Merge pull request #226921 from MicrosoftDocs/main

2/09 PM Publish

Author: huypub

articles/active-directory/app-proxy/application-proxy-configure-complex-application.md

@@ -22,11 +22,11 @@ When applications are made up of multiple individual web application using diffe
 
 The following figure shows an example for complex application domain structure.
 
-![Diagram of domain structure for a complex application showing resource sharing between primary and secondary application.](./media/application-proxy-configure-complex-application/complex-app-structure.png)
+:::image type="content" source="./media/application-proxy-configure-complex-application/complex-app-structure-1.png" alt-text="Diagram of domain structure for a complex application showing resource sharing between primary and secondary application.":::
 
 With [Azure AD Application Proxy](application-proxy.md), you can address this issue by using complex application publishing that is made up of multiple URLs across various domains. 
 
-![Diagram of a Complex application with multiple application segments definition.](./media/application-proxy-configure-complex-application/complex-app-flow.png)
+:::image type="content" source="./media/application-proxy-configure-complex-application/complex-app-flow-1.png" alt-text="Diagram of a Complex application with multiple application segments definition.":::
 
 A complex app has multiple app segments, with each app segment being a pair of an internal & external URL.
 There is one conditional access policy associated with the app and access to any of the external URLs work with pre-authentication with the same set of policies that are enforced for all.
@@ -42,7 +42,7 @@ This article provides you with the information you need to configure wildcard ap
 ## Characteristics of application segment(s) for complex application. 
 1. Application segments can be configured only for a wildcard application.
 2. External and alternate URL should match the wildcard external and alternate URL domain of the application respectively.
-3. Application segment URL’s (internal and external) need to maintain uniqueness across complex applications.
+3. Application segment URLs (internal and external) need to maintain uniqueness across complex applications.
 4. CORS Rules (optional) can be configured per application segment.
 5. Access will only be granted to defined application segments for a complex application.
     - Note - If all application segments are deleted, a complex application will behave as a wildcard application opening access to all valid URL by specified domain. 
@@ -56,61 +56,48 @@ Before you get started with Application Proxy Complex application scenario apps,
 
 ## Configure application segment(s) for complex application. 
 
-To configure (and update) Application Segments for a complex app using the API, you first [create a wildcard application](application-proxy-wildcard.md#create-a-wildcard-application), and then update the application's onPremisesPublishing property to configure the application segments and respective CORS settings.
-
 > [!NOTE]
-> 2 application segment per complex application are supported for [Microsoft Azure AD premium subscription](https://azure.microsoft.com/pricing/details/active-directory). Licence requirement for more than 2 application segments per complex application to be announced soon.
-
-If successful, this method returns a `204 No Content` response code and does not return anything in the response body.
-## Example
-
-##### Request
-Here is an example of the request.
-
-```http
-PATCH https://graph.microsoft.com/beta/applications/{<object-id-of--the-complex-app-under-APP-Registrations}
-Content-type: application/json
-
-{
-    "onPremisesPublishing": {
-		"onPremisesApplicationSegments": [
-			{
-				"externalUrl": "https://home.contoso.net/",
-				"internalUrl": "https://home.test.com/",
-				"alternateUrl": "",
-				"corsConfigurations": []
-			},
-			{
-				"externalUrl": "https://assets.constoso.net/",
-				"internalUrl": "https://assets.test.com",
-				"alternateUrl": "",
-				"corsConfigurations": [
-					{
-						"resource": "/",
-						"allowedOrigins": [
-							"https://home.contoso.net/"
-						],
-						"allowedHeaders": [
-							"*"
-						],
-						"allowedMethods": [
-							"*"
-						],
-						"maxAgeInSeconds": 0
-					}
-				]
-			}	
-		]
-	}
-}
-
-```
-##### Response
-
-```http
-HTTP/1.1 204 No Content
-```
+> Two application segment per complex distributed application are supported for [Microsoft Azure AD premium subscription](https://azure.microsoft.com/pricing/details/active-directory). License requirement for more than two application segments per complex application to be announced soon.
+
+To publish complex distributed app through Application Proxy with application segments:
+
+1. [Create a wildcard application.](application-proxy-wildcard.md#create-a-wildcard-application)
+
+1. On the Application Proxy Basic settings page, select "Add application segments".
+
+    :::image type="content" source="./media/application-proxy-configure-complex-application/add-application-segments.png" alt-text="Screenshot of link to add an application segment.":::
+
+3. On the Manage and configure application segments page, select "+ Add app segment"
+
+    :::image type="content" source="./media/application-proxy-configure-complex-application/add-application-segment-1.png" alt-text="Screenshot pf Manage and configure application segment blade.":::
+
+4. In the Internal Url field, enter the internal URL for your app.
+
+5. In the External Url field, drop down the list and select the custom domain you want to use.
+
+6. Add CORS Rules (optional).  For more information see [Configuring CORS Rule](https://learn.microsoft.com/graph/api/resources/corsconfiguration_v2?view=graph-rest-beta)
+
+7. Select Create.
+
+    :::image type="content" source="./media/application-proxy-configure-complex-application/create-app-segment.png" alt-text="Screenshot of add or edit application segment context plane.":::
+
+Your application is now set up to use the configured application segments. Be sure to assign users to your application before you test or release it.
+
+To edit/update an application segment, select respective application segment from the list in Manage and configure application segments page. Upload a certificate for the updated domain, if necessary, and update the DNS record. 
+
+## DNS updates
+
+When using custom domains, you need to create a DNS entry with a CNAME record for the external URL (for example,  `*.adventure-works.com`) pointing to the external URL of the application proxy endpoint. For wildcard applications, the CNAME record needs to point to the relevant external URL:
+
+> `<yourAADTenantId>.tenant.runtime.msappproxy.net`
+
+Alternatively, a DNS entry with a CNAME record for every individual application segment can be created as follows:
+
+> `'External URL of application segment'` > `'<External URL without domain>-<tenantname>.msapproxy.net'` <br>
+for example in above instance  >`'home.contoso.ashcorp.us'` points to > `home-ashcorp1.msappproxy.net`
+
 
+For more detailed instructions for Application Proxy, see [Tutorial: Add an on-premises application for remote access through Application Proxy in Azure Active Directory](../app-proxy/application-proxy-add-on-premises-application.md).
 
 ## See also
 - [Tutorial: Add an on-premises application for remote access through Application Proxy in Azure Active Directory](../app-proxy/application-proxy-add-on-premises-application.md) 

articles/active-directory/app-proxy/media/application-proxy-configure-complex-application/add-application-segment-1.png

@@ -95,6 +95,8 @@
       href: application-proxy-configure-cookie-settings.md
     - name: Publish using wildcards
       href: application-proxy-wildcard.md
+    - name: Publish complex distributed application using application segments
+      href: application-proxy-configure-complex-application.md
     - name: Configure custom domain
       href: application-proxy-configure-custom-domain.md
     - name: Translate inline links

articles/active-directory/app-proxy/media/application-proxy-configure-complex-application/add-application-segments.png

@@ -216,7 +216,10 @@ Use the **Activity triggers** dashboard to view information and set alerts and t
     -   See data for **identity governance** to ensure inactive users are decommissioned because they left the company or to remove vendor accounts that have been left behind, old consultant accounts, or users who as parts of the Joiner/Mover/Leaver process have moved onto another role and are no longer using their access. Consider this a fail-safe to ensure dormant accounts are removed.
     -   Identify over-permissioned access to later use the Remediation to pursue **Zero Trust and least privileges.**
 
-    **Example of** [**Permissions Management Report**](https://microsoft.sharepoint.com/:v:/t/MicrosoftEntraPermissionsManagementAssets/EQWmUsMsdkZEnFVv-M9ZoagBd4B6JUQ2o7zRTupYrfxbGA)                                 
+    **Example of Permissions Management Analytics Report**
+
+    > [!div class="mx-imgBorder"] 
+    > :::image type="content" source="media/permissions-management-trial-user-guide/permissions-management-report-example.png" alt-text="Example of Permissions Management Analytics Report." lightbox="media/permissions-management-trial-user-guide/permissions-management-report-example.png":::                          
                
     **Actions to try**    
     - [View system reports in the Reports dashboard](../cloud-infrastructure-entitlement-management/product-reports.md)  

articles/active-directory/app-proxy/media/application-proxy-configure-complex-application/complex-app-flow-1.png

@@ -14,7 +14,7 @@
     href: tutorial-single-forest.md
   - name: Integrate an existing forest and a new forest with a single Azure AD tenant
     href: tutorial-existing-forest.md
-  - name: Pilot cloud sync for an existing synced AD forest 
+  - name: Migrate to Azure AD Connect cloud sync for an existing synced AD forest 
     href: tutorial-pilot-aadc-aadccp.md
 
 
@@ -54,6 +54,8 @@
       href: how-to-sso.md
     - name: Directory extensions and custom attributes
       href: custom-attribute-mapping.md
+    - name: Migrate from Azure AD Connect
+      href: migrate-azure-ad-connect-to-cloud-sync.md
   - name: Plan and design
     items:
     - name: Topologies and scenarios for Azure AD Connect cloud sync