Merge pull request #187829 from MicrosoftDocs/main

Merge main to live, 4 AM

Author: ttorble

.openpublishing.redirection.json

@@ -39699,6 +39699,11 @@
       "redirect_url": "/azure/cognitive-services/Speech-Service/regions",
       "redirect_document_id": true
     },
+    {
+      "source_path_from_root": "/articles/cognitive-services/Speech-Service/how-to-automatic-language-detection.md",
+      "redirect_url": "/azure/cognitive-services/Speech-Service/language-identification",
+      "redirect_document_id": true
+    },
     {
       "source_path_from_root": "/articles/cognitive-services/entitylinking/GettingStarted.md",
       "redirect_url": "/azure/cognitive-services/text-analytics",

articles/active-directory/develop/scenario-web-app-sign-user-app-configuration.md

@@ -135,6 +135,8 @@ In ASP.NET Core, another file ([properties\launchSettings.json](https://github.c
 In the Azure portal, the redirect URIs that you register on the **Authentication** page for your application need to match these URLs. For the two preceding configuration files, they would be `https://localhost:44321/signin-oidc`. The reason is that `applicationUrl` is `http://localhost:3110`, but `sslPort` is specified (44321). `CallbackPath` is `/signin-oidc`, as defined in `appsettings.json`.
 
 In the same way, the sign-out URI would be set to `https://localhost:44321/signout-oidc`.
+> [!NOTE]
+> SignedOutCallbackPath should set either to portal or the application to avoid conflict while handling the event.
 
 # [ASP.NET](#tab/aspnet)
 

articles/active-directory/external-identities/authentication-conditional-access.md

@@ -52,7 +52,7 @@ The following diagram illustrates the authentication flow when an external user
 |--------------|-----------------------|
 | **1** | The B2B guest user requests access to a resource. The resource redirects the user to its resource tenant,  a trusted IdP.|
 | **2** | The resource tenant identifies the user as external and redirects the user to the B2B guest user’s IdP. The user performs primary authentication in the IdP.
-| **3** | Authorization policies are evaluated in the B2B guest user's IdP. If the user satisfies these policies, the B2B guest user’s IdP issues a token to the user. The user is redirected back to the resource tenant with the token. The resource tenant validates the token and then evaluates the user against its Conditional Access policies. For example, the resource tenant could require the user to perform Azure Active Directory (AD) MFA.
+| **3** | Authorization policies are evaluated in the B2B guest user's IdP. If the user satisfies these policies, the B2B guest user's IdP issues a token to the user. The user is redirected back to the resource tenant with the token. The resource tenant validates the token and then evaluates the user against its Conditional Access policies. For example, the resource tenant could require the user to perform Azure Active Directory (AD) MFA.
 | **4** | Inbound cross-tenant access settings and Conditional Access policies are evaluated. If all policies are satisfied, the resource tenant issues its own token and redirects the user to its resource.
 
 ### Example 2: Authentication flow and token for one-time passcode user

articles/active-directory/external-identities/cross-tenant-access-overview.md

@@ -79,9 +79,19 @@ You can configure organization-specific settings by adding an organization and m
 
 Several tools are available to help you identify the access your users and partners need before you set inbound and outbound access settings. To ensure you don’t remove access that your users and partners need, you can examine current sign-in behavior. Taking this preliminary step will help prevent loss of desired access for your end users and partner users. However, in some cases these logs are only retained for 30 days, so we strongly recommend you speak with your business stakeholders to ensure required access isn't lost.
 
-### Sign-In Logs
+### Cross-tenant sign-in activity PowerShell script
 
-To determine your users access to external Azure AD organizations in the last 30 days, run the following PowerShell script:
+To review user sign-in activity associated with external tenants, you can use the [cross-tenant user sign-in activity](https://aka.ms/cross-tenant-signins-ps) PowerShell script. For example, to view all available sign-in events for inbound activity (external users accessing resources in the local tenant) and outbound activity (local users accessing resources in an external tenant), run the following command:
+
+```powershell
+Get-MSIDCrossTenantAccessActivity -SummaryStats -ResolveTenantId
+```
+
+The output is a summary of all available sign-in events for inbound and outbound activity, listed by external tenant ID and external tenant name.
+
+### Sign-in logs PowerShell script
+
+To determine your users' access to external Azure AD organizations, you can use the [Get-MgAuditLogSignIn](https://aka.ms/cross-tenant-log-ps) cmdlet in the Microsoft Graph PowerShell SDK to view data from your sign-in logs for the last 30 days. For example, run the following command:
 
 ```powershell
 Get-MgAuditLogSignIn ` 
@@ -91,24 +101,11 @@ group ResourceTenantId,AppDisplayName,UserPrincipalName| `
 select count, @{n=’Ext TenantID/App User Pair’;e={$_.name}}] 
 ```
 
-The output is a list of outbound sign-ins initiated by your users to apps in external tenants, for example:
-
-```powershell
-Count Ext TenantID/App User Pair
------ --------------------------
-    6 45fc4ed2-8f2b-42c1-b98c-b254d552f4a7, ADIbizaUX, [email protected]
-    6 45fc4ed2-8f2b-42c1-b98c-b254d552f4a7, Azure Portal, [email protected]
-    6 45fc4ed2-8f2b-42c1-b98c-b254d552f4a7, Access Panel, [email protected]
-    6 45fc4ed2-8f2b-42c1-b98c-b254d552f4a7, MS-PIM, [email protected]
-    6 45fc4ed2-8f2b-42c1-b98c-b254d552f4a7, AAD ID Gov, [email protected]
-    6 45fc4ed2-8f2b-42c1-b98c-b254d552f4a7, Access Panel, [email protected]
-```
-
-For the most up-to-date PowerShell script, see the [cross-tenant user sign-in activity script](https://aka.ms/cross-tenant-signins-ps).
+The output is a list of outbound sign-ins initiated by your users to apps in external tenants.
 
 ### Azure Monitor
 
-If your organization subscribes to the Azure Monitor service, you can use the **Cross-tenant access activity**  workbook (available in the Monitoring workbooks gallery in the Azure portal) to visually explore inbound and outbound sign-ins for longer time periods.  
+If your organization subscribes to the Azure Monitor service, you can use the [Cross-tenant access activity workbook](/reports-monitoring/workbook-cross-tenant-access-activity.md) (available in the Monitoring workbooks gallery in the Azure portal) to visually explore inbound and outbound sign-ins for longer time periods.
 
 ### Security Information and Event Management (SIEM) Systems
 

articles/active-directory/external-identities/external-identities-overview.md

@@ -7,7 +7,7 @@ services: active-directory
 ms.service: active-directory
 ms.subservice: B2B
 ms.topic: overview
-ms.date: 01/31/2022
+ms.date: 02/07/2022
 ms.author: mimart
 author: msmimart
 manager: celestedg
@@ -128,7 +128,7 @@ As an inviting organization, you might not know ahead of time who the individual
 
 Microsoft Graph APIs are available for creating and managing External Identities features.
 
-- **Cross-tenant access settings API**: The Microsoft Graph cross-tenant access API lets you programmatically create the same B2B collaboration policies that are configurable in the Azure portal. Using the API, you can set up policies for inbound and outbound collaboration to allow or block features for everyone by default and limit access to specific organizations, groups, users, and applications. The API also allows you to accept MFA and device claims (compliant claims and hybrid Azure AD joined claims) from other Azure AD organizations.
+- **Cross-tenant access settings API**: The [Microsoft Graph cross-tenant access API](/graph/api/resources/crosstenantaccesspolicy-overview?view=graph-rest-beta) lets you programmatically create the same B2B collaboration policies that are configurable in the Azure portal. Using the API, you can set up policies for inbound and outbound collaboration to allow or block features for everyone by default and limit access to specific organizations, groups, users, and applications. The API also allows you to accept MFA and device claims (compliant claims and hybrid Azure AD joined claims) from other Azure AD organizations.
 
 - **B2B collaboration invitation manager**: The [Microsoft Graph invitation manager API](/graph/api/resources/invitation) is available for building your own onboarding experiences for B2B guest users. You can use the [create invitation API](/graph/api/invitation-post?tabs=http) to automatically send a customized invitation email directly to the B2B user, for example. Or your app can use the inviteRedeemUrl returned in the creation response to craft your own invitation (through your communication mechanism of choice) to the invited user.
 

articles/active-directory/manage-apps/configure-admin-consent-workflow.md

@@ -30,7 +30,7 @@ To approve requests, a reviewer must be a global administrator, cloud applicatio
 To configure the admin consent workflow, you need:
 
 - An Azure account. [Create an account for free](https://azure.microsoft.com/free/?WT.mc_id=A261C142F).
-- One of the following roles: Global Administrator or owner of the service principal.
+- You must be a global administrator to turn on the workflow.
 
 ## Enable the admin consent workflow
 

articles/active-directory/saas-apps/embark-tutorial.md

@@ -0,0 +1,136 @@
+---
+title: 'Tutorial: Azure AD SSO integration with Embark'
+description: Learn how to configure single sign-on between Azure Active Directory and Embark.
+services: active-directory
+author: jeevansd
+manager: CelesteDG
+ms.reviewer: CelesteDG
+ms.service: active-directory
+ms.subservice: saas-app-tutorial
+ms.workload: identity
+ms.topic: tutorial
+ms.date: 02/01/2022
+ms.author: jeedes
+
+---
+
+# Tutorial: Azure AD SSO integration with Embark
+
+In this tutorial, you'll learn how to integrate Embark with Azure Active Directory (Azure AD). When you integrate Embark with Azure AD, you can:
+
+* Control in Azure AD who has access to Embark.
+* Enable your users to be automatically signed-in to Embark with their Azure AD accounts.
+* Manage your accounts in one central location - the Azure portal.
+
+## Prerequisites
+
+To get started, you need the following items:
+
+* An Azure AD subscription. If you don't have a subscription, you can get a [free account](https://azure.microsoft.com/free/).
+* Embark single sign-on (SSO) enabled subscription.
+
+## Scenario description
+
+In this tutorial, you configure and test Azure AD SSO in a test environment.
+
+* Embark supports **SP** initiated SSO.
+
+> [!NOTE]
+> Identifier of this application is a fixed string value so only one instance can be configured in one tenant.
+
+## Adding Embark from the gallery
+
+To configure the integration of Embark into Azure AD, you need to add Embark from the gallery to your list of managed SaaS apps.
+
+1. Sign in to the Azure portal using either a work or school account, or a personal Microsoft account.
+1. On the left navigation pane, select the **Azure Active Directory** service.
+1. Navigate to **Enterprise Applications** and then select **All Applications**.
+1. To add new application, select **New application**.
+1. In the **Add from the gallery** section, type **Embark** in the search box.
+1. Select **Embark** from results panel and then add the app. Wait a few seconds while the app is added to your tenant.
+
+
+## Configure and test Azure AD SSO for Embark
+
+Configure and test Azure AD SSO with Embark using a test user called **B.Simon**. For SSO to work, you need to establish a link relationship between an Azure AD user and the related user in Embark.
+
+To configure and test Azure AD SSO with Embark, perform the following steps:
+
+1. **[Configure Azure AD SSO](#configure-azure-ad-sso)** - to enable your users to use this feature.
+    1. **[Create an Azure AD test user](#create-an-azure-ad-test-user)** - to test Azure AD single sign-on with B.Simon.
+    1. **[Assign the Azure AD test user](#assign-the-azure-ad-test-user)** - to enable B.Simon to use Azure AD single sign-on.
+1. **[Configure Embark SSO](#configure-embark-sso)** - to configure the single sign-on settings on application side.
+    1. **[Create Embark test user](#create-embark-test-user)** - to have a counterpart of B.Simon in Embark that is linked to the Azure AD representation of user.
+1. **[Test SSO](#test-sso)** - to verify whether the configuration works.
+
+## Configure Azure AD SSO
+
+Follow these steps to enable Azure AD SSO in the Azure portal.
+
+1. In the Azure portal, on the **Embark** application integration page, find the **Manage** section and select **single sign-on**.
+1. On the **Select a single sign-on method** page, select **SAML**.
+1. On the **Set up single sign-on with SAML** page, click the pencil icon for **Basic SAML Configuration** to edit the settings.
+
+   ![Edit Basic SAML Configuration](common/edit-urls.png)
+
+1. On the **Basic SAML Configuration** section, enter the values for the following fields:
+
+	In the **Sign on URL** text box, type the URL:
+    `https://hrportal-uat.ehr.com/microsoftbenefits`
+
+1. Your Embark application expects the SAML assertions in a specific format, which requires you to add custom attribute mappings to your SAML token attributes configuration. The following screenshot shows an example for this. The default value of **Unique User Identifier** is **user.userprincipalname** but Embark expects this to be mapped with the user's employee id. For that you can use **user.employeeid** attribute from the list or use the appropriate attribute value based on your organization configuration..
+
+	![image](common/default-attributes.png)
+
+
+1. On the **Set up single sign-on with SAML** page, In the **SAML Signing Certificate** section, click copy button to copy **App Federation Metadata Url** and save it on your computer.
+
+	![The Certificate download link](common/copy-metadataurl.png)
+
+### Create an Azure AD test user
+
+In this section, you'll create a test user in the Azure portal called B.Simon.
+
+1. From the left pane in the Azure portal, select **Azure Active Directory**, select **Users**, and then select **All users**.
+1. Select **New user** at the top of the screen.
+1. In the **User** properties, follow these steps:
+   1. In the **Name** field, enter `B.Simon`.  
+   1. In the **User name** field, enter the [email protected]. For example, `[email protected]`.
+   1. Select the **Show password** check box, and then write down the value that's displayed in the **Password** box.
+   1. Click **Create**.
+
+### Assign the Azure AD test user
+
+In this section, you'll enable B.Simon to use Azure single sign-on by granting access to Embark.
+
+1. In the Azure portal, select **Enterprise Applications**, and then select **All applications**.
+1. In the applications list, select **Embark**.
+1. In the app's overview page, find the **Manage** section and select **Users and groups**.
+1. Select **Add user**, then select **Users and groups** in the **Add Assignment** dialog.
+1. In the **Users and groups** dialog, select **B.Simon** from the Users list, then click the **Select** button at the bottom of the screen.
+1. If you are expecting a role to be assigned to the users, you can select it from the **Select a role** dropdown. If no role has been set up for this app, you see "Default Access" role selected.
+1. In the **Add Assignment** dialog, click the **Assign** button.
+
+## Configure Embark SSO
+
+To configure single sign-on on **Embark** side, you need to send the **App Federation Metadata Url** to [Embark support team](mailto:[email protected]). They set this setting to have the SAML SSO connection set properly on both sides.
+
+### Create Embark test user
+
+In this section, you create a user called Britta Simon in Embark. Work with [Embark support team](mailto:[email protected]) to add the users in the Embark platform. Users must be created and activated before you use single sign-on.
+
+## Test SSO 
+
+In this section, you test your Azure AD single sign-on configuration with following options. 
+
+* Click on **Test this application** in Azure portal. This will redirect to Embark Sign-on URL where you can initiate the login flow. 
+
+* Go to Embark Sign-on URL directly and initiate the login flow from there.
+
+* You can use Microsoft My Apps. When you click the Embark tile in the My Apps, this will redirect to Embark Sign-on URL. For more information about the My Apps, see [Introduction to the My Apps](../user-help/my-apps-portal-end-user-access.md).
+
+## Next steps
+
+Once you configure Embark you can enforce session control, which protects exfiltration and infiltration of your organization’s sensitive data in real time. Session control extends from Conditional Access. [Learn how to enforce session control with Microsoft Defender for Cloud Apps](/cloud-app-security/proxy-deployment-aad).
+
+

articles/active-directory/saas-apps/toc.yml

@@ -693,6 +693,8 @@
         href: elium-tutorial.md
       - name: eLuminate
         href: eluminate-tutorial.md
+      - name: Embark
+        href: embark-tutorial.md
       - name: embed signage
         href: embed-signage-tutorial.md  
       - name: Empactis

articles/aks/howto-deploy-java-liberty-app-with-postgresql.md

@@ -33,7 +33,7 @@ For more information on Open Liberty, see [the Open Liberty project page](https:
   * Install a Java SE implementation (for example, [AdoptOpenJDK OpenJDK 8 LTS/OpenJ9](https://adoptopenjdk.net/?variant=openjdk8&jvmVariant=openj9)).
   * Install [Maven](https://maven.apache.org/download.cgi) 3.5.0 or higher.
   * Install [Docker](https://docs.docker.com/get-docker/) for your OS.
-  * Create a user-assigned managed identity and assign `Contributor` role to that identity by following the steps in [Manage user-assigned managed identities](../active-directory/managed-identities-azure-resources/how-manage-user-assigned-managed-identities.md). Return to this document after creating the identity and assigning it the necessary role.
+  * Create a user-assigned managed identity and assign `Owner` role or `Contributor` and `User Access Administrator` roles to that identity by following the steps in [Manage user-assigned managed identities](../active-directory/managed-identities-azure-resources/how-manage-user-assigned-managed-identities.md). Assign `Directory readers` role to the identity in Azure AD by following [Assign Azure AD roles to users](../active-directory/roles/manage-roles-portal.md). Return to this document after creating the identity and assigning it the necessary roles.
 
 ## Create a Jakarta EE runtime using the portal
 
@@ -151,15 +151,15 @@ In directory *liberty/config*, the *server.xml* is used to configure the DB conn
 
 ### Acquire necessary variables from AKS deployment
 
-After the offer is successfully deployed, an AKS cluster with a namespace will be generated automatically. The AKS cluster is configured to connect to the ACR using a pre-created secret under the generated namespace. Before we get started with the application, we need to extract the namespace and the pull-secret name of the ACR configured for the AKS.
+After the offer is successfully deployed, an AKS cluster will be generated automatically. The AKS cluster is configured to connect to the ACR. Before we get started with the application, we need to extract the namespace configured for the AKS.
 
 1. Run following command to print the current deployment file, using the `appDeploymentTemplateYamlEncoded` you saved above. The output contains all the variables we need.
 
    ```bash
    echo <appDeploymentTemplateYamlEncoded> | base64 -d
    ```
 
-1. Save the `metadata.namespace` and `spec.pullSecret` from this yaml output aside for later use in this article.
+1. Save the `metadata.namespace` from this yaml output aside for later use in this article.
 
 ### Build the project
 
@@ -179,7 +179,6 @@ export DB_TYPE=postgres
 export DB_USER=${DB_ADMIN_USERNAME}@${DB_NAME}
 export DB_PASSWORD=${DB_ADMIN_PASSWORD}
 export NAMESPACE=<metadata.namespace>
-export PULL_SECRET=<pullSecret>
 
 mvn clean install
 ```
@@ -300,4 +299,4 @@ az group delete --name <RESOURCE_GROUP_NAME> --yes --no-wait
 * [Azure Database for PostgreSQL](https://azure.microsoft.com/services/postgresql/)
 * [Open Liberty](https://openliberty.io/)
 * [Open Liberty Operator](https://github.com/OpenLiberty/open-liberty-operator)
-* [Open Liberty Server Configuration](https://openliberty.io/docs/ref/config/)
+* [Open Liberty Server Configuration](https://openliberty.io/docs/ref/config/)