NET Core console (daemon)
         href: quickstart-v2-netcore-daemon.md    
     - name: Service-to-service
       items:

articles/active-directory/develop/sample-v2-code.md

@@ -59,7 +59,7 @@ The following samples illustrate web applications that sign in users. Some sampl
 
  Platform | Only signs in users | Signs in users and calls Microsoft Graph
  -------- | ------------------- | ---------------------------------
-![ASP.NET Core](media/sample-v2-code/logo_NETcore.png)</p>ASP.NET Core 2.1 | [aspnetcore-webapp-openidconnect-v2](https://github.com/Azure-Samples/active-directory-aspnetcore-webapp-openidconnect-v2) | Same sample in the [aspnetcore2-2-signInAndCallGraph](https://github.com/Azure-Samples/active-directory-aspnetcore-webapp-openidconnect-v2/tree/aspnetcore2-2-signInAndCallGraph) branch
+![ASP.NET Core](media/sample-v2-code/logo_NETcore.png)</p>ASP.NET Core 2.1 | [ASP.NET Core WebApp signs-in users tutorial](https://aka.ms/aspnetcore-webapp-sign-in) | Same sample in the [ASP.NET Core Web App calls Microsoft Graph](https://aka.ms/aspnetcore-webapp-call-msgraph) phase
 ![ASP.NET](media/sample-v2-code/logo_NETframework.png)</p> ASP.NET | [ASP.NET Quickstart](https://github.com/AzureAdQuickstarts/AppModelv2-WebApp-OpenIDConnect-DotNet) </p> [dotnet-webapp-openidconnect-v2](https://github.com/azure-samples/active-directory-dotnet-webapp-openidconnect-v2)  |  [dotnet-admin-restricted-scopes-v2](https://github.com/azure-samples/active-directory-dotnet-admin-restricted-scopes-v2) </p>[msgraph-training-aspnetmvcapp](https://github.com/microsoftgraph/msgraph-training-aspnetmvcapp)
 ![Node.js](media/sample-v2-code/logo_nodejs.png)  |                   | [Node.js Quickstart](https://github.com/azureadquickstarts/appmodelv2-webapp-openidconnect-nodejs)
 ![Ruby](media/sample-v2-code/logo_ruby.png) |                   | [msgraph-training-rubyrailsapp](https://github.com/microsoftgraph/msgraph-training-rubyrailsapp)

articles/active-directory/manage-apps/application-proxy-add-on-premises-application.md

@@ -8,7 +8,7 @@ ms.service: active-directory
 ms.subservice: app-mgmt
 ms.workload: identity
 ms.topic: tutorial
-ms.date: 12/07/2018
+ms.date: 03/12/2019
 ms.author: celested
 ms.reviewer: japere
 ms.collection: M365-identity-device-management
@@ -35,17 +35,18 @@ To add an application to your tenant, you need:
 * An application administrator account.
 
 ### Windows server
+
 To use Application Proxy, you need a Windows server running Windows Server 2012 R2 or later. You'll install the Application Proxy connector on the server. This connector server needs to connect to the Application Proxy services in Azure, and the on-premises applications that you plan to publish.
 
 For high availability in your production environment, we recommend having more than one Windows server. For this tutorial, one Windows server is sufficient.
 
-**Recommendations for the connector server**
+#### Recommendations for the connector server
 
 1. Physically locate the connector server close to the application servers to optimize performance between the connector and the application. For more information, see [Network topology considerations](application-proxy-network-topology.md).
 
 2. The connector server and the web applications servers should belong to the same Active Directory domain. Having the servers in the same domain is a requirement for using single sign-on (SSO) with Integrated Windows Authentication (IWA) and Kerberos Constrained Delegation (KCD). If the connector server and web application servers are in different Active Directory domains, you need to use resource-based delegation for single sign-on. For more information, see [KCD for single sign-on with Application Proxy](application-proxy-configure-single-sign-on-with-kcd.md).
 
-**Software requirements**
+#### Software requirements
 
 The Windows connector server needs to have TLS 1.2 enabled before you install the Application Proxy connector. Existing connectors with versions below 1.5.612.0 will continue to work on prior versions of TLS until further notice. 
 
@@ -62,8 +63,8 @@ To enable TLS 1.2:
 
 2. Restart the server
 
-  
 ## Prepare your on-premises environment
+
 To prepare your environment for Azure AD Application Proxy, you first need to enable communication to Azure data centers. If there's a firewall in the path, make sure it's open so the connector can make HTTPS (TCP) requests to the Application Proxy.
 
 ### Open ports
@@ -92,6 +93,7 @@ Allow access to the following URLs:
 If your firewall or proxy allows DNS whitelisting, you can whitelist connections to \*.msappproxy.net and \*.servicebus.windows.net. If not, you need to allow access to the [Azure DataCenter IP ranges](https://www.microsoft.com/download/details.aspx?id=41653). The IP ranges are updated each week.
 
 ## Install and register a connector
+
 To use Application Proxy, you need to install a connector on each Windows server you choose to use with the Application Proxy service. The connector is an agent that manages the outbound connection from the on-premises application servers to Application Proxy in Azure AD. You can install a connector on servers that also have other authentication agents installed such as Azure AD Connect.
 
 To install the connector:
@@ -117,12 +119,12 @@ For information about connectors, capacity planning, and how they stay up-to-dat
 
 If you're using the Qlik Sense application, always install the latest connector. Qlik Sense uses WebSockets, which is only supported on connector versions 1.5.612.0 or later.
 
-
 ## Verify the connector installed and registered correctly
 
 You can use the Azure portal or your Windows server to confirm that a new connector installed correctly.
 
 ### Verify - Azure portal
+
 To confirm the connector installed and registered correctly:
 
 1. Sign in to your tenant directory in the [Azure portal](https://portal.azure.com).
@@ -134,6 +136,7 @@ To confirm the connector installed and registered correctly:
 For more help with installing a connector, see [Problems installing an Application Proxy Connector](application-proxy-connector-installation-problem.md).
 
 ### Verify - Windows server
+
 To confirm the connector installed and registered correctly:
 
 1. Open the Windows Services Manager by clicking the **Windows** key and entering *services.msc*.
@@ -160,7 +163,7 @@ Now that you've prepared your environment and installed a connector, you're read
 
 4. In the **Add your own on-premises application** blade, provide the following information about your application:
 
-    ![Configure your application](./media/application-proxy-publish-azure-portal/configure-app.png)
+    ![Configure your on-premises application](./media/application-proxy-add-on-premises-application/add-on-premises-app-with-application-proxy-updated.png)
 
     | Field | Description |
     | :---- | :---------- |
@@ -181,15 +184,14 @@ Now that you've prepared your environment and installed a connector, you're read
     | **Translate URLs in Headers** | Keep this value as **Yes** unless your application required the original host header in the authentication request. |
     | **Translate URLs in Application Body** | Keep this value as **No** unless you have hardcoded HTML links to other on-premises applications, and don't use custom domains. For more information, see [Link translation with Application Proxy](application-proxy-configure-hard-coded-link-translation.md).<br><br>Set this value to **Yes** if you plan to monitor this application with Microsoft Cloud App Security (MCAS). For more information, see [Configure real-time application access monitoring with Microsoft Cloud App Security and Azure Active Directory](application-proxy-integrate-with-microsoft-cloud-application-security.md) |
    
-
-
 6. Select **Add**.
 
 ## Test the application
 
 You're ready to test the application is added correctly. In the following steps, you'll add a user account to the application, and try signing in.
 
 ### Add a user for testing
+
 Before adding a user to the application, verify the user account already has permissions to access the application from inside the corporate network.
 
 To add a test user:
@@ -218,6 +220,7 @@ To test sign-on to the application:
 For troubleshooting, see [Troubleshoot Application Proxy problems and error messages](application-proxy-troubleshoot.md).
 
 ## Next steps
+
 In this tutorial, you prepared your on-premises environment to work with Application Proxy, and then installed and registered the Application Proxy connector. Next, you added an application to your Azure AD tenant. You verified that a user can sign on to the application by using an Azure AD account.
 
 You did these things:
@@ -232,8 +235,3 @@ You're ready to configure the application for single sign-on. Use the following
 
 > [!div class="nextstepaction"]
 >[Configure single sign-on](what-is-single-sign-on.md#choosing-a-single-sign-on-method)
-
-
-
-
-

articles/active-directory/manage-apps/application-proxy-config-sso-how-to.md

@@ -13,9 +13,9 @@ ms.workload: identity
 ms.tgt_pltfrm: na
 ms.devlang: na
 ms.topic: conceptual
-ms.date: 10/22/2018
+ms.date: 03/12/2019
 ms.author: celested
-ms.reviewer: asteen
+ms.reviewer: japere, asteen
 
 ms.collection: M365-identity-device-management
 ---
@@ -40,11 +40,16 @@ Configure the specific type of single sign-on. The sign-on methods are classifie
 
 -   **Header-based Sign-On**: Header-based sign-on is enabled through a partnership and does require some additional configuration. For details on the partnership and step-by-step instructions for configuring single sign-on to an application that uses headers for authentication, see the [PingAccess for Azure AD documentation](application-proxy-configure-single-sign-on-with-ping-access.md).
 
-Each of these options can be found by going to your application in “Enterprise Applications”, and opening the **Single Sign-On** page on the left menu. note that if your application was created in the old portal, you may not see all these options.
+-   **SAML single sign-on**: With SAML single sign-on, Azure AD authenticates to the application by using the user's Azure AD account. Azure AD communicates the sign-on information to the application through a connection protocol. With SAML-based single sign-on, you can map users to specific application roles based on rules you define in your SAML claims. For information about setting up SAML single sign-on, see [SAML for single sign-on with Application Proxy](application-proxy-configure-single-sign-on-on-premises-apps.md).
+
+Each of these options can be found by going to your application in “Enterprise Applications”, and opening the **Single Sign-On** page on the left menu. Note that if your application was created in the old portal, you may not see all these options.
 
 On this page, you also see one additional Sign-On option: Linked Sign-On. This option is also supported by Application Proxy. However, this option does not add single sign-on to the application. That said the application may already have single sign-on implemented using another service such as Active Directory Federation Services. 
 
 This option allows an admin to create a link to an application that users first land on when accessing the application. For example, if there is an application that is configured to authenticate users using Active Directory Federation Services 2.0, an administrator can use the “Linked Sign-On” option to create a link to it on the access panel.
 
 ## Next steps
-[Provide single sign-on to your apps with Application Proxy](application-proxy-configure-single-sign-on-with-kcd.md)
+- [Password vaulting for single sign-on with Application Proxy](application-proxy-configure-single-sign-on-password-vaulting.md)
+- [Kerberos Constrained Delegation for single sign-on with Application Proxy](application-proxy-configure-single-sign-on-with-kcd.md)
+- [Header-based authentication for single sign-on with Application Proxy](application-proxy-configure-single-sign-on-with-ping-access.md) 
+- [SAML for single sign-on with Application Proxy](application-proxy-configure-single-sign-on-on-premises-apps.md).

articles/active-directory/manage-apps/application-proxy-configure-single-sign-on-on-premises-apps.md

@@ -0,0 +1,67 @@
+---
+title: SAML single sign-on for on-premises applications with Azure Active Directory Application Proxy (Preview) | Microsoft Docs 
+description: Learn how to provide single sign-on for on-premises applications published through Application Proxy that are secured with SAML authentication.
+services: active-directory
+documentationcenter: ''
+author: CelesteDG
+manager: mtillman
+
+ms.service: active-directory
+ms.subservice: app-mgmt
+ms.workload: identity
+ms.tgt_pltfrm: na
+ms.devlang: na
+ms.topic: conceptual
+ms.date: 03/12/2019
+ms.author: celested
+ms.reviewer: japere
+ms.custom: it-pro
+ms.collection: M365-identity-device-management
+---
+
+# SAML single sign-on for on-premises applications with Application Proxy (Preview)
+
+You can provide single sign-on (SSO) for on-premises applications published through Application Proxy that are secured with SAML authentication. With SAML single sign-on, Azure Active Directory (Azure AD) authenticates to the application by using the user's Azure AD account. Azure AD communicates the sign-on information to the application through a connection protocol. With SAML-based single sign-on, you can map users to specific application roles based on rules you define in your SAML claims.
+
+The applications must be able to consume SAML tokens issued by **Azure Active Directory**. 
+This configuration does not apply to applications using an on-premises identity provider. For these scenarios we recommend reviewing [Resources for migrating applications to Azure AD](migration-resources.md).
+
+SAML SSO with Application Proxy also works with the SAML token encryption feature. For more info, see [Configure Azure AD SAML token encryption](howto-saml-token-encryption.md).
+
+## Publish the on-premises application with Application Proxy
+
+Before you can provide SSO for on-premises applications, make sure you have enabled Application Proxy and you have a connector installed. See [Add an on-premises application for remote access through Application Proxy in Azure AD](application-proxy-add-on-premises-application.md) to learn how.
+
+Keep the following in mind when you're going through the tutorial:
+
+* Publish your application according to the instructions in the tutorial. Make sure to select **Azure Active Directory** as the **Pre Authentication** method for your application (step 4 in [Add an on-premises app to Azure AD](application-proxy-add-on-premises-application.md#add-an-on-premises-app-to-azure-ad
+)).
+* Copy the **External URL** for the application.
+* As a best practice, use custom domains whenever possible for an optimized user experience. Learn more about [Working with custom domains in Azure AD Application Proxy](application-proxy-configure-custom-domain.md).
+* Add at least one user to the application and make sure the test account has access to the on-premises application.
+
+## Set up SAML SSO
+
+1. In the Azure portal, select **Azure Active Directory > Enterprise applications** and select the application from the list.
+1. From the app's **Overview** page, select **Single sign-on**.
+1. Select **SAML** as the single sign-on method.
+1. In the **Set up Single Sign-On with SAML** page, edit the **Basic SAML Configuration** data and follow the steps in [Enter basic SAML configuration](configure-single-sign-on-non-gallery-applications.md#saml-based-single-sign-on) to configure SAML-based authentication for the application.
+
+    * Make sure the **Reply URL** root matches or is a path under the **External URL** for the on-premises application that you added for remote access through Application Proxy in Azure AD.
+
+    ![Enter basic SAML configuration data](./media/application-proxy-configure-single-sign-on-on-premises-apps/basic-saml-configuration.png)
+
+    > [!NOTE]
+    > If the backend application expects the **Reply URL** to be the internal URL, you'll need to install the My Apps secure sign-in extension on users' devices. This extension will automatically redirect to the appropriate Application Proxy Service. To install the extension, see [My Apps secure sign-in extension](../user-help/active-directory-saas-access-panel-introduction.md#my-apps-secure-sign-in-extension).
+
+## Test your app
+
+When you've completed all these steps, your app should be up and running. To test the app:
+
+1. Open a browser and navigate to the external URL that you created when you published the app. 
+1. Sign in with the test account that you assigned to the app.
+
+## Next steps
+
+- [How does Azure AD Application Proxy provide single sign-on?](application-proxy-single-sign-on.md)
+- [Troubleshoot Application Proxy](application-proxy-troubleshoot.md)