Merge pull request #247354 from MicrosoftDocs/main

 Publish to live, Friday 4 AM PST, 8/4

Author: ttorble

articles/active-directory-domain-services/policy-reference.md

@@ -1,7 +1,7 @@
 ---
 title: Built-in policy definitions for Azure Active Directory Domain Services
 description: Lists Azure Policy built-in policy definitions for Azure Active Directory Domain Services. These built-in policy definitions provide common approaches to managing your Azure resources.
-ms.date: 07/25/2023
+ms.date: 08/03/2023
 ms.service: active-directory
 ms.subservice: domain-services
 author: justinha

articles/active-directory/external-identities/allow-deny-list.md

@@ -7,7 +7,7 @@ services: active-directory
 ms.service: active-directory
 ms.subservice: B2B
 ms.topic: how-to
-ms.date: 04/17/2023
+ms.date: 08/04/2023
 
 ms.author: mimart
 author: msmimart
@@ -32,6 +32,7 @@ This article discusses two ways to configure an allow or blocklist for B2B colla
 - The number of domains you can add to an allowlist or blocklist is limited only by the size of the policy. This limit applies to the number of characters, so you can have a greater number of shorter domains or fewer longer domains. The maximum size of the entire policy is 25 KB (25,000 characters), which includes the allowlist or blocklist and any other parameters configured for other features.
 - This list works independently from OneDrive for Business and SharePoint Online allow/block lists. If you want to restrict individual file sharing in SharePoint Online, you need to set up an allow or blocklist for OneDrive for Business and SharePoint Online. For more information, see [Restricted domains sharing in SharePoint Online and OneDrive for Business](https://support.office.com/article/restricted-domains-sharing-in-sharepoint-online-and-onedrive-for-business-5d7589cd-0997-4a00-a2ba-2320ec49c4e9).
 - The list doesn't apply to external users who have already redeemed the invitation. The list will be enforced after the list is set up. If a user invitation is in a pending state, and you set a policy that blocks their domain, the user's attempt to redeem the invitation will fail.
+- Both allow/block list and cross-tenant access settings are checked at the time of invitation.
 
 ## Set the allow or blocklist policy in the portal
 

articles/active-directory/external-identities/cross-tenant-access-settings-b2b-collaboration.md

@@ -5,7 +5,7 @@ services: active-directory
 ms.service: active-directory
 ms.subservice: B2B
 ms.topic: how-to
-ms.date: 05/31/2023
+ms.date: 08/04/2023
 
 ms.author: mimart
 author: msmimart
@@ -29,6 +29,7 @@ Use External Identities cross-tenant access settings to manage how you collabora
 - Identify any Azure AD organizations that will need customized settings so you can configure **Organizational settings** for them.
 - If you want to apply access settings to specific users, groups, or applications in an external organization, you'll need to contact the organization for information before configuring your settings. Obtain their user object IDs, group object IDs, or application IDs (*client app IDs* or *resource app IDs*) so you can target your settings correctly.
 - If you want to set up B2B collaboration with a partner organization in an external Microsoft Azure cloud, follow the steps in [Configure Microsoft cloud settings](cross-cloud-settings.md). An admin in the partner organization will need to do the same for your tenant.
+- Both allow/block list and cross-tenant access settings are checked at the time of invitation. If a user's domain is on the allow list, they can be invited, unless the domain is explicitly blocked in the cross-tenant access settings. If a user's domain is on the deny list, they can't be invited regardless of the cross-tenant access settings. If a user is not on either list, we check the cross-tenant access settings to determine whether they can be invited. 
 
 ## Configure default settings
 

articles/active-directory/external-identities/troubleshoot.md

@@ -122,7 +122,7 @@ External users can be added only to “assigned” or “Security” groups and
 
 ## My external user didn't receive an email to redeem
 
-The invitee should check with their ISP or spam filter to ensure that the following address is allowed: [email protected]
+The invitee should check with their ISP or spam filter to ensure that the following address is allowed: [email protected].
 
 > [!NOTE]
 >
@@ -198,7 +198,11 @@ Let's say you inadvertently invite a guest user with an email address that match
 
 ## External access blocked by policy error on the login screen
 
-When you try to login to your tenant, you might see this error message: "Your network administrator has restricted what organizations can be accessed. Contact your IT department to unblock access." This error is related to tenant restriction settings. To resolve this issue, ask your IT team to follow the instructions in [this article](/azure/active-directory/manage-apps/tenant-restrictions).  
+When you try to login to your tenant, you might see this error message: "Your network administrator has restricted what organizations can be accessed. Contact your IT department to unblock access." This error is related to tenant restriction settings. To resolve this issue, ask your IT team to follow the instructions in [this article](/azure/active-directory/manage-apps/tenant-restrictions).
+
+## Invitation is blocked due missing cross-tenant access settings 
+
+You might see this message: "This invitation is blocked by cross-tenant access settings in your organization. Your administrator must configure cross-tenant access settings to allow this invitation." In this case, ask your administrator to check the cross-tenant access settings.  
 
 ## Next steps
 

articles/active-directory/saas-apps/g-suite-provisioning-tutorial.md

@@ -293,7 +293,6 @@ Now any end user that was made eligible for the group in PIM can get JIT access
 * 10/17/2020 - Added support for more G Suite user and group attributes.
 * 10/17/2020 - Updated G Suite target attribute names to match what is defined [here](https://developers.google.com/admin-sdk/directory).
 * 10/17/2020 - Updated default attribute mappings.
-* 03/18/2021 - Manager email is now synchronized instead of ID for all new users. For any existing users that were provisioned with a manager as an ID, you can do a restart through [Microsoft Graph](/graph/api/synchronization-synchronizationjob-restart?preserve-view=true&tabs=http&view=graph-rest-beta) with scope "full" to ensure that the email is provisioned. This change only impacts the GSuite provisioning job and not the older provisioning job beginning with Goov2OutDelta. Note, the manager email is provisioned when the user is first created or when the manager changes. The manager email isn't provisioned if the manager changes their email address. 
 
 ## More resources
 

articles/active-directory/saas-apps/litmos-provisioning-tutorial.md

@@ -0,0 +1,166 @@
+---
+title: 'Tutorial: Configure SAP Litmos for automatic user provisioning with Azure Active Directory'
+description: Learn how to automatically provision and de-provision user accounts from Azure AD to SAP Litmos.
+services: active-directory
+author: twimmers
+writer: twimmers
+manager: jeedes
+ms.assetid: 4e0d2a0b-2d22-4b21-8b29-64413549c5a5
+ms.service: active-directory
+ms.subservice: saas-app-tutorial
+ms.workload: identity
+ms.topic: tutorial
+ms.date: 08/03/2023
+ms.author: thwimmer
+---
+
+# Tutorial: Configure SAP Litmos for automatic user provisioning
+
+This tutorial describes the steps you need to perform in both SAP Litmos and Azure Active Directory (Azure AD) to configure automatic user provisioning. When configured, Azure AD automatically provisions and de-provisions users and groups to [SAP Litmos](http://www.litmos.com/) using the Azure AD Provisioning service. For important details on what this service does, how it works, and frequently asked questions, see [Automate user provisioning and deprovisioning to SaaS applications with Azure Active Directory](../app-provisioning/user-provisioning.md). 
+
+
+## Supported capabilities
+> [!div class="checklist"]
+> * Create users in SAP Litmos.
+> * Remove users in SAP Litmos when they do not require access anymore.
+> * Keep user attributes synchronized between Azure AD and SAP Litmos.
+> * Provision groups and group memberships in SAP Litmos.
+> * [Single sign-on](litmos-tutorial.md) to SAP Litmos (recommended).
+
+## Prerequisites
+
+The scenario outlined in this tutorial assumes that you already have the following prerequisites:
+
+* [An Azure AD tenant](../develop/quickstart-create-new-tenant.md). 
+* A user account in Azure AD with [permission](../roles/permissions-reference.md) to configure provisioning (for example, Application Administrator, Cloud Application administrator, Application Owner, or Global Administrator).
+* An SAP Litmos tenant.
+* A user account in SAP Litmos with Admin permissions.
+
+## Step 1. Plan your provisioning deployment
+1. Learn about [how the provisioning service works](../app-provisioning/user-provisioning.md).
+1. Determine who will be in [scope for provisioning](../app-provisioning/define-conditional-rules-for-provisioning-user-accounts.md).
+1. Determine what data to [map between Azure AD and SAP Litmos](../app-provisioning/customize-application-attributes.md).
+
+## Step 2. Configure SAP Litmos to support provisioning with Azure AD
+Contact SAP Litmos support to configure SAP Litmos to support provisioning with Azure AD.
+
+## Step 3. Add SAP Litmos from the Azure AD application gallery
+
+Add SAP Litmos from the Azure AD application gallery to start managing provisioning to SAP Litmos. If you have previously setup SAP Litmos for SSO you can use the same application. However it's recommended that you create a separate app when testing out the integration initially. Learn more about adding an application from the gallery [here](../manage-apps/add-application-portal.md). 
+
+## Step 4. Define who will be in scope for provisioning 
+
+The Azure AD provisioning service allows you to scope who will be provisioned based on assignment to the application and or based on attributes of the user / group. If you choose to scope who will be provisioned to your app based on assignment, you can use the following [steps](../manage-apps/assign-user-or-group-access-portal.md) to assign users and groups to the application. If you choose to scope who will be provisioned based solely on attributes of the user or group, you can use a scoping filter as described [here](../app-provisioning/define-conditional-rules-for-provisioning-user-accounts.md). 
+
+* Start small. Test with a small set of users and groups before rolling out to everyone. When scope for provisioning is set to assigned users and groups, you can control this by assigning one or two users or groups to the app. When scope is set to all users and groups, you can specify an [attribute based scoping filter](../app-provisioning/define-conditional-rules-for-provisioning-user-accounts.md).
+
+* If you need more roles, you can [update the application manifest](../develop/howto-add-app-roles-in-azure-ad-apps.md) to add new roles.
+
+
+## Step 5. Configure automatic user provisioning to SAP Litmos 
+
+This section guides you through the steps to configure the Azure AD provisioning service to create, update, and disable users and/or groups in TestApp based on user and/or group assignments in Azure AD.
+
+### To configure automatic user provisioning for SAP Litmos in Azure AD:
+
+1. Sign in to the [Azure portal](https://portal.azure.com). Select **Enterprise Applications**, then select **All applications**.
+
+	![Screenshot of Enterprise applications blade.](common/enterprise-applications.png)
+
+1. In the applications list, select **SAP Litmos**.
+
+	![Screenshot of the SAP Litmos link in the Applications list.](common/all-applications.png)
+
+1. Select the **Provisioning** tab.
+
+	![Screenshot of Provisioning tab.](common/provisioning.png)
+
+1. Set the **Provisioning Mode** to **Automatic**.
+
+	![Screenshot of Provisioning tab automatic.](common/provisioning-automatic.png)
+
+1. Under the **Admin Credentials** section, input your SAP Litmos Tenant URL and Secret Token. Click **Test Connection** to ensure Azure AD can connect to SAP Litmos. If the connection fails, ensure your SAP Litmos account has Admin permissions and try again.
+
+ 	![Screenshot of Token.](common/provisioning-testconnection-tenanturltoken.png)
+
+1. In the **Notification Email** field, enter the email address of a person or group who should receive the provisioning error notifications and select the **Send an email notification when a failure occurs** check box.
+
+	![Screenshot of Notification Email.](common/provisioning-notification-email.png)
+
+1. Select **Save**.
+
+1. Under the **Mappings** section, select **Synchronize Azure Active Directory Users to SAP Litmos**.
+
+1. Review the user attributes that are synchronized from Azure AD to SAP Litmos in the **Attribute-Mapping** section. The attributes selected as **Matching** properties are used to match the user accounts in SAP Litmos for update operations. If you choose to change the [matching target attribute](../app-provisioning/customize-application-attributes.md), you'll need to ensure that the SAP Litmos API supports filtering users based on that attribute. Select the **Save** button to commit any changes.
+
+   |Attribute|Type|Supported for filtering|Required by SAP Litmos|
+   |---|---|---|---|
+   |userName|String|✓|✓
+   |active|Boolean||✓
+   |title|String||
+   |emails[type eq "work"].value|String||
+   |preferredLanguage|String||
+   |name.givenName|String||✓
+   |name.familyName|String||✓
+   |addresses[type eq "work"].streetAddress|String||
+   |addresses[type eq "work"].locality|String||
+   |addresses[type eq "work"].region|String||
+   |addresses[type eq "work"].postalCode|String||
+   |addresses[type eq "work"].country|String||
+   |phoneNumbers[type eq "work"].value|String||
+   |phoneNumbers[type eq "mobile"].value|String||
+   |timezone|String||
+   |urn:ietf:params:scim:schemas:extension:enterprise:2.0:User:employeeNumber|String||
+   |urn:ietf:params:scim:schemas:extension:enterprise:2.0:User:organization|String||
+   |urn:ietf:params:scim:schemas:extension:enterprise:2.0:User:manager|Reference||
+   |urn:ietf:params:scim:schemas:extension:Litmos:2.0:User:CustomField:CustomField1|String||
+   |urn:ietf:params:scim:schemas:extension:Litmos:2.0:User:CustomField:CustomField2|String||
+   |urn:ietf:params:scim:schemas:extension:Litmos:2.0:User:CustomField:CustomField3|String||
+   |urn:ietf:params:scim:schemas:extension:Litmos:2.0:User:CustomField:CustomField4|String||
+   |urn:ietf:params:scim:schemas:extension:Litmos:2.0:User:CustomField:CustomField5|String||
+   |urn:ietf:params:scim:schemas:extension:Litmos:2.0:User:CustomField:CustomField6|String||
+   |urn:ietf:params:scim:schemas:extension:Litmos:2.0:User:CustomField:CustomField7|String||
+   |urn:ietf:params:scim:schemas:extension:Litmos:2.0:User:CustomField:CustomField8|String||
+   |urn:ietf:params:scim:schemas:extension:Litmos:2.0:User:CustomField:CustomField9|String||
+   |urn:ietf:params:scim:schemas:extension:Litmos:2.0:User:CustomField:CustomField10|String||
+
+1. Under the **Mappings** section, select **Synchronize Azure Active Directory Groups to SAP Litmos**.
+
+1. Review the group attributes that are synchronized from Azure AD to SAP Litmos in the **Attribute-Mapping** section. The attributes selected as **Matching** properties are used to match the groups in SAP Litmos for update operations. Select the **Save** button to commit any changes.
+
+   |Attribute|Type|Supported for filtering|Required by SAP Litmos|
+   |---|---|---|---|
+   |displayName|String|✓|✓
+   |members|Reference||
+   
+1. To configure scoping filters, refer to the following instructions provided in the [Scoping filter tutorial](../app-provisioning/define-conditional-rules-for-provisioning-user-accounts.md).
+
+1. To enable the Azure AD provisioning service for SAP Litmos, change the **Provisioning Status** to **On** in the **Settings** section.
+
+	![Screenshot of Provisioning Status Toggled On.](common/provisioning-toggle-on.png)
+
+1. Define the users and/or groups that you would like to provision to SAP Litmos by choosing the desired values in **Scope** in the **Settings** section.
+
+	![Screenshot of Provisioning Scope.](common/provisioning-scope.png)
+
+1. When you're ready to provision, click **Save**.
+
+	![Screenshot of Saving Provisioning Configuration.](common/provisioning-configuration-save.png)
+
+This operation starts the initial synchronization cycle of all users and groups defined in **Scope** in the **Settings** section. The initial cycle takes longer to perform than subsequent cycles, which occur approximately every 40 minutes as long as the Azure AD provisioning service is running. 
+
+## Step 6. Monitor your deployment
+Once you've configured provisioning, use the following resources to monitor your deployment:
+
+* Use the [provisioning logs](../reports-monitoring/concept-provisioning-logs.md) to determine which users have been provisioned successfully or unsuccessfully
+* Check the [progress bar](../app-provisioning/application-provisioning-when-will-provisioning-finish-specific-user.md) to see the status of the provisioning cycle and how close it's to completion
+* If the provisioning configuration seems to be in an unhealthy state, the application goes into quarantine. Learn more about quarantine states [here](../app-provisioning/application-provisioning-quarantine-status.md).
+
+## More resources
+
+* [Managing user account provisioning for Enterprise Apps](../app-provisioning/configure-automatic-user-provisioning-portal.md)
+* [What is application access and single sign-on with Azure Active Directory?](../manage-apps/what-is-single-sign-on.md)
+
+## Next steps
+
+* [Learn how to review logs and get reports on provisioning activity](../app-provisioning/check-status-user-account-provisioning.md)