MicrosoftDocs
diff --git a/‎articles/active-directory/saas-apps/citrix-cloud-saml-sso-tutorial.md
Lines changed: 9 additions & 12 deletions b/‎articles/active-directory/saas-apps/citrix-cloud-saml-sso-tutorial.md
Lines changed: 9 additions & 12 deletions
diff --git a/‎articles/active-directory/saas-apps/media/citrix-cloud-saml-sso-tutorial/connect.png
-1.23 KB b/‎articles/active-directory/saas-apps/media/citrix-cloud-saml-sso-tutorial/connect.png
-1.23 KB
diff --git a/‎articles/azure-arc/resource-bridge/includes/network-requirements.md
Lines changed: 1 addition & 0 deletions b/‎articles/azure-arc/resource-bridge/includes/network-requirements.md
Lines changed: 1 addition & 0 deletions
diff --git a/‎articles/azure-arc/servers/deploy-ama-policy.md
Lines changed: 0 additions & 2 deletions b/‎articles/azure-arc/servers/deploy-ama-policy.md
Lines changed: 0 additions & 2 deletions
diff --git a/‎articles/azure-arc/servers/ssh-arc-overview.md
Lines changed: 76 additions & 55 deletions b/‎articles/azure-arc/servers/ssh-arc-overview.md
Lines changed: 76 additions & 55 deletions
@@ -9,7 +9,7 @@ ms.service: active-directory
 ms.subservice: saas-app-tutorial
 ms.workload: identity
 ms.topic: tutorial
-ms.date: 11/21/2022
+ms.date: 07/10/2023
 ms.author: jeedes
 
 ---
@@ -53,7 +53,7 @@ To configure the integration of Citrix Cloud SAML SSO into Azure AD, you need to
 
 ## Configure and test Azure AD SSO for Citrix Cloud SAML SSO
 
-Configure and test Azure AD SSO with Citrix Cloud SAML SSO using a test user called **B.Simon**. For SSO to work, you need to establish a link relationship between an Azure AD user and the related user in Citrix Cloud SAML SSO.This user must also exist in your Active Directory that is synced with Azure AD Connect to your Azure AD subscription.
+Configure and test Azure AD SSO with Citrix Cloud SAML SSO using a test user called **B.Simon**. For SSO to work, you need to establish a link relationship between an Azure AD user and the related user in Citrix Cloud SAML SSO. This user must also exist in your Active Directory that is synced with Azure AD Connect to your Azure AD subscription.
 
 To configure and test Azure AD SSO with Citrix Cloud SAML SSO, perform the following steps:
 
@@ -85,13 +85,13 @@ Follow these steps to enable Azure AD SSO in the Azure portal.
 
 	![image](common/default-attributes.png)
 
-1. In addition to above, Citrix Cloud SAML SSO application expects few more attributes to be passed back in SAML response which are shown below. These attributes are also pre-populated but you can review them as per your requirements.The values passed in the SAML response should map to the Active Directory attributes of the user.
+1. In addition to above, Citrix Cloud SAML SSO application expects few more attributes to be passed back in SAML response which are shown below. These attributes are also pre-populated but you can review them as per your requirements. The values passed in the SAML response should map to the Active Directory attributes of the user.
 
 	| Name | Source Attribute |
 	| -----|-----|
 	| cip_sid | user.onpremisesecurityidentifier |
 	| cip_upn | user.userprincipalname |
-	| cip_oid | ObjectGUID (Extension Attribute ) |
+	| cip_oid | ObjectGUID (Extension Attribute) |
 	| cip_email | user.mail |
 	| displayName | user.displayname |
 
@@ -135,30 +135,27 @@ In this section, you'll enable B.Simon to use Azure single sign-on by granting a
 
 ## Configure Citrix Cloud SAML SSO
 
-
-
-
 1. In a different web browser window, sign in to your up Citrix Cloud SAML SSO company site as an administrator
 
 1. Navigate to the Citrix Cloud menu and select **Identity and Access Management**.
 
-	![Account](./media/citrix-cloud-saml-sso-tutorial/menu.png "Account") 
+	![Screenshot shows Account page.](./media/citrix-cloud-saml-sso-tutorial/menu.png "Account") 
 
 1. Under **Authentication**, locate **SAML 2.0** and select **Connect** from the ellipsis menu.
 
-	![SAML 2.0](./media/citrix-cloud-saml-sso-tutorial/access.png "SAML 2.0")
+	![Screenshot shows SAML 2.0.](./media/citrix-cloud-saml-sso-tutorial/access.png "SAML 2.0")
 
 1. In the **Configure SAML** page, perform the following steps.
 
-	![Configuration](./media/citrix-cloud-saml-sso-tutorial/connect.png "Configuration")
+	![Screenshot shows Configuration.](./media/citrix-cloud-saml-sso-tutorial/connect.png "Configuration")
 
 	a. In the **Entity ID** textbox, paste the **Azure AD Identifier** value which you have copied from the Azure portal.
 
-	b. In the **Sign Authentication Request**, select **No**.
+	b. In the **Sign Authentication Request**, select **Yes**, if you want to use `SAML Request signing`, else select **No**.
 
 	c. In the **SSO Service URL** textbox, paste the **Login URL** value which you have copied from the Azure portal.
 
-	d. Select **Binding Mechanism** from the drop down, you can select either **HTTP-POST** or **HTTP-Redirect** binding.
+	d. Select **Binding Mechanism** from the drop-down, you can select either **HTTP-POST** or **HTTP-Redirect** binding.
 
 	e. Under **SAML Response**, select **Sign Either Response or Assertion** from the dropdown.
 
 
@@ -17,6 +17,7 @@ The firewall and proxy URLs below must be allowlisted in order to enable communi
 |SFS API endpoint | 443 | `msk8s.api.cdp.microsoft.com` | Management machine & Appliance VM IPs need outbound connection. | Used when downloading product catalog, product bits, and OS images from SFS. |
 |Resource bridge (appliance) Dataplane service| 443 | `https://*.dp.prod.appliances.azure.com`| Appliance VMs IP need outbound connection. | Communicate with resource provider in Azure.|
 |Resource bridge (appliance) container image download| 443 | `*.blob.core.windows.net, https://ecpacr.azurecr.io`| Appliance VM IPs need outbound connection. | Required to pull container images. |
+|Managed Identity| 443 | `*.his.arc.azure.com`| Appliance VM IPs need outbound connection. | Required to pull system-assigned Managed Identity certificates. | 
 |Resource bridge (appliance) image download| 80 | `msk8s.b.tlu.dl.delivery.mp.microsoft.com`| Management machine & Appliance VM IPs need outbound connection. |  Download the Arc Resource Bridge OS images.  |
 |Resource bridge (appliance) image download| 443 | `msk8s.sb.tlu.dl.delivery.mp.microsoft.com`| Management machine & Appliance VM IPs need outbound connection. |  Download the Arc Resource Bridge OS images.  |
 |Azure Arc for Kubernetes container image download| 443 | `https://azurearcfork8s.azurecr.io`|  Appliance VM IPs need outbound connection. | Required to pull container images. |
 
@@ -21,8 +21,6 @@ In order for Azure Monitor to work on a machine, it needs to be associated with
 
 ## Select a Data Collection Rule
 
-Data Collection Rules (DCRs) define specify what data should be collected, how to transform that data, and where to send that data. You need to select (or create) a DCR and specify it within the ARM template used for deploying AMA.
-
 Data Collection Rules define the data collection process in Azure Monitor. They specify what data should be collected and where that data should be sent. You'll need to select or create a DCR to be associated with your Policy definition.
 
 1. From your browser, go to the [Azure portal](https://portal.azure.com).
 
@@ -1,7 +1,7 @@
 ---
-title: (Preview) SSH access to Azure Arc-enabled servers
-description: Leverage SSH remoting to access and manage Azure Arc-enabled servers.
-ms.date: 04/12/2023
+title: SSH access to Azure Arc-enabled servers
+description: Use SSH remoting to access and manage Azure Arc-enabled servers.
+ms.date: 07/01/2023
 ms.topic: conceptual
 ms.custom: references_regions
 ---
@@ -11,10 +11,6 @@ SSH for Arc-enabled servers enables SSH based connections to Arc-enabled servers
 This functionality can be used interactively, automated, or with existing SSH based tooling,
 allowing existing management tools to have a greater impact on Azure Arc-enabled servers.
 
-> [!IMPORTANT]
-> SSH for Arc-enabled servers is currently in PREVIEW.
-> See the [Supplemental Terms of Use for Microsoft Azure Previews](https://azure.microsoft.com/support/legal/preview-supplemental-terms/) for legal terms that apply to Azure features that are in beta, preview, or otherwise not yet released into general availability.
-
 ## Key benefits
 SSH access to Arc-enabled servers provides the following key benefits:
  - No public IP address or open SSH ports required
@@ -23,14 +19,13 @@ SSH access to Arc-enabled servers provides the following key benefits:
  - Support for other OpenSSH based tooling with config file support
 
 ## Prerequisites
-To leverage this functionality, please ensure the following: 
- - Ensure the Arc-enabled server has a hybrid agent version of "1.13.21320.014" or higher.
- - Run: ```azcmagent show``` on your Arc-enabled Server.
- - [Ensure the Arc-enabled server has the "sshd" service enabled](/windows-server/administration/openssh/openssh_install_firstuse).
- - Ensure you have the Virtual Machine Local User Login role assigned (role ID: 602da2baa5c241dab01d5360126ab525)
+To enable this functionality, ensure the following: 
+ - Ensure the Arc-enabled server has a hybrid agent version of "1.31.xxxx" or higher.  Run: ```azcmagent show``` on your Arc-enabled Server.
+ - Ensure the Arc-enabled server has the "sshd" service enabled. For Linux machines `openssh-server` can be installed via a package manager and needs to be enabled.  SSHD needs to be [enabled on Windows](/windows-server/administration/openssh/openssh_install_firstuse).
+ - Ensure you have the Owner or Contributer role assigned.
 
 Authenticating with Azure AD credentials has additional requirements:
- - `aadsshlogin` and `aadsshlogin-selinux` (as appropriate) must be installed on the Arc-enabled server. These packages are installed with the AADSSHLoginForLinux VM extension. 
+ - `aadsshlogin` and `aadsshlogin-selinux` (as appropriate) must be installed on the Arc-enabled server. These packages are installed with the `Azure AD based SSH Login – Azure Arc` VM extension. 
  - Configure role assignments for the VM.  Two Azure roles are used to authorize VM login:
    - **Virtual Machine Administrator Login**: Users who have this role assigned can log in to an Azure virtual machine with administrator privileges.
    - **Virtual Machine User Login**: Users who have this role assigned can log in to an Azure virtual machine with regular user privileges.
@@ -46,72 +41,98 @@ SSH access to Arc-enabled servers is currently supported in all regions supporte
 
 ## Getting started
 
-### Install local command line tool
-This functionality is currently packaged in an Azure CLI extension and an Azure PowerShell module.
-#### [Install Azure CLI extension](#tab/azure-cli)
+### Register the HybridConnectivity resource provider
+> [!NOTE]
+> This is a one-time operation that needs to be performed on each subscription.
 
-```az extension add --name ssh```
+Check if the HybridConnectivity resource provider (RP) has been registered:
 
-> [!NOTE]
-> The Azure CLI extension version must be greater than 1.1.0.
+```az provider show -n Microsoft.HybridConnectivity```
 
-#### [Install Azure PowerShell module](#tab/azure-powershell)
+If the RP hasn't been registered, run the following:
 
-```Install-Module -Name AzPreview -Scope CurrentUser -Repository PSGallery -Force```
+```az provider register -n Microsoft.HybridConnectivity```
 
----
+This operation can take 2-5 minutes to complete.  Before moving on, check that the RP has been registered.
 
-### Enable functionality on your Arc-enabled server
-In order to use the SSH connect feature, you must enable connections on the hybrid agent.
+### Create default connectivity endpoint
+> [!NOTE]
+> The following step will not need to be run for most users as it should complete automatically at first connection.
+> This step must be completed for each Arc-enabled server.
 
+#### [Create the default endpoint with Azure CLI:](#tab/azure-cli)
+```bash
+az rest --method put --uri https://management.azure.com/subscriptions/<subscription>/resourceGroups/<resourcegroup>/providers/Microsoft.HybridCompute/machines/<arc enabled server name>/providers/Microsoft.HybridConnectivity/endpoints/default?api-version=2023-03-15 --body '{"properties": {"type": "default"}}'
+```
 > [!NOTE]
-> The following actions must be completed in an elevated terminal session.
+> If using Azure CLI from PowerShell, the following should be used.
+```powershell
+az rest --method put --uri https://management.azure.com/subscriptions/<subscription>/resourceGroups/<resourcegroup>/providers/Microsoft.HybridCompute/machines/<arc enabled server name>/providers/Microsoft.HybridConnectivity/endpoints/default?api-version=2023-03-15 --body '{\"properties\":{\"type\":\"default\"}}'
+```
 
-View your current incoming connections:
+Validate endpoint creation:
+ ```bash
+az rest --method get --uri https://management.azure.com/subscriptions/<subscription>/resourceGroups/<resourcegroup>/providers/Microsoft.HybridCompute/machines/<arc enabled server name>/providers/Microsoft.HybridConnectivity/endpoints/default?api-version=2023-03-15
+ ```
+ 
+#### [Create the default endpoint with Azure PowerShell:](#tab/azure-powershell)
+ ```powershell
+Invoke-AzRestMethod -Method put -Path /subscriptions/<subscription>/resourceGroups/<resourcegroup>/providers/Microsoft.HybridCompute/machines/<arc enabled server name>/providers/Microsoft.HybridConnectivity/endpoints/default?api-version=2023-03-15 -Payload '{"properties": {"type": "default"}}'
+```
 
-```azcmagent config list```
+Validate endpoint creation:
+ ```powershell
+ Invoke-AzRestMethod -Method get -Path /subscriptions/<subscription>/resourceGroups/<resourcegroup>/providers/Microsoft.HybridCompute/machines/<arc enabled server name>/providers/Microsoft.HybridConnectivity/endpoints/default?api-version=2023-03-15
+ ```
+ ---
+ 
+ ### Install local command line tool
+This functionality is currently packaged in an Azure CLI extension and an Azure PowerShell module.
+#### [Install Azure CLI extension](#tab/azure-cli)
 
-If you have existing ports, you'll need to include them in the following command.
+```az extension add --name ssh```
 
-To add access to SSH connections, run the following:
+> [!NOTE]
+> The Azure CLI extension version must be greater than 2.0.0.
 
-```azcmagent config set incomingconnections.ports 22<,other open ports,...>```
+#### [Install Azure PowerShell module](#tab/azure-powershell)
 
-If you're using a non-default port for your SSH connection, replace port 22 with your desired port in the previous command.
+```powershell
+Install-Module -Name Az.Ssh -Scope CurrentUser -Repository PSGallery
+Install-Module -Name Az.Ssh.ArcProxy -Scope CurrentUser -Repository PSGallery
+```
 
-> [!NOTE]
-> The following steps will not need to be run for most users.
+---
+
+### Enable functionality on your Arc-enabled server
+In order to use the SSH connect feature, you must update the Service Configuration in the Connectivity Endpoint on the Arc-Enabled Server to allow SSH connection to a specific port. You may only allow connection to a single port. The CLI tools attempt to update the allowed port at runtime, but the port can be manually configured with the following:
 
-### Register the HybridConnectivity resource provider
 > [!NOTE]
-> This is a one-time operation that needs to be performed on each subscription.
+> There may be a delay after updating the Service Configuration until you are able to connect.
 
-Check if the HybridConnectivity resource provider (RP) has been registered:
+#### [Azure CLI](#tab/azure-cli)
 
-```az provider show -n Microsoft.HybridConnectivity```
+```az rest --method put --uri https://management.azure.com/subscriptions/<subscription>/resourceGroups/<resourcegroup>/providers/Microsoft.HybridCompute/machines/<arc enabled server name>/providers/Microsoft.HybridConnectivity/endpoints/default/serviceconfigurations/SSH?api-version=2023-03-15 --body '{\"properties\": {\"serviceName\": \"SSH\", \"port\": \"22\"}}'```
 
-If the RP hasn't been registered, run the following:
+#### [Azure PowerShell](#tab/azure-powershell)
 
-```az provider register -n Microsoft.HybridConnectivity```
+```Invoke-AzRestMethod -Method put -Path /subscriptions/<subscription>/resourceGroups/<resourcegroup>/providers/Microsoft.HybridCompute/machines/<arc enabled server name>/providers/Microsoft.HybridConnectivity/endpoints/default/serviceconfigurations/SSH?api-version=2023-03-15 -Payload '{"properties": {"serviceName": "SSH", "port": 22}}'```
 
-This operation can take 2-5 minutes to complete.  Before moving on, check that the RP has been registered.
+---
 
-### Create default connectivity endpoint
-> [!NOTE]
-> The following actions must be completed for each Arc-enabled server.
+If you're using a nondefault port for your SSH connection, replace port 22 with your desired port in the previous command.
+
+### Optional: Install Azure AD login extension
+The `Azure AD based SSH Login – Azure Arc` VM extension can be added from the extensions menu of the Arc server. The Azure AD login extension can also be installed locally via a package manager via: `apt-get install aadsshlogin` or the following command.
+
+```az connectedmachine extension create --machine-name <arc enabled server name> --resource-group <resourcegroup> --publisher Microsoft.Azure.ActiveDirectory --name AADSSHLogin --type AADSSHLoginForLinux --location <location>```
 
-Create the default endpoint in PowerShell:
- ```powershell
- az rest --method put --uri https://management.azure.com/subscriptions/<subscription>/resourceGroups/<resourcegroup>/providers/Microsoft.HybridCompute/machines/<arc enabled server name>/providers/Microsoft.HybridConnectivity/endpoints/default?api-version=2021-10-06-preview --body '{"properties": {"type": "default"}}'
- ```
-Create the default endpoint in Bash:
-```bash
-az rest --method put --uri https://management.azure.com/subscriptions/<subscription>/resourceGroups/<resourcegroup>/providers/Microsoft.HybridCompute/machines/<arc enabled server name>/providers/Microsoft.HybridConnectivity/endpoints/default?api-version=2021-10-06-preview --body '{"properties": {"type": "default"}}'
-```
-Validate endpoint creation:
- ```
- az rest --method get --uri https://management.azure.com/subscriptions/<subscription>/resourceGroups/<resourcegroup>/providers/Microsoft.HybridCompute/machines/<arc enabled server name>/providers/Microsoft.HybridConnectivity/endpoints/default?api-version=2021-10-06-preview
- ```
 
 ## Examples
 To view examples, view the Az CLI documentation page for [az ssh](/cli/azure/ssh) or the Azure PowerShell documentation page for [Az.Ssh](/powershell/module/az.ssh).
+
+## Next steps
+
+- Learn about [OpenSSH for Windows](/windows-server/administration/openssh/openssh_overview)
+- Learn about troubleshooting [SSH access to Azure Arc-enabled servers](ssh-arc-troubleshoot.md).
+- Learn about troubleshooting [agent connection issues](troubleshoot-agent-onboard.md).