MicrosoftDocs
diff --git a/‎articles/active-directory/conditional-access/concept-condition-filters-for-devices.md
Lines changed: 9 additions & 7 deletions b/‎articles/active-directory/conditional-access/concept-condition-filters-for-devices.md
Lines changed: 9 additions & 7 deletions
diff --git a/‎articles/active-directory/develop/v2-protocols-oidc.md
Lines changed: 1 addition & 1 deletion b/‎articles/active-directory/develop/v2-protocols-oidc.md
Lines changed: 1 addition & 1 deletion
diff --git a/‎articles/active-directory/fundamentals/recoverability-overview.md
Lines changed: 1 addition & 1 deletion b/‎articles/active-directory/fundamentals/recoverability-overview.md
Lines changed: 1 addition & 1 deletion
diff --git a/‎articles/active-directory/index.yml
Lines changed: 2 additions & 2 deletions b/‎articles/active-directory/index.yml
Lines changed: 2 additions & 2 deletions
diff --git a/‎articles/active-directory/saas-apps/datto-file-protection-tutorial.md
Lines changed: 144 additions & 0 deletions b/‎articles/active-directory/saas-apps/datto-file-protection-tutorial.md
Lines changed: 144 additions & 0 deletions
diff --git a/‎articles/active-directory/saas-apps/toc.yml
Lines changed: 2 additions & 0 deletions b/‎articles/active-directory/saas-apps/toc.yml
Lines changed: 2 additions & 0 deletions
diff --git a/‎articles/api-management/api-management-advanced-policies.md
Lines changed: 23 additions & 0 deletions b/‎articles/api-management/api-management-advanced-policies.md
Lines changed: 23 additions & 0 deletions
diff --git a/‎articles/attestation/claim-sets.md
Lines changed: 1 addition & 1 deletion b/‎articles/attestation/claim-sets.md
Lines changed: 1 addition & 1 deletion
diff --git a/‎articles/azure-government/documentation-government-developer-guide.md
Lines changed: 1 addition & 1 deletion b/‎articles/azure-government/documentation-government-developer-guide.md
Lines changed: 1 addition & 1 deletion
diff --git a/‎articles/azure-maps/zoom-levels-and-tile-grid.md
Lines changed: 1 addition & 1 deletion b/‎articles/azure-maps/zoom-levels-and-tile-grid.md
Lines changed: 1 addition & 1 deletion
@@ -4,7 +4,7 @@ description: Use filter for devices in Conditional Access to enhance security po
 ms.service: active-directory
 ms.subservice: conditional-access
 ms.topic: conceptual
-ms.date: 04/05/2022
+ms.date: 04/28/2022
 ms.author: joflore
 author: MicrosoftGuyJFlo
 manager: karenhoran
@@ -21,16 +21,18 @@ When creating Conditional Access policies, administrators have asked for the abi
 
 There are multiple scenarios that organizations can now enable using filter for devices condition. Below are some core scenarios with examples of how to use this new condition.
 
-- Restrict access to privileged resources like Microsoft Azure Management, to privileged users, accessing from [privileged or secure admin workstations](/security/compass/privileged-access-devices). For this scenario, organizations would create two Conditional Access policies:
+- **Restrict access to privileged resources**. For this example, lets say you want to allow access to Microsoft Azure Management from a user who is assigned a privilged role Global Admin, has satisfied multifactor authentication and accessing from a device that is [privileged or secure admin workstations](/security/compass/privileged-access-devices) and attested as compliant. For this scenario, organizations would create two Conditional Access policies:
    - Policy 1: All users with the directory role of Global administrator, accessing the Microsoft Azure Management cloud app, and for Access controls, Grant access, but require multifactor authentication and require device to be marked as compliant.
-   - Policy 2: All users with the directory role of Global administrator, accessing the Microsoft Azure Management cloud app, excluding a filter for devices using rule expression device.extensionAttribute1 equals SAW and for Access controls, Block.
-- Block access to organization resources from devices running an unsupported Operating System version like Windows 7. For this scenario, organizations would create the following two Conditional Access policies:
-   - Policy 1:  All users, accessing all cloud apps and for Access controls, Grant access, but require device to be marked as compliant or require device to be hybrid Azure AD joined.
-   - Policy 2: All users, accessing all cloud apps, including a filter for devices using rule expression device.operatingSystem equals Windows and device.operatingSystemVersion startsWith "6.1" and for Access controls, Block.
-- Do not require multifactor authentication for specific accounts like service accounts when used on specific devices like Teams phones or Surface Hub devices. For this scenario, organizations would create the following two Conditional Access policies:
+   - Policy 2: All users with the directory role of Global administrator, accessing the Microsoft Azure Management cloud app, excluding a filter for devices using rule expression device.extensionAttribute1 equals SAW and for Access controls, Block. Learn how to [update extensionAttributes on an Azure AD device object](https://docs.microsoft.com/graph/api/device-update?view=graph-rest-1.0&tabs=http).
+- **Block access to organization resources from devices running an unsupported Operating System**. For this example, lets say you want to block access to resources from Windows OS version older than Windows 10. For this scenario, organizations would create the following Conditional Access policy:
+   - All users, accessing all cloud apps, excluding a filter for devices using rule expression device.operatingSystem equals Windows and device.operatingSystemVersion startsWith "10.0" and for Access controls, Block.
+- **Do not require multifactor authentication for specific accounts on specific devices**. For this example, lets say you want to not require multifactor authentication when using service accounts on specific devices like Teams phones or Surface Hub devices. For this scenario, organizations would create the following two Conditional Access policies:
    - Policy 1: All users excluding service accounts, accessing all cloud apps, and for Access controls, Grant access, but require multifactor authentication.
    - Policy 2: Select users and groups and include group that contains service accounts only, accessing all cloud apps, excluding a filter for devices using rule expression device.extensionAttribute2 not equals TeamsPhoneDevice and for Access controls, Block.
 
+> [!NOTE] 
+> Azure AD uses device authentication to evaluate device filter rules. For devices that are unregistered with Azure AD, all device properties are considered as null values.
+
 ## Create a Conditional Access policy
 
 Filter for devices is an option when creating a Conditional Access policy in the Azure portal or using the Microsoft Graph API.
 
@@ -284,7 +284,7 @@ Review the [UserInfo documentation](userinfo.md#calling-the-api) to look over ho
 
 When you want to sign out the user from your app, it isn't sufficient to clear your app's cookies or otherwise end the user's session. You must also redirect the user to the Microsoft identity platform to sign out. If you don't do this, the user reauthenticates to your app without entering their credentials again, because they will have a valid single sign-in session with the Microsoft identity platform.
 
-You can redirect the user to the `end_session_endpoint` listed in the OpenID Connect metadata document:
+You can redirect the user to the `end_session_endpoint` (which supports both HTTP GET and POST requests) listed in the OpenID Connect metadata document:
 
 ```HTTP
 GET https://login.microsoftonline.com/common/oauth2/v2.0/logout?
 
@@ -203,7 +203,7 @@ There are several Azure Monitor workbooks that can help you to monitor configura
 - Directory role and group membership updates for service principals
 - Modified federation settings
 
-The [Cross-tenant access activity workbook ](../reports-monitoring/workbook-cross-tenant-access-activity.md)can help you monitor which applications in external tenants your users are accessing, and which applications I your tenant external users are accessing. Use this workbook to look for anomalous changes in either inbound or outbound application access across tenants.
+The [Cross-tenant access activity workbook ](../reports-monitoring/workbook-cross-tenant-access-activity.md)can help you monitor which applications in external tenants your users are accessing, and which applications in your tenant external users are accessing. Use this workbook to look for anomalous changes in either inbound or outbound application access across tenants.
 
 ## Operational security 
 
 
@@ -12,7 +12,7 @@ metadata:
   ms.collection: M365-identity-device-management
   author: rolyon
   ms.author: rolyon
-  manager: karenhoran
+  manager: CelesteDG
   ms.date: 01/25/2022
 
 highlightedContent:
@@ -322,4 +322,4 @@ additionalContent:
         url: /powershell/module/azuread/
       - title: Azure CLI commands for Azure AD
         summary: Find the Azure AD commands in the CLI reference.
-        url: /cli/azure/ad
+        url: /cli/azure/ad
@@ -0,0 +1,144 @@
+---
+title: 'Tutorial: Azure AD SSO integration with Datto File Protection Single Sign On'
+description: Learn how to configure single sign-on between Azure Active Directory and Datto File Protection Single Sign On.
+services: active-directory
+author: jeevansd
+manager: CelesteDG
+ms.reviewer: CelesteDG
+ms.service: active-directory
+ms.subservice: saas-app-tutorial
+ms.workload: identity
+ms.topic: tutorial
+ms.date: 04/13/2022
+ms.author: jeedes
+
+---
+
+# Tutorial: Azure AD SSO integration with Datto File Protection Single Sign On
+
+In this tutorial, you'll learn how to integrate Datto File Protection Single Sign On with Azure Active Directory (Azure AD). When you integrate Datto File Protection Single Sign On with Azure AD, you can:
+
+* Control in Azure AD who has access to Datto File Protection Single Sign On.
+* Enable your users to be automatically signed-in to Datto File Protection Single Sign On with their Azure AD accounts.
+* Manage your accounts in one central location - the Azure portal.
+
+## Prerequisites
+
+To get started, you need the following items:
+
+* An Azure AD subscription. If you don't have a subscription, you can get a [free account](https://azure.microsoft.com/free/).
+* Datto File Protection Single Sign On enabled subscription.
+* Along with Cloud Application Administrator, Application Administrator can also add or manage applications in Azure AD.
+For more information, see [Azure built-in roles](../roles/permissions-reference.md).
+
+## Scenario description
+
+In this tutorial, you configure and test Azure AD SSO in a test environment.
+
+* Datto File Protection Single Sign On supports **SP** and **IDP** initiated SSO.
+
+## Add Datto File Protection Single Sign On from the gallery
+
+To configure the integration of Datto File Protection Single Sign On into Azure AD, you need to add Datto File Protection Single Sign On from the gallery to your list of managed SaaS apps.
+
+1. Sign in to the Azure portal using either a work or school account, or a personal Microsoft account.
+1. On the left navigation pane, select the **Azure Active Directory** service.
+1. Navigate to **Enterprise Applications** and then select **All Applications**.
+1. To add new application, select **New application**.
+1. In the **Add from the gallery** section, type **Datto File Protection Single Sign On** in the search box.
+1. Select **Datto File Protection Single Sign On** from results panel and then add the app. Wait a few seconds while the app is added to your tenant.
+
+## Configure and test Azure AD SSO for Datto File Protection Single Sign On
+
+Configure and test Azure AD SSO with Datto File Protection Single Sign On using a test user called **B.Simon**. For SSO to work, you need to establish a link relationship between an Azure AD user and the related user in Datto File Protection Single Sign On.
+
+To configure and test Azure AD SSO with Datto File Protection Single Sign On, perform the following steps:
+
+1. **[Configure Azure AD SSO](#configure-azure-ad-sso)** - to enable your users to use this feature.
+    1. **[Create an Azure AD test user](#create-an-azure-ad-test-user)** - to test Azure AD single sign-on with B.Simon.
+    1. **[Assign the Azure AD test user](#assign-the-azure-ad-test-user)** - to enable B.Simon to use Azure AD single sign-on.
+1. **[Configure Datto File Protection Single Sign On SSO](#configure-datto-file-protection-single-sign-on-sso)** - to configure the single sign-on settings on application side.
+    1. **[Create Datto File Protection Single Sign On test user](#create-datto-file-protection-single-sign-on-test-user)** - to have a counterpart of B.Simon in Datto File Protection Single Sign On that is linked to the Azure AD representation of user.
+1. **[Test SSO](#test-sso)** - to verify whether the configuration works.
+
+## Configure Azure AD SSO
+
+Follow these steps to enable Azure AD SSO in the Azure portal.
+
+1. In the Azure portal, on the **Datto File Protection Single Sign On** application integration page, find the **Manage** section and select **single sign-on**.
+1. On the **Select a single sign-on method** page, select **SAML**.
+1. On the **Set up single sign-on with SAML** page, click the pencil icon for **Basic SAML Configuration** to edit the settings.
+
+   ![Screenshot shows to edit Basic SAML Configuration.](common/edit-urls.png "Basic Configuration")
+
+1. On the **Basic SAML Configuration** section, the user does not have to perform any step as the app is already pre-integrated with Azure.
+
+1. On the **Basic SAML Configuration** section, if you wish to configure the application in **SP** initiated mode then perform the following steps:
+
+    a. In the **Identifier** textbox, type the URL:
+    `https://saml.fileprotection.datto.com/singlesignon/saml/metadata`
+
+    b. In the **Reply URL** textbox, type the URL:
+    `https://saml.fileprotection.datto.com/singlesignon/saml/SSO`
+
+    c. In the **Sign on URL** textbox, type a URL using the following pattern:
+    `https://<SUBDOMAIN>.fileprotection.datto.com`
+    
+    > [!NOTE]
+	> This value is not real. Update this value with the actual Sign on URL. Contact [Datto File Protection Single Sign On Client support team](mailto:[email protected]) to get this value. You can also refer to the patterns shown in the **Basic SAML Configuration** section in the Azure portal.
+
+1. On the **Set up single sign-on with SAML** page, In the **SAML Signing Certificate** section, click copy button to copy **App Federation Metadata Url** and save it on your computer.
+
+	![Screenshot shows the Certificate download link.](common/copy-metadataurl.png "Certificate")
+
+### Create an Azure AD test user
+
+In this section, you'll create a test user in the Azure portal called B.Simon.
+
+1. From the left pane in the Azure portal, select **Azure Active Directory**, select **Users**, and then select **All users**.
+1. Select **New user** at the top of the screen.
+1. In the **User** properties, follow these steps:
+   1. In the **Name** field, enter `B.Simon`.  
+   1. In the **User name** field, enter the [email protected]. For example, `[email protected]`.
+   1. Select the **Show password** check box, and then write down the value that's displayed in the **Password** box.
+   1. Click **Create**.
+
+### Assign the Azure AD test user
+
+In this section, you'll enable B.Simon to use Azure single sign-on by granting access to Datto File Protection Single Sign On.
+
+1. In the Azure portal, select **Enterprise Applications**, and then select **All applications**.
+1. In the applications list, select **Datto File Protection Single Sign On**.
+1. In the app's overview page, find the **Manage** section and select **Users and groups**.
+1. Select **Add user**, then select **Users and groups** in the **Add Assignment** dialog.
+1. In the **Users and groups** dialog, select **B.Simon** from the Users list, then click the **Select** button at the bottom of the screen.
+1. If you are expecting a role to be assigned to the users, you can select it from the **Select a role** dropdown. If no role has been set up for this app, you see "Default Access" role selected.
+1. In the **Add Assignment** dialog, click the **Assign** button.
+
+## Configure Datto File Protection Single Sign On SSO
+
+To configure single sign-on on **Datto File Protection Single Sign On** side, you need to send the **App Federation Metadata Url** to [Datto File Protection Single Sign On support team](mailto:[email protected]). They set this setting to have the SAML SSO connection set properly on both sides.
+
+### Create Datto File Protection Single Sign On test user
+
+In this section, you create a user called Britta Simon in Datto File Protection Single Sign On. Work with [Datto File Protection Single Sign On support team](mailto:[email protected]) to add the users in the Datto File Protection Single Sign On platform. Users must be created and activated before you use single sign-on.
+
+## Test SSO 
+
+In this section, you test your Azure AD single sign-on configuration with following options. 
+
+#### SP initiated:
+
+* Click on **Test this application** in Azure portal. This will redirect to Datto File Protection Single Sign On Sign on URL where you can initiate the login flow.  
+
+* Go to Datto File Protection Single Sign On Sign-on URL directly and initiate the login flow from there.
+
+#### IDP initiated:
+
+* Click on **Test this application** in Azure portal and you should be automatically signed in to the Datto File Protection Single Sign On for which you set up the SSO. 
+
+You can also use Microsoft My Apps to test the application in any mode. When you click the Datto File Protection Single Sign On tile in the My Apps, if configured in SP mode you would be redirected to the application sign on page for initiating the login flow and if configured in IDP mode, you should be automatically signed in to the Datto File Protection Single Sign On for which you set up the SSO. For more information about the My Apps, see [Introduction to the My Apps](../user-help/my-apps-portal-end-user-access.md).
+
+## Next steps
+
+Once you configure Datto File Protection Single Sign On you can enforce session control, which protects exfiltration and infiltration of your organization’s sensitive data in real time. Session control extends from Conditional Access. [Learn how to enforce session control with Microsoft Cloud App Security](/cloud-app-security/proxy-deployment-aad).
@@ -601,6 +601,8 @@
         href: datasite-tutorial.md
       - name: Datava Enterprise Service Platform
         href: datava-enterprise-service-platform-tutorial.md
+      - name: Datto File Protection Single Sign On
+        href: datto-file-protection-tutorial.md
       - name: Datto Workplace Single Sign On
         href: datto-workplace-tutorial.md
       - name: Dealpath
 
@@ -536,6 +536,29 @@ In the following example, request forwarding is retried up to ten times using an
 
 ```
 
+### Example
+
+In the following example, sending a request to a URL other than the defined backend is retried up to three times if the connection is dropped/timed out, or the request results in a server-side error. Since `first-fast-retry` is set to true, the first retry is executed immediately upon the initial request failure. Note that `send-request` must set `ignore-error` to true in order for `response-variable-name` to be null in the event of an error.
+
+```xml
+
+<retry
+    condition="@(context.Variables["response"] == null || ((IResponse)context.Variables["response"]).StatusCode >= 500)"
+    count="3"
+    interval="1"
+    first-fast-retry="true">
+        <send-request 
+            mode="new" 
+            response-variable-name="response" 
+            timeout="3" 
+            ignore-error="true">
+		        <set-url>https://api.contoso.com/products/5</set-url>
+		        <set-method>GET</set-method>
+		</send-request>
+</retry>
+
+```
+
 ### Elements
 
 | Element | Description                                                         | Required |
 
@@ -135,7 +135,7 @@ Azure Attestation includes the below claims in the attestation token for all att
 - **x-ms-policy-hash**: Hash of Azure Attestation evaluation policy computed as BASE64URL(SHA256(UTF8(BASE64URL(UTF8(policy text)))))
 - **x-ms-policy-signer**: JSON object with a "jwk” member representing the key a customer used to sign their policy. This is applicable when customer uploads a signed policy
 - **x-ms-runtime**: JSON object containing "claims" that are defined and generated within the attested environment.  This is a specialization of the “enclave held data” concept, where the “enclave held data” is specifically formatted as a UTF-8 encoding of well formed JSON
-- **x-ms-inittime**: JSON object containing “claims” that are defined and enforced at secure environment initialization time 
+- **x-ms-inittime**: JSON object containing “claims” that are defined and verified at initialization time of the attested environment 
 
 Below claim names are used from [IETF JWT specification](https://tools.ietf.org/html/rfc7519)
 
 
@@ -58,7 +58,7 @@ Navigate through the following links to get started using Azure Government:
 - [Connect with CLI](./documentation-government-get-started-connect-with-cli.md)
 - [Connect with Visual Studio](./documentation-government-connect-vs.md)
 - [Connect to Azure Storage](./documentation-government-get-started-connect-to-storage.md)
-- [Connect with Azure SDK for Python](/azure/developer/python/azure-sdk-sovereign-domain)
+- [Connect with Azure SDK for Python](/azure/developer/python/sdk/azure-sdk-sovereign-domain)
 
 ### Azure Government Video Library 
 
 
@@ -52,7 +52,7 @@ The following table provides the full list of values for zoom levels where the t
 | 16 | 2.3887 | 611.496 |
 | 17 | 1.1943 | 305.748 |
 | 18 | 0.5972 | 152.874 |
-| 19 | 0.14929 | 76.437 |
+| 19 | 0.2986 | 76.437 |
 | 20 | 0.14929 | 38.2185 |
 | 21 | 0.074646 | 19.10926 |
 | 22 | 0.037323 | 9.55463 |