Updated tutorial to include group assertions

I've added instructions on how to configure Azure Active Directory and cloudtamer.io for group assertions. This allows a user to inherit permissions based on membership in an Azure Active Directory group.

Author: ctjohnhall

articles/active-directory/saas-apps/cloudtamer-io-tutorial.md

@@ -175,7 +175,36 @@ In this section, you test your Azure AD single sign-on configuration with follow
 
 You can also use Microsoft My Apps to test the application in any mode. When you click the cloudtamer.io tile in the My Apps, if configured in SP mode you would be redirected to the application sign on page for initiating the login flow and if configured in IDP mode, you should be automatically signed in to the cloudtamer.io for which you set up the SSO. For more information about the My Apps, see [Introduction to the My Apps](https://support.microsoft.com/account-billing/sign-in-and-start-apps-from-the-my-apps-portal-2f3b1bae-0e5a-4a86-a33e-876fbd2a4510).
 
+## Group Assertions
+
+In order to easily manage cloudtamer.io user permissions using existing Azure Active Directory groups, you can follow the steps below:
+
+### Azure Active Directory Configuration
+1. Within Azure Active Directory, navigate to Azure Active Directory > Enterprise Applications.
+2. Select the Enterprise Application for cloudtamer.io from the list.
+3. On the Overview screen that appears, select **Single sign-on** from the menu on the left.
+4. On the Single Sign-On screen, locate the User Attributes & Claims box and select **Edit**.
+5. Select **Add a group claim** from the top. (Note: You can only have one group claim. If this option is disabled, you may already have a group claim defined.)
+6. On the Group Claims screen that appears, make a selection for the groups that should be returned in the claim:
+	1. If you will always have every group you intend to use in cloudtamer.io assigned to this Enterprise Application, select **Groups assigned to the application**.
+	1. Otherwise, if you want all groups to appear (this can cause a large number of group assertions and may be subject to limits), select **Groups assigned to the application**.
+7. For **Source attribute**, leave Group ID by default.
+8. Place a checkmark in the box labeled **Customize the name of the group claim** and specify the name **memberOf** in the **Name** field.
+9. Select **Save** to complete the configuration with Azure Active Directory.
+
+### cloudtamer.io Configuration
+1. Within cloudtamer.io, navigate to Users > Identity Management Systems.
+2. Select the IDMS that you've created for Azure Active Directory.
+3. On the overview screen that appears, select the User Group Associations tab.
+4. For each user group mapping you desire, follow these steps:
+	1. Select Add > Add New.
+	1. On the dialog that appears:
+		1. In the Name field, specify **memberOf**.
+		1. In the Regex field, specify the Object Id (from Azure Active Directory) of the group you wish to match.
+		1. In the User Group field, select the cloudtamer.io internal group you wish to map to the group in the Regex field.
+		1. Place a checkmark in **Update on Login**.
+	1. Select **Add** to add the group association.
 
 ## Next steps
 
-Once you configure cloudtamer.io you can enforce session control, which protects exfiltration and infiltration of your organization’s sensitive data in real time. Session control extends from Conditional Access. [Learn how to enforce session control with Microsoft Cloud App Security](/cloud-app-security/proxy-deployment-any-app).
+Once you configure cloudtamer.io you can enforce session control, which protects exfiltration and infiltration of your organization’s sensitive data in real time. Session control extends from Conditional Access. [Learn how to enforce session control with Microsoft Cloud App Security](/cloud-app-security/proxy-deployment-any-app).