Merge pull request #210179 from MicrosoftDocs/main

9/5/2022 AM Publish

Author: Taojunshen

.openpublishing.redirection.active-directory.json

@@ -10831,11 +10831,6 @@
       "redirect_url": "/azure/active-directory/manage-apps/tutorial-manage-certificates-for-federated-single-sign-on",
       "redirect_document_id": false
     },
-    {
-      "source_path": "articles/active-directory/manage-apps/howto-enforce-signed-saml-authentication.md",
-      "redirect_url": "/azure/active-directory/manage-apps/howto-saml-token-encryption",
-      "redirect_document_id": true
-    },
     {
       "source_path": "articles/active-directory/manage-apps/recover-deleted-apps-faq.md",
       "redirect_url": "/azure/active-directory/manage-apps/delete-recover-faq",

articles/active-directory/app-provisioning/use-scim-to-provision-users-and-groups.md

@@ -196,7 +196,8 @@ Use the general guidelines when implementing a SCIM endpoint to ensure compatibi
 * Microsoft Azure AD makes requests to fetch a random user and group to ensure that the endpoint and the credentials are valid. It's also done as a part of the **Test Connection** flow in the [Azure portal](https://portal.azure.com). 
 * Support HTTPS on your SCIM endpoint.
 * Custom complex and multivalued attributes are supported but Azure AD doesn't have many complex data structures to pull data from in these cases. Simple paired name/value type complex attributes can be mapped to easily, but flowing data to complex attributes with three or more subattributes aren't well supported at this time.
-* The "type" subattribute values of multivalued complex attributes must be unique. For example, there can't be two different email addresses with the "work" subtype. 
+* The "type" subattribute values of multivalued complex attributes must be unique. For example, there can't be two different email addresses with the "work" subtype.
+* The header for all the responses should be of content-Type: application/scim+json 
 
 ### Retrieving Resources:
 

articles/active-directory/develop/single-sign-on-saml-protocol.md

@@ -10,7 +10,7 @@ ms.service: active-directory
 ms.subservice: develop
 ms.workload: identity
 ms.topic: conceptual
-ms.date: 02/05/2022
+ms.date: 08/31/2022
 ms.author: kenwith
 ms.custom: aaddev
 ms.reviewer: paulgarn
@@ -43,7 +43,7 @@ To request a user authentication, cloud services send an `AuthnRequest` element
 
 | Parameter | Type | Description |
 | --- | --- | --- |
-| ID | Required | Azure AD uses this attribute to populate the `InResponseTo` attribute of the returned response. ID must not begin with a number, so a common strategy is to prepend a string like "id" to the string representation of a GUID. For example, `id6c1c178c166d486687be4aaf5e482730` is a valid ID. |
+| ID | Required | Azure AD uses this attribute to populate the `InResponseTo` attribute of the returned response. ID must not begin with a number, so a common strategy is to prepend a string like "ID" to the string representation of a GUID. For example, `id6c1c178c166d486687be4aaf5e482730` is a valid ID. |
 | Version | Required | This parameter should be set to **2.0**. |
 | IssueInstant | Required | This is a DateTime string with a UTC value and [round-trip format ("o")](/dotnet/standard/base-types/standard-date-and-time-format-strings). Azure AD expects a DateTime value of this type, but doesn't evaluate or use the value. |
 | AssertionConsumerServiceURL | Optional | If provided, this parameter must match the `RedirectUri` of the cloud service in Azure AD. |
@@ -97,7 +97,7 @@ If provided, don't include the `ProxyCount` attribute, `IDPListOption` or `Reque
 
 ### Signature
 
-A `Signature` element in `AuthnRequest` elements is optional. Azure AD does not validate signed authentication requests if a signature is present. Requestor verification is provided for by only responding to registered Assertion Consumer Service URLs. 
+A `Signature` element in `AuthnRequest` elements is optional. Azure AD can be configured (Preview) to enforce the requirement of signed authentication requests. If enabled, only signed authentication requests are accepted, otherwise the requestor verification is provided for by only responding to registered Assertion Consumer Service URLs.
 
 ### Subject
 
@@ -217,7 +217,7 @@ To generate this digital signature, Azure AD uses the signing key in the `IDPSSO
 
 #### Subject
 
-This specifies the principal that is the subject of the statements in the assertion. It contains a `NameID` element, which represents the authenticated user. The `NameID` value is a targeted identifier that is directed only to the service provider that is the audience for the token. It is persistent - it can be revoked, but is never reassigned. It is also opaque, in that it does not reveal anything about the user and cannot be used as an identifier for attribute queries.
+This specifies the principle that is the subject of the statements in the assertion. It contains a `NameID` element, which represents the authenticated user. The `NameID` value is a targeted identifier that is directed only to the service provider that is the audience for the token. It is persistent - it can be revoked, but is never reassigned. It is also opaque, in that it does not reveal anything about the user and cannot be used as an identifier for attribute queries.
 
 The `Method` attribute of the `SubjectConfirmation` element is always set to `urn:oasis:names:tc:SAML:2.0:cm:bearer`.
 

articles/active-directory/manage-apps/howto-enforce-signed-saml-authentication.md

@@ -0,0 +1,79 @@
+--- 
+title: Enforce signed SAML authentication requests 
+description: Learn how to enforce signed SAML authentication requests. 
+services: active-directory 
+author: AllisonAm 
+manager: CelesteDG 
+ms.service: active-directory 
+ms.subservice: app-mgmt 
+ms.workload: identity 
+ms.topic: conceptual 
+ms.date: 06/29/2022 
+ms.author: alamaral 
+ms.collection: M365-identity-device-management 
+--- 
+
+
+# SAML Request Signature Verification (Preview)  
+
+SAML Request Signature Verification is a functionality that validates the signature of signed authentication requests. An App Admin now can enable and disable the enforcement of signed requests and upload the public keys that should be used to do the validation.  
+
+If enabled Azure Active Directory will validate the requests against the public keys configured. There are some scenarios where the authentication requests can fail:  
+
+- Protocol not allowed for signed requests. Only SAML protocol is supported.  
+- Request not signed, but verification is enabled.  
+- No verification certificate configured for SAML request signature verification.  
+- Signature verification failed.  
+- Key identifier in request is missing and two most recently added certificates don't match with the request signature.  
+- Request signed but algorithm missing.  
+- No certificate matching with provided key identifier.  
+- Signature algorithm not allowed. Only RSA-SHA256 is supported.  
+
+## To configure SAML Request Signature Verification in the Azure portal 
+
+1. Inside the Azure portal, navigate to **Azure Active Directory** from the Search bar or Azure Services. 
+    
+    ![Screenshot of Azure Active Directory inside the Azure portal.](./media/howto-enforce-signed-saml-authentication/samlsignaturevalidation1.png) 
+    
+2. Navigate to **Enterprise applications** from the left menu.  
+    
+    ![Screenshot of Enterprise Application option inside the Azure portal Navigation.](./media/howto-enforce-signed-saml-authentication/samlsignaturevalidation2.png) 
+    
+3. Select the application you wish to apply the changes.  
+
+4. Navigate to **Single sign-on.**  
+
+5. In the **Single sign-on** screen, there's a new subsection called **Verification certificates** under **SAML Certificates.** 
+    
+    ![Screenshot of verification certificates under SAML Certificates on the Enterprise Application page in the Azure portal.](./media/howto-enforce-signed-saml-authentication/samlsignaturevalidation3.png) 
+    
+6. Click on **Edit.**  
+
+7. In the new blade, you'll be able to enable the verification of signed requests and opt-in for weak algorithm verification in case your application still uses RSA-SHA1 to sign the authentication requests.   
+
+8. To enable the verification of signed requests, click **Enable verification certificates** and upload a verification public key that matches with the private key used to sign the request. 
+    
+    ![Screenshot of enable verification certificates in Enterprise Application within the Azure portal.](./media/howto-enforce-signed-saml-authentication/samlsignaturevalidation4.png) 
+    
+    ![Screenshot of upload certificates in Enterprise Application within the Azure portal.](./media/howto-enforce-signed-saml-authentication/samlsignaturevalidation5.png) 
+    
+    ![Screenshot of certificate upload success in Enterprise Application within the Azure portal.](./media/howto-enforce-signed-saml-authentication/samlsignaturevalidation6.png) 
+
+9. Once you have your verification certificate uploaded, click **Save.** 
+    
+    ![Screenshot of certificate verification save in Enterprise Application within the Azure portal.](./media/howto-enforce-signed-saml-authentication/samlsignaturevalidation7.png) 
+       
+    ![Screenshot of certificate update success in Enterprise Application within the Azure portal.](./media/howto-enforce-signed-saml-authentication/samlsignaturevalidation8.png) 
+
+10. When the verification of signed requests is enabled, the test experience is disabled as the requests requires to be signed by the service provider.  
+    
+    ![Screenshot of testing disabled warning when signed requests enabled in Enterprise Application within the Azure portal.](./media/howto-enforce-signed-saml-authentication/samlsignaturevalidation9.png) 
+    
+11. If you want to see the current configuration of an enterprise application, you can navigate to the **Single Sign-on** screen and see the summary of your configuration under **SAML Certificates**. There you'll be able to see if the verification of signed requests is enabled and the count of Active and Expired verification certificates. 
+    
+    ![Screenshot of enterprise application configuration in single sign-on screen within the Azure portal.](./media/howto-enforce-signed-saml-authentication/samlsignaturevalidation10.png) 
+
+## Next steps  
+
+* Find out [How Azure AD uses the SAML protocol](../develop/active-directory-saml-protocol-reference.md) 
+* Learn the format, security characteristics, and contents of [SAML tokens in Azure AD](../develop/reference-saml-tokens.md) 

articles/active-directory/manage-apps/toc.yml

@@ -57,6 +57,8 @@
         href: certificate-signing-options.md
       - name: Tenant restrictions
         href: tenant-restrictions.md
+      - name: Enforce signed SAML authentication requests
+        href: howto-enforce-signed-saml-authentication.md
       - name: Configure SAML token encryption
         href: howto-saml-token-encryption.md
       - name: End-user portals

articles/app-service/overview-vnet-integration.md

@@ -203,7 +203,7 @@ Gateway-required virtual network integration is built on top of point-to-site VP
 
 ### Access on-premises resources
 
-Apps can access on-premises resources by integrating with virtual networks that have site-to-site connections. If you use gateway-required virtual network integration, update your on-premises VPN gateway routes with your point-to-site address blocks. When the site-to-site VPN is first set up, the scripts used to configure it should set up routes properly. If you add the point-to-site addresses after you create your site-to-site VPN, you need to update the routes manually. Details on how to do that vary per gateway and aren't described here. You can't have BGP configured with a site-to-site VPN connection.
+Apps can access on-premises resources by integrating with virtual networks that have site-to-site connections. If you use gateway-required virtual network integration, update your on-premises VPN gateway routes with your point-to-site address blocks. When the site-to-site VPN is first set up, the scripts used to configure it should set up routes properly. If you add the point-to-site addresses after you create your site-to-site VPN, you need to update the routes manually. Details on how to do that vary per gateway and aren't described here. BGP routes won't be propagated automatically.
 
 No extra configuration is required for the regional virtual network integration feature to reach through your virtual network to on-premises resources. You simply need to connect your virtual network to on-premises resources by using ExpressRoute or a site-to-site VPN.
 

articles/automation/TOC.yml

@@ -168,7 +168,7 @@
               href: troubleshoot/runbooks.md
             - name: Data to collect when opening a case for Microsoft Azure Automation
               href: troubleshoot/collect-data-microsoft-azure-automation-case.md
-        - name: Work with a Hybrid Runbook Worker
+        - name: Work with Hybrid Runbook Worker
           items:
             - name: Deploy extension-based worker
               href: extension-based-hybrid-runbook-worker-install.md

articles/automation/extension-based-hybrid-runbook-worker-install.md

@@ -257,11 +257,13 @@ You can delete an empty Hybrid Runbook Worker group from the portal.
 
    The hybrid worker group will be deleted.
 
-## Use Azure Resource Manager template
+## Manage Hybrid Worker extension using ARM template, REST API, and Azure CLI
+
+#### [ARM template](#tab/arm-template)
 
 You can use an Azure Resource Manager (ARM) template to create a new Azure Windows VM and connect it to an existing Automation account and Hybrid Worker Group. To learn more about ARM templates, see [What are ARM templates?](../azure-resource-manager/templates/overview.md)
 
-### Review the template
+**Review the template**
 
 ```json
 {
@@ -546,7 +548,7 @@ The following Azure resources are defined in the template:
 - [hybridRunbookWorkerGroups/hybridRunbookWorkers](/azure/templates/microsoft.automation/automationaccounts/hybridrunbookworkergroups/hybridrunbookworkers)
 - [Microsoft.Compute/virtualMachines/extensions](/azure/templates/microsoft.compute/virtualmachines/extensions)
 
-### Review parameters
+**Review parameters**
 
 Review the parameters used in this template.
 
@@ -563,14 +565,14 @@ Review the parameters used in this template.
 | osVersion | The OS for the new Windows VM. The default value is `2019-Datacenter`. |
 | dnsNameForPublicIP | The DNS name for the public IP. |
 
+ 
+#### [REST API](#tab/rest-api)
 
-## Install Hybrid worker extension using REST API
-
-### Prerequisites
+**Prerequisites**
 
 You would require an Azure VM or Arc-enabled server. You can follow the steps [here](../azure-arc/servers/onboard-portal.md) to create an Arc connected machine.
 
-### Install and use Hybrid Worker extension using REST API
+**Install and use Hybrid Worker extension**
 
 To install and use Hybrid Worker extension using REST API, follow these steps. The West Central US region is considered in this example.
 
@@ -676,6 +678,14 @@ To install and use Hybrid Worker extension using REST API, follow these steps. T
     ```
    Response of the *PUT* call will confirm if the extension is successfully installed or not on the targeted VM. You can also go to the VM in the Azure portal, and check status of extensions installed on the target VM under **Extensions** tab.
 
+#### [Azure CLI](#tab/cli)
+
+**Manage Hybrid Worker Extension**
+
+- To create, delete, and manage extension-based Hybrid Runbook Worker groups, see [az automation hrwg | Microsoft Docs](/cli/azure/automation/hrwg?view=azure-cli-latest)
+- To create, delete, and manage extension-based Hybrid Runbook Worker, see [az automation hrwg hrw | Microsoft Docs](/cli/azure/automation/hrwg/hrw?view=azure-cli-latest)
+
+---
 
 ## Manage Role permissions for Hybrid Worker Groups and Hybrid Workers
 

articles/automation/whats-new.md

@@ -22,6 +22,14 @@ Azure Automation receives improvements on an ongoing basis. To stay up to date w
 This page is updated monthly, so revisit it regularly. If you're looking for items older than six months, you can find them in [Archive for What's new in Azure Automation](whats-new-archive.md).
 
 
+## August 2022
+
+### Azure Automation Hybrid Worker Extension (preview) now supports Arc-enabled VMware VMs
+
+**Type:** Enhancement to an existing feature
+
+In addition to the support for Azure VMs and Arc-enabled Servers, Azure Automation Hybrid Worker Extension (preview) now supports Arc-enabled VMware VMs as a target. You can now orchestrate management tasks using PowerShell and Python runbooks on Azure VMs, Arc-enabled Servers, and Arc-enabled VMWare VMs with an identical experience. Read [here](extension-based-hybrid-runbook-worker-install.md) for more information.
+
 ## March 2022
 
 ###  Forward diagnostic audit data to Azure Monitor logs