Commit e195c50

Merge branch 'main' of https://github.com/MicrosoftDocs/azure-docs-pr into app-articles-batch-22
2 parents 06f3dc9 + f438c2c commit e195c50

40 files changed

+886
-786
lines changed

articles/active-directory/app-provisioning/plan-auto-user-provisioning.md

Lines changed: 7 additions & 7 deletions
@@ -8,7 +8,7 @@ ms.service: active-directory
88
ms.subservice: app-provisioning
99
ms.topic: conceptual
1010
ms.workload: identity
11-
ms.date: 04/11/2023
11+
ms.date: 04/12/2023
1212
ms.author: kenwith
1313
ms.reviewer: arvinh
1414
---
@@ -57,7 +57,7 @@ This article uses the following terms:
5757

5858
* Target system - The repository of users that the Azure AD provisions to. The Target system is typically a SaaS application such as ServiceNow, Zscaler, and Slack. The target system can also be an on-premises system such as AD.
5959

60-
* [System for Cross-domain Identity Management (SCIM)](https://aka.ms/scimoverview) - An open standard that allows for the automation of user provisioning. SCIM communicates user identity data between identity providers such as Microsoft, and service providers like Salesforce or other SaaS apps that require user identity information.
60+
* [System for Cross-domain Identity Management (SCIM)](https://aka.ms/scimoverview) - An open standard that allows for the automation of user provisioning. SCIM communicates user identity data between identity providers and service providers. Microsoft is an example of an identity provider. Salesforce is an example of a service provider. Service providers require user identity information and an identity provider fulfills that need. SCIM is the mechanism the identity provider and service provider use to send information back and forth.
6161

6262
### Training resources
6363

@@ -128,7 +128,7 @@ When technology projects fail, it's typically because of mismatched expectations
128128

129129
### Plan communications
130130

131-
Communication is critical to the success of any new service. Proactively communicate with your users how their experience will change, when it will change, and how to gain support if they experience issues.
131+
Communication is critical to the success of any new service. Proactively communicate to your users about their experience, how the experience is changing, when to expect any change, and how to gain support if they experience issues.
132132

133133
### Plan a pilot
134134

@@ -140,7 +140,7 @@ A pilot allows you to test with a small group before deploying a capability for
140140

141141
In your first wave, target IT, usability, and other appropriate users who can test and provide feedback. Use this feedback to further develop the communications and instructions you send to your users, and to give insights into the types of issues your support staff may see.
142142

143-
Widen the rollout to larger groups of users by increasing the scope of the group(s) targeted. This can be done through [dynamic group membership](../enterprise-users/groups-dynamic-membership.md), or by manually adding users to the targeted group(s).
143+
Widen the rollout to larger groups of users by increasing the scope of the group(s) targeted. Increasing the scope of the group(s) is done through [dynamic group membership](../enterprise-users/groups-dynamic-membership.md), or by manually adding users to the targeted group(s).
144144

145145
## Plan application connections and administration
146146

@@ -150,7 +150,7 @@ Use the Azure portal to view and manage all the applications that support provis
150150

151151
The actual steps required to enable and configure automatic provisioning vary depending on the application. If the application you wish to automatically provision is listed in the [Azure AD SaaS app gallery](../saas-apps/tutorial-list.md), then you should select the [app-specific integration tutorial](../saas-apps/tutorial-list.md) to configure its pre-integrated user provisioning connector.
152152

153-
If not, follow the steps below:
153+
If not, follow the steps:
154154

155155
1. [Create a request](../manage-apps/v2-howto-app-gallery-listing.md) for a pre-integrated user provisioning connector. Our team will work with you and the application developer to onboard your application to our platform if it supports SCIM.
156156

@@ -164,7 +164,7 @@ For more information, see [What applications and systems can I use with Azure AD
164164

165165
Setting up automatic user provisioning is a per-application process. For each application, you need to provide [administrator credentials](../app-provisioning/configure-automatic-user-provisioning-portal.md) to connect to the target system’s user management endpoint.
166166

167-
The image below shows one version of the required admin credentials:
167+
The image shows one version of the required admin credentials:
168168

169169
![Provisioning screen to manage user account provisioning settings](./media/plan-auto-user-provisioning/userprovisioning-admincredentials.png)
170170

@@ -235,7 +235,7 @@ It's common for a security review to be required as part of a deployment. If you
235235

236236
### Plan rollback
237237

238-
If the automatic user provisioning implementation fails to work as desired in the production environment, the following rollback steps below can assist you in reverting to a previous known good state:
238+
If the automatic user provisioning implementation fails to work as desired in the production environment, the following rollback steps can assist you in reverting to a previous known good state:
239239

240240
1. Review the [provisioning logs](../app-provisioning/check-status-user-account-provisioning.md) to determine what incorrect operations occurred on the affected users and/or groups.
241241

Lines changed: 45 additions & 0 deletions
@@ -0,0 +1,45 @@
1+
---
2+
title: "Quickstart: Add sign in to a React SPA"
3+
description: Learn how to run a sample React SPA to sign in users
4+
services: active-directory
5+
author: kengaderdus
6+
manager: mwongerapk
7+
ms.author: kengaderdus
8+
ms.service: active-directory
9+
ms.workload: identity
10+
ROBOTS: NOINDEX
11+
ms.subservice: ciam
12+
ms.topic: portal
13+
ms.date: 04/12/2023
14+
---
15+
16+
# Portal quickstart for React SPA
17+
18+
> [!div renderon="portal" class="sxs-lookup"]
19+
> In this quickstart, you download and run a code sample that demonstrates how a React single-page application (SPA) can sign in users with Azure AD CIAM.
20+
>
21+
> ## Prerequisites
22+
>
23+
> * Azure subscription - [Create an Azure subscription for free](https://azure.microsoft.com/free/?WT.mc_id=A261C142F)
24+
> * [Node.js](https://nodejs.org/en/download/)
25+
> * [Visual Studio Code](https://code.visualstudio.com/download) or another code editor
26+
>
27+
> ## Download the code
28+
>
29+
> > [!div class="nextstepaction"]
30+
> > [Download the code sample](https://github.com/Azure-Samples/ms-identity-ciam-javascript-tutorial/archive/react-quickstart.zip)
31+
>
32+
> ## Run the sample
33+
>
34+
> 1. Unzip the downloaded file.
35+
>
36+
> 1. Locate the folder that contains the `package.json` file in your terminal, then run the following command:
37+
>
38+
> ```console
39+
> npm install && npm start
40+
> ```
41+
>
42+
> 1. Open your browser and visit `http://locahost:3000`.
43+
>
44+
> 1. Select the **Sign-in** link on the navigation bar.
45+
>
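Review bot: Step 3 of "Run the sample" (new line 42) misspells the host as `http://locahost:3000`; it should be `http://localhost:3000`. As written, a reader who copies the URL is sent to a hostname that is not the local development server started by `npm start`.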

articles/active-directory/reports-monitoring/howto-manage-inactive-user-accounts.md

Lines changed: 0 additions & 1 deletion
@@ -57,7 +57,6 @@ The following details relate to the `lastSignInDateTime` property.
5757

5858
- To read the property, you need to grant the app the following Microsoft Graph permissions:
5959
- AuditLog.Read.All
60-
- Directory.Read.All
6160
- User.Read.All
6261

6362
- Each interactive sign-in that was successful results in an update of the underlying data store. Typically, successful sign-ins show up in the related sign-in report within 10 minutes.
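Review bot: The permission list at line 60 drops `Directory.Read.All` and leaves `AuditLog.Read.All` and `User.Read.All`, but neither the hunk nor the commit message says why. Please confirm that reading `lastSignInDateTime` works with only the two remaining permissions and record that in the change description, so that readers who already granted the broader permission know they can remove it.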

articles/active-directory/roles/delegate-by-task.md

Lines changed: 1 addition & 1 deletion
@@ -387,7 +387,7 @@ You can further restrict permissions by assigning roles at smaller scopes or by
387387
> | Create user | [User Administrator](permissions-reference.md#user-administrator) | |
388388
> | Delete users | [User Administrator](permissions-reference.md#user-administrator) | |
389389
> | Invalidate refresh tokens of limited admins | [User Administrator](permissions-reference.md#user-administrator) | |
390-
> | Invalidate refresh tokens of non-admins | [Password Administrator](permissions-reference.md#password-administrator) | [User Administrator](permissions-reference.md#user-administrator) |
390+
> | Invalidate refresh tokens of non-admins | [Helpdesk Administrator](permissions-reference.md#helpdesk-administrator) | [User Administrator](permissions-reference.md#user-administrator) |
391391
> | Invalidate refresh tokens of privileged admins | [Privileged Authentication Administrator](permissions-reference.md#privileged-authentication-administrator) | |
392392
> | Read basic configuration | [Default user role](../fundamentals/users-default-permissions.md) | |
393393
> | Reset password for limited admins | [User Administrator](permissions-reference.md#user-administrator) | |
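Review bot: The row "Invalidate refresh tokens of non-admins" (line 390) now names Helpdesk Administrator where it named Password Administrator, which changes the role administrators will be told to assign for this task. Please verify the new role against its entry in `permissions-reference.md` and confirm that the `#helpdesk-administrator` anchor resolves, as the neighbouring rows link into the same file.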

articles/active-directory/saas-apps/cisco-anyconnect.md

Lines changed: 5 additions & 2 deletions
@@ -9,7 +9,7 @@ ms.service: active-directory
99
ms.subservice: saas-app-tutorial
1010
ms.workload: identity
1111
ms.topic: tutorial
12-
ms.date: 11/21/2022
12+
ms.date: 04/12/2023
1313
ms.author: jeedes
1414
---
1515

@@ -72,14 +72,17 @@ Follow these steps to enable Azure AD SSO in the Azure portal.
7272

7373
![Edit Basic SAML Configuration](common/edit-urls.png)
7474

75-
1. On the **Set up single sign-on with SAML** page, enter the values for the following fields (note that the values are case-sensitive):
75+
1. On the **Set up single sign-on with SAML** page, enter the values for the following fields:
7676

7777
1. In the **Identifier** text box, type a URL using the following pattern:
7878
`https://<SUBDOMAIN>.YourCiscoServer.com/saml/sp/metadata/<Tunnel_Group_Name>`
7979

8080
1. In the **Reply URL** text box, type a URL using the following pattern:
8181
`https://<YOUR_CISCO_ANYCONNECT_FQDN>/+CSCOE+/saml/sp/acs?tgname=<Tunnel_Group_Name>`
8282

83+
> [!NOTE]
84+
> `<Tunnel_Group_Name>` is a case-sensitive and the value must not contain dots "." and slashes "/".
85+
8386
> [!NOTE]
8487
> For clarification about these values, contact Cisco TAC support. Update these values with the actual Identifier and Reply URL provided by Cisco TAC. Contact the [Cisco AnyConnect Client support team](https://www.cisco.com/c/en/us/support/index.html) to get these values. You can also refer to the patterns shown in the **Basic SAML Configuration** section in the Azure portal.
8588
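Review bot: The note added at line 84 reads "is a case-sensitive"; drop the article so that it says `<Tunnel_Group_Name>` is case-sensitive. The step at line 75 previously stated that all of the entered values are case-sensitive, and the new wording limits that to the tunnel group name. If the Identifier and Reply URL are still case-sensitive, keep that statement in the step.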

articles/active-directory/saas-apps/citi-program-tutorial.md

Lines changed: 23 additions & 11 deletions
@@ -9,7 +9,7 @@ ms.service: active-directory
99
ms.subservice: saas-app-tutorial
1010
ms.workload: identity
1111
ms.topic: how-to
12-
ms.date: 03/26/2023
12+
ms.date: 04/12/2023
1313
ms.author: jeedes
1414

1515
---
@@ -46,7 +46,7 @@ Add CITI Program from the Azure AD application gallery to configure single sign-
4646

4747
### Create and assign Azure AD test user
4848

49-
Follow the guidelines in the [create and assign a user account](../manage-apps/add-application-portal-assign-users.md) article to create a test user account in the Azure portal called B.Simon.
49+
Follow the guidelines in the [create and assign a user account](../manage-apps/add-application-portal-assign-users.md) article to create a test user account in the Azure portal.
5050

5151
Alternatively, you can also use the [Enterprise App Configuration Wizard](https://portal.office.com/AdminPortal/home?Q=Docs#/azureadappintegration). In this wizard, you can add an application to your tenant, add users/groups to the app, and assign roles. The wizard also provides a link to the single sign-on configuration pane in the Azure portal. [Learn more about Microsoft 365 wizards.](/microsoft-365/admin/misc/azure-ad-setup-guides).
5252

@@ -76,17 +76,24 @@ Complete the following steps to enable Azure AD single sign-on in the Azure port
7676

7777
1. CITI Program application expects the SAML assertions in a specific format, which requires you to add custom attribute mappings to your SAML token attributes configuration. The following screenshot shows the list of default attributes.
7878

79-
![Screenshot shows the image of attributes configuration.](common/default-attributes.png "Image")
79+
![Screenshot shows the image of attributes configuration.](common/default-attributes.png "Default Attributes")
8080

81-
1. In addition to above, CITI Program application expects few more attributes to be passed back in SAML response, which are shown below. These attributes are also pre populated but you can review them as per your requirements.
81+
1. CITI Program application expects urn:oid named attributes to be passed back in the SAML response, which are shown below. These attributes are also pre-populated but you can review them as per your requirements. These are all required.
8282

8383
| Name | Source Attribute|
8484
| ---------------| --------- |
8585
| urn:oid:1.3.6.1.4.1.5923.1.1.1.6 | user.userprincipalname |
86-
| urn:oid:0.9.2342.19200300.100.1.3 | user.userprincipalname |
86+
| urn:oid:0.9.2342.19200300.100.1.3 | user.mail |
8787
| urn:oid:2.5.4.42 | user.givenname |
8888
| urn:oid:2.5.4.4 | user.surname |
8989

90+
1. If you wish to pass additional information in the SAML response, CITI Program can also accept the following optional attributes.
91+
92+
| Name | Source Attribute|
93+
| ---------------| --------- |
94+
| urn:oid:2.16.840.1.113730.3.1.241 | user.displayname |
95+
| urn:oid:2.16.840.1.113730.3.1.3 | user.employeeid |
96+
9097
1. On the **Set-up single sign-on with SAML** page, in the **SAML Signing Certificate** section, find **Federation Metadata XML** and select **Download** to download the certificate and save it on your computer.
9198

9299
![Screenshot shows the Certificate download link.](common/metadataxml.png "Certificate")
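Review bot: At line 86 the source for `urn:oid:0.9.2342.19200300.100.1.3` changes from `user.userprincipalname` to `user.mail`, and line 81 now says these attributes are all required, but the text does not say what to do for users whose `mail` attribute is not populated. Please add a sentence on how to map this claim for such accounts, since a required attribute that arrives empty will break sign-in for them. The new optional-attributes step at line 90 could also say whether `user.employeeid` is expected to be unique on the CITI Program side.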
@@ -97,11 +104,7 @@ Complete the following steps to enable Azure AD single sign-on in the Azure port
97104

98105
## Configure CITI Program SSO
99106

100-
To configure single sign-on on **CITI Program** side, you need to send the downloaded **Federation Metadata XML** and appropriate copied URLs from Azure portal to [CITI Program support team](mailto:[email protected]). They set this setting to have the SAML SSO connection set properly on both sides.
101-
102-
### Create CITI Program test user
103-
104-
In this section, a user called B.Simon is created in CITI Program. CITI Program supports just-in-time user provisioning, which is enabled by default. There's no action item for you in this section. If a user doesn't already exist in CITI Program, a new one is commonly created after authentication.
107+
To configure single sign-on on **CITI Program** side, you need to send the downloaded **Federation Metadata XML** and appropriate copied URLs from Azure portal to [CITI Program support team](mailto:[email protected]). This is required to have the SAML SSO connection set properly on both sides.
105108

106109
## Test SSO
107110

@@ -113,10 +116,19 @@ In this section, you test your Azure AD single sign-on configuration with follow
113116

114117
* You can use Microsoft My Apps. When you click the CITI Program tile in the My Apps, this will redirect to CITI Program Sign-on URL. For more information about the My Apps, see [Introduction to the My Apps](../user-help/my-apps-portal-end-user-access.md).
115118

119+
CITI Program supports just-in-time user provisioning. First time SSO users will be prompted to either:
120+
121+
* Link their existing CITI Program account, in the case that they already have one
122+
![SSOHaveAccount](https://user-images.githubusercontent.com/46728557/228357500-a74489c7-8c5f-4cbe-ad47-9757d3d9fbe6.PNG "Link existing CITI Program account")
123+
124+
* Or Create a new CITI Program account, which is automatically provisioned
125+
![SSONotHaveAccount](https://user-images.githubusercontent.com/46728557/228357503-f4eba4bb-f3fa-43e9-a98a-f0da87074eeb.PNG "Provision new CITI Program account")
126+
116127
## Additional resources
117128

129+
* [CITI Program SSO Technical Information](https://support.citiprogram.org/s/article/single-sign-on-sso-and-shibboleth-technical-specs#EntityInformation)
118130
* [What is single sign-on with Azure Active Directory?](../manage-apps/what-is-single-sign-on.md)
119-
* [Plan a single sign-on deployment](../manage-apps/plan-sso-deployment.md).
131+
* [Plan a single sign-on deployment](../manage-apps/plan-sso-deployment.md)
120132

121133
## Next steps
122134
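Review bot: The two screenshots added at lines 122 and 125 are loaded from `user-images.githubusercontent.com`, while the other images in this file use relative paths such as `common/metadataxml.png`. Please check the images into the article's media folder and reference them relatively, so the page does not depend on an external host. Also replace the alt text `SSOHaveAccount` and `SSONotHaveAccount` with a short description of what each screenshot shows.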

articles/active-directory/saas-apps/cobalt-tutorial.md

Lines changed: 9 additions & 3 deletions
@@ -9,7 +9,7 @@ ms.service: active-directory
99
ms.subservice: saas-app-tutorial
1010
ms.workload: identity
1111
ms.topic: tutorial
12-
ms.date: 11/21/2022
12+
ms.date: 04/12/2023
1313
ms.author: jeedes
1414
---
1515

@@ -79,7 +79,7 @@ Follow these steps to enable Azure AD SSO in the Azure portal.
7979
`https://brightside-prod-<INSTANCENAME>.cobaltdl.com`
8080

8181
> [!NOTE]
82-
> The value is not real. Update the value with the actual Sign-On URL. Contact [Cobalt Client support team](https://www.cobalt.net/support/) to get the value. You can also refer to the patterns shown in the **Basic SAML Configuration** section in the Azure portal.
82+
> The value is not real. Update the value with the actual Sign-On URL. Contact [Cobalt Client support team](https://cobaltio.zendesk.com/hc/requests/new) to get the value. You can also refer to the patterns shown in the **Basic SAML Configuration** section in the Azure portal.
8383

8484
5. Cobalt application expects the SAML assertions in a specific format, which requires you to add custom attribute mappings to your SAML token attributes configuration. The following screenshot shows the list of default attributes.
8585

@@ -149,7 +149,13 @@ In this section, you'll enable B.Simon to use Azure single sign-on by granting a
149149
150150
### Create Cobalt test user
151151

152-
In this section, you create a user called B.Simon in Cobalt. Work with [Cobalt support team](https://www.cobalt.net/support/) to add the users in the Cobalt platform. Users must be created and activated before you use single sign-on.
152+
1. Login to the Cobalt website as an administrator.
153+
1. Navigate to the **People -> Organization** and select Invite Users.
154+
1. In the overlay that appears, specify the email addresses of users that you want to invite. Enter the email, and then select **Add** or press **Enter**.
155+
1. Use commas to separate multiple email addresses.
156+
1. For each user, select a role: **Member** or **Owner**.
157+
1. Both members and owners have access to all assets and pentests of an organization.
158+
1. Select **Invite** to confirm.
153159

154160
## Test SSO
155161
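Review bot: In the new procedure at lines 152 to 158, "Use commas to separate multiple email addresses." and "Both members and owners have access to all assets and pentests of an organization." are explanations rather than actions, yet they are numbered as steps of their own; fold them into the steps they describe. The removed paragraph also stated that users must be created and activated before single sign-on is used, and that prerequisite is no longer mentioned. Since the text says both roles can see every asset and pentest, state which role to choose for a test user, and put **Invite Users** in bold to match the other UI labels.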
